Data Protection Act 2018
Publication Date: January 01, 2018
2018 Chapter 12
An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.
[23 May 2018]
Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—
(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the GDPR.
(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5) Part 4 makes provision about the processing of personal data by the intelligence services.
(6) Part 5 makes provision about the Information Commissioner.
(7) Part 6 makes provision about the enforcement of the data protection legislation.
(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.
2 Protection of personal data
(1) The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
(2) When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.
3 Terms relating to the processing of personal data
(1) This section defines some terms used in this Act.
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
(a) collection, recording, organisation, structuring or storage,
(b) adaptation or alteration,
(c) retrieval, consultation or use,
(d) disclosure by transmission, dissemination or otherwise making available,
(e) alignment or combination, or
(f) restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
(6) “Controller” and “processor”, in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies, have the same meaning as in that Chapter or Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
(7) “Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
(8) “The Commissioner” means the Information Commissioner (see section 114).
(9) “The data protection legislation” means—
the applied GDPR,
regulations made under this Act, and
regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
(10) “The GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
(11) “The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.
(12) “The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
(13) “The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
(14) In Parts 5 to 7, except where otherwise provided—
(a) references to the GDPR are to the GDPR read with Chapter 2 of Part 2 and include the applied GDPR read with Chapter 3 of Part 2;
(b) references to Chapter 2 of Part 2, or to a provision of that Chapter, include that Chapter or that provision as applied by Chapter 3 of Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.
(15) There is an index of defined expressions in section 206.
Scope and definitions
4 Processing to which this Part applies
(1) This Part is relevant to most processing of personal data.
(2) Chapter 2 of this Part—
(a) applies to the types of processing of personal data to which the GDPR applies by virtue of Article 2 of the GDPR, and
(b) supplements, and must be read with, the GDPR.
(3) Chapter 3 of this Part—
(a) applies to certain types of processing of personal data to which the GDPR does not apply (see section 21), and
(b) makes provision for a regime broadly equivalent to the GDPR to apply to such processing.
(1) Terms used in Chapter 2 of this Part and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.
(2) In subsection (1), the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR.
(3) Subsection (1) is subject to any provision in Chapter 2 which provides expressly for the term to have a different meaning and to section 204.
(4) Terms used in Chapter 3 of this Part and in the applied GDPR have the same meaning in Chapter 3 as they have in the applied GDPR.
(5) In subsection (4), the reference to a term’s meaning in the applied GDPR is to its meaning in the GDPR read with any provision of Chapter 2 (as applied by Chapter 3) or Chapter 3 which modifies the term’s meaning for the purposes of the applied GDPR.
(6) Subsection (4) is subject to any provision in Chapter 2 (as applied by Chapter 3) or Chapter 3 which provides expressly for the term to have a different meaning.
(7) A reference in Chapter 2 or Chapter 3 of this Part to the processing of personal data is to processing to which the Chapter applies.
(8) Sections 3 and 205 include definitions of other expressions used in this Part.
Meaning of certain terms used in the GDPR
6 Meaning of “controller”
(1) The definition of “controller” in Article 4(7) of the GDPR has effect subject to—
section 209, and
(2) For the purposes of the GDPR, where personal data is processed only—
(a) for purposes for which it is required by an enactment to be processed, and
(b) by means by which it is required by an enactment to be processed,
the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
7 Meaning of “public authority” and “public body”
(1) For the purposes of the GDPR, the following (and only the following) are “public authorities” and “public bodies” under the law of the United Kingdom—
(a) a public authority as defined by the Freedom of Information Act 2000,
(b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), and
(c) an authority or body specified or described by the Secretary of State in regulations,
subject to subsections (2), (3) and (4).
(2) An authority or body that falls within subsection (1) is only a “public authority” or “public body” for the purposes of the GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
(3) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as...