Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Digital, Culture, Media & Sport
Wednesday 22nd November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Stevenson of Balmacara
My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.
Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.
The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.
Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,
“must set standards by which a data controller is required to anonymise personal data”.
There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.
The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.
At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.
The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.
There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.
Lord Clement-Jones (LD)
We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.
There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.
This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.
Baroness Neville-Rolfe
I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.
The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.
The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.
I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.
I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.
Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.
As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.
It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.
I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.
Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.
Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.
Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.
Lord Clement-Jones
My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.
Lord Ashton of Hyde
If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.
Lord Clement-Jones
That may have been the original intention, but perhaps it was never put properly into effect.
Lord Ashton of Hyde
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
Lord Clement-Jones
Lord Clement-Jones
My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,
“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.
The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.
Baroness Chisholm of Owlpen
It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.
This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.
There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.
Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.
It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I thank the Minister. She will not need to spend very long reading my contribution in Hansard, as she will appreciate, but I pledge to read what she had to say. The interplay with the Access to Medical Reports Act may be of some importance in this, but on both sides we may need to reflect a little further. The case being made is that, because the NHS is making more information available about the use of patient records, it may be appropriate to change the legislation, which, as the Minister said, may have been fit for purpose for a period of time but now, in the light of new circumstances, may need changing. Indeed, it may not be “hypothetical” any more, to use her word. I will reflect on what the Minister said, but if there is scope for further improvement of the clause, I hope that it might be considered at a future stage. In the meantime, I beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,
“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.
I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.
Lord Stevenson of Balmacara
It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.
I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.
Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.
The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.
The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.
However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.
Lord Clement-Jones
My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.
I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.
The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.
I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.
Baroness Jones of Moulsecoomb (GP)
My Lords, I support Amendment 184. As the noble Lord, Lord Stevenson, said, the GDPR does allow not-for-profit organisations to lodge complaints about suspected breaches of data protection without needing the authorisation of the individuals concerned. I really do not understand why this has been taken out; it is such an important piece of legislation that gives teeth to data protection. Most people do not have the time or the inclination to lodge complaints against data controllers. So many organisations are now holding data about us that it is ridiculous to suggest that individuals can become data detectives responsible for finding out who holds data on them and trying to work out whether that data is being processed in accordance with data protection rules.
I went through the hassle of getting my own subject access request from the Met police. It took a lot of form filling and cost me £10, which was absolutely not money well spent because the file, when I got it, was so redacted. I did ask for my money back but was not given it. That shows me that most of us will not know that data about us is being held—so the amendment is extremely valid.
Despite my opposition to some provisions in the Bill, I accept that it is very important. However, it is equally important that we get it right and that we do not have all these derogations which mean that it has less authority and power. Personally, I think that the amendment strengthens the data protection regime without any hassle for consumers. I hope that the Government will include it in the next iteration of the Bill.
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.
With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.
Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.
Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.
More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?
We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.
I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.
Lord Ashton of Hyde
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
Lord Kennedy of Southwark
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
Lord Clement-Jones
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
Lord Ashton of Hyde
My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.
“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)
1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)
2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)
5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)
9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)
14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)
17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)
18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)
19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)
21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)
22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)
23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)
24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)
25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)
26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)
27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)
33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)
34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)
44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)
45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)
49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)
53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)
57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)
58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)
65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)
66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)
69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)
72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)
73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)
76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)
77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)
78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)
81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)
82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)
83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)
84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)
85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)
86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)
87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)
90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)
93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)
96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)
105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)
109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)
110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)
111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)
114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)
115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)
116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)
117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)
118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)
119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)
120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)
123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)
125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)
126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)
127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)
128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))
131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)
132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)
136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)
140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)
141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))
144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)
145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)
147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)
148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)
149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)
150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)
151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)
152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))
153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)
158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)
159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))
167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))
168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)
171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)
172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)
173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)
176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)
186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act
187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)
192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)
201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)
203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule
205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”
Lord Clement-Jones
My Lords, looking at the amendments and new Schedule 18 is rather like looking for a needle in a haystack, but I hope that the Minister received some notice of what I was going to raise. If not, as ever, I hope that he will helpfully write to me. In paragraph 42 of new Schedule 18, there is a reference to an amendment to Section 77 of the Freedom of Information Act. It deletes any reference to,
“section 7 of the Data Protection Act 1998”.
That is a deletion of a summary offence, which is rather baffling to many of us. It is about not keeping records. Many of us thought that, since there have been very few or no prosecutions under that section of the Freedom of Information Act, the answer would perhaps have been to ratchet up the penalty. At the moment, it is only a summary offence. Therefore, there is a six-month time limit, and it is difficult to get the information to hand in that period. If it was made a more serious offence, it would be rather more straightforward to prosecute in those circumstances. The Government, however, seem to have swept this off the statute book, buried in new Schedule 18. I hope that the Minister when he writes will elucidate clearly and perhaps say that in another part of the forest a criminal offence still lurks.