Data (Use and Access) Bill [HL]

EXPLANATORY NOTES

Explanatory notes to the Bill, prepared by the Department for Science, Innovation and Technology, the Department of Health and Social Care, the Home Office, the Department for Business and Trade, HM Treasury and the Department for Energy Security and Net Zero, have been ordered to be published as HL Bill 40—EN.

EUROPEAN CONVENTION ON HUMAN RIGHTS

Baroness Jones of Whitchurch has made the following statement under section 19(1)(a) of the Human Rights Act 1998:

In my view the provisions of the Data (Use and Access) Bill [HL] are compatible with the Convention rights.

Data (Use and Access) Bill [HL]
[As Introduced]

A Bill to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; and for connected purposes.

Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

Part 1 Access to customer data and business data

Introductory

1 Customer data and business data

(1)

This Part confers powers on the Secretary of State and the Treasury to make
provision in connection with access to customer data and business data.

(2)

In this Part—


“business data”, in relation to a trader, means—

(a)

information about goods, services and digital content supplied
or provided by the trader,

(b)

information relating to the supply or provision of goods,
services and digital content by the trader (such as, for example, information about—

(i)

where goods, services or digital content are supplied
or provided,

(ii)

prices or other terms on which they are supplied or
provided,

(iii)

how they are used, or

(iv)

their performance or quality),

(c)

information relating to feedback about the goods, services or
digital content (or their supply or provision), and

(d)

information relating to the provision of information described
in paragraphs (a) to (c) to a person in accordance with data regulations;


“customer data” means information relating to a customer of a trader,
including—

(a)

information relating to goods, services and digital content
supplied or provided by the trader to the customer or to another person at the customer’s request (such as, for example, information about—

(i)

prices or other terms on which goods, services or digital
content are supplied or provided to the customer or the other person,

(ii)

how they are used by the customer or the other person,
or

(iii)

their performance or quality when used by the customer
or the other person), and

(b)

information relating to the provision of information described
in paragraph (a), or of other information relating to a customer of a trader, to a person in accordance with data regulations;


“data holder”, in relation to customer data or business data of a trader,
means—

(a)

the trader, or

(b)

a person who, in the course of a business, processes the data;


“data regulations” means regulations under section 2 or 4 (and see section 23);


“trader” means a person who supplies or provides goods, services or
digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

(3)

For the purposes of this Part, a person (“C”) is a customer of a trader (“T”)
if C has at any time—

(a)

purchased goods, services or digital content supplied or provided by
T (whether for use by C or another person),

(b)

been supplied or provided by T with goods, services or digital content
purchased from T by another person, or

(c)

otherwise received goods, services or digital content free of charge
from T.

(4)

In subsection (3), the references to purchase, supply, provision or receipt of
goods, services or digital content at any time include purchase, supply, provision or receipt before this section comes into force.

(5)

In subsections (3) and (4), references to purchasing goods, services or digital
content include entering into an agreement to do so.

(6)

In this Part—

(a)

a reference to providing customer data or business data to a person
(however expressed) includes a reference to providing the person with access to such data or with the ability to provide other persons with access to such data, and

(b)

a reference to a person receiving customer data or business data
(however expressed) includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data.

Data regulations

2 Power to make provision in connection with customer data

(1)

The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to provide customer data—

(a)

to the customer, at the customer’s request, or

(b)

to a person of a specified description who is authorised by the
customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request.

(2)

In this Part, in relation to customer data, “third party recipient” means a
person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3)

The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder—

(a)

to produce, collect or retain, or arrange for the production, collection
or retention of, customer data;

(b)

to make changes to customer data, including to require rectification
of inaccurate customer data, at the request of a customer or authorised person.

(4)

The Secretary of State or the Treasury may by regulations make provision
for a person who is an authorised person in relation to customer data to take, on the customer’s behalf, action that the customer could take in relation to goods, services or digital content supplied or provided by a person who is, or has been, a data holder in relation to the customer data.

(5)

In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—

(a)

the likely effects for existing and future customers,

(b)

the likely effects for data holders,

(c)

the likely effect on small businesses and micro businesses,

(d)

the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods, services and digital content, and

(e)

the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.

3 Customer data: supplementary

(1)

This section is about provision that regulations under section 2 may (among
other things) contain.

(2)

The regulations may include—

(a)

provision about the procedure by which customers authorise persons
to receive customer data or to do other things;

(b)

provision restricting the persons that may be authorised to persons
that comply with specified conditions;

(c)

provision for a specified person to decide whether a person satisfies
the conditions for authorisation (and see section 6 for further provision about decision-makers).

(3)

The regulations may make provision about requests relating to customer data,
including provision about the circumstances in which a data holder may or must refuse to act on a request.

(4)

The regulations may make provision about the providing of customer data
and the taking of action described in section 2(4), including—

(a)

provision requiring a data holder to provide customer data on one or
more occasions, for a specified period or at specified intervals;

(b)

provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c)

provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d)

provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(e)

provision about interface bodies (see section 7).

(5)

The regulations may include—

(a)

provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records of customer data provided in accordance with the regulations;

(b)

provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of customer data received in accordance with the regulations.

(6)

The regulations may make provision requiring a person who, in the course
of a business, processes customer data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7)

The regulations may make provision about the processing of customer data
provided to a third party recipient in accordance with the regulations, including—

(a)

provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic communications services or application programming interfaces;

(b)

provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c)

provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d)

provision about interface bodies (see section 7);

(e)

provision about further disclosure of the data, including provision for
a person to whom customer data is further disclosed to be subject to—

(i)

some or all of the obligations imposed on a third party recipient
by the regulations in relation to the customer data;

(ii)

conditions imposed by the third party recipient.

(8)

The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including—

(a)

information about the rights of customers in relation to customer data
processed by the data holder or a third party recipient;

(b)

information about the activities carried out by the data holder or a
third party recipient in performance of their obligations under the regulations.

(9)

The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10)

The regulations may make provision about procedures for the resolution of
disputes, including—

(a)

provision appointing, or providing for the appointment of, a person
to determine disputes;

(b)

provision about the person’s powers when determining disputes;

(c)

provision about the effect of decisions relating to disputes;

(d)

provision about the review of decisions relating to disputes;

(e)

provision about appeals to a court or tribunal.

(11)

In subsections (4)(d) and (7)(c), references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

4 Power to make provision in connection with business data

(1)

The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to publish business data or to provide business data—

(a)

to a customer of the trader to whom the business data relates, or

(b)

to another person of a specified description.

(2)

In this Part, in relation to business data, “third party recipient” means a person
of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3)

The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, business data.

(4)

The Secretary of State or the Treasury may by regulations—

(a)

make provision requiring a public authority that is a third party
recipient (whether by virtue of those regulations or other data regulations), or a person appointed by such a public authority, to publish business data or to provide business data—

(i)

to a customer of the trader to whom the business data relates,
or

(ii)

to another person of a specified description,

(b)

in relation to the public authority, or a person appointed by the public
authority to do something described in paragraph (a), make any provision that could be made in relation to a data holder, in connection with business data, in reliance on subsection (3) or sections 5 to 21, other than provision imposing a levy on the public authority or person, and

(c)

in relation to a person to whom the public authority is required to
provide business data by virtue of provision made under paragraph (a)(ii), make any provision that could be made in relation to a third party recipient in reliance on sections 5 to 21.

(5)

In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—

(a)

the likely effects for existing and future customers,

(b)

the likely effects for data holders,

(c)

the likely effect on small businesses and micro businesses,

(d)

the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods, services and digital content, and

(e)

the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.

5 Business data: supplementary

(1)

This section is about provision that regulations under section 4 may (among
other things) contain.

(2)

The regulations may require business data to be provided on request and
make provision about requests, including—

(a)

provision for requests to be made by a customer, a third party recipient
or another person;

(b)

provision about the circumstances in which a data holder may or must
refuse to act on a request.

(3)

The regulations may make provision requiring business data to be provided
to customers, or third party recipients, who are approved to receive it, including—

(a)

provision restricting the persons that may be approved to persons that
comply with specified conditions;

(b)

provision for a specified person to decide whether a person satisfies
the conditions for approval (and see section 6 for further provision about decision-makers).

(4)

The regulations may make provision about the providing or publishing of
business data, including—

(a)

provision requiring a data holder to provide or publish business data
on one or more occasions, for a specified period or at specified intervals;

(b)

provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c)

provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d)

provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services.

(e)

provision about interface bodies (see section 7).

(5)

The regulations may include—

(a)

provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records of business data provided in accordance with the regulations;

(b)

provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of business data received in accordance with the regulations.

(6)

The regulations may make provision requiring a person who, in the course
of a business, processes business data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7)

The regulations may make provision about the processing of business data
provided to a third party recipient in accordance with the regulations, including—

(a)

provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic communications services or application programming interfaces;

(b)

provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c)

provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d)

provision about interface bodies (see section 7);

(e)

provision about further disclosure of the data, including provision for
a person to whom business data is further disclosed to be subject to some or all of the obligations imposed on customers or third party recipients by the regulations in relation to the business data.

(8)

The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including information about the activities carried out by the data holder or third party recipient in performance of their obligations under the regulations.

(9)

The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10)

The regulations may make provision about procedures for the resolution of
disputes, including—

(a)

provision appointing, or providing for the appointment of, a person
to determine disputes;

(b)

provision about the person’s powers when determining disputes;

(c)

provision about the effect of decisions relating to disputes;

(d)

provision about the review of decisions relating to disputes;

(e)

provision about appeals to a court or tribunal.

(11)

In subsections (4)(d) and (7)(c), references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

6 Decision-makers

(1)

This section is about the provision about decision-makers that regulations
under section 2 or 4 may or must (among other things) contain.

(2)

In this Part, “decision-maker” means a person who is authorised or required
to take a decision described in section 3(2)(c) (authorisation) or 5(3)(b) (approval).

(3)

The regulations may make provision about the appointment of a
decision-maker.

(4)

The regulations may make provision enabling or requiring a decision-maker
to suspend or revoke a decision.

(5)

The regulations may confer powers on a decision-maker for the purpose of
monitoring compliance with conditions for authorisation or approval (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers).

(6)

The monitoring powers that may be conferred on a decision-maker include
powers to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(7)

The regulations must make provision about the rights of persons affected by
the exercise of a decision-maker’s functions under the regulations and such provision may include (among other things)—

(a)

provision about the review of decision-makers’ decisions;

(b)

provision about appeals to a court or tribunal.

(8)

The regulations may make provision about complaints, including provision
requiring a decision-maker to implement procedures for the handling of complaints.

(9)

The regulations may make provision enabling or requiring a decision-maker
to publish, or provide to a specified person, specified documents or information relating to the exercise of the decision-maker’s functions.

(10)

The regulations may make provision for a decision-maker to arrange for its
monitoring powers to be exercised by another person.

(11)

The regulations may—

(a)

provide for functions under the regulations to be exercisable by more
than one decision-maker (whether jointly or concurrently);

(b)

where functions of decision-makers are exercisable concurrently—

(i)

provide for one of the decision-makers to be the lead
decision-maker;

(ii)

require the other decision-makers to consult the lead
decision-maker before exercising the functions in a particular case;

(iii)

provide for the lead decision-maker to give directions as to
which decision-maker is to exercise a function in a particular case.

(12)

The regulations may make provision enabling or requiring a decision-maker—

(a)

to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring decision-makers with functions exercisable jointly or concurrently to produce joint guidance),

(b)

to publish the guidance, and

(c)

to provide copies to specified persons.

7 Interface bodies

(1)

This section is about the provision that regulations under section 2 or 4 may
(among other things) contain about bodies with one or more of the following tasks—

(a)

establishing a facility or service used, or capable of being used, for
providing, publishing or otherwise processing customer data or business data or for taking action described in section 2(4) (referred to in this Part as an “interface”);

(b)

setting standards, or making other arrangements, relating to, or to the
use of, an interface (referred to in this Part as “interface standards” and “interface arrangements”);

(c)

maintaining or managing an interface, interface standards or interface
arrangements.

(2)

Such bodies are referred to in this Part as “interface bodies”.

(3)

The regulations may—

(a)

require a data holder or a third party recipient to set up an interface
body;

(b)

make provision about the type of body to be set up.

(4)

In relation to an interface body (whether or not it is required to be set up by
regulations under section 2 or 4), the regulations may—

(a)

make provision about the body’s composition and governance;

(b)

make provision requiring a data holder or a third party recipient to
provide, or arrange for, assistance for the body;

(c)

impose other requirements relating to the body on a person who is
required to set it up or to provide, or arrange for, assistance for the body;

(d)

make provision requiring the body to carry on all or part of a task
described in subsection (1);

(e)

make provision requiring the body to do other things in connection
with its interface, interface standards or interface arrangements;

(f)

make provision about how the body carries out its functions (such as,
for example, provision about the body’s objectives or matters to be taken into account by the body);

(g)

confer powers on the body for the purpose of monitoring use of its
interface, interface standards or interface arrangements (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers);

(h)

make provision for the body to arrange for its monitoring powers to
be exercised by another person;

(i)

make provision about the rights of persons affected by the exercise of
the body’s functions under the regulations, including (among other things)—

(i)

provision about the review of decisions made in exercise of
those functions;

(ii)

provision about appeals to a court or tribunal;

(j)

make provision about complaints, including provision requiring the
body to implement procedures for the handling of complaints;

(k)

make provision enabling or requiring the body to publish, or provide
to a specified person, specified documents or information relating to its interface, interface standards or interface arrangements;

(l)

make provision enabling or requiring the body to produce guidance
about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5)

The monitoring powers that may be conferred on an interface body include
power to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(6)

Examples of facilities or services referred to in subsection (1) include dashboard
services, other electronic communications services and application programming interfaces.

(7)

In subsection (4)(b) and (c), the references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

Enforcement

8 Enforcement of regulations under this Part

(1)

The Secretary of State or the Treasury may by regulations make provision—

(a)

for the purpose of monitoring compliance with regulations under this
Part or requirements imposed in exercise of a power conferred by such regulations, and

(b)

for the enforcement of such regulations or requirements,

including provision for monitoring or enforcement by a specified public authority.

(2)

In this Part, “enforcer” means a public authority that is authorised or required
to carry out monitoring or enforcement described in subsection (1).

(3)

The following subsections and sections 9 and 10 make provision about what
regulations under subsection (1) may or must (among other things) contain.

(4)

The regulations may confer powers of investigation on an enforcer, including—

(a)

powers to require the provision of documents or information,

(b)

powers to require an individual to attend at a place and answer
questions, and

(c)

powers of entry, inspection, search and seizure,

but such powers are subject to the restrictions in section 9 (as well as any restrictions included in the regulations).

(5)

The regulations may—

(a)

make provision enabling an enforcer to issue a notice (“a compliance
notice”) requiring compliance with—

(i)

regulations under this Part;

(ii)

a condition for authorisation or approval imposed by a
decision-maker;

(iii)

any other requirement imposed in exercise of a power conferred
by regulations under this Part;

(b)

make provision for the enforcement of compliance notices, including
provision for their enforcement as if they were orders of a court or tribunal;

(c)

make provision enabling an enforcer to publish a statement to the
effect that the enforcer considers that a person is not complying with—

(i)

a requirement imposed by regulations under this Part,

(ii)

a requirement imposed by a compliance notice, or

(iii)

any other requirement imposed in exercise of a power conferred
by regulations under this Part.

(6)

The regulations may make provision creating offences punishable with an
unlimited fine, or a fine not exceeding a specified amount, in respect of—

(a)

the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;

(b)

an act or omission (including falsification) which prevents an enforcer,
an interface body or a decision-maker from accessing information, documents, equipment or other material.

(7)

The regulations may make provision enabling a financial penalty to be
imposed by an enforcer in respect of—

(a)

the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;

(b)

a failure to comply with a requirement imposed by regulations under
this Part;

(c)

a failure to comply with a requirement imposed by a compliance
notice;

(d)

a failure to comply with any other requirement imposed in exercise
of a power conferred by regulations under this Part;

and see section 10 for further provision about financial penalties.

(8)

The regulations may make provision about the rights of persons affected by
the exercise of an enforcer’s functions under the regulations, including—

(a)

provision about the review of a decision made in exercise of those
functions;

(b)

provision about appeals to a court or tribunal.

(9)

The regulations may make provision about complaints, including provision
requiring an enforcer to implement procedures for the handling of complaints.

(10)

The regulations may make provision enabling or requiring an enforcer to
publish, or to provide to a specified person, specified information relating to monitoring or enforcement described in subsection (1), including—

(a)

information about the exercise of the enforcer’s functions, either
generally or in relation to a particular case, and

(b)

information about convictions for offences.

(11)

The regulations may make provision for an enforcer to arrange for its powers
of investigation under the regulations to be exercised by another person.

(12)

The regulations may—

(a)

provide for functions under the regulations to be exercisable by more
than one enforcer (whether jointly or concurrently);

(b)

where functions of enforcers are exercisable concurrently—

(i)

provide for one of the enforcers to be the lead enforcer;

(ii)

require the other enforcers to consult the lead enforcer before
exercising the functions in a particular case;

(iii)

provide for the lead enforcer to give directions as to which
enforcer is to exercise a function in a particular case.

(13)

The regulations may make provision enabling or requiring an enforcer—

(a)

to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring enforcers with functions exercisable jointly or concurrently to produce joint guidance),

(b)

to publish the guidance, and

(c)

to provide copies to specified persons.

9 Restrictions on powers of investigation etc

(1)

Regulations under this Part may not—

(a)

authorise entry to a private dwelling without a warrant issued by a
justice, or

(b)

require a person to provide information within subsections (2) to (7) to a decision-maker, an interface body or an enforcer.

(2)

Information is within this subsection if requiring a person to provide the
information would involve an infringement of the privileges of either House of Parliament.

(3)

Information is within this subsection if it is information in respect of a
communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights imposed or conferred by or under regulations made under this Part.

(4)

Information is within this subsection if it is information in respect of a
communication which is made—

(a)

between a professional legal adviser and the adviser’s client or between
such an adviser or client and another person,

(b)

in connection with, or in contemplation of, proceedings under or
arising out of regulations made under this Part (including proceedings arising out of the exercise of powers conferred by such regulations), and

(c)

for the purposes of such proceedings.

(5)

In subsections (3) and (4), references to the client of a professional legal adviser
include references to a person acting on behalf of the client.

(6)

Information is within this subsection if requiring a person to provide the
information would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(7)

The reference to an offence in subsection (6) does not include an offence
under—

(a)

regulations made under this Part;

(b)

section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn statements).

(8)

An oral or written statement provided by a person in response to a request
for information made by a decision-maker, an interface body or an enforcer in accordance with regulations under this Part may not be used in evidence against that person on a prosecution for an offence (other than an offence under regulations made under this Part) unless in the proceedings—

(a)

in giving evidence the person provides information inconsistent with
the statement, and

(b)

evidence relating to the statement is adduced, or a question relating
to it is asked, by that person or on that person’s behalf.

(9)

In this section, “justice” means—

(a)

in England and Wales, a justice of the peace,

(b)

in Scotland, a sheriff or summary sheriff, and

(c)

in Northern Ireland, a lay magistrate.

10 Financial penalties

(1)

This section is about provision that regulations under this Part conferring
power on an enforcer to impose a financial penalty may or must (among other things) contain.

(2)

The regulations must provide for the amount of a financial penalty to be—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount,

unless section 16 confers power to provide otherwise.

(3)

The regulations must include provision—

(a)

requiring an enforcer to produce guidance about how the enforcer
proposes to exercise any discretion to determine the amount of a financial penalty and to have regard to such guidance in exercising its discretion;

(b)

requiring an enforcer to publish the guidance;

(c)

requiring an enforcer, before imposing a financial penalty on a person,
to give the person written notice (a “notice of intent”) of the proposed financial penalty;

(d)

ensuring that the person is given an opportunity to make
representations about the proposed financial penalty;

(e)

requiring the enforcer, after the period for making representations, to
decide whether to impose the financial penalty;

(f)

requiring the enforcer, if they decide to impose the financial penalty,
to give the person notice in writing (a “final notice”) imposing the penalty;

(g)

enabling a person on whom a financial penalty is imposed to appeal
to a court or tribunal in accordance with the regulations;

(h)

as to the powers of the court or tribunal on such an appeal.

(4)

The regulations may include provision—

(a)

requiring or enabling an enforcer to provide copies of guidance
described in subsection (3)(a) to specified persons;

(b)

enabling a notice of intent or final notice to be withdrawn or amended;

(c)

requiring an enforcer to withdraw a final notice in specified
circumstances;

(d)

for a financial penalty to be increased in the event of late payment
by—

(i)

a specified amount or an amount determined in accordance
with the regulations, or

(ii)

an amount not exceeding such an amount;

(e)

as to how financial penalties are recoverable.

Fees etc and financial assistance

11 Fees

(1)

The Secretary of State or the Treasury may by regulations—

(a)

make provision enabling a person listed in subsection (2), or a person
acting on their behalf, to require other persons to pay fees for the purpose of meeting expenses described in subsection (3), and

(b)

make provision about what must or may be done with amounts paid
as fees.

(2)

Those persons are—

(a)

data holders;

(b)

decision-makers;

(c)

interface bodies;

(d)

enforcers;

(e)

other persons on whom duties are imposed, or powers are conferred,
by or under regulations made under this Part.

(3)

Those expenses are expenses incurred, or to be incurred, by the person listed
in subsection (2), or a person acting on their behalf, in performing duties, or exercising powers, imposed or conferred on the person listed in subsection (2) by or under regulations made under this Part.

(4)

Regulations under subsection (1)—

(a)

may only provide for a fee to be payable by persons that appear to
the Secretary of State or the Treasury to be capable of being directly affected by the performance of duties, or the exercise of powers, imposed or conferred by or under regulations made under this Part;

(b)

may provide for the amount of a fee to be an amount which is
intended to exceed the cost of the things in respect of which the fee is charged.

(5)

Regulations under subsection (1) must provide for the amount of a fee to
be—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount,

unless section 15 confers power to provide otherwise.

(6)

Regulations under subsection (1) may provide for the amount, or maximum
amount, of a fee to increase at specified times and by—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount.

(7)

Regulations under subsection (1) enabling a person to determine the amount
of a fee must require the person to publish information about the amount and how it is determined.

(8)

Regulations under subsection (1) may (among other things) make provision
about—

(a)

interest on any unpaid amounts;

(b)

the recovery of unpaid amounts.

12 Levy

(1)

The Secretary of State or the Treasury may by regulations—

(a)

impose, or provide for a specified public authority to impose, a levy
on data holders or third party recipients for the purpose of meeting expenses described in subsection (2), and

(b)

make provision about what must or may be done with funds raised
by means of the levy.

(2)

Those expenses are expenses incurred, or to be incurred, during a period by
a person listed in subsection (3), or a person acting on their behalf, in performing duties, or exercising powers, imposed or conferred on the person listed in subsection (3) by or under regulations made under this Part.

(3)

Those persons are—

(a)

decision-makers;

(b)

interface bodies;

(c)

enforcers;

(d)

public authorities subject to requirements imposed by regulations
made in reliance on section 4(4).

(4)

Regulations under subsection (1) may only provide for a levy in respect of
expenses of a person to be imposed on data holders or third party recipients that appear to the Secretary of State or the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the person by or under regulations made under this Part.

(5)

Regulations under subsection (1) providing for a specified public authority
to impose a levy must—

(a)

make provision about how the rate of the levy is to be determined;

(b)

make provision about how the period in respect of which the levy is
payable is to be determined;

(c)

require the public authority to publish information about the rate, the
period and how they are determined.

(6)

Regulations under subsection (1) may (among other things) make provision
about—

(a)

interest on any unpaid amounts payable by way of a levy;

(b)

the recovery of such unpaid amounts.

13 Financial assistance

(1)

The Secretary of State or the Treasury may give financial assistance to a person
for the purpose of—

(a)

meeting expenses incurred, or to be incurred, by the person in
performing duties, or exercising powers, imposed or conferred by or under regulations made under this Part, or

(b)

exercising other functions in connection with such regulations.

(2)

But subsection (1) does not enable financial assistance to be provided to a
person listed in subsection (3) or to a person acting on their behalf.

(3)

Those persons are—

(a)

data holders,

(b)

customers, or

(c)

third party recipients, other than a third party recipient that is a public
authority subject to requirements imposed by regulations made in reliance on section 4(4).

(4)

The financial assistance may be given on such terms and conditions as the
Secretary of State or the Treasury considers appropriate.

(5)

In this section, “financial assistance” means any kind of financial assistance
whether actual or contingent, including a grant, loan, guarantee or indemnity, but does not include buying a company’s share capital.

Financial services sector

14 The FCA and financial services interfaces

(1)

The Treasury may by regulations make provision enabling or requiring the
Financial Conduct Authority (referred to in this Part as “the FCA”) to make rules—

(a)

requiring financial services providers described in the regulations to
use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when providing or receiving customer data or business data which is required to be provided by or to the financial services provider by data regulations;

(b)

requiring persons described in the regulations to use a prescribed
interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when the person, in the course of a business, receives, from a financial services provider, customer data or business data which is required to be provided to the person by data regulations;

(c)

imposing interface-related requirements on a description of person
falling within subsection (3).

(2)

Such rules are referred to in this Part as “FCA interface rules”.

(3)

The following persons fall within this subsection—

(a)

an interface body linked to the financial services sector;

(b)

a person required by regulations made in reliance on section 7 to set
up an interface body linked to the financial services sector;

(c)

a person who uses an interface, complies with interface standards or
participates in interface arrangements linked to the financial services sector or who is required to do so by data regulations or rules made by virtue of regulations under subsection (1)(a) or (b).

(4)

For the purposes of this section, requirements are interface-related if they
relate to—

(a)

the composition, governance or activities of an interface body linked
to the financial services sector,

(b)

an interface, interface standards or interface arrangements linked to
the financial services sector, or

(c)

the use of such an interface, compliance with such interface standards
or participation in such interface arrangements.

(5)

For the purposes of this section—

(a)

an interface body is linked to the financial services sector to the extent
that its interface, interface standards or interface arrangements are linked to the financial services sector;

(b)

interfaces, interface standards and interface arrangements are linked
to the financial services sector to the extent that they are used, or intended to be used, by financial services providers (whether or not they are used, or intended to be used, by other persons).

(6)

The Treasury may by regulations make provision enabling or requiring the
FCA to impose requirements on a person to whom FCA interface rules apply (referred to in this Part as “FCA additional requirements”) where the FCA considers it appropriate to impose the requirement—

(a)

in response to a failure, or likely failure, by the person to comply with
an FCA interface rule or FCA additional requirement, or

(b)

in order to advance a purpose which the FCA is required to advance
when exercising functions conferred by regulations under this section (see section 15(3)(a)).

(7)

Regulations under subsection (6) may, for example, provide for the FCA to
impose requirements by giving a notice or direction.

(8)

The restrictions in section 9 apply in connection with FCA interface rules and
FCA additional requirements as they apply in connection with regulations under this Part.

(9)

In section 9 as so applied—

(a)

the references in subsections (1)(b) and (8) to an enforcer include the
FCA, and

(b)

the references in subsections (3) and (4) to regulations made under
this Part include FCA interface rules and FCA additional requirements.

(10)

In this section—


“financial services provider” means a person providing financial services;

“prescribed” means prescribed in FCA interface rules.

15 The FCA and financial services interfaces: supplementary

(1)

This section is about provision that regulations under section 14 may or must
(among other things) contain.

(2)

The regulations—

(a)

may require or enable the FCA to impose interface-related requirements
that could be imposed by regulations made in reliance on section 7(4) or (5), but

(b)

may not require or enable the FCA to require a person to set up an
interface body.

(3)

The regulations must—

(a)

require the FCA, so far as is reasonably possible, to exercise functions
conferred by the regulations in a manner which is compatible with, or which advances, one or more specified purposes;

(b)

specify one or more matters to which the FCA must have regard when
exercising functions conferred by the regulations;

(c)

if they require or enable the FCA to make rules, make provision about
the procedure for making rules, including provision requiring such consultation with persons likely to be affected by the rules or representatives of such persons as the FCA considers appropriate.

(4)

The regulations may—

(a)

require the FCA to carry out an analysis of the costs and benefits that
will arise if proposed rules are made or proposed changes are made to rules and make provision about what the analysis must include;

(b)

require the FCA to publish rules or changes to rules and to provide
copies to specified persons;

(c)

make provision about the effect of rules, including provision about
circumstances in which rules are void and circumstances in which a person is not to be taken to have contravened a rule;

(d)

make provision enabling or requiring the FCA to modify or waive
rules as they apply to a particular case;

(e)

make provision about the procedure for imposing FCA additional
requirements;

(f)

make provision enabling or requiring the FCA to produce guidance
about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5)

The regulations may require or enable the FCA to impose the following types
of requirement on a person as FCA additional requirements—

(a)

a requirement to review the person’s conduct;

(b)

a requirement to take remedial action;

(c)

a requirement to make redress for loss or damage suffered by others
as a result of the person’s conduct.

(6)

The regulations may require or enable FCA interface rules to require a person
listed in subsection (7) to pay fees to an interface body, or to another person listed in that subsection, for the purpose of meeting expenses described in subsection (8).

(7)

Those persons are—

(a)

persons falling within section 14(3)(b) or (c);

(b)

financial services providers.

(8)

Those expenses are expenses incurred, or to be incurred, by the interface body
or person listed in subsection (7), or a person acting on behalf of such a body or person, in performing duties, or exercising powers, imposed or conferred by—

(a)

regulations under this Part, or

(b)

rules made by virtue of regulations under section 14.

(9)

Regulations made in reliance on subsection (6)—

(a)

may enable rules to provide for the amount of a fee to be an amount
which is intended to exceed the cost of the things in respect of which the fee is charged;

(b)

may require or enable rules to make provision about the amount, or
maximum amount, of a fee, including provision about how a fee is to be determined;

(c)

may require or enable rules to make provision about the amount, or
maximum amount, by which the amount, or maximum amount, of a fee must or may increase and the times at which it must or may increase;

(d)

must require rules, where relevant, to require a person who determines
an amount referred to in paragraph (b) or (c) to publish information about the amount and how it is determined;

(e)

may require or enable rules to make provision about—

(i)

interest on any unpaid amounts;

(ii)

the recovery of unpaid amounts.

(10)

Regulations under section 14 may provide that powers to make FCA interface
rules include powers to do things described in section 21(1)(a) to (h) (supplementary powers) (ignoring the restriction in relation to fees in section 21(3)).

(11)

In this section, “financial services provider” and “interface-related” have the
meaning given in section 14.

(12)

The reference in subsection (5)(c) to making redress includes—

(a)

paying interest, and

(b)

providing redress in the form of a remedy or relief which could not
be awarded in legal proceedings.

16 The FCA and financial services interfaces: penalties and levies

(1)

Subsections (2) and (3) are about the provision that regulations made by the
Treasury under this Part providing for the FCA to enforce requirements under FCA interface rules may (among other things) contain in relation to financial penalties.

(2)

The regulations may require or enable the FCA—

(a)

to set the amount or maximum amount of, or of an increase in, a
penalty imposed in respect of failure to comply with a requirement imposed by the FCA in exercise of a power conferred by regulations under section 14 (whether imposed by means of FCA interface rules or an FCA additional requirement), or

(b)

to set the method for determining such an amount.

(3)

Regulations made in reliance on subsection (2)—

(a)

must require the FCA to produce and publish a statement of its policy
with respect to the amount of the penalties;

(b)

may require the policy to include specified matters;

(c)

may make provision about the procedure for producing the statement;

(d)

may require copies of the statement to be provided to specified
persons;

(e)

may require the FCA to have regard to a statement published in
accordance with the regulations.

(4)

The Treasury may by regulations—

(a)

impose, or provide for the FCA to impose, a levy on data holders or
third party recipients for the purpose of meeting expenses incurred, or to be incurred, during a period by the FCA, or by a person acting on the FCA’s behalf, in performing duties, or exercising powers, imposed or conferred on the FCA by regulations under section 14, and

(b)

make provision about what must or may be done with funds raised
by means of the levy.

(5)

Regulations under subsection (4) may only provide for a levy in respect of
expenses of the FCA to be imposed on persons that appear to the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the FCA by regulations under section 14.

(6)

Regulations under subsection (4) providing for the FCA to impose a levy
must—

(a)

make provision about how the rate of the levy is to be determined;

(b)

make provision about how the period in respect of which the levy is
payable is to be determined;

(c)

require the FCA to publish information about the rate, the period and
how they are determined.

(7)

Regulations under subsection (4) may (among other things) make provision
about—

(a)

interest on any unpaid amounts payable by way of a levy;

(b)

the recovery of such unpaid amounts.

17 The FCA and co-ordination with other regulators

The Treasury may by regulations amend section 98 of the Financial Services (Banking Reform) Act 2013 (payment systems: duty of the FCA and other regulators to ensure co-ordinated exercise of relevant functions) by—

(a)

amending the definition of “relevant functions” so as to add or remove
a function conferred on the FCA by regulations under this Part, and

(b)

amending the definition of “objectives” so as to add or remove an
objective of the FCA relevant to such a function.

Supplementary

18 Liability in damages

(1)

The Secretary of State or the Treasury may by regulations provide that a
person listed in subsection (2) is not liable in damages for anything done or omitted to be done in the exercise of functions conferred by or under regulations made under this Part.

(2)

Those persons are—

(a)

a public authority;

(b)

a member, officer or member of staff of a public authority;

(c)

a person who could be held vicariously liable for things done or
omitted to be done by a public authority.

(3)

Regulations under this section may not—

(a)

make provision removing liability for an act or omission which is
shown to have been in bad faith, or

(b)

make provision so as to prevent an award of damages made in respect
of an act or omission on the ground that the act or omission was unlawful as a result of section 6(1) of the Human Rights Act 1998.

19 Duty to review regulations

(1)

The relevant person must, by regulations, provide for the review of provision
made by the relevant person in exercise of powers to make regulations under other sections in this Part (“Part 1 provision”) (but see the exceptions in subsection (8)).

(2)

In this section, “the relevant person” means—

(a)

in relation to Part 1 provision made by the Secretary of State, the
Secretary of State, and

(b)

in relation to Part 1 provision made by the Treasury, the Treasury.

(3)

Regulations under subsection (1) must require the relevant person—

(a)

to review the Part 1 provision,

(b)

to prepare and publish a report setting out the findings of each review,
and

(c)

to lay a copy of the report before Parliament.

(4)

The regulations must require the relevant person—

(a)

to publish the report setting out the findings of the first review of the
Part 1 provision before the end of the period of 5 years beginning with the day on which the provision comes into force, and

(b)

to publish reports setting out the findings of subsequent reviews at
intervals of not more than 5 years.

(5)

The regulations must require that, in carrying out a review, the relevant
person must consider whether the Part 1 provision remains appropriate, having regard to (among other things)—

(a)

the objectives it is intended to achieve, and

(b)

to the extent that it is part of data regulations, the matters to which
the relevant person was required to have regard in deciding whether to make the provision (see sections 2(5) and 4(5)).

(6)

The regulations must provide that the relevant person may omit material
from a report before publication if the relevant person thinks that the publication of that material might harm the commercial interests of any person.

(7)

The regulations may (whether made by the Secretary of State or the Treasury)
provide for the Secretary of State and the Treasury to carry out a joint review, and to produce a joint report, in respect of Part 1 provision made by the Secretary of State and Part 1 provision made by the Treasury.

(8)

Subsection (1) does not apply in relation to—

(a)

Part 1 provision that is required to be reviewed by the relevant person
by virtue of existing regulations under this section, or

(b)

Part 1 provision that makes, amends or revokes provision described
in paragraph (a),

nor does it require the relevant person to provide for the review of Part 1 provision that has been revoked.

(9)

Section 28 of the Small Business, Enterprise and Employment Act 2015 (duty
to review regulatory provisions in secondary legislation) does not apply in relation to a power to make regulations under this Part.

20 Restrictions on processing and data protection

(1)

Except as provided by subsection (2), regulations under this Part may provide
for the processing of information in accordance with the regulations not to be in breach of—

(a)

any obligation of confidence owed by the person processing the
information, or

(b)

any other restriction on the processing of information (however
imposed).

(2)

Regulations under this Part are not to be read as authorising or requiring
processing of personal data that would contravene the data protection legislation (but in determining whether particular processing of data would do so, take into account the power conferred or duty imposed by the provision of the regulations in question).

(3)

In this section—


“the data protection legislation” has the same meaning as in the Data
Protection Act 2018 (see section 3(9) of that Act);

“personal data” has the same meaning as in that Act (see section 3(2) of
that Act).

21 Regulations under this Part: supplementary

(1)

Regulations under this Part may (among other things)—

(a)

make provision generally or in relation to particular cases;

(b)

make different provision for different purposes or areas;

(c)

make provision about the form and manner in which things must or
may be done;

(d)

make provision about the content of requests, notices or other
documents;

(e)

make provision about the time by which, or period within which,
things must or may be done;

(f)

make provision by reference to standards, arrangements, specifications
or technical requirements as published from time to time;

(g)

confer functions on a person, including functions involving the exercise
of a discretion, and make provision in connection with the procedure for exercising the functions;

(h)

make consequential, supplementary, incidental, transitional, transitory
or saving provision.

(2)

Regulations under this Part may not require or enable a person to set the
maximum amount of a fine for an offence, except that such regulations may make provision about the maximum amount referring to the standard scale, the statutory maximum or a similar amount.

(3)

Regulations under this Part may not require or enable a person to set the
amount or maximum amount of, or of an increase in, a penalty or fee or to set the method for determining such an amount, except as provided by subsection (4) and sections 15 and 16.

(4)

Regulations under this Part—

(a)

may make provision about the amount or method described in
subsection (3) referring to a published index, and

(b)

may require or enable a person to make decisions, in accordance with
a maximum amount or method set out in the regulations, about the amount of, or of an increase or reduction in, a penalty or fee payable in a particular case.

(5)

Regulations under this Part making the following types of provision may
amend, repeal or revoke primary legislation—

(a)

provision about the handling of complaints;

(b)

provision about the resolution of disputes;

(c)

provision about appeals;

(d)

provision described in subsection (1)(h).

22 Regulations under this Part: Parliamentary procedure and consultation

(1)

The following regulations under this Part are subject to the affirmative
resolution procedure—

(a)

the first regulations under each of section 2(1), (3) and (4) making
provision about a particular description of customer data,

(b)

the first regulations under each of section 4(1), (3) and (4) making
provision about a particular description of business data,

(c)

regulations under section 2 or 4 which make the requirements of
regulations under this Part more onerous for data holders or interface bodies,

(d)

regulations under section 6(5), 7, 8, 11, 12, 14, 16, 17 or 18, and

(e)

regulations described in section 21(5) which amend, repeal or revoke
primary legislation.

(2)

Other regulations under this Part are subject to the negative resolution
procedure.

(3)

Before making regulations described in subsection (1), the Secretary of State
or the Treasury (as the case may be) must consult such of the following as the Secretary of State or the Treasury considers appropriate—

(a)

persons likely to be affected by the regulations or representatives of
such persons;

(b)

sectoral regulators with functions in relation to data holders likely to
be affected by the regulations.

(4)

The requirement in subsection (3) may be satisfied by consultation undertaken
before the day on which this Act is passed.

23 Related subordinate legislation

(1)

This section is about cases in which subordinate legislation, other than
regulations under this Part, contains provision described in section 2(1) to (4) or 4(1) to (4) (and such provision is referred to in this section as “related subordinate legislation”).

(2)

The regulation-making powers under this Part may be exercised so as to
make, in connection with the related subordinate legislation, any provision that they could be exercised to make as part of, or in connection with, provision made under section 2(1) to (4) or, as appropriate, section 4(1) to (4).

(3)

In this Part, references to “data regulations” include regulations made in
reliance on subsection (2) to the extent that they make provision described in sections 2 to 7.

(4)

In this section, “subordinate legislation” has the same meaning as in the
Interpretation Act 1978 (see section 21 of that Act).

24 Repeal of provisions relating to supply of customer data

Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).

25 Other defined terms

(1)

In this Part—


application programming interface
means a facility for allowing
software to make use of facilities contained in other software;


dashboard service
means an electronic communications service by
means of which information may be requested by and provided to a person;


digital content
means data which is produced and supplied in digital
form;


electronic communications service
has the meaning given by section
32 of the Communications Act 2003;


goods
includes water, gas and electricity (however supplied);


micro business
has the meaning given by section 33 of the Small
Business, Enterprise and Employment Act 2015, read with any regulations under that section;


primary legislation
means—

(a)

an Act of Parliament;

(b)

an Act of the Scottish Parliament;

(c)

a Measure or Act of Senedd Cymru;

(d)

Northern Ireland legislation;


processing
has the same meaning as in the Data Protection Act 2018
(see section 3(4) of that Act) and related terms are to be interpreted accordingly;


“public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature;


“small business” has the meaning given by section 33 of the Small Business, Enterprise and Employment Act 2015, read with any regulations under that section;

“specified” means specified, or of a description specified, by regulations under this Part, or in exercise of a power conferred by such regulations, except to the extent otherwise provided in this Part;


“third party recipient” means—

(a)

in section 3, a third party in relation to customer data (see section 2(2)),

(b)

in sections 4 and 5, a third party recipient in relation to business data (see section 4(2)), and

(c)

in other sections, a third party recipient in relation to customer data or business data (see sections 2(2) and 4(2)).

(2)

In this Part, references to doing something “in the course of a business”
include doing something in the course of—

(a)

a trade, craft or profession, or

(b)

any other undertaking carried on for gain or reward.

(3)

In this Part—

(a)

references to making arrangements include producing model
arrangements,

(b)

references to managing a facility (or an interface that is a facility)
include operating, or overseeing the operation, of a facility,

(c)

references to managing a service (or an interface that is a service)
include providing, or overseeing the provision of, a service, and

(d)

references to managing standards or arrangements include assisting
people to use them or overseeing how they are used.

26 Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

| Term | Provision |
| --- | --- |
| application programming interface | section 25(1) |
| business, in the course of a | section 25(2) |
| business data | section 1(2) |
| customer | section 1(3) |
| customer data | section 1(2) |
| dashboard service | section 25(1) |
| data holder | section 1(2) |
| data regulations | sections 1(2) and 23(3) |
| decision-maker | section 6(2) |
| digital content | section 25(1) |
| electronic communications service | section 25(1) |
| enforcer | section 8(2) |
| the FCA | section 14(1) |
| FCA additional requirement | section 14(6) |
| FCA interface rules | section 14(2) |
| goods | section 25(1) |
| interface | section 7(1) |
| interface arrangements | section 7(1) |
| interface body | section 7(2) |
| interface standards | section 7(1) |
| making arrangements | section 25(3) |
| managing (facilities, services, standards or arrangements) | section 25(3) |
| micro business | section 25(1) |
| monitoring powers (in sections 6 and 7) | section 6(5) or 7(4)(g) (as appropriate) |
| primary legislation | section 25(1) |
| processing | section 25(1) |
| providing customer data | section 1(6)(a) |
| public authority | section 25(1) |
| receiving customer data | section 1(6)(b) |
| small business | section 25(1) |
| specified | section 25(1) |
| third party recipient | section 25(1) |
| trader | section 1(2) |

Part 2 Digital verification services

Introductory

27 Introductory

(1)

This Part contains provision to secure the reliability of digital verification
services by means of—

(a)

a trust framework (see section 28),

(b)

supplementary codes (see section 29),

(c)

a register (see section 32),

(d)

an information gateway (see section 45), and

(e)

a trust mark (see section 50).

(2)

In this Part, “digital verification services” means verification services provided
to any extent by means of the internet.

(3)

In subsection (2), “verification services” means services that are provided at
the request of an individual and consist in—

(a)

ascertaining or verifying a fact about the individual from information
provided otherwise than by the individual, and

(b)

confirming to another person that the fact about the individual has
been ascertained or verified from information so provided.

DVS trust framework and supplementary codes

28 DVS trust framework

(1)

The Secretary of State must prepare and publish a document (“the DVS trust
framework”) setting out rules concerning the provision of digital verification services.

(2)

Those rules may include (among other things) rules relating to, and to the
conduct of, a person who provides such services; and references in this Part to a person providing services in accordance with the DVS trust framework (however expressed) include a person complying with such rules.

(3)

In preparing the DVS trust framework, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(4)

The requirement in subsection (3) may be satisfied by consultation undertaken
before the coming into force of this section.

(5)

The Secretary of State may revise and republish the DVS trust framework
(whether following a review under section 31 or otherwise).

(6)

The DVS trust framework, and any revised version of the framework, must
specify the time it comes into force (which must not be a time earlier than the time it is published).

(7)

The DVS trust framework, and any revised version of the framework, may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different
purposes, and

(c)

make transitional or saving provision.

(8)

Where the Secretary of State revises and republishes the DVS trust framework,
the DVS trust framework (as revised) may provide that from a date, or from the end of a period, specified in the framework a pre-revision certificate is required to be ignored for the purposes of sections 33(1)(a), 35(1)(c), 40(1)(c) and 42(1)(c).

(9)

In subsection (8), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the
certificate are provided in accordance with the DVS trust framework, and

(b)

was issued before the time the relevant revision to the DVS trust
framework comes into force.

(10)

Provision included in the DVS trust framework in reliance on subsection (8) may make different provision in relation to different descriptions of pre-revision certificate.

29 Supplementary codes

(1)

The Secretary of State may prepare and publish one or more sets of rules
concerning the provision of digital verification services which supplement the DVS trust framework.

(2)

In this Part, a set of rules published under subsection (1) is referred to as a
supplementary code.

(3)

Those rules may include (among other things) rules relating to, and to the
conduct of, a person who provides such services; and in this Part references to a person providing services in accordance with a supplementary code (however expressed) include a person complying with such rules.

(4)

In preparing a set of rules, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(5)

The requirement in subsection (4) may be satisfied by consultation undertaken
before the coming into force of this section.

(6)

The Secretary of State may revise and republish a supplementary code
(whether following a review under section 31 or otherwise).

(7)

A supplementary code, and any revised version of a supplementary code,
must specify the time it comes into force (which must not be a time earlier than the time it is published).

(8)

A supplementary code, and any revised version of a supplementary code,
may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different
purposes, and

(c)

make transitional or saving provision.

(9)

Where the Secretary of State revises and republishes a supplementary code,
the supplementary code (as revised) may provide that from a date, or from the end of a period, specified in the code a pre-revision certificate is required to be ignored for the purposes of sections 36(1)(a), 37(1)(c), 43(1)(c) and 44(1)(c).

(10)

In subsection (9), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the
certificate are provided in accordance with the supplementary code, and

(b)

was issued before the time the relevant revision to the supplementary
code comes into force.

(11)

Provision included in a supplementary code in reliance on subsection (9) may
make different provision in relation to different descriptions of pre-revision certificate.

30 Withdrawal of a supplementary code

(1)

The Secretary of State may determine to withdraw a supplementary code.

(2)

A determination must—

(a)

be published, and

(b)

specify when the code is withdrawn, which must be a time after the
end of the period of 21 days beginning with the day on which the determination is published.

31 Review of DVS trust framework and supplementary codes

(1)

At least every 12 months, the Secretary of State must—

(a)

carry out a review of the DVS trust framework, and

(b)

at the same time, carry out a review of each supplementary code which
has not been withdrawn.

(2)

In carrying out a review under subsection (1), the Secretary of State must
consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

DVS register

32 DVS register

(1)

The Secretary of State must establish and maintain a register of persons
providing digital verification services.

(2)

The register is referred to in this Part as the DVS register.

(3)

The Secretary of State must make the DVS register publicly available.

33 Registration in the DVS register

(1)

The Secretary of State must register a person providing digital verification
services in the DVS register if—

(a)

the person holds a certificate from an accredited conformity assessment
body certifying that digital verification services provided by the person are provided in accordance with the DVS trust framework,

(b)

the person applies to be registered in the DVS register in respect of
one or more of the digital verification services to which the certificate relates,

(c)

the application complies with any requirements imposed by a
determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring
a fee to be paid.

(2)

But subsection (1) is subject to—

(a)

the power to refuse registration under section 34(1), and

(b)

the duties to refuse registration under sections 34(10) and 41(10).

(3)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the
Secretary of State may not register a person in the DVS register.

(4)

The register must record the digital verification services in respect of which
a person is, from time to time, registered.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
DVS trust framework under section 28(8).

(6)

In this Part, “accredited conformity assessment body” means a conformity
assessment body that is accredited by the UK national accreditation body in accordance with Article 5 of the Accreditation Regulation as competent to carry out assessments of whether digital verification services are provided in accordance with the DVS trust framework.

(7)

In subsection (6)


“the Accreditation Regulation” means Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93;

“conformity assessment body” has the same meaning as in the Accreditation Regulation (see Article 2(13) of that Regulation);

“the UK national accreditation body” means the UK national accreditation body for the purposes of Article 4(1) of the Accreditation Regulation.

34 Power to refuse registration in the DVS register

(1)

The Secretary of State may refuse to register a person providing digital
verification services in the DVS register if the Secretary of State—

(a)

considers that it is necessary to do so in the interests of national
security, or

(b)

is satisfied that the person is failing to comply with the DVS trust
framework in respect of one or more of the digital verification services in respect of which the person applies to be registered.

(2)

Before refusing to register a person under this section the Secretary of State
must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

considers that it is necessary to refuse to register the person in
the interests of national security, or

(ii)

is satisfied that the person is failing as mentioned in subsection (1)(b),

(c)

state whether the Secretary of State intends to specify a period in the
notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary
of State about—

(i)

the Secretary of State’s intention to refuse to register the person
in the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to
specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

Where the Secretary of State intends to refuse to register a person in reliance
on subsection (1)(a), the requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(i) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of
not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have
an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the
time at which, or the period within which, they may be made.

(7)

When deciding whether to refuse to register the person in the DVS register
under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State refuses to register the person in the DVS register
under this section, the Secretary of State must by written notice inform the person that the person’s application for registration has been refused.

(9)

The Secretary of State may, in the notice given under subsection (8), state
that any further application for registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be registered in the DVS register during the period
specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin
with the day on which the notice is given and must not exceed two years.

35 Registration of additional services

(1)

Subsection (2) applies if—

(a)

a person is registered in the DVS register,

(b)

the person applies for their entry in the register to be amended to
record additional digital verification services that the person provides in accordance with the DVS trust framework,

(c)

the person holds a certificate from an accredited conformity assessment
body certifying that the person provides the additional services in accordance with the DVS trust framework,

(d)

the application complies with any requirements imposed by a
determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring
a fee to be paid.

(2)

The Secretary of State must amend the DVS register to record that the person
is also registered in respect of the additional services referred to in subsection (1).

(3)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the
Secretary of State may not amend the DVS register as described in subsection (2).

(4)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
DVS trust framework under section 28(8).

36 Supplementary notes

(1)

Subsection (2) applies if—

(a)

a person holds a certificate from an accredited conformity assessment
body certifying that digital verification services provided by the person are provided in accordance with a supplementary code,

(b)

the person applies for a note about one or more of the services to
which the certificate relates to be included in the entry relating to that person in the DVS register,

(c)

the application complies with any requirements imposed by a
determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring
a fee to be paid.

(2)

The Secretary of State must include a note in the entry relating to the person
in the DVS register recording that the person provides, in accordance with the supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.

(3)

But subsection (2) does not apply if the supplementary code referred to in
subsection (1) has been withdrawn.

(4)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the
Secretary of State may not include a note described in subsection (2) in the DVS register.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
supplementary code as a result of section 29(9).

(6)

In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.

37 Addition of services to supplementary notes

(1)

Subsection (2) applies if—

(a)

a person has a supplementary note included in the DVS register
relating to a supplementary code,

(b)

the person applies for the note to be amended to record additional
digital verification services that the person provides in accordance with that code,

(c)

the person holds a certificate from an accredited conformity assessment
body certifying that the person provides the additional services in accordance with that code,

(d)

the application complies with any requirements imposed by a
determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring
a fee to be paid.

(2)

The Secretary of State must amend the note to record that the person also
provides the additional services referred to in subsection (1) in accordance with the supplementary code to which the note relates.

(3)

But subsection (2) does not apply if the supplementary code to which the
note relates has been withdrawn.

(4)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the
Secretary of State may not amend the note as described in subsection (2).

(5)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
supplementary code as a result of section 29(9).

38 Applications for registration, supplementary notes, etc

(1)

The Secretary of State may determine—

(a)

the form of an application under section 33, 35, 36 or 37,

(b)

the information to be contained in or provided with the application,

(c)

the documents to be provided with the application, and

(d)

the manner in which the application is to be submitted.

(2)

A determination may make different provision for different purposes.

(3)

The Secretary of State must publish a determination.

(4)

The Secretary of State may revise a determination.

(5)

If the Secretary of State revises a determination the Secretary of State must
publish the determination as revised.

39 Fees for applications for registration, supplementary notes, etc

(1)

The Secretary of State may by regulations make provision for or in connection
with—

(a)

the payment of fees for applications under sections 33, 35, 36 and 37, and

(b)

the payment of fees in connection with continued registration in the
DVS register.

(2)

The regulations may not provide for payment of fees to anyone other than
the Secretary of State.

(3)

The regulations must—

(a)

specify the amount, or the maximum amount of a fee, or

(b)

provide for a fee, or the maximum amount of a fee, to be determined
in accordance with regulations.

(4)

The regulations may provide for the amount of a fee to exceed the
administrative costs of determining the application or the administrative costs associated with the continued registration (as the case may be).

(5)

Regulations under subsection (1) may (among other things) make provision
about the following—

(a)

when fees are to be paid;

(b)

the manner in which fees are to be paid;

(c)

the payment of discounted fees;

(d)

exceptions to requirements to pay fees;

(e)

the refund of fees (in whole or in part);

(f)

interest on any unpaid amounts,

including provision conferring functions on the Secretary of State in relation to the matters in paragraphs (a) to (e).

(6)

A fee payable under regulations made under subsection (1)(b), and any interest
payable in respect of it, is recoverable summarily (or, in Scotland, recoverable) as a civil debt.

(7)

The regulations may—

(a)

make different provision for different purposes;

(b)

make transitional, transitory or saving provision.

(8)

Regulations under this section are subject to the negative resolution procedure.

40 Duty to remove person from the DVS register

(1)

The Secretary of State must remove a person from the DVS register if the
person—

(a)

asks to be removed from the register,

(b)

ceases to provide all of the digital verification services in respect of
which the person is registered in the register, or

(c)

no longer holds a certificate from an accredited conformity assessment
body certifying that at least one of those digital verification services is provided in accordance with the DVS trust framework.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
DVS trust framework under section 28(8).

41 Power to remove person from the DVS register

(1)

The Secretary of State may remove a person from the DVS register if—

(a)

the Secretary of State is satisfied that the person is failing to comply
with the DVS trust framework when providing one or more of the digital verification services in respect of which the person is registered,

(b)

the person has a supplementary note included in the DVS register and
the Secretary of State is satisfied that the person is failing to comply with the supplementary code to which the note relates when providing one or more of the digital verification services recorded in the note,

(c)

the Secretary of State is satisfied that the person has failed to provide
the Secretary of State with information in accordance with a notice under section 51, or

(d)

the Secretary of State considers that it is necessary to do so in the
interests of national security.

(2)

Before removing a person from the DVS register under this section the
Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

is satisfied that the person is failing or has failed as mentioned
in subsection (1)(a) to (c), or

(ii)

considers that it is necessary to remove the person from the
DVS register in the interests of national security,

(c)

state whether the Secretary of State intends to specify a period in the
notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary
of State about—

(i)

the Secretary of State’s intention to remove the person from
the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to
specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

The requirement in subsection (3)(b) does not apply if, or to the extent that,
the Secretary of State considers that stating the reason described in subsection (3)(b)(ii) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of
not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have
an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the
time at which, or the period within which, they may be made.

(7)

When deciding whether to remove the person from the DVS register under
this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State removes the person from the DVS register under
this section, the Secretary of State must by written notice inform the person of that.

(9)

The Secretary of State may, in the notice given under subsection (8), state
that any application for re-registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be re-registered during the period specified in the
notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin
with the day on which the notice is given and must not exceed two years.

42 Duty to remove services from the DVS register

(1)

Where a person is registered in the DVS register in respect of digital
verification services, subsection (2) applies if the person—

(a)

asks for the register to be amended so that the person is no longer
registered in respect of one or more of those services,

(b)

ceases to provide one or more of those services (but not all of them),
or

(c)

no longer holds a certificate from an accredited conformity assessment
body certifying that all of those services are provided in accordance with the DVS trust framework.

(2)

The Secretary of State must amend the register to record that the person is
no longer registered in respect of (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as
described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
DVS trust framework under section 28(8).

43 Duty to remove supplementary notes from the DVS register

(1)

The Secretary of State must remove a supplementary note included in the
entry in the DVS register relating to a person if—

(a)

the person asks for the note to be removed,

(b)

the person ceases to provide all of the digital verification services to
which the note relates,

(c)

the person no longer holds a certificate from an accredited conformity
assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code to which the note relates, or

(d)

the supplementary code to which the note relates has been withdrawn.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
supplementary code as a result of section 29(9).

44 Duty to remove services from supplementary notes

(1)

Where a person has a supplementary note included in their entry in the DVS
register in respect of digital verification services, subsection (2) applies if the person—

(a)

asks for the note to be amended so that it no longer records one or
more of those services,

(b)

ceases to provide one or more of the services recorded in the note (but
not all of them), or

(c)

no longer holds a certificate from an accredited conformity assessment
body certifying that all of the services included in the note are provided in accordance with a supplementary code.

(2)

The Secretary of State must amend the supplementary note so it no longer
records (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as
described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the
supplementary code as a result of section 29(9).

Information gateway

45 Power of public authority to disclose information to registered person

(1)

This section applies where—

(a)

a person is registered in the DVS register, and

(b)

an individual makes a request to the person for the provision of digital
verification services in respect of which the person is registered.

(2)

A public authority may disclose to the person information relating to the
individual for the purpose of enabling the person to provide the digital verification services for the individual.

(3)

A disclosure of information under this section does not breach—

(a)

any obligation of confidence owed by the public authority making the
disclosure, or

(b)

any other restriction on the disclosure of information (however
imposed).

(4)

But this section does not authorise a disclosure of information which—

(a)

would contravene the data protection legislation (but in determining
whether a disclosure would do so, the power conferred by this section is to be taken into account), or

(b)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.

(5)

This section does not authorise a public authority to disclose information
obtained by the authority otherwise than in connection with the exercise by the authority of functions of a public nature.

(6)

This section does not affect a power to disclose information that exists apart
from this section.

(7)

A public authority may charge a person fees in respect of the disclosure to
the person of information under this section.

(8)

In this section—


“data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

“public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

46 Information disclosed by the Revenue and Customs

(1)

This section applies where the Revenue and Customs disclose personal
information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom the Revenue and Customs disclose the information, must not further disclose the information, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(4)

If a person discloses information in contravention of this section, section 19
of the Commissioners for Revenue and Customs Act 2005 (offence of wrongful disclosure) applies in relation to that disclosure as it applies in relation to a disclosure of information in contravention of section 20(9) of that Act.

(5)

In this section—


“personal information” means information relating to a person whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it;


“the Revenue and Customs” has the meaning given by section 17(3) of the Commissioners for Revenue and Customs Act 2005.

47 Information disclosed by the Welsh Revenue Authority

(1)

This section applies where the Welsh Revenue Authority discloses personal
information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of the Welsh Revenue Authority.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom the Welsh Revenue Authority discloses the information, must not further disclose the information, except with the consent of the Welsh Revenue Authority.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to
prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the
public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person
whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

48 Information disclosed by Revenue Scotland

(1)

This section applies where Revenue Scotland discloses personal information
to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of Revenue Scotland.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom Revenue Scotland discloses the information, must not further disclose the information, except with the consent of Revenue Scotland.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to
prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the
public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person
whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

49 Code of practice about the disclosure of information

(1)

The Secretary of State must prepare and publish a code of practice about the
disclosure of information under section 45.

(2)

The code of practice must be consistent with the code of practice prepared
under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act (as altered or replaced from time to time).

(3)

A public authority must have regard to the code of practice in disclosing
information under section 45.

(4)

The Secretary of State may from time to time revise and republish the code
of practice.

(5)

In preparing or revising the code of practice, the Secretary of State must
consult—

(a)

the Information Commissioner,

(b)

the Welsh Ministers,

(c)

the Scottish Ministers,

(d)

the Department of Finance in Northern Ireland, and

(e)

such other persons as the Secretary of State considers appropriate.

(6)

The requirement in subsection (5) may be satisfied by consultation undertaken
before the coming into force of this section.

(7)

The Secretary of State may not publish the first version of the code of practice
unless a draft of the code has been laid before, and approved by a resolution of, each House of Parliament.

(8)

The Secretary of State may not republish the code of practice following its
revision unless—

(a)

a draft of the code as revised has been laid before each House of
Parliament, and

(b)

the 40-day period has expired without either House of Parliament
resolving not to approve the draft.

(9)

“The 40-day period” means—

(a)

the period of 40 days beginning with the day on which the draft is
laid before Parliament, or

(b)

if the draft is not laid before each House on the same day, the period
of 40 days beginning with the later of the days on which it is laid before Parliament.

(10)

In calculating the 40-day period, no account is to be taken of any whole days
that fall within a period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

(11)

In this section, “public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

Trust mark

50 Trust mark for use by registered persons

(1)

The Secretary of State may designate a mark for use in the course of providing,
or offering to provide, digital verification services.

(2)

A mark designated under this section must be published by the Secretary of
State.

(3)

A mark designated under this section may not be used by a person in the
course of providing, or offering to provide, digital verification services unless the person is registered in the DVS register in respect of those digital verification services.

(4)

The Secretary of State may enforce subsection (3) in civil proceedings for an
injunction or, in Scotland, an interdict.

Supplementary

51 Power of Secretary of State to require information

(1)

The Secretary of State may by written notice require—

(a)

an accredited conformity assessment body, or

(b)

a person registered in the DVS register,

to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.

(2)

A notice under this section must state why the information is required for
the purposes of the exercise of those functions.

(3)

A notice under this section—

(a)

may specify or describe particular information or a category of
information;

(b)

may specify the form in which the information must be provided;

(c)

may specify the time at which, or the period within which, the
information must be provided;

(d)

may specify the place where the information must be provided.

(4)

A notice under this section that is given to a person registered in the DVS
register must provide information about the consequences under section 41 of failure to comply with the notice.

(5)

The Secretary of State may cancel a notice under this section by notice to the
person to whom it was given.

(6)

A disclosure of information required by a notice under this section does not
breach—

(a)

any obligation of confidence owed by the person making the disclosure,
or

(b)

any other restriction on the disclosure of information (however
imposed).

(7)

But a notice under this section does not require a disclosure of information
if the disclosure—

(a)

would contravene section 46, 47 or 48,

(b)

would contravene the data protection legislation (but in determining
whether a disclosure would do so, the duty imposed by the notice is to be taken into account), or

(c)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.

(8)

A notice under this section does not require a person to provide the Secretary
of State with information in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under this Part.

(9)

In subsection (8), references to the client of a professional legal adviser include
references to a person acting on behalf of the client.

(10)

A notice under this section does not require a person to provide the Secretary
of State with information if doing so would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(11)

The reference to an offence in subsection (10) does not include an offence
under—

(a)

section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);

(b)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);

(c)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn statements).

(12)

In this section, “data protection legislation” has the same meaning as in the
Data Protection Act 2018 (see section 3(9) of that Act).

52 Arrangements for third party to exercise functions

(1)

The Secretary of State may make arrangements for a person prescribed by
regulations under this section to exercise a relevant function of the Secretary of State (and, where arrangements are made, references in this Part, or in regulations made under this Part, to the Secretary of State are to be read accordingly).

(2)

Arrangements under this section may—

(a)

provide for the Secretary of State to make payments to the person,
and

(b)

make provision as to the circumstances in which any such payments
are to be repaid to the Secretary of State.

(3)

Regulations under this section are subject to the affirmative resolution
procedure.

(4)

In this section, “relevant function” means a function of the Secretary of State
conferred by or under this Part (including the function of charging or recovering fees under regulations under section 39) other than a power to make regulations.

(5)

If a person exercises the function of charging or recovering fees by virtue of
arrangements under this section, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise.

53 Report on the operation of this Part

(1)

The Secretary of State must prepare and publish reports on the operation of
this Part.

(2)

The first report must be published within the period of 12 months beginning
with the day on which section 28 comes into force.

(3)

The reports must be published not more than 12 months apart.

54 Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

| Term | Provision |
| --- | --- |
| accredited conformity assessment body | section 33(6) |
| digital verification services | section 27(2) |
| the DVS register | section 32(2) |
| the DVS trust framework | section 28(1) |
| supplementary code | section 29(2) |
| supplementary note | section 36(6) |

55 Powers relating to verification of identity or status

(1)

In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty
for employing a person subject to immigration control), after subsection (7) insert—

“(8)

An order under subsection (3) containing provision described in
subsection (7)(a), (b) or (c) may, in particular—

(a)

specify a document generated by a DVS-registered person or
a DVS-registered person of a specified description;

(b)

specify a document which was provided to such a person in
order to generate such a document;

(c)

specify steps involving the use of services provided by such a
person.

(9)

In subsection (8), “DVS-registered person” means a person who is
registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(10)

An order under subsection (3) which specifies a description of
DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section 36 of the Data (Use and Access) Act 2024).”

(2)

In section 34 of the Immigration Act 2014 (requirements which may be
prescribed for the purposes of provisions about occupying premises under a residential tenancy agreement)—

(a)

in subsection (1)—

(i)

in paragraph (a), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”,

(ii)

in paragraph (b), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”, and

(iii)

in paragraph (c), at the end insert “, including steps involving
the use of services provided by a DVS-registered person or a DVS-registered person of a prescribed description”, and

(b)

after that subsection insert—

“(1A)

An order prescribing requirements for the purposes of this
Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—

(a)

prescribe a document generated by a DVS-registered
person or a DVS-registered person of a prescribed description;

(b)

prescribe a document which was provided to such a
person in order to generate such a document.

(1B)

In subsections (1) and (1A), “DVS-registered person” means a
person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(1C)

An order prescribing requirements for the purposes of this
Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2024).”

(3)

In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders
etc), after paragraph 5 insert—

“Prescribed checks and documents

5A

(1)

Regulations under paragraph 5(6)(b) or (c) may, in particular—

(a)

prescribe checks carried out using services provided by a
DVS-registered person or a DVS-registered person of a prescribed description;

(b)

prescribe documents generated by such a person;

(c)

prescribe documents which were provided to such a person
in order to generate such documents.

(2)

In sub-paragraph (1), “DVS-registered person” means a person who
is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(3)

Regulations under paragraph 5(6)(b) or (c) which prescribe a
description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2024).”

Part 3 National Underground Asset Register

56 National Underground Asset Register: England and Wales

(1)

After section 106 of the New Roads and Street Works Act 1991 insert—

“Part 3A National Underground Asset Register: England and Wales

The register

106A National Underground Asset Register

(1)

The Secretary of State must keep a register of information relating to
apparatus in streets in England and Wales.

(2)

The register is to be known as the National Underground Asset
Register (and is referred to in this Act as “NUAR”).

(3)

NUAR must be kept in such form and manner as may be prescribed.

(4)

The Secretary of State must make arrangements so as to enable any
person who is required, by a provision of this Act, to enter information into NUAR to have access to NUAR for that purpose.

(5)

Regulations under subsection (3) are subject to the negative procedure.

(6)

The obligations of the Secretary of State under subsection (1) and
under Article 45A(1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (keeping of register of information relating to apparatus in streets in Northern Ireland) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland.

106B Initial upload of information into NUAR

(1)

Before the end of the initial upload period an undertaker having
apparatus in a street must enter into NUAR—

(a)

all information that is included in the undertaker’s records
under section 79(1) on the archive upload date, and

(b)

any other information of a prescribed description that is held
by the undertaker on that date.

(2)

The duty under subsection (1) does not apply in such cases as may
be prescribed.

(3)

Information must be entered into NUAR under subsection (1) in such
form and manner as may be prescribed.

(4)

An undertaker who fails to comply with a duty placed on the
undertaker under this section—

(a)

commits an offence, and

(b)

is liable to compensate any person in respect of damage or loss
incurred by the person in consequence of the failure.

(5)

A person who commits an offence under subsection (4)(a) is liable on
summary conviction to a fine.

(6)

In criminal or civil proceedings against an undertaker arising out of
a failure to comply with a duty under this section, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by—

(a)

the undertaker and the undertaker’s employees, and

(b)

any contractor of the undertaker and the undertaker’s
employees.

(7)

Section 95 applies in relation to an offence under this section as it
applies in relation to an offence under Part 3.

(8)

For the purposes of subsection (1) the Secretary of State must by
regulations—

(a)

specify a date as “the archive upload date”, and

(b)

specify a period beginning with that date as the “initial upload
period”.

(9)

Regulations under this section are subject to the negative procedure.

106C Access to information kept in NUAR

(1)

The Secretary of State may by regulations make provision for or in
connection with making information kept in NUAR available.

(2)

The regulations may (among other things)—

(a)

make provision about which information, or descriptions of
information, may be made available;

(b)

make provision about the descriptions of person to whom
information may be made available;

(c)

make provision for information to be made available subject
to exceptions;

(d)

make provision requiring or authorising the Secretary of State
to adapt, modify or obscure information before making it available;

(e)

make provision authorising all information kept in NUAR to
be made available to prescribed descriptions of person under prescribed conditions;

(f)

make provision about the purposes for which information may
be made available;

(g)

make provision about the form and manner in which
information may be made available;

(h)

make provision for or in connection with the granting of
licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence);

(i)

make provision for information to be made available for free
or for a fee;

(j)

make provision about the amounts of the fees, including
provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;

(k)

make provision about how funds raised by means of fees must
or may be used, including provision for funds to be paid to persons who are required, by a provision of this Act, to enter information into NUAR.

(3)

Except as otherwise prescribed and subject to section 106H, processing
of information by the Secretary of State in exercise of functions conferred by or under section 106A or this section does not breach—

(a)

an obligation of confidence owed by the Secretary of State, or

(b)

any other restriction on the processing of information (however
imposed).

(4)

Regulations under this section are subject to the affirmative procedure.

(5)

In this section—


“database right” has the same meaning as in Part 3 of the Copyright and Rights in Databases Regulations 1997 (S.I. 1997/3032);

“non-Crown IP right” means any copyright, database right or other intellectual property right which is not owned by the Crown.

Requirements for undertakers to pay fees and provide information

106D Fees payable by undertakers in relation to NUAR

(1)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under this Part.

(2)

The regulations may—

(a)

specify the amounts of the fees, or the maximum amounts of
the fees, or

(b)

provide for the amounts of the fees, or the maximum amounts
of the fees, to be determined in accordance with the regulations.

(3)

In making the regulations the Secretary of State must seek to secure
that, so far as possible and taking one year with another, combined NUAR income matches combined NUAR expenses.

(4)

Except where the regulations specify the amounts of the fees—

(a)

the amounts of the fees must be specified by the Secretary of
State in a statement, and

(b)

the Secretary of State must—

(i)

publish the statement, and

(ii)

lay it before Parliament.

(5)

Regulations under subsection (1) may make provision about—

(a)

when a fee is to be paid;

(b)

the manner in which a fee is to be paid;

(c)

the payment of discounted fees;

(d)

exceptions to requirements to pay fees;

(e)

the refund of all or part of a fee which has been paid.

(6)

Before making regulations under subsection (1), the Secretary of State
must consult—

(a)

such representatives of persons likely to be affected by the
regulations as the Secretary of State considers appropriate, and

(b)

such other persons as the Secretary of State considers
appropriate.

(7)

Subject to the following provisions of this section regulations under subsection (1) are subject to the affirmative procedure.

(8)

Regulations under subsection (1) that only make provision of a kind
mentioned in subsection (2) are subject to the negative procedure.

(9)

But the first regulations under subsection (1) that make provision of
a kind mentioned in subsection (2) are subject to the affirmative procedure.

(10)

In this section—


“combined NUAR expenses” means the sum of—

(a)

expenses incurred by the Secretary of State in, or in
connection with, exercising functions conferred by or under this Part (including expenses not directly connected with the keeping of NUAR), and

(b)

expenses incurred by the Secretary of State in, or in
connection with, exercising functions conferred by or under Articles 45A to 45H of, and Schedule 2ZA to, the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (including expenses not directly connected with the keeping of the register kept under Article 45A(1) of that Order);


“combined NUAR income” means the sum of—

(a)

income received by the Secretary of State from fees
payable under regulations under subsection (1), and

(b)

income received by the Secretary of State from fees
payable under regulations under Article 45D(1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)).

106E Providing information for purposes of regulations under section 106D

(1)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a)

assisting the Secretary of State in determining the provision
that it is appropriate for regulations under section 106D(1) or a statement under section 106D(4) to make;

(b)

assisting the Secretary of State in determining whether it is
appropriate to make changes to such provision.

(2)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a)

ascertaining whether a fee is payable by a person under
regulations under section 106D(1);

(b)

working out the amount of a fee payable by a person.

(3)

Regulations under subsection (1) or (2) may require an undertaker to
notify the Secretary of State of any changes to information previously provided under the regulations.

(4)

Regulations under subsection (1) or (2) may make provision about—

(a)

when information is to be provided (which may be at
prescribed intervals);

(b)

the form and manner in which information is to be provided;

(c)

exceptions to requirements to provide information.

(5)

Regulations under subsection (1) or (2) are subject to the negative
procedure.

Monetary penalties

106F Monetary penalties

Schedule 5A makes provision about the imposition of penalties in
connection with requirements imposed by regulations under sections 106D(1) and 106E(1) and (2).

Exercise of functions by third party

106G Arrangements for third party to exercise functions

(1)

The Secretary of State may make arrangements for a prescribed person
to exercise a relevant function of the Secretary of State.

(2)

More than one person may be prescribed.

(3)

Arrangements under this section may—

(a)

provide for the Secretary of State to make payments to the
person, and

(b)

make provision as to the circumstances in which such payments
are to be repaid to the Secretary of State.

(4)

In the case of the exercise of a function by a person authorised by
arrangements under this section to exercise that function, a reference in this Part or in regulations under this Part to the Secretary of State in connection with that function is to be read as a reference to that person.

(5)

Arrangements under this section do not prevent the Secretary of State
from exercising a function to which the arrangements relate.

(6)

Except as otherwise prescribed and subject to section 106H, the
disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this section or exercise of functions to which such arrangements relate does not breach—

(a)

an obligation of confidence owed by the person making the
disclosure, or

(b)

any other restriction on the disclosure of information (however
imposed).

(7)

Regulations under this section are subject to the affirmative procedure.

(8)

In this section “relevant function” means a function of the Secretary
of State conferred by or under this Part (including the function of charging or recovering fees under regulations under section 106D) other than—

(a)

a power to make regulations, or

(b)

a function under section 106D(4) (specifying of fees etc).

(9)

If a person exercises the function of charging or recovering fees by
virtue of arrangements under this section, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise.

Data protection

106H Data protection

(1)

A duty or power to process information that is imposed or conferred
by or under this Part does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account).

(2)

In this section—


“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

“personal data” has the same meaning as in that Act (see section 3(2) of that Act).

Supplementary provisions

106I Regulations under this Part

(1)

In this Part “prescribed” means prescribed by regulations made by
the Secretary of State.

(2)

Regulations under this Part may make—

(a)

different provision for different purposes;

(b)

supplementary and incidental provision.

(3)

Regulations under this Part are to be made by statutory instrument.

(4)

Before making regulations under this Part the Secretary of State must
consult the Welsh Ministers and the Department for Infrastructure in Northern Ireland.

(5)

Where regulations under this Part are subject to “the affirmative
procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament.

(6)

Where regulations under this Part are subject to “the negative
procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.

(7)

Any provision that may be made in regulations under this Part subject
to the negative procedure may be made in regulations subject to the affirmative procedure.

106J Interpretation

(1)

In this Part the following terms have the same meaning as in Part 3—


“apparatus” (see sections 89(3) and 105(1));

“in” (in a context referring to apparatus in a street) (see section 105(1));

“street” (see section 48(1) and (2));

“undertaker” (in relation to apparatus or in a context referring to having apparatus in a street) (see sections 48(5) and 89(4)).

(2)

In this Part “processing” has the same meaning as in the Data
Protection Act 2018 (see section 3(4) of that Act) and “process” is to be read accordingly.”

(2)

Section 166 of the New Roads and Street Works Act 1991, so far as relating
to Part 3A of that Act (inserted by subsection (1)), extends to England and Wales.

(3)

In section 167 of that Act (Crown application), after subsection (5) insert—

“(5A)

The provisions of Part 3A of this Act (National Underground Asset
Register: England and Wales) bind the Crown.

(5B)

Nothing in subsection (5A) is to be construed as authorising the
bringing of proceedings for a criminal offence against a person acting on behalf of the Crown.”

(4)

Schedule 1 to this Act inserts Schedule 5A into the New Roads and Street
Works Act 1991 (monetary penalties).

57 Information in relation to apparatus: England and Wales

(1)

The New Roads and Street Works Act 1991 is amended in accordance with
subsections (2) to (6).

(2)

For the italic heading before section 79 (records of location of apparatus)
substitute “Duties in relation to recording and sharing of information about apparatus”.

(3)

In section 79—

(a)

for the heading substitute “Information in relation to apparatus”;

(b)

in subsection (1), for paragraph (c) substitute—

“(c)

being informed of its location under section 80(2)(a),”;

(c)

after subsection (1A) (as inserted by section 46(2) of the Traffic
Management Act 2004) insert—

“(1B)

An undertaker must, except in such cases as may be prescribed,
record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after—

(a)

placing the item in the street or altering its position,

(b)

inspecting, maintaining, adjusting, repairing, altering
or renewing the item,

(c)

locating the item in the street in the course of executing
any other works, or

(d)

receiving any such information in relation to the item
under section 80(2)(a).”;

(d)

omit subsection (3);

(e)

in subsection (3A) (as inserted by section 46(4) of the Traffic
Management Act 2004)—

(i)

for “to (3)” substitute “and (2A)”;

(ii)

for “subsection (1)” substitute “this section”;

(f)

after subsection (3A) insert—

“(3B)

Except in such cases as may be prescribed, where an undertaker
records information as required by subsection (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR.

(3C)

Information must be entered into NUAR under subsection (3B) in such form and manner as may be prescribed.”;

(g)

in subsection (4)(a), omit “not exceeding level 5 on the standard scale”;

(h)

after subsection (6) insert—

“(7)

In this section “prescribed” means—

(a)

in subsections (1) to (2)—

(i)

in relation to apparatus in streets in England,
prescribed by regulations made by the Secretary of State;

(ii)

in relation to apparatus in streets in Wales,
prescribed by regulations made by the Secretary of State or the Welsh Ministers;

(b)

otherwise, prescribed by regulations made by the
Secretary of State.

(8)

Before making regulations under this section the Secretary of
State must consult the Welsh Ministers.

(9)

For the meaning of “NUAR”, see section 106A.”

(4)

For section 80 (duty to inform undertakers of location of apparatus)
substitute—

“80 Duties to report missing or incorrect information in relation to
apparatus

(1)

Subsection (2) applies where a relevant person executing works of any
description in a street finds an item of apparatus which does not belong to the person in relation to which prescribed information—

(a)

is not entered in NUAR, or

(b)

is entered in NUAR but is incorrect.

(2)

Except in such cases as may be prescribed, the person must—

(a)

take such steps as are reasonably practicable to inform the
undertaker to whom the item belongs of the missing or incorrect information, and

(b)

if (having taken such steps) the person is unable to inform the
undertaker to whom the item belongs of the missing or incorrect information, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item.

(3)

A person who fails to comply with subsection (2) commits an offence.

(4)

A person who commits an offence under subsection (3) is liable on
summary conviction to a fine not exceeding level 4 on the standard scale.

(5)

Before making regulations under this section the Secretary of State
must consult—

(a)

the Welsh Ministers,

(b)

such representatives of persons likely to be affected by the
regulations as the Secretary of State considers appropriate, and

(c)

such other persons as the Secretary of State considers
appropriate.

(6)

For the purposes of this section a person executing works in a street
is a “relevant person” if the person has, pursuant to regulations under section 106C(1), access to NUAR in relation to the street in question.

(7)

For the meaning of “NUAR”, see section 106A.”

(5)

Before section 81 (duty to maintain apparatus) insert—

“Other duties and liabilities of undertakers in relation to apparatus”.

(6)

In section 104 (regulations)—

(a)

in subsection (1)—

(i)

after “Part” insert “, except in section 79,”;

(ii)

omit from “, which” to the end;

(b)

after subsection (1) insert—

“(1A)

Regulations under this Part may make—

(a)

different provision for different cases;

(b)

supplementary or incidental provision.”;

(c)

in subsection (2), after “Regulations” insert “made by the Secretary of
State”;

(d)

after subsection (2) insert—

“(2A)

Regulations made by the Welsh Ministers under section 79 are
to be made by statutory instrument and a statutory instrument containing such regulations is subject to annulment in pursuance of a resolution of Senedd Cymru.”

(7)

In consequence of the provision made by subsection (4), omit section 47 of
the Traffic Management Act 2004.

(8)

The Street Works (Records) (England) Regulations 2002 (S.I. 2002/3217) have
effect as if the reference to England in regulation 1(2) were a reference to England and Wales.

(9)

The Street Works (Records) (Wales) Regulations 2005 (S.I. 2005/1812) are
revoked.

(10)

In Schedule 7B to the Government of Wales Act 2006 (general restriction on
competence of Senedd Cymru), in paragraph 11(6)(b) (exceptions to restrictions relating to Ministers of the Crown), before sub-paragraph (i) insert—

“(ai)

section 79 of the New Roads and Street Works Act
1991;”.

58 National Underground Asset Register: Northern Ireland

(1)

The Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) is
amended in accordance with subsections (2) to (4).

(2)

In Article 2 (interpretation), in paragraph (2)—

(a)

after the definition of “in” insert—

““NUAR provision” means any of Articles 45A to 45H and Schedule 2ZA;”;

(b)

in the definition of “prescribed”—

(i)

for “means” substitute “means—”;

(ii)

the words from “prescribed by” to the end become paragraph
(a);

(iii)

at the beginning of that paragraph insert “except in Articles 39
and 40 and a NUAR provision,”;

(iv)

after that paragraph insert—

“(b)

in Article 40 and a NUAR provision, prescribed
by regulations made by the Secretary of State;”.

(3)

After Article 45 insert—

“National Underground Asset Register

45A National Underground Asset Register

(1)

The Secretary of State must keep a register of information relating to
apparatus in streets in Northern Ireland.

(2)

The register is to be known as the National Underground Asset
Register (and is referred to in this Order as “NUAR”).

(3)

NUAR must be kept in such form and manner as may be prescribed.

(4)

The Secretary of State must make arrangements so as to enable any
person who is required, by a provision of this Order, to enter information into NUAR to have access to NUAR for that purpose.

(5)

The obligations of the Secretary of State under paragraph (1) and
under section 106A(1) of the New Roads and Street Works Act 1991 (keeping of register of information relating to apparatus in streets in England and Wales) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland.

45B Initial upload of information into NUAR

(1)

Before the end of the initial upload period an undertaker having
apparatus in a street must enter into NUAR—

(a)

all information that is included in the undertaker’s records
under Article 39(1) on the archive upload date, and

(b)

any other information of a prescribed description that is held
by the undertaker on that date.

(2)

The duty under paragraph (1) does not apply in such cases as may
be prescribed.

(3)

Information must be entered into NUAR under paragraph (1) in such
form and manner as may be prescribed.

(4)

An undertaker who fails to comply with a duty placed on the
undertaker under this paragraph—

(a)

commits an offence, and

(b)

is liable to compensate any person in respect of damage or loss
incurred by the person in consequence of the failure.

(5)

A person who commits an offence under paragraph (4)(a) is liable on
summary conviction to a fine not exceeding level 5 on the standard scale.

(6)

In criminal or civil proceedings against an undertaker arising out of
a failure to comply with a duty under this Article, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by—

(a)

the undertaker and the undertaker’s employees, and

(b)

any contractor of the undertaker and the undertaker’s
employees.

(7)

For the purposes of paragraph (1) the Secretary of State must by
regulations—

(a)

specify a date as “the archive upload date”, and

(b)

specify a period beginning with that date as the “initial upload
period”.

45C Access to information kept in NUAR

(1)

The Secretary of State may by regulations make provision for or in
connection with making information kept in NUAR available.

(2)

The regulations may (among other things)—

(a)

make provision about which information, or descriptions of
information, may be made available;

(b)

make provision about the descriptions of person to whom
information may be made available;

(c)

make provision for information to be made available subject
to exceptions;

(d)

make provision requiring or authorising the Secretary of State
to adapt, modify or obscure information before making it available;

(e)

make provision authorising all information kept in NUAR to
be made available to prescribed descriptions of person under prescribed conditions;

(f)

make provision about the purposes for which information may
be made available;

(g)

make provision about the form and manner in which
information may be made available;

(h)

make provision for or in connection with the granting of
licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence);

(i)

make provision for information to be made available for free
or for a fee;

(j)

make provision about the amounts of the fees, including
provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;

(k)

make provision about how funds raised by means of fees must
or may be used, including provision for funds to be paid to persons who are required, by a provision of this Order, to enter information into NUAR.

(3)

Except as otherwise prescribed and subject to Article 45H, processing
of information by the Secretary of State in exercise of functions conferred by or under Article 45A or this Article does not breach—

(a)

an obligation of confidence owed by the Secretary of State, or

(b)

any other restriction on the processing of information (however
imposed).

(4)

In this Article—


“database right” has the same meaning as in Part 3 of the Copyright and Rights in Databases Regulations 1997 (S.I. 1997/3032);


“non-Crown IP right” means any copyright, database right or other intellectual property right which is not owned by the Crown;


“processing” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act).

45D Fees payable by undertakers in relation to NUAR

(1)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under a NUAR provision.

(2)

The regulations may—

(a)

specify the amounts of the fees, or the maximum amounts of
the fees, or

(b)

provide for the amounts of the fees, or the maximum amounts
of the fees, to be determined in accordance with the regulations.

(3)

In making the regulations the Secretary of State must seek to secure
that, so far as possible and taking one year with another, combined NUAR income matches combined NUAR expenses.

(4)

Except where the regulations specify the amounts of the fees—

(a)

the amounts of the fees must be specified by the Secretary of
State in a statement, and

(b)

the Secretary of State must—

(i)

publish the statement, and

(ii)

lay it before Parliament.

(5)

Regulations under paragraph (1) may make provision about—

(a)

when a fee is to be paid;

(b)

the manner in which a fee is to be paid;

(c)

the payment of discounted fees;

(d)

exceptions to requirements to pay fees;

(e)

the refund of all or part of a fee which has been paid.

(6)

Before making regulations under paragraph (1), the Secretary of State
must consult—

(a)

such representatives of persons likely to be affected by the
regulations as the Secretary of State considers appropriate, and

(b)

such other persons as the Secretary of State considers
appropriate.

(7)

In this Article—


“combined NUAR expenses” means the sum of—

(a)

expenses incurred by the Secretary of State in, or in
connection with, exercising functions conferred by or under a NUAR provision (including expenses not directly connected with the keeping of NUAR), and

(b)

expenses incurred by the Secretary of State in, or in
connection with, exercising functions conferred by or under Part 3A of the New Roads and Street Works Act 1991 (including expenses not directly connected with the keeping of the register kept under section 106A(1) of that Act);


“combined NUAR income” means the sum of—

(a)

income received by the Secretary of State from fees
payable under regulations under paragraph (1), and

(b)

income received by the Secretary of State from fees
payable under regulations under section 106D(1) of the New Roads and Street Works Act 1991.

45E Providing information for purposes of regulations under Article 45D

(1)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a)

assisting the Secretary of State in determining the provision
that it is appropriate for regulations under Article 45D(1) or a statement under Article 45D(4) to make;

(b)

assisting the Secretary of State in determining whether it is
appropriate to make changes to such provision.

(2)

The Secretary of State may by regulations make provision requiring
undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a)

ascertaining whether a fee is payable by a person under
regulations under Article 45D(1);

(b)

working out the amount of a fee payable by a person.

(3)

Regulations under paragraph (1) or (2) may require an undertaker to
notify the Secretary of State of any changes to information previously provided under the regulations.

(4)

Regulations under paragraph (1) or (2) may make provision about—

(a)

when information is to be provided (which may be at
prescribed intervals);

(b)

the form and manner in which information is to be provided;

(c)

exceptions to requirements to provide information.

45F Monetary penalties

Schedule 2ZA makes provision about the imposition of penalties in
connection with requirements imposed by regulations under Articles 45D(1) and 45E(1) and (2).

45G Arrangements for third party to exercise functions

(1)

The Secretary of State may make arrangements for a prescribed person
to exercise a relevant function of the Secretary of State.

(2)

More than one person may be prescribed.

(3)

Arrangements under this Article may—

(a)

provide for the Secretary of State to make payments to the
person, and

(b)

make provision as to the circumstances in which such payments
are to be repaid to the Secretary of State.

(4)

In the case of the exercise of a function by a person authorised by
arrangements under this Article to exercise that function, a reference in a NUAR provision or in regulations under a NUAR provision to the Secretary of State in connection with that function is to be read as a reference to that person.

(5)

Arrangements under this Article do not prevent the Secretary of State
from exercising a function to which the arrangements relate.

(6)

Except as otherwise prescribed and subject to Article 45H, the
disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this Article or exercise of functions to which such arrangements relate does not breach—

(a)

an obligation of confidence owed by the person making the
disclosure, or

(b)

any other restriction on the disclosure of information (however
imposed).

(7)

In this Article “relevant function” means a function of the Secretary
of State conferred by or under a NUAR provision (including the function of charging or recovering fees under regulations under Article 45D) other than—

(a)

a power to make regulations, or

(b)

a function under Article 45D(4) (specifying of fees etc).

(8)

If a person exercises the function of charging or recovering fees by
virtue of arrangements under this Article, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise.

45H Data protection

(1)

A duty or power to process information that is imposed or conferred
by or under a NUAR provision does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account).

(2)

In this Article—


“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);


“personal data” has the same meaning as in that Act (see section 3(2) of that Act);


“processing” has the same meaning as in that Act (see section 3(4) of that Act).”

(4)

In Article 59 (regulations)—

(a)

before paragraph (1) insert—

“(A1)

Before making regulations under a NUAR provision the
Secretary of State must consult the Department for Infrastructure and the Welsh Ministers.

(A2)

Regulations under Article 39 or 40 or under a NUAR provision
may make supplementary or incidental provision.”;

(b)

in paragraph (1), after “Order” insert “, other than regulations made
by the Secretary of State,”;

(c)

before paragraph (2) insert—

“(1B)

For the purposes of the Statutory Instruments Act 1946 a power
of the Secretary of State to make regulations under this Order is exercisable by statutory instrument, and that Act applies in relation to a document by which such a power is exercised as if this Order were an Act of Parliament passed after the commencement of that Act.

(1C)

Regulations made by the Secretary of State under Articles 39,
40, 45A, 45B and 45E are subject to the negative Westminster procedure.

(1D)

Subject to paragraphs (1E) and (1F), regulations made by the
Secretary of State under Articles 45C, 45D and 45G and paragraph 1 of Schedule 2ZA are subject to the affirmative Westminster procedure.

(1E)

Regulations under Article 45D(1) that only make provision of
a kind mentioned in Article 45D(2) are subject to the negative Westminster procedure.

(1F)

But the first regulations under Article 45D(1) that make
provision of a kind mentioned in Article 45D(2) are subject to the affirmative Westminster procedure.

(1G)

Where regulations under this Order are subject to “the
affirmative Westminster procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament.

(1H)

Where regulations under this Order are subject to “the negative
Westminster procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.

(1I)

Any provision that may be made in regulations under this
Order subject to the negative Westminster procedure may be made in regulations subject to the affirmative Westminster procedure.”

(5)

Article 59(A2) of the Street Works (Northern Ireland) Order 1995 (S.I.
1995/3210 (N.I. 19)) (inserted by subsection (4)(a)) is repealed on the coming into operation of Article 59(1A) of that Order (as inserted by Article 28(3) of the Street Works (Amendment) (Northern Ireland) Order 2007 (S.I. 2007/287 (N.I. 1))).

(6)

Schedule 2 to this Act inserts Schedule 2ZA into the Street Works (Northern
Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (monetary penalties).

59 Information in relation to apparatus: Northern Ireland

(1)

The Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) is
amended in accordance with subsections (2) to (5).

(2)

For the italic heading before Article 39 (records of location of apparatus)
substitute “Duties in relation to recording and sharing of information about apparatus”.

(3)

In Article 39—

(a)

for the heading substitute “Information in relation to apparatus”;

(b)

in paragraph (1), for sub-paragraph (c) substitute—

“(c)

being informed of its location under Article 40(2)(a),”;

(c)

after paragraph (1A) (as inserted by Article 22(2) of the Street Works
(Amendment) (Northern Ireland) Order 2007 (S.I. 2007/287 (N.I. 1))) insert—

“(1B)

An undertaker must, except in such cases as may be prescribed,
record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after—

(a)

placing the item in the street or altering its position,

(b)

inspecting, maintaining, adjusting, repairing, altering
or renewing the item,

(c)

locating the item in the street in the course of executing
any other works, or

(d)

receiving any such information in relation to the item
under Article 40(2)(a).”;

(d)

omit paragraph (3);

(e)

in paragraph (3A) (as inserted by Article 22(4) of the Street Works
(Amendment) (Northern Ireland) Order 2007 (S.I. 2007/287 (N.I. 1)))—

(i)

for “to (3)” substitute “and (2A)”;

(ii)

for “paragraph (1)” substitute “this Article”;

(f)

after paragraph (3A) insert—

“(3B)

Except in such cases as may be prescribed, where an undertaker
records information as required by paragraph (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR.

(3C)

Information must be entered into NUAR under paragraph (3B) in such form and manner as may be prescribed.”;

(g)

after paragraph (5) insert—

“(6)

In this Article “prescribed” means—

(a)

in paragraphs (1) to (2), prescribed by regulations made
by the Secretary of State or the Department for Infrastructure;

(b)

otherwise, prescribed by regulations made by the
Secretary of State.

(7)

Before making regulations under this Article the Secretary of
State must consult the Department for Infrastructure.

(8)

For the meaning of “NUAR”, see Article 45A.”

(4)

For Article 40 (duty to inform undertakers of location of apparatus)
substitute—

“40 Duties to report missing or incorrect information in relation to
apparatus

(1)

Paragraph (2) applies where a relevant person executing works of any
description in a street finds an item of apparatus which does not belong to the person in relation to which prescribed information—

(a)

is not entered in NUAR, or

(b)

is entered in NUAR but is incorrect.

(2)

Except in such cases as may be prescribed, the person must—

(a)

take such steps as are reasonably practicable to inform the
undertaker to whom the item belongs of the missing or incorrect information, and

(b)

if (having taken such steps) the person is unable to inform the
undertaker to whom the item belongs of the missing or incorrect information, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item.

(3)

A person who fails to comply with paragraph (2) commits an offence.

(4)

A person who commits an offence under paragraph (3) is liable on
summary conviction to a fine not exceeding level 4 on the standard scale.

(5)

Before making regulations under this Article the Secretary of State
must consult—

(a)

the Department for Infrastructure,

(b)

such representatives of persons likely to be affected by the
regulations as the Secretary of State considers appropriate, and

(c)

such other persons as the Secretary of State considers
appropriate.

(6)

For the purposes of this Article a person executing works in a street
is a “relevant person” if the person has, pursuant to regulations under Article 45C, access to NUAR in relation to the street in question.

(7)

For the meaning of “NUAR”, see Article 45A.”

(5)

Before Article 41 (duty to maintain apparatus) insert—

“Other duties and liabilities of undertakers in relation to apparatus”.

(6)

As a consequence of the provision made by subsection (4), omit Article 23 of
the Street Works (Amendment) (Northern Ireland) Order 2007 (S.I. 2007/287 (N.I. 1)).

(7)

A power of the Secretary of State to make regulations under paragraph (1)
or (2) of Article 39 of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (by virtue of subsection (3)(g)) includes power to amend or revoke any provision of the Street Works (Records) Regulations (Northern Ireland) 2004 (S.R. (N.I.) 2004 No. 276) made under the paragraph concerned.

60 Pre-commencement consultation

(1)

A requirement to consult under a provision inserted into the New Roads and
Street Works Act 1991 by section 56 or 57 may be satisfied by consultation undertaken before the day on which this Act is passed.

(2)

A requirement to consult under a provision inserted into the Street Works
(Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) by section 58 or 59 may be satisfied by consultation undertaken before the day on which this Act is passed.

Part 4 Registers of births and deaths

61 Form in which registers of births and deaths are to be kept

(1)

The Births and Deaths Registration Act 1953 is amended as follows.

(2)

For section 25 (provision of registers, etc, by Registrar General) substitute—

“25 Form in which registers are to be kept, etc

(1)

Registers of live-births, still-births and deaths must be kept in such
form as the Registrar General may reasonably require.

(2)

The Registrar General may, in particular, require any such register to
be kept in a form that secures that any information entered in the register by a registrar—

(a)

in the case of a register of live-births or of deaths, is available
to the superintendent registrar and to the Registrar General immediately after the entry has been made, and

(b)

in the case of a register of still-births, is available to the
Registrar General immediately after the entry has been made.

(3)

In a case where a register is kept in such form as is mentioned in subsection (2), any information in the register which is available to
the superintendent registrar or Registrar General is to be regarded as held by that person (as well as by the registrar) in connection with that person’s functions.

(4)

The Registrar General—

(a)

may provide anything which the Registrar General considers
appropriate for the registers mentioned in subsection (1) to be kept in the form required under that subsection, and

(b)

must maintain anything provided under paragraph (a).

(5)

The Registrar General must also provide the forms required for the
purposes of this Act for making certified copies of entries in registers.”

(3)

Omit the following provisions—

(a)

section 26 (quarterly returns to be made by registrar to superintendent
registrar);

(b)

section 27 (quarterly returns by superintendent registrar to Registrar
General);

(c)

section 28 (custody of registers, etc).

62 Provision of equipment and facilities by local authorities

In the Registration Service Act 1953, after section 11 insert—

“11A Provision of equipment and facilities by local authorities

(1)

At each register office provided for the superintendent registrar of a
district, the council which employs the superintendent registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the superintendent registrar’s functions.

(2)

At each office and each station for a sub-district of a registrar, the
council which employs the registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the registrar’s functions.”

63 Requirements to sign register

(1)

The Births and Deaths Registration Act 1953 is amended as follows.

(2)

After section 38A insert—

“38B Requirements to sign register

(1)

Where any register of births or register of deaths is required to be
kept under this Act otherwise than in hard copy form, the Minister may by regulations provide that—

(a)

a person’s duty under this Act to sign the register at any time
is to have effect as a duty to comply with specified requirements at that time, and

(b)

a person who complies with those requirements is to be treated
for the purposes of this Act as having signed the register at that time and, in the case of a duty to sign the register in the presence of the registrar, to have done so in the presence of the registrar,

and accordingly, in such a case, the entry in the register is to be taken for the purposes of this Act to have been signed by the person.

(2)

The provision that may be made by regulations under this section
includes, among other things—

(a)

provision requiring a person to sign something other than the
register;

(b)

provision requiring a person to provide specified evidence of
identity in such form and manner as may be specified.

(3)

In this section “specified” means specified in regulations under this
section.”

(3)

In section 39A (regulations made by the Minister: further provisions), after
subsection (5) insert—

“(6)

A statutory instrument that contains (whether alone or with other
provision) regulations made by the Minister under section 38B may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”

64 Treatment of existing registers and records

(1)

The repeal of section 28 of the Births and Deaths Registration Act 1953 by section 61 above does not affect—

(a)

the requirement under section 28(2) of that Act for every
superintendent registrar (“S”) to keep with the records of S’s office any registers of live-births or of deaths which are in S’s custody immediately before the coming into force of that repeal, or

(b)

the requirement under section 28(4) of that Act for the Registrar
General to keep in the General Register Office—

(i)

any certified copies or information sent or provided under
section 27 of that Act (quarterly returns by superintendent registrar to Registrar General), or

(ii)

any registers of still-births that were forwarded to the Registrar
General before the coming into force of that repeal.

(2)

Any register of live-births or of deaths which, immediately before the coming
into force of this section, is in the custody of a registrar and is unfilled is, as soon as is reasonably practicable after the coming into force of this section, to be delivered to the superintendent registrar (“S”) to be kept by S with the records of S’s office.

(3)

Any register of still-births which, immediately before the coming into force
of this section, is in the custody of a registrar and is unfilled is, as soon as is reasonably practicable after the coming into force of this section, to be forwarded to the Registrar General to be kept in the General Register Office in such order and manner as the Registrar General thinks fit.

(4)

The Registrar General may dispose of—

(a)

any certified copies held by the Registrar General of entries in any
register of still-births forwarded to the Registrar General under section 28(3) of the Births and Deaths Registration Act 1953 or subsection (3) above, or

(b)

any information contained in those entries which is held by the
Registrar General in electronic form by virtue of section 27 of that Act.

(5)

Where, at any time during the period mentioned in subsection (6), a copy has been kept otherwise than in hard copy form of any register of births or register of deaths kept for a sub-district under the Births and Deaths Registration Act 1953—

(a)

that copy is to be treated, on and after the day on which section 61 of this Act comes into force, as the register kept for the sub-district for the purposes of that Act,

(b)

on and after that day, the register is to be treated for the purposes of
section 25(3) of that Act as having been kept in the form in which the copy was kept,

(c)

where before that day a person signed any entry in the register, the
entry is to continue, on and after that day, to be regarded for the purposes of that Act as having been signed by the person, and

(d)

the Registrar General may dispose of—

(i)

any certified copies held by the Registrar General of entries in
the register, or

(ii)

any information contained in those entries which is held by
the Registrar General in electronic form by virtue of section 27 of that Act.

(6)

The period referred to in subsection (5) is the period—

(a)

beginning with 1 July 2009, and

(b)

ending immediately before the day on which section 61 comes into
force.

(7)

Expressions used in this section and in the Births and Deaths Registration
Act 1953 have the same meaning in this section as in that Act.

65 Minor and consequential amendments

Schedule 3 contains minor and consequential amendments.

Part 5 Data protection and privacy

Chapter 1 Data protection

Terms used in this Chapter

66 The 2018 Act and the UK GDPR

In this Chapter—


“the 2018 Act” means the Data Protection Act 2018;

“the UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Definitions in the UK GDPR and the 2018 Act

67 Meaning of research and statistical purposes

(1)

In Article 4 of the UK GDPR (definitions)—

(a)

the existing text becomes paragraph 1, and

(b)

after that paragraph insert—

“2.

References in this Regulation to the processing of personal data
for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.

3.

Such references—

(a)

include processing for the purposes of technological
development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but

(b)

only include processing for the purposes of a study in
the area of public health that can reasonably be described as scientific where the study is conducted in the public interest.

4.

References in this Regulation to the processing of personal data
for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research.

5.

References in this Regulation to the processing of personal data
for statistical purposes are references to processing for statistical surveys or for the production of statistical results where—

(a)

the information that results from the processing is
aggregate data that is not personal data, and

(b)

the controller does not use the personal data processed,
or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.”

(2)

In consequence of the amendment made by subsection (1)(a), in section 6 of the 2018 Act (meaning of “controller”), for “4(7)” substitute “4(1)(7)”.

68 Consent to processing for the purposes of scientific research

(1)

Article 4 of the UK GDPR (definitions) is amended as follows.

(2)

In point (11) of paragraph 1 (definition of “consent”), at the end insert “(and
see paragraphs 6 and 7 of this Article)”.

(3)

After paragraph 5 (inserted by section 67 of this Act) insert—

“6.

A data subject’s consent is to be treated as falling within the definition
of “consent” in point (11) of paragraph 1 if—

(a)

it does not fall within that definition because (and only because)
the consent is given to the processing of personal data for the purposes of an area of scientific research,

(b)

at the time the consent is sought, it is not possible to identify
fully the purposes for which personal data is to be processed,

(c)

seeking consent in relation to the area of scientific research is
consistent with generally recognised ethical standards relevant to the area of research, and

(d)

so far as the intended purposes of the processing allow, the data
subject is given the opportunity to consent only to processing for part of the research.

7.

References in this Regulation to consent given for a specific purpose
(however expressed) include consent described in paragraph 6.”

69 Consent to law enforcement processing

(1)

The 2018 Act is amended as follows.

(2)

In section 33 (definitions), after subsection (1) insert—

“(1A)

“Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).”

(3)

In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but
before the “and” at the end of that paragraph) insert—

“(aa)

section 40A makes provision about processing carried out in
reliance on the consent of the data subject,”.

(4)

After section 40 insert—

“40A Conditions for consent

(1)

This section is about processing of personal data that is carried out in
reliance on the consent of the data subject.

(2)

The controller must be able to demonstrate that the data subject
consented to the processing.

(3)

If the data subject’s consent is given in writing as part of a document
which also concerns other matters, the request for consent must be made—

(a)

in a manner which clearly distinguishes the request from the
other matters,

(b)

in an intelligible and easily accessible form, and

(c)

in clear and plain language.

(4)

Any part of a document described in subsection (3) which constitutes
an infringement of this Part is not binding.

(5)

The data subject may withdraw the consent at any time (but the
withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal).

(6)

Processing may only be carried out in reliance on consent if—

(a)

before the consent is given, the controller or processor informs
the data subject of the right to withdraw it, and

(b)

it is as easy for the data subject to withdraw the consent as to
give it.

(7)

When assessing whether consent is freely given, account must be taken
of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.”

(5)

In section 206 (index of defined expressions), in the Table, in the entry for
“consent”—

(a)

after “consent” insert “(to processing of personal data)”,

(b)

for “Part” substitute “Parts 3 and”, and

(c)

for “section” substitute “sections 33, 40A and”.

Data protection principles

70 Lawfulness of processing

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 6(1) (lawful processing)—

(a)

in point (e)—

(i)

after “task” insert “of the controller”, and

(ii)

after “or” insert “a task carried out”,

(b)

after that point insert—

“(ea)

processing is necessary for the purposes of a recognised
legitimate interest;”, and

(c)

in the words after point (f), for “Point (f)” substitute “Points (ea) and
(f)”.

(3)

In Article 6(3) (basis for processing etc), in the last subparagraph, in the first
sentence—

(a)

after “task” insert “of the controller”, and

(b)

after “interest or” insert “a task carried out”.

(4)

In Article 6, at the end insert—

“5.

For the purposes of paragraph 1(ea), processing is necessary for the
purposes of a recognised legitimate interest only if it meets a condition in Annex 1.

6.

The Secretary of State may by regulations amend Annex 1 by—

(a)

adding or varying provisions, or

(b)

omitting provisions added by regulations made under this
paragraph.

7.

The Secretary of State may only make regulations under paragraph 6
where—

(a)

the requirement in paragraph 8 is satisfied, and

(b)

if the regulations add a case to Annex 1, the requirement in
paragraph 9 is also satisfied.

8.

The requirement in this paragraph is that the Secretary of State
considers it appropriate to make the regulations having regard to, among other things—

(a)

the interests and fundamental rights and freedoms of data
subjects which require protection of personal data, and

(b)

where relevant, the fact that children may be less aware of the
risks and consequences associated with processing of personal data and of their rights in relation to such processing.

9.

The requirement in this paragraph is that the Secretary of State
considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

10.

Regulations under paragraph 6 are subject to the affirmative resolution
procedure.

11.

For the purposes of paragraph 1(f), examples of types of processing
that may be processing that is necessary for the purposes of a legitimate interest include—

(a)

processing that is necessary for the purposes of direct marketing,

(b)

intra-group transmission of personal data (whether relating to
clients, employees or other individuals) where that is necessary for internal administrative purposes, and

(c)

processing that is necessary for the purposes of ensuring the
security of network and information systems.

12.

In paragraph 11—


“intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;

“security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).”

(5)

In Article 21(1) (right to object), after “point (e)” insert “, (ea)”.

(6)

Schedule 4 to this Act inserts Annex 1 to the UK GDPR.

(7)

In section 8 of the 2018 Act (lawfulness of processing: public interest etc),
omit “the controller’s”.

(8)

In the provisions listed in subsection (9)—

(a)

for “gateway” substitute “gateways”, and

(b)

for “were omitted” substitute “disapplied only the gateway in point
(ea) (recognised legitimate interests)”.

(9)

The provisions are—

(a)

section 40(8) of the Freedom of Information Act 2000 (personal data
which is exempt information);

(b)

section 38(5A) of the Freedom of Information (Scotland) Act 2002 (asp
13) (personal data which is exempt information);

(c)

regulation 13(6) of the Environmental Information Regulations 2004
(S.I. 2004/3391) (restriction on disclosure of personal data);

(d)

regulation 11(7) of the Environmental Information (Scotland)
Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);

(e)

regulation 45(1E) of the Civil Contingencies Act 2004 (Contingency
Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);

(f)

regulation 39(1E) of the Civil Contingencies Act 2004 (Contingency
Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information);

(g)

regulation 9(9) of the INSPIRE Regulations 2009 (S.I. 2009/3157)
(limitation of public access to personal data included in a spatial data set);

(h)

regulation 10(8) of the INSPIRE (Scotland) Regulations 2009 (S.S.I.
2009/440) (limitation of public access to personal data included in a spatial data set).

71 The purpose limitation

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 5(1)(b) (purpose limitation)—

(a)

after “collected” insert “(whether from the data subject or otherwise)”,

(b)

after “further processed” insert “by or on behalf of a controller”, and

(c)

for the words from “those purposes;” to “initial purposes” substitute
“the purposes for which the controller collected the data”.

(3)

In Article 5, at the end insert—

“3.

For the avoidance of doubt, processing is not lawful by virtue only of
being processing in a manner that is compatible with the purposes for which the personal data was collected.”

(4)

In Article 6 (lawfulness of processing), omit paragraph 4.

(5)

After Article 8 insert—

“Article 8A Purpose limitation: further processing

1.

This Article is about the determination, for the purposes of Article
5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.

2.

In making the determination, a person must take into account, among
other things—

(a)

any link between the original purpose and the new purpose;

(b)

the context in which the personal data was collected, including
the relationship between the data subject and the controller;

(c)

the nature of the processing, including whether it is processing
described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);

(d)

the possible consequences of the intended processing for data
subjects;

(e)

the existence of appropriate safeguards (for example, encryption
or pseudonymisation).

3.

Processing of personal data for a new purpose is to be treated as
processing in a manner compatible with the original purpose where—

(a)

the data subject consents to the processing of personal data for
the new purpose and the new purpose is specified, explicit and legitimate,

(b)

the processing is carried out in accordance with Article 84B—

(i)

for the purposes of scientific research or historical research,

(ii)

for the purposes of archiving in the public interest, or

(iii)

for statistical purposes,

(c)

the processing is carried out for the purposes of ensuring that
processing of personal data complies with Article 5(1) or demonstrating that it does so,

(d)

the processing meets a condition in Annex 2, or

(e)

the processing is necessary to safeguard an objective listed in
Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.

4.

Where the controller collected the personal data based on Article 6(1)(a)
(data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—

(a)

it falls within paragraph 3(a) or (c), or

(b)

it falls within paragraph 3(d) or (e) and the controller cannot
reasonably be expected to obtain the data subject’s consent.

5.

The Secretary of State may by regulations amend Annex 2 by—

(a)

adding or varying provisions, or

(b)

omitting provisions added by regulations made under this
paragraph.

6.

The Secretary of State may only make regulations under paragraph 5
adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

7.

Regulations under paragraph 5 may make provision identifying
processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.

8.

Regulations under paragraph 5 are subject to the affirmative resolution
procedure.”

(6)

Schedule 5 to this Act inserts Annex 2 to the UK GDPR.

(7)

The 2018 Act is amended in accordance with subsections (8) to (10).

(8)

In section 36(1) (the second data protection principle)—

(a)

in paragraph (a), for “on any occasion” substitute “(whether from the
data subject or otherwise)”, and

(b)

in paragraph (b)—

(i)

after “processed” insert “by or on behalf of a controller”, and

(ii)

for “it was collected” substitute “the controller collected it”.

(9)

In section 87(1) (the second data protection principle)—

(a)

in paragraph (a), for “on any occasion” substitute “(whether from the
data subject or otherwise)”, and

(b)

in paragraph (b)—

(i)

after “processed” insert “by or on behalf of a controller”, and

(ii)

for “it was collected” substitute “the controller collected it”.

(10)

In paragraph 1 of Schedule 2 (exemptions etc from the UK GDPR: provisions
to be adapted or restricted), omit sub-paragraph (b)(ii).

72 Processing in reliance on relevant international law

(1)

The UK GDPR is amended in accordance with subsections (2) to (5).

(2)

In Article 6(3) (lawfulness of processing: basis in domestic law)—

(a)

in the first subparagraph, omit “and (e)”,

(b)

after that subparagraph insert—

“The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).”, and

(c)

in the last subparagraph, in the last sentence, after “domestic law”
insert “or relevant international law”.

(3)

In Article 8A(3)(e) (purpose limitation: further processing necessary to
safeguard an objective listed in Article 23(1)) (inserted by section 71 of this Act), at the end insert “or by relevant international law (see section 9A of the 2018 Act)”.

(4)

In Article 9 (processing of special categories of personal data)—

(a)

in paragraph 2(g) (substantial public interest), after “domestic law”
insert “, or relevant international law,”, and

(b)

in paragraph 5, before point (a) insert—

“(za)

section 9A makes provision about when the requirement
in paragraph 2(g) of this Article for a basis in relevant international law is met;”.

(5)

In Article 10 (processing of personal data relating to criminal convictions and
offences)—

(a)

in paragraph 1, after “domestic law” insert “, or relevant international
law,”, and

(b)

in paragraph 2, before point (a) insert—

“(za)

section 9A makes provision about when the requirement
in paragraph 1 of this Article for authorisation by relevant international law is met;”.

(6)

The 2018 Act is amended in accordance with subsections (7) and (8).

(7)

Before section 10 (and the italic heading before that section) insert—

“Relevant international law

9A Processing in reliance on relevant international law

(1)

Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2)

A condition in Schedule A1 may be relied on for the purposes of any
of those provisions, unless that Schedule provides otherwise.

(3)

The Secretary of State may by regulations amend Schedule A1 by
adding, varying or omitting—

(a)

conditions,

(b)

provision about the purposes for which a condition may be
relied on, and

(c)

safeguards in connection with processing carried out in reliance
on a condition in the Schedule.

(4)

Regulations under this section may only add a condition relating
entirely or partly to a treaty ratified by the United Kingdom.

(5)

Regulations under this section are subject to the affirmative resolution
procedure.

(6)

In this section, “treaty” and “ratified” have the same meaning as in
Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).”

(8)

Before Schedule 1 insert—

“Schedule A1

Section 9A

Processing in reliance on relevant international law

This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.”

Processing of special categories of personal data

73 Elected representatives responding to requests

In paragraph 23 of Schedule 1 to the 2018 Act (processing of special categories of personal data: elected representatives responding to requests), in sub-paragraph (4), for “fourth day after” substitute “period of 30 days beginning with the day after”.

74 Processing of special categories of personal data

(1)

In Chapter 2 of the UK GDPR, after Article 11 insert—

“Article 11A Further provision about processing of special categories of personal data

1.

The Secretary of State may by regulations—

(a)

make provision so that an additional description of processing
of personal data is subject to the prohibition in Article 9(1),

(b)

make provision so that added processing is not subject to that
prohibition,

(c)

make provision so that an exception in Article 9(2) may or may
not be relied on in connection with added processing, and

(d)

make provision varying such an exception as it applies in
connection with added processing.

2.

In paragraph 1, “added processing” means a description of processing
which is subject to the prohibition in Article 9(1) by virtue of provision made under paragraph 1(a).

3.

Regulations made under this Article (in reliance on Article 91A(4)(b))
may amend section 5, 205 or 206 of the 2018 Act (interpretation).

4.

Regulations under this Article are subject to the affirmative resolution
procedure.”

(2)

The 2018 Act is amended in accordance with subsections (3) to (9).

(3)

In section 33 (definitions of expressions used in Part 3), after subsection (6)
insert—

“(6A)

“Sensitive processing” has the meaning given in section 35(8).”

(4)

In section 35 (the first data protection principle)—

(a)

in subsection (6)(b) (power to omit conditions added to Schedule 8 by
regulations), after “by”, in the first place it occurs, insert “varying or”, and

(b)

in subsection (8) (definition of “sensitive processing”), for “section”
substitute “Part”.

(5)

After section 42 insert—

“42A Further provision about sensitive processing

(1)

The Secretary of State may by regulations—

(a)

make provision so that an additional description of processing
of personal data is sensitive processing for the purposes of this Part,

(b)

make provision so that added processing is not sensitive
processing for the purposes of this Part,

(c)

make provision so that a protected condition in Schedule 8
may or may not be relied on in connection with added processing, and

(d)

make provision varying such a condition as it relates to added
processing.

(2)

In subsection (1)—

“added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

“protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).

(3)

Regulations under this section may amend this Part and sections 205
and 206.

(4)

Regulations under this section are subject to the affirmative resolution
procedure.”

(6)

In section 84 (definitions of expressions used in Part 4), after subsection (6)
insert—

“(6A)

“Sensitive processing” has the meaning given in section 86(7).”

(7)

In section 86 (the first data protection principle)—

(a)

in subsection (3)(b) (power to omit conditions added to Schedule 10
by regulations), after “by”, in the first place it occurs, insert “varying or”, and

(b)

in subsection (7) (definition of “sensitive processing”), for “section”
substitute “Part”.

(8)

After section 91 insert—

“91A Further provision about sensitive processing

(1)

The Secretary of State may by regulations—

(a)

make provision so that an additional description of processing
of personal data is sensitive processing for the purposes of this Part,

(b)

make provision so that added processing is not sensitive
processing for the purposes of this Part,

(c)

make provision so that a protected condition in Schedule 10
may or may not be relied on in connection with added processing, and

(d)

make provision varying such a condition as it relates to added
processing.

(2)

In subsection (1)—

“added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

“protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3).

(3)

Regulations under this section may amend this Part and sections 205
and 206.

(4)

Regulations under this section are subject to the affirmative resolution
procedure.”

(9)

In section 206 (index of defined expressions), in the Table, at the appropriate
place insert—

“sensitive processing (in Parts 3 and 4)

sections 35 and 86”.

(10)

The Investigatory Powers Act 2016 is amended in accordance with subsections (11) to (13).

(11)

In section 202(4) (restrictions on use of class BPD warrants: definitions), omit
the definition of “sensitive personal data” and insert—

““sensitive personal data” means personal data whose retention, or (as appropriate) retention and examination, would be sensitive processing;

“sensitive processing” means—

(a)

processing of personal data relating to a living individual that
is processing of a kind described in section 86(7)(a) to (e) of the Data Protection Act 2018, or

(b)

processing of personal data relating to a deceased individual
that would be that kind of processing if the personal data related to a living individual.”

(12)

After that section insert—

“202A Further provision about sensitive processing

(1)

The Secretary of State may by regulations—

(a)

make provision so that a description of Part 4 sensitive
processing, or of processing that would be such processing if the information processed related to a living individual, is sensitive processing for the purposes of section 202, and

(b)

make provision so that added processing is not sensitive
processing for the purposes of that section.

(2)

In this section—


“added processing” means a description of processing that is sensitive processing for the purposes of section 202 by virtue of provision made under subsection (1)(a);

“Part 4 sensitive processing” means processing of personal data that, at the time the regulations are made, is sensitive processing for the purposes of Part 4 of the Data Protection Act 2018 by virtue of regulations made under section 91A of that Act.

(3)

Regulations under this section may amend section 202.”

(13)

In section 267(3) (regulations subject to the affirmative procedure), after
paragraph (e) insert—

“(ea)

section 202A,”.

Data subject’s rights

75 Fees and reasons for responses to data subjects’ requests about law enforcement processing

(1)

The 2018 Act is amended as follows.

(2)

In section 53 (manifestly unfounded or excessive requests by the data subject
under Part 3)—

(a)

after subsection (4) insert—

“(4A)

The Secretary of State may by regulations—

(a)

require controllers of a description specified in the
regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and

(b)

specify what the guidance must include.”,

(b)

in subsection (5), for “subsection (4)” substitute “this section”, and

(c)

after subsection (5) insert—

“(6)

If, in reliance on subsection (1)(b), the controller does not take
action on the request, the controller must inform the data subject of—

(a)

the reasons for not doing so, and

(b)

the data subject’s right to lodge a complaint with the
Commissioner.

(7)

The controller must comply with subsection (6)—

(a)

without undue delay, and

(b)

in any event, before the end of the applicable time
period (as to which see section 54).”

(3)

In section 54(1) (meaning of “applicable time period”), for “and 48(2)(b)”
substitute “, 48(2)(b) and 53(7)”.

76 Time limits for responding to data subjects’ requests

(1)

The UK GDPR is amended in accordance with subsections (2) and (3).

(2)

In Article 12 (transparent information, communication and modalities for the
exercise of rights of the data subject)—

(a)

in paragraph 3—

(i)

for “within one month of receipt of the request” substitute
“before the end of the applicable time period (see Article 12A)”, and

(ii)

omit the second and third sentences,

(b)

in paragraph 4, for “without delay and at the latest within one month
of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12A),”, and

(c)

in paragraph 6—

(i)

after “may” insert “—

(a)”, and

(ii)

at the end insert “, and

(b)

delay dealing with the request until the identity
is confirmed.”

(3)

After Article 12 insert—

“Article 12A Meaning of “applicable time period”

1.

In Article 12, “the applicable time period” means the period of one
month beginning with the relevant time, subject to paragraph 3.

2.

“The relevant time” means the latest of the following—

(a)

when the controller receives the request in question;

(b)

when the controller receives the information (if any) requested
in connection with a request under Article 12(6);

(c)

when the fee (if any) charged in connection with the request
under Article 12(5) is paid.

3.

The controller may, by giving notice to the data subject, extend the
applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

4.

A notice under paragraph 3 must—

(a)

be given before the end of the period of one month beginning
with the relevant time, and

(b)

state the reasons for the delay.

5.

Where the controller reasonably requires further information in order
to identify the information or processing activities to which a request under Article 15 relates—

(a)

the controller may ask the data subject to provide the further
information, and

(b)

the period beginning with the day on which the controller makes
the request and ending with the day on which the controller receives the information does not count towards—

(i)

the applicable time period, or

(ii)

the period described in paragraph 4(a).

6.

An example of a case in which a controller may reasonably require
further information is where the controller processes a large amount of information concerning the data subject.”

(4)

The 2018 Act is amended in accordance with subsections (5) to (7).

(5)

In section 45(5) (right of access by the data subject), after “delay” insert “and
in any event before the end of the applicable time period (as to which see section 54)”.

(6)

In section 54 (meaning of “applicable time period” for responding to data
subjects’ requests)—

(a)

in subsection (1), after “45(3)(b)” insert “and (5)”,

(b)

in subsection (2)—

(i)

for “1 month, or such longer period as may be specified in
regulations,” substitute “one month”, and

(ii)

at the end insert “, subject to subsection (3A)”,

(c)

after subsection (3) insert—

“(3A)

The controller may, by giving notice to the data subject, extend
the applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

(3B)

A notice under subsection (3A) must—

(a)

be given before the end of the period of one month
beginning with the relevant time, and

(b)

state the reasons for the delay.

(3C)

Where the controller reasonably requires further information
in order to identify the information or processing activities to which a request under section 45(1) relates—

(a)

the controller may ask the data subject to provide the
further information, and

(b)

the period beginning with the day on which the
controller makes the request and ending with the day on which the controller receives the information does not count towards—

(i)

the applicable time period, or

(ii)

the period described in subsection (3B)(a).

(3D)

An example of a case in which a controller may reasonably
require further information is where the controller processes a large amount of information concerning the data subject.”, and

(d)

omit subsections (4) to (6).

(7)

In section 94 (right of access under Part 4)—

(a)

in subsection (14), for the definition of “the applicable time period”
substitute—

““the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);”, and

(b)

after subsection (14) insert—

“(14A)

The controller may, by giving notice to the data subject, extend
the applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

(14B)

A notice under subsection (14A) must—

(a)

be given before the end of the period of one month
beginning with the relevant time, and

(b)

state the reasons for the delay.”

77 Information to be provided to data subjects

(1)

In Article 13 of the UK GDPR (information to be provided where personal
data is collected from the data subject)—

(a)

in paragraph 4, for “shall not apply where and insofar as” substitute
“do not apply to the extent that”, and

(b)

at the end insert—

“5.

Paragraph 3 does not apply to the extent that—

(a)

the controller intends to further process the personal
data—

(i)

for (and only for) the purposes of scientific or
historical research, the purposes of archiving in the public interest or statistical purposes, and

(ii)

in accordance with Article 84B, and

(b)

providing the information is impossible or would involve
a disproportionate effort.

6.

For the purposes of paragraph 5(b), whether providing the
information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.

7.

A controller relying on paragraph 5 must take appropriate
measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”

(2)

In Article 14 of the UK GDPR (information to be provided where personal
data has not been obtained from the data subject)—

(a)

in paragraph 5—

(i)

for “shall not apply where and insofar as” substitute “do not
apply to the extent that”,

(ii)

omit point (b),

(iii)

omit the “or” at the end of point (c),

(iv)

in point (d), omit “where”, and

(v)

after that point insert—

“(e)

providing the information is impossible or would
involve a disproportionate effort, or

(f)

the obligation referred to in paragraph 1 is likely
to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.”, and

(b)

at the end insert—

“6.

For the purposes of paragraph 5(e), whether providing the
information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.

7.

A controller relying on paragraph 5(e) or (f) must take
appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.”

78 Searches in response to data subjects’ requests

(1)

In Article 15 of the UK GDPR (right of access by the data subject)—

(a)

after paragraph 1 insert—

“1A.

Under paragraph 1, the data subject is only entitled to such
confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.”, and

(b)

in paragraph 3, after “processing” insert “to which the data subject is
entitled under paragraph 1”.

(2)

The 2018 Act is amended in accordance with subsections (3) and (4).

(3)

In section 45 (law enforcement processing: right of access by the data subject),
after subsection (2) insert—

“(2A)

Under subsection (1), the data subject is only entitled to such
confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”

(4)

In section 94 (intelligence services processing: right of access by the data
subject), after subsection (2) insert—

“(2A)

Under subsection (1), the data subject is only entitled to such
confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.”

(5)

The amendments made by this section are to be treated as having come into
force on 1 January 2024.

79 Data subjects’ rights to information: legal professional privilege exemption

(1)

The 2018 Act is amended as follows.

(2)

In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data
subject in connection with law enforcement processing)—

(a)

in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”,
and

(b)

in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.

(3)

For the italic heading before section 44 substitute—

“Data subject’s rights to information”.

(4)

In the heading of section 44, omit “Information:”.

(5)

Omit the italic heading before section 45.

(6)

After that section insert—

“45A Exemption from sections 44 and 45: legal professional privilege

(1)

Sections 44(2) and 45(1) do not require the controller to give the data
subject—

(a)

information in respect of which a claim to legal professional
privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or

(b)

information in respect of which a duty of confidentiality is
owed by a professional legal adviser to a client of the adviser.

(2)

A controller relying on the exemption in subsection (1) must inform
the data subject in writing without undue delay of—

(a)

the decision to rely on the exemption,

(b)

the reason for the decision,

(c)

the data subject’s right to make a request to the Commissioner
under section 51,

(d)

the data subject’s right to lodge a complaint with the
Commissioner under section 165, and

(e)

the data subject’s right to apply to a court under section 167.

(3)

Subsection (2)(a) and (b) do not apply to the extent that complying
with them would—

(a)

undermine a claim described in subsection (1)(a), or

(b)

conflict with a duty described in subsection (1)(b).

(4)

The controller must—

(a)

record the reason for a decision to rely on the exemption in
subsection (1), and

(b)

if requested to do so by the Commissioner, make the record
available to the Commissioner.

(5)

The reference in subsection (1) to sections 44(2) and 45(1) includes
sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).”

(7)

In section 51 (exercise of rights through the Commissioner)—

(a)

in subsection (1), after paragraph (b) (but before the “or” at the end
of that paragraph) insert—

“(ba)

relies on the exemption from sections 44(2) and 45(1)
in section 45A (legal professional privilege),”,

(b)

in subsection (2), after paragraph (a) insert—

“(aa)

where subsection (1)(ba) applies, request the
Commissioner to check that the controller was entitled to rely on the exemption;”,

(c)

in subsection (4), after paragraph (a) insert—

“(aa)

where subsection (1)(ba) applies, whether the
Commissioner is satisfied that the controller was entitled to rely on the exemption;”, and

(d)

in subsection (6), after “(a)” insert “, (aa)”.

Automated decision-making

80 Automated decision-making

(1)

For Article 22 of the UK GDPR (automated individual decision-making,
including profiling) substitute—

“Section 4A Automated individual decision-making

Article 22A Automated processing and significant decisions

1.

For the purposes of Articles 22B and 22C—

(a)

a decision is based solely on automated processing if there is no
meaningful human involvement in the taking of the decision, and

(b)

a decision is a significant decision, in relation to a data subject,
if—

(i)

it produces a legal effect for the data subject, or

(ii)

it has a similarly significant effect for the data subject.

2.

When considering whether there is meaningful human involvement
in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

Article 22B Restrictions on automated decision-making

1.

A significant decision based entirely or partly on processing described
in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met.

2.

The first condition is that the decision is based entirely on processing
of personal data to which the data subject has given explicit consent.

3.

The second condition is that—

(a)

the decision is—

(i)

necessary for entering into, or performing, a contract
between the data subject and a controller, or

(ii)

required or authorised by law, and

(b)

point (g) of Article 9(2) applies.

4.

A significant decision may not be taken based solely on automated
processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).

Article 22C Safeguards for automated decision-making

1.

Where a significant decision taken by or on behalf of a controller in
relation to a data subject is—

(a)

based entirely or partly on personal data, and

(b)

based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3).

2.

The safeguards must consist of or include measures which—

(a)

provide the data subject with information about decisions
described in paragraph 1 taken in relation to the data subject;

(b)

enable the data subject to make representations about such
decisions;

(c)

enable the data subject to obtain human intervention on the part
of the controller in relation to such decisions;

(d)

enable the data subject to contest such decisions.

Article 22D Further provision about automated decision-making

1.

The Secretary of State may by regulations provide that, for the
purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations.

2.

The Secretary of State may by regulations provide that, for the
purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject.

3.

The Secretary of State may by regulations make the following types
of provision about the safeguards required under Article 22C(1)—

(a)

provision requiring the safeguards to include measures in
addition to those described in Article 22C(2),

(b)

provision imposing requirements which supplement what Article
22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and

(c)

provision about measures which are not to be taken to satisfy
one or more of points (a) to (d) of Article 22C(2).

4.

Regulations under paragraph 3 may not amend Article 22C.

5.

Regulations under this Article are subject to the affirmative resolution
procedure.”

(2)

The 2018 Act is amended in accordance with subsections (3) to (5).

(3)

For sections 49 and 50 (law enforcement processing: automated individual
decision making) substitute—

“50A Automated processing and significant decisions

(1)

For the purposes of sections 50B and 50C

(a)

a decision is based solely on automated processing if there is
no meaningful human involvement in the taking of the decision, and

(b)

a decision is a significant decision, in relation to a data subject,
if—

(i)

it produces an adverse legal effect for the data subject,
or

(ii)

it has a similarly significant adverse effect for the data
subject.

(2)

When considering whether there is meaningful human involvement
in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.

50B Restrictions on automated decision-making based on sensitive
processing

(1)

A significant decision based entirely or partly on sensitive processing
may not be taken based solely on automated processing, unless one of the following conditions is met.

(2)

The first condition is that the decision is based entirely on processing
of personal data to which the data subject has given explicit consent.

(3)

The second condition is that the decision is required or authorised by
law.

50C Safeguards for automated decision-making

(1)

Subject to subsection (3), where a significant decision taken by or on
behalf of a controller in relation to a data subject is—

(a)

based entirely or partly on personal data, and

(b)

based solely on automated processing,

the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).

(2)

The safeguards must consist of or include measures which—

(a)

provide the data subject with information about decisions
described in subsection (1) taken in relation to the data subject;

(b)

enable the data subject to make representations about such
decisions;

(c)

enable the data subject to obtain human intervention on the
part of the controller in relation to such decisions;

(d)

enable the data subject to contest such decisions.

(3)

Subsections (1) and (2) do not apply in relation to a significant decision
if—

(a)

exemption from those provisions is required for a reason listed
in subsection (4),

(b)

the controller reconsiders the decision as soon as reasonably
practicable, and

(c)

there is meaningful human involvement in the reconsideration
of the decision.

(4)

Those reasons are—

(a)

to avoid obstructing an official or legal inquiry, investigation
or procedure;

(b)

to avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal penalties;

(c)

to protect public security;

(d)

to safeguard national security;

(e)

to protect the rights and freedoms of others.

(5)

When considering whether there is meaningful human involvement
in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.

50D Further provision about automated decision-making

(1)

The Secretary of State may by regulations provide that, for the
purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.

(2)

The Secretary of State may by regulations provide that, for the
purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.

(3)

Regulations under subsection (1) or (2) may amend section 50A.

(4)

The Secretary of State may by regulations make the following types
of provision about the safeguards required under section 50C(1)

(a)

provision requiring the safeguards to include measures in
addition to those described in section 50C(2),

(b)

provision imposing requirements which supplement what
section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and

(c)

provision about measures which are not to be taken to satisfy
one or more of paragraphs (a) to (d) of section 50C(2).

(6)

Regulations under this section are subject to the affirmative resolution
procedure.”

(4)

In section 96 (intelligence services processing: right not to be subject to
automated decision-making)—

(a)

in subsection (1), for “solely on” substitute “on entirely”,

(b)

in subsection (3), after “section” insert “and section 97”, and

(c)

at the end insert—

“(4)

For the purposes of this section and section 97, a decision is
based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.”

(5)

In section 97 (intelligence services processing: right to intervene in automated
decision-making)—

(a)

in subsection (1)(a), for “solely on” substitute “on entirely”,

(b)

in subsection (4)(b), for “solely on” substitute “on entirely”, and

(c)

omit subsection (6).

(6)

Schedule 6 to this Act contains minor and consequential amendments.

Logging of law enforcement processing

81 Logging of law enforcement processing

In section 62 of the 2018 Act (logging of law enforcement processing)—

(a)

in subsection (2)(a), omit “justification for, and”, and

(b)

in subsection (3)(a), omit “justification for, and”.

Codes of conduct

82 General processing and codes of conduct

In Article 41 of the UK GDPR (monitoring of approved codes of conduct)—

(a)

in paragraph 4, omit the words from “, including suspension” to the
end, and

(b)

after that paragraph insert—

“4A.

If the action taken by a body under paragraph 4 consists of
suspending or excluding a controller or processor from the code, the body must inform the Commissioner, giving reasons for taking that action.”

83 Law enforcement processing and codes of conduct

(1)

The 2018 Act is amended as follows.

(2)

In section 55(1) (overview and scope of provisions about controllers and
processors), at the end insert—

“(e)

makes provision about codes of conduct (see section 71A).”

(3)

In section 56 (general obligations of the controller), at the end insert—

“(4)

Adherence to a code of conduct approved under section 71A may be
used by a controller as a means of demonstrating compliance with the requirements of this Part.”

(4)

In section 59 (processors), after subsection (7) insert—

“(7A)

Adherence to a code of conduct approved under section 71A may be
used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).”

(5)

In section 66 (security of processing), at the end insert—

“(3)

Adherence to a code of conduct approved under section 71A may be
used by a controller or processor as a means of demonstrating compliance with subsection (1).”

(6)

After section 71 insert—

“Codes of conduct

71A Codes of conduct

(1)

The Commissioner must encourage expert public bodies to produce
codes of conduct intended to contribute to compliance with this Part.

(2)

Under subsection (1), the Commissioner must, among other things,
encourage the production of codes which take account of the specific features of the various processing sectors.

(3)

For the purposes of this section—

(a)

“public body” means a body or other person whose functions
are, or include, functions of a public nature, and

(b)

a public body is “expert” if, in the Commissioner’s opinion,
the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).

(4)

A code of conduct described in subsection (1) may, for example, make
provision with regard to—

(a)

lawful and fair processing;

(b)

the collection of personal data;

(c)

the information provided to the public and to data subjects;

(d)

the exercise of the rights of data subjects;

(e)

the measures and procedures referred to in sections 56, 57 and
62;

(f)

the notification of personal data breaches to the Commissioner
and the communication of personal data breaches to data subjects;

(g)

the transfer of personal data to third countries or international
organisations;

(h)

out-of-court proceedings and other dispute resolution
procedures for resolving disputes between controllers and data subjects with regard to processing.

(5)

The Commissioner must encourage expert public bodies to submit
codes of conduct described in subsection (1) to the Commissioner in draft.

(6)

Where an expert public body does so, the Commissioner must—

(a)

provide the body with an opinion on whether the code correctly
reflects the requirements of this Part,

(b)

decide whether to approve the code, and

(c)

if the code is approved, register and publish the code.

(7)

Subsections (5) and (6) apply in relation to amendments of a code of
conduct that is for the time being approved under this section as they apply in relation to a code.”

International transfers of personal data

84 Transfers of personal data to third countries and international organisations

(1)

Schedule 7 amends Chapter 5 of the UK GDPR (general processing and
transfers of personal data to third countries and international organisations).

(2)

Schedule 8 amends Chapter 5 of Part 3 of the 2018 Act (law enforcement
processing and transfers of personal data to third countries and international organisations).

(3)

In Schedule 9

(a)

Part 1 contains minor and consequential amendments, and

(b)

Part 2 contains transitional provision.

Safeguards for processing for research etc purposes

85 Safeguards for processing for research etc purposes

(1)

The UK GDPR is amended in accordance with subsections (2) to (4).

(2)

After Chapter 8 insert—

“CHAPTER 8A Safeguards for processing for research, archiving or statistical purposes

Article 84A Research, archives and statistics

1.

This Chapter makes provision about the processing of personal data—

(a)

for the purposes of scientific research or historical research,

(b)

for the purposes of archiving in the public interest, or

(c)

for statistical purposes.

2.

Those purposes are referred to in this Chapter as “RAS purposes”.

Article 84B Additional requirements when processing for RAS purposes

1.

Personal data may only be processed for RAS purposes if—

(a)

the processing consists of the collection of the personal data
(whether from the data subject or otherwise),

(b)

the processing is carried out in order to convert the personal
data into information which can be processed in a manner which does not permit the identification of a data subject, or

(c)

without the processing, the RAS purposes cannot be fulfilled.

2.

Processing of personal data for RAS purposes must be carried out
subject to appropriate safeguards for the rights and freedoms of the data subject.

Article 84C Appropriate safeguards

1.

This Article makes provision about when the requirement under Article
84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied.

2.

The requirement is not satisfied if the processing is likely to cause
substantial damage or substantial distress to a data subject to whom the personal data relates.

3.

The requirement is not satisfied if the processing is carried out for the
purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research.

4.

The requirement is only satisfied if the safeguards include technical
and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation.

5.

In this Article—


“approved medical research” means medical research carried
out by a person who has approval to carry out that research from—

(a)

a research ethics committee recognised or established by
the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or

(b)

a body appointed by any of the following for the purpose
of assessing the ethics of research involving individuals—

(i)

the Secretary of State, the Scottish Ministers, the
Welsh Ministers or a Northern Ireland department;

(ii)

a relevant NHS body;

(iii)

United Kingdom Research and Innovation or a body
that is a Research Council for the purposes of the Science and Technology Act 1965;

(iv)

an institution that is a research institution for the
purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act);


“relevant NHS body” means—

(a)

an NHS trust or NHS foundation trust in England,

(b)

an NHS trust or Local Health Board in Wales,

(c)

a Health Board or Special Health Board constituted under
section 2 of the National Health Service (Scotland) Act 1978,

(d)

the Common Services Agency for the Scottish Health
Service, or

(e)

any of the health and social care bodies in Northern Ireland
falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).

Article 84D Appropriate safeguards: further provision

1.

The Secretary of State may by regulations make further provision
about when the requirement for appropriate safeguards under Article 84B(2) is, or is not, satisfied.

2.

Regulations under this Article may not amend or revoke Article 84C(2),
(3) or (4) (but may change the meaning of “approved medical research” for the purposes of Article 84C).

3.

Regulations under this Article are subject to the affirmative resolution
procedure.”

(3)

In the heading of Chapter 9, after “relating to” insert “other”.

(4)

Omit Article 89 (safeguards and derogations relating to processing for
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

(5)

The 2018 Act is amended in accordance with subsections (6) and (7).

(6)

Omit section 19 (processing for archiving, research and statistical purposes:
safeguards) and the italic heading before it.

(7)

In section 41(1) (safeguards: archiving), for “necessary” substitute “carried
out”.

86 Section 85: consequential provision

(1)

In the UK GDPR—

(a)

in Article 5(1)(e) (storage limitation), for “Article 89(1)” to “data subject”
substitute “Article 84B”,

(b)

in Article 9(2)(j) (processing of special categories of personal data), for
“in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act)” substitute “, is carried out in accordance with Article 84B and is”,

(c)

in Article 17(3)(d) (right to erasure), for “Article 89(1)” substitute
“Article 84B”, and

(d)

in Article 21(6) (right to object), omit “pursuant to Article 89(1)”.

(2)

In the 2018 Act—

(a)

in section 24(4) (manual unstructured data held by FOI public
authorities), after paragraph (b) insert—

“(ba)

Chapter 8A (safeguards for processing for research,
archiving or statistical purposes);”,

(b)

in paragraph 4(b) of Schedule 1 (special categories of personal data
and criminal convictions etc data: research etc), for “Article 89(1) of the UK GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”, and

(c)

in Schedule 2 (exemptions etc from the UK GDPR)—

(i)

in paragraph 27(3)(a) (research and statistics), for “Article 89(1)
of the UK GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”, and

(ii)

in paragraph 28(3) (archiving), for “Article 89(1) of the UK
GDPR (as supplemented by section 19)” substitute “Article 84B of the UK GDPR”.

(3)

In section 279(2) of the Mental Health (Care and Treatment) (Scotland) Act
2003 (asp 13) (information for research), for “Article 89(1) of the UK GDPR (archiving in the public interest, scientific or historical research and statistics)” substitute “Article 84A of the UK GDPR (research, archives and statistics)”.

National security

87 National security exemption

(1)

The 2018 Act is amended in accordance with subsections (2) to (10).

(2)

In section 26(2)(f) (national security and defence exemption), before
sub-paragraph (i) insert—

“(zi)

Article 77 (right to lodge a complaint with the
Commissioner);”.

(3)

In section 44 (controller’s general duties to provide information to data
subject)—

(a)

in subsection (4), omit paragraph (d) (grounds for restricting
information provided: national security),

(b)

in subsection (5), after “restricted” insert “under subsection (4)”, and

(c)

in subsection (7)(a), after “subsection (2)” insert “in reliance on
subsection (4)”.

(4)

In section 45 (right of access by the data subject)—

(a)

in subsection (4), omit paragraph (d) (grounds for restricting
information provided: national security),

(b)

in subsection (5), after “restricted” insert “under subsection (4)”, and

(c)

in subsection (7)(a), after “subsection (1)” insert “in reliance on
subsection (4)”.

(5)

In section 48 (requests by data subject for rectification or erasure of personal
data)—

(a)

in subsection (3), omit paragraph (d) (grounds for restricting
information provided: national security),

(b)

in subsection (4)—

(i)

for “(1)” substitute “(1)(b)(i)”, and

(ii)

after “restricted” insert “under subsection (3)”, and

(c)

in subsection (6)(a), after “subsection (1)(b)(i)” insert “in reliance on
subsection (3)”.

(6)

In section 68(7) (communication of a personal data breach to the data subject:
grounds for restricting information provided), omit paragraph (d) (national security).

(7)

In Chapter 6 of Part 3 (law enforcement processing: supplementary), before
section 79 insert—

“78A National security exemption

(1)

A provision mentioned in subsection (2) does not apply to personal
data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.

(2)

The provisions are—

(a)

Chapter 2 of this Part (principles), except for the provisions
listed in subsection (3);

(b)

Chapter 3 of this Part (rights of the data subject);

(c)

in Chapter 4 of this Part—

(i)

section 67 (notification of personal data breach to the
Commissioner);

(ii)

section 68 (communication of personal data breach to
the data subject);

(d)

Chapter 5 of this Part (transfers of personal data to third
countries etc), except for the provisions listed in subsection (4);

(e)

in Part 5—

(i)

section 119 (inspection in accordance with international
obligations);

(ii)

in Schedule 13 (other general functions of the
Commissioner), paragraphs 1(1)(a) and (g) and 2;

(f)

in Part 6—

(i)

sections 142 to 154 and Schedule 15 (Commissioner’s
notices and powers of entry and inspection);

(ii)

sections 170 to 173 (offences relating to personal data);

(g)

in Part 7, section 187 (representation of data subjects).

(3)

The provisions of Chapter 2 of this Part (principles) which are excepted
from the list in subsection (2) are—

(a)

section 35(1) (the first data protection principle) so far as it
requires processing of personal data to be lawful;

(b)

section 35(2) to (5) (lawfulness of processing and restrictions
on sensitive processing);

(c)

section 42 (safeguards: sensitive processing);

(d)

Schedule 8 (conditions for sensitive processing).

(4)

The provisions of Chapter 5 of this Part (transfers of personal data to
third countries etc) which are excepted from the list in subsection (2) are—

(a)

the following provisions of section 73—

(i)

subsection (1)(a) (conditions for transfer), so far as it
relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);

(ii)

subsections (1)(b), (5) and (6) (conditions for transfer of
personal data originally made available by a member State);

(b)

section 78 (subsequent transfers).”

(8)

In section 79 (national security: certificate)—

(a)

omit subsections (1) to (3),

(b)

after subsection (3) insert—

“(3A)

Subject to subsection (5), a certificate signed by a Minister of
the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.”,

(c)

in subsection (4), for “subsection (1)” substitute “subsection (3A)

(a)

may identify the personal data to which it applies by
means of a general description, and

(b)”,

(d)

in subsection (5), for “subsection (1)” substitute “subsection (3A)”,

(e)

in subsection (7)—

(i)

for “a restriction falls within a general description in a certificate
issued under subsection (1)” substitute “a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data”, and

(ii)

for “the restriction does not fall within that description”
substitute “the certificate does not apply to the personal data in question”,

(f)

in subsection (8)—

(i)

for “the restriction” substitute “the certificate”, and

(ii)

for “to fall within the general description” substitute “so to
apply”,

(g)

in subsection (10), for “subsection (1)” substitute “subsection (3A)”,

(h)

in subsection (11), for “subsection (1)” substitute “subsection (3A)”,

(i)

in subsection (12), for “subsection (1)” substitute “subsection (3A)”,
and

(j)

omit subsection (13).

(9)

In section 110(2) (intelligence services processing: national security)—

(a)

in paragraph (a), after “Chapter 2” insert “of this Part”,

(b)

in paragraph (b), after “Chapter 3” insert “of this Part”, and

(c)

in paragraph (c), after “Chapter 4” insert “of this Part”.

(10)

In section 186(3) (data subject’s rights etc: exceptions), after paragraph (c)
insert—

“(ca)

in Part 3 of this Act, section 78A, and”.

(11)

In the provisions listed in subsection (12), for “subsection (4) of that section”
substitute “section 45(4) or 78A of that Act”.

(12)

The provisions are—

(a)

section 40(4A)(b) and (5B)(d) of the Freedom of Information Act 2000
(personal data which is exempt information);

(b)

section 38(3A)(b) of the Freedom of Information (Scotland) Act 2002
(asp 13) (personal data which is exempt information);

(c)

regulation 13(3A)(b) and (5B)(d) of the Environmental Information
Regulations 2004 (S.I. 2004/3391) (restriction on disclosure of personal data);

(d)

regulation 11(4A)(b) of the Environmental Information (Scotland)
Regulations 2004 (S.S.I. 2004/520) (restriction on disclosure of personal data);

(e)

regulation 45(1C)(b) of the Civil Contingencies Act 2004 (Contingency
Planning) Regulations 2005 (S.I. 2005/2042) (personal data which is sensitive information);

(f)

regulation 39(1C)(b) of the Civil Contingencies Act 2004 (Contingency
Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494) (personal data which is sensitive information).

Intelligence services

88 Joint processing by intelligence services and competent authorities

(1)

Part 4 of the 2018 Act (intelligence services processing) is amended as follows.

(2)

In section 82 (processing to which Part 4 applies)—

(a)

before subsection (1) insert—

“(A1)

This Part—

(a)

applies to processing of personal data by an intelligence
service, and

(b)

applies to processing of personal data by a qualifying
competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).”,

(b)

in subsection (1)—

(i)

after “applies” insert “only”,

(ii)

in paragraph (a), for “the processing by an intelligence service”
substitute “processing”, and

(iii)

in paragraph (b), for “the processing by an intelligence service”
substitute “processing”,

(c)

after subsection (2) insert—

“(2A)

In this Part—


“competent authority” has the same meaning as in Part 3;


“qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.”, and

(d)

after subsection (3) insert—

“(4)

Regulations under this section are subject to the affirmative
resolution procedure.”

(3)

After section 82 insert—

“82A Designation of processing by a qualifying competent authority

(1)

For the purposes of this Part, the Secretary of State may give a notice
designating processing of personal data by a qualifying competent authority (a “designation notice”) where—

(a)

an application for designation of the processing is made in
accordance with this section, and

(b)

the Secretary of State considers that designation of the
processing is required for the purposes of safeguarding national security.

(2)

The Secretary of State may only designate processing by a qualifying
competent authority that is carried out by the authority as a joint controller with at least one intelligence service.

(3)

The Secretary of State may not designate processing by a qualifying
competent authority that consists of the transfer of personal data to—

(a)

a country or territory outside the United Kingdom, or

(b)

an international organisation.

(4)

A designation notice must—

(a)

specify or describe the processing and qualifying competent
authority that are designated, and

(b)

be given to the applicants for the designation (and see also
section 82D).

(5)

An application for designation of processing of personal data by a
qualifying competent authority must be made jointly by—

(a)

the qualifying competent authority, and

(b)

the intelligence service with which the processing is to be
carried out.

(6)

An application may be made in respect of more than one qualifying
competent authority and in respect of processing with more than one intelligence service.

(7)

The application must—

(a)

describe the processing, including the intended purposes and
means of processing, and

(b)

explain why the applicants consider that designation is required
for the purposes of safeguarding national security.

(8)

Before giving a designation notice, the Secretary of State must consult
the Commissioner.

(9)

In this section, “joint controller”, in relation to processing of personal
data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104.

82B Duration of designation notice

(1)

A designation notice must state when it comes into force.

(2)

A designation notice ceases to be in force at the earliest of the following
times—

(a)

at the end of the period of 5 years beginning when the notice
comes into force;

(b)

(if relevant) at the end of a shorter period specified in the
notice;

(c)

when the notice is withdrawn under section 82C.

(3)

The Secretary of State may give a further designation notice in respect
of processing that is, or has been, the subject of a previous designation notice.

82C Review and withdrawal of designation notice

(1)

Subsections (2) to (4) apply where processing is the subject of a
designation notice for the time being in force.

(2)

A person who applied for the designation of the processing must
notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security.

(3)

A person who applied for the designation of the processing must, on
a request from the Secretary of State, provide—

(a)

a description of the processing that is being, or is intended to
be, carried out in reliance on the notice, and

(b)

an explanation of why the person considers that designation
of the processing continues to be required for the purposes of safeguarding national security.

(4)

The Secretary of State must at least annually—

(a)

review each designation notice that is for the time being in
force, and

(b)

consider whether designation of the processing which is the
subject of the notice continues to be required for the purposes of safeguarding national security.

(5)

The Secretary of State—

(a)

may withdraw a designation notice by giving a further notice
(a “withdrawal notice”) to the persons who applied for the designation, and

(b)

must give a withdrawal notice if the Secretary of State considers
that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise).

(6)

A withdrawal notice must—

(a)

withdraw the designation notice completely, and

(b)

state when it comes into force.

(7)

In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider—

(a)

the desirability of the processing ceasing to be designated as
soon as possible, and

(b)

where relevant, the time needed to effect an orderly transition
to new arrangements for the processing of personal data.

82D Records of designation notices

(1)

Where the Secretary of State gives a designation notice—

(a)

the Secretary of State must send a copy of the notice to the
Commissioner, and

(b)

the Commissioner must publish a record of the notice.

(2)

The record must contain—

(a)

the Secretary of State’s name,

(b)

the date on which the notice was given,

(c)

the date on which the notice ceases to have effect (if not
previously withdrawn), and

(d)

subject to subsection (3), the rest of the text of the notice.

(3)

The Commissioner must not publish the text, or a part of the text, of
the notice if—

(a)

the Secretary of State has determined that publishing the text
or that part of the text—

(i)

would be against the interests of national security,

(ii)

would be contrary to the public interest, or

(iii)

might jeopardise the safety of any person, and

(b)

the Secretary of State has notified the Commissioner of that
determination.

(4)

The Commissioner must keep the record of the notice available to the
public while the notice is in force.

(5)

Where the Secretary of State gives a withdrawal notice, the Secretary
of State must send a copy of the notice to the Commissioner.

82E Appeal against designation notice

(1)

A person directly affected by a designation notice may appeal to the
Tribunal against the notice.

(2)

If, on an appeal under this section, the Tribunal finds that, applying
the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may—

(a)

allow the appeal, and

(b)

quash the notice.”

89 Joint processing: consequential amendments

(1)

The 2018 Act is amended as follows.

(2)

In section 1(5) (overview: Part 4), at the end insert “(and certain processing
carried out by competent authorities jointly with the intelligence services)”.

(3)

In section 29 (processing to which Part 3 applies), after subsection (1) insert—

“(1A)

This Part does not apply to processing to which Part 4 applies by
virtue of a designation notice (see section 82A).”

(4)

In section 83 (meaning of “controller” and “processor” in Part 4)—

(a)

before subsection (1) insert—

“(A1)

For the purposes of this Part—

(a)

an intelligence service is the “controller” in relation to
the processing of personal data if it satisfies subsection (1) alone or jointly with others, and

(b)

a qualifying competent authority is the “controller” in
relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.”,

(b)

in subsection (1), for the words before paragraph (a) substitute “This
subsection is satisfied by a person who—”, and

(c)

in subsection (2), for “intelligence service on which” substitute “person
on whom”.

(5)

In section 84 (other definitions)—

(a)

after subsection (2) insert—

“(2A)

“Designation notice” has the meaning given in section 82A.”, and

(b)

before subsection (7) insert—

“(6B)

“Withdrawal notice” has the meaning given in section 82C.”

(6)

In section 104(1) (joint controllers), for “intelligence services” substitute
“controllers”.

(7)

In section 202(1)(a)(i) (proceedings in the First-tier Tribunal: contempt) after
“79,” insert “82E,”.

(8)

In section 203(1) (Tribunal Procedure Rules), after “79,” insert “82E,”.

(9)

In section 206 (index of defined expressions), in the Table—

(a)

in the entry for “competent authority”—

(i)

for “Part 3” substitute “Parts 3 and 4”, and

(ii)

for “section 30” substitute “sections 30 and 82”, and

(b)

at the appropriate places insert—

“designation notice (in Part 4)

section 84”;

“qualifying competent authority (in Part 4)

section 82”;

“withdrawal notice (in Part 4)

section 84”.

Information Commissioner’s role

90 Duties of the Commissioner in carrying out functions

(1)

The 2018 Act is amended as follows.

(2)

Omit section 2(2) (duty of Commissioner when carrying out functions).

(3)

After section 120 insert—

“Duties in carrying out functions

120A Principal objective

It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—

(a)

to secure an appropriate level of protection for personal data,
having regard to the interests of data subjects, controllers and others and matters of general public interest, and

(b)

to promote public trust and confidence in the processing of
personal data.

120B Duties in relation to functions under the data protection legislation

In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—

(a)

the desirability of promoting innovation;

(b)

the desirability of promoting competition;

(c)

the importance of the prevention, investigation, detection and
prosecution of criminal offences;

(d)

the need to safeguard public security and national security;

(e)

the fact that children may be less aware of the risks and
consequences associated with processing of personal data and of their rights in relation to such processing.

120C Strategy

(1)

The Commissioner must prepare a strategy for carrying out the
Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under—

(a)

sections 120A and 120B,

(b)

section 108 of the Deregulation Act 2015 (exercise of regulatory
functions: economic growth), and

(c)

section 21 of the Legislative and Regulatory Reform Act 2006
(exercise of regulatory functions: principles).

(2)

The Commissioner must—

(a)

review the strategy from time to time, and

(b)

revise the strategy as appropriate.

(3)

The Commissioner must publish the strategy and any revised strategy.

120D Duty to consult other regulators

(1)

The Commissioner must, at such times as the Commissioner considers
appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.

(2)

The persons are—

(a)

such persons exercising regulatory functions as the
Commissioner considers appropriate;

(b)

such other persons as the Commissioner considers appropriate.

(3)

In this section, “regulatory function” has the meaning given by section
111 of the Deregulation Act 2015.”

(4)

In section 139 (reporting to Parliament), after subsection (1) insert—

“(1A)

In connection with the Commissioner’s functions under the data
protection legislation, the report must contain (among other things)—

(a)

a review of what the Commissioner has done during the
reporting period to comply with the duties under—

(i)

sections 120A and 120B,

(ii)

section 108 of the Deregulation Act 2015, and

(iii)

section 21 of the Legislative and Regulatory Reform Act
2006,

including a review of the operation of the strategy prepared and published under section 120C;

(b)

a review of what the Commissioner has done during the
reporting period to comply with the duty under section 120D.

(1B)

In subsection (1A), “the reporting period” means the period to which
the report relates.”

(5)

The Commissioner must prepare and publish a strategy in accordance with section 120C of the 2018 Act before the end of the period of 18 months
beginning with the day on which this section comes into force.

91 Codes of practice for the processing of personal data

(1)

The 2018 Act is amended in accordance with subsections (2) to (6).

(2)

After section 124 insert—

“124A Other codes of practice

(1)

The Commissioner must prepare appropriate codes of practice giving
guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.

(2)

Regulations under this section—

(a)

must describe the personal data or processing to which the
code of practice is to relate, and

(b)

may describe the persons or classes of person to whom it is to
relate.

(3)

Where a code under this section is in force, the Commissioner may
prepare amendments of the code or a replacement code.

(4)

Before preparing a code or amendments under this section, the
Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)

trade associations;

(b)

data subjects;

(c)

persons who appear to the Commissioner to represent the
interests of data subjects.

(5)

A code under this section may include transitional provision or savings.

(6)

Regulations under this section are subject to the negative resolution
procedure.

(7)

In this section—


“good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation;


“trade association” includes a body representing controllers or processors.”

(3)

In section 125 (approval of codes prepared under sections 121 to 124)—

(a)

in the heading, for “124” substitute “124A”,

(b)

in subsection (1), for “or 124” substitute “, 124 or 124A”,

(c)

in subsection (3), for “or 124” substitute “, 124 or 124A”,

(d)

for subsection (5) substitute—

“(5)

If the Commissioner is prevented by subsection (3) from issuing
a code that is not a replacement code, the Commissioner must prepare another version of the code.”, and

(e)

in subsection (9), for “or 124” substitute “, 124 or 124A”.

(4)

In section 126 (publication and review of codes issued under section 125(4)),
in subsection (4), for “or 124(2)” substitute “, 124A(2) or 124A(3)”.

(5)

Omit section 128 (other codes of practice).

(6)

In section 129 (consensual audits), in subsection (3), for “128” substitute “124A”.

(7)

In section 19AC of the Registration Service Act 1953 (code of practice), in
subsection (11), for “128” substitute “124A”.

(8)

In the Statistics and Registration Service Act 2007—

(a)

in section 45 (information held by HMRC), in subsection (4A), for
“128” substitute “124A”,

(b)

in section 45A (information held by other public authorities), in
subsection (8), for “128” substitute “124A”,

(c)

in section 45E (further provisions about powers in sections 45B, 45C
and 45D), in subsection (16), for “128” substitute “124A”, and

(d)

in section 53A (disclosure by the Board to devolved administrations),
in subsection (9), for “128” substitute “124A”.

(9)

In the Digital Economy Act 2017—

(a)

in section 43 (code of practice), in subsection (13), for “128” substitute
“124A”,

(b)

in section 52 (code of practice), in subsection (13), for “128” substitute
“124A”,

(c)

in section 60 (code of practice), in subsection (13), for “128” substitute
“124A”, and

(d)

in section 70 (code of practice), in subsection (15), for “128” substitute
“124A”.

92 Codes of practice: panels and impact assessments

In the 2018 Act, after section 124A (inserted by section 91 of this Act) insert—

“124B Panels to consider codes of practice

(1)

This section applies where a code is prepared under section 121, 122,
123, 124 or 124A, subject to subsection (11).

(2)

The Commissioner must establish a panel of individuals to consider
the code.

(3)

The panel must consist of—

(a)

individuals the Commissioner considers have expertise in the
subject matter of the code, and

(b)

individuals the Commissioner considers—

(i)

are likely to be affected by the code, or

(ii)

represent persons likely to be affected by the code.

(4)

Before the panel begins to consider the code, the Commissioner must—

(a)

publish the code in draft, and

(b)

publish a statement that—

(i)

states that a panel has been established to consider the
code,

(ii)

identifies the members of the panel,

(iii)

explains the process by which they were selected, and

(iv)

explains the reasons for their selection.

(5)

Where at any time it appears to the Commissioner that a member of
the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel.

(6)

Where the Commissioner selects an individual to be a member of the
panel under subsection (5), the Commissioner must publish a statement that—

(a)

identifies the member of the panel,

(b)

explains the process by which the member was selected, and

(c)

explains the reasons for the member’s selection.

(7)

The Commissioner must make arrangements—

(a)

for the members of the panel to consider the code with one
another (whether in person or otherwise), and

(b)

for the panel to prepare and submit to the Commissioner a
report on the code within such reasonable period as is determined by the Commissioner.

(8)

If the panel submits to the Commissioner a report on the code within
the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable—

(a)

make any alterations to the code that the Commissioner
considers appropriate in the light of the report, and

(b)

publish—

(i)

the code in draft,

(ii)

the report or a summary of it, and

(iii)

in a case where a recommendation in the report to alter
the code has not been accepted by the Commissioner, an explanation of why it has not been accepted.

(9)

The Commissioner may pay remuneration and expenses to the
members of the panel.

(10)

This section applies in relation to amendments prepared under section
121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11).

(11)

The Secretary of State may by regulations provide that this section
does not apply, or applies with modifications, in the case of a code or amendments of a code that—

(a)

is prepared under section 124A, and

(b)

is specified in the regulations.

(12)

Regulations under this section are subject to the negative resolution
procedure.

124C Impact assessments for codes of practice

(1)

Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of—

(a)

who would be likely to be affected by the code, and

(b)

the effect the code would be likely to have on them.

(2)

This section applies in relation to amendments prepared under section
121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.”

93 Manifestly unfounded or excessive requests to the Commissioner

(1)

The 2018 Act is amended in accordance with subsections (2) and (3).

(2)

In section 135 (manifestly unfounded or excessive requests made to the
Commissioner)—

(a)

before subsection (1) insert—

“(A1)

This section makes provision about cases in which a request
made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.”,

(b)

in subsection (1) omit the words from the beginning to “excessive,”,

(c)

after subsection (1) insert—

“(1A)

In subsection (1)—

(a)

the reference in paragraph (a) to charging a reasonable
fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and

(b)

paragraph (b) is not to be read as implying anything
about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.”,

(d)

in subsection (3), for “(1)” substitute “(A1)”,

(e)

omit subsection (4), and

(f)

after that subsection insert—

“(5)

Article 57(3) of the UK GDPR (performance of Information
Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.”

(3)

In section 136(1) (guidance about fees), omit paragraph (b) and the “or” before
it.

(4)

In Article 57 of the UK GDPR (Information Commissioner’s tasks), omit
paragraph 4.

94 Analysis of performance

In the 2018 Act, after section 139 insert—

“139A Analysis of performance

(1)

The Commissioner must prepare and publish an analysis of the
Commissioner’s performance using key performance indicators.

(2)

The analysis must be prepared and published at least annually.

(3)

In this section, “key performance indicators” means factors by reference
to which the Commissioner’s performance can be measured most effectively.

Documents and notices”.

95 Notices from the Commissioner

(1)

The 2018 Act is amended in accordance with subsections (2) and (3).

(2)

Omit section 141 (notices from the Commissioner).

(3)

After that section insert—

“141A Notices from the Commissioner

(1)

This section applies in relation to a notice authorised or required by
this Act to be given to a person by the Commissioner.

(2)

The notice may be given to the person by—

(a)

delivering it by hand to a relevant individual,

(b)

leaving it at the person’s proper address,

(c)

sending it by post to the person at that address, or

(d)

sending it by email to the person’s email address.

(3)

A “relevant individual” means—

(a)

in the case of a notice to an individual, that individual;

(b)

in the case of a notice to a body corporate (other than a
partnership), an officer of that body;

(c)

in the case of a notice to a partnership, a partner in the
partnership or a person who has the control or management of the partnership business;

(d)

in the case of a notice to an unincorporated body (other than
a partnership), a member of its governing body.

(4)

For the purposes of subsection (2)(b) and (c), and section 7 of the
Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—

(a)

in a case where the person has specified an address as one at
which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;

(b)

in any other case, the address determined in accordance with
subsection (5).

(5)

The address is—

(a)

in a case where the person is a body corporate with a registered
office in the United Kingdom, that office;

(b)

in a case where paragraph (a) does not apply and the person
is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;

(c)

in any other case, an address in the United Kingdom at which
the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.

(6)

A person’s email address is—

(a)

an email address published for the time being by that person
as an address for contacting that person, or

(b)

if there is no such published address, an email address by
means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.

(7)

A notice sent by email is treated as given 48 hours after it was sent,
unless the contrary is proved.

(8)

In this section, “officer”, in relation to a body corporate, means a
director, manager, secretary or other similar officer of the body.

(9)

This section does not limit other lawful means of giving a notice.”

(4)

In Schedule 2 to the Electronic Identification and Trust Services for Electronic
Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for “141” substitute “141A”.

Enforcement

96 Power of the Commissioner to require documents

(1)

The 2018 Act is amended as follows.

(2)

In section 142 (information notices)—

(a)

in subsection (1)—

(i)

in paragraph (a), after “information” insert “or documents”,
and

(ii)

in paragraph (b), after “information” insert “or documents”,

(b)

in subsection (2)(b), after “information” insert “or documents”,

(c)

in subsection (3)—

(i)

in paragraph (a), after “information”, in both places it occurs,
insert “or documents”,

(ii)

in paragraph (b), after “information” insert “or documents”,

(iii)

in paragraph (c), after “information” insert “or documents”,
and

(iv)

in paragraph (d), after “information” insert “or documents”,

(d)

in subsection (5), after “information”, in the second place it occurs,
insert “or documents”,

(e)

in subsection (6), after “information”, in the second place it occurs,
insert “or documents”, and

(f)

in subsection (7)—

(i)

in paragraph (a), for “is” substitute “or documents are”, and

(ii)

in the words after paragraph (b), after “information” insert “or
documents”.

(3)

In section 143 (information notices: restrictions)—

(a)

in subsection (1)(b)(ii), for “is” substitute “or documents are”,

(b)

in subsection (2), after “information”, in the second place it occurs,
insert “or documents”,

(c)

in subsection (3), for “in respect” substitute “or documents to the extent
that requiring the person to do so would result in the disclosure”,

(d)

in subsection (4), for “in respect” substitute “or documents to the extent
that requiring the person to do so would result in the disclosure”, and

(e)

in subsection (6), after “information”, in the second place it occurs,
insert “or documents”.

(4)

In section 145 (information orders)—

(a)

in subsection (2)—

(i)

in paragraph (a), after “information”, in the first place it occurs,
insert “or documents”, and

(ii)

in paragraph (b), after “information” insert “or documents”,
and

(b)

in subsection (3)—

(i)

in paragraph (a), after “information” insert “or documents”,

(ii)

in paragraph (b), after “information” insert “or documents”,
and

(iii)

in paragraph (c), after “information” insert “or documents”.

(5)

In section 148(1) (destroying or falsifying information and documents etc), in
paragraph (a), after “information”, in the second place it occurs, insert “or a document”.

(6)

In section 160 (guidance about regulatory action), in subsection (3)(a), for “is”
substitute “or documents are”.

(7)

In Schedule 17 (review of processing of personal data for the purposes of
journalism), in paragraph 2(2) (information notices)—

(a)

in paragraph (a), for “is” substitute “or documents are”, and

(b)

in the words after paragraph (b), after “information” insert “or
documents”.

97 Power of the Commissioner to require a report

(1)

The 2018 Act is amended as follows.

(2)

In section 146 (assessment notices)—

(a)

in subsection (2), after paragraph (i), insert—

“(j)

make arrangements for an approved person to prepare
a report on a specified matter;

(k)

provide to the Commissioner a report prepared in
pursuance of such arrangements.”,

(b)

after subsection (3) insert—

“(3A)

An assessment notice that requires a controller or processor to
make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to—

(a)

the preparation of the report;

(b)

the contents of the report;

(c)

the form in which the report is to be provided;

(d)

the date by which the report is to be completed.”,

(c)

after subsection (11) insert—

“(11A)

Where the Commissioner gives an assessment notice that
requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.”, and

(d)

in subsection (12), before the definition of “domestic premises” insert—

““approved person”, in relation to a report, means a person approved to prepare the report in accordance with section 146A;”.

(3)

After section 146 insert—

“146A Assessment notices: approval of person to prepare report etc

(1)

This section applies where an assessment notice requires a controller
or processor to make arrangements for an approved person to prepare a report.

(2)

The controller or processor must, within such period as is specified
in the assessment notice, nominate to the Commissioner a person to prepare the report.

(3)

If the Commissioner is satisfied that the nominated person is a suitable
person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report.

(4)

If the Commissioner is not satisfied that the nominated person is a
suitable person to prepare the report, the Commissioner must by written notice to the controller or processor—

(a)

inform the controller or processor that the Commissioner has
decided not to approve the nominated person to prepare the report,

(b)

inform the controller or processor of the reasons for that
decision, and

(c)

approve a person who the Commissioner is satisfied is a
suitable person to prepare the report to do so.

(5)

If the controller or processor does not nominate a person within the
period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so.

(6)

It is the duty of the controller or processor to give the person approved
to prepare the report all such assistance as the person may reasonably require to prepare the report.”

(4)

In section 155 (penalty notices), in subsection (1)—

(a)

omit the “or” at the end of paragraph (a), and

(b)

at the end of paragraph (b) insert “, or

(c)

has failed to comply with a duty imposed on the person by section 146A(6).”

(5)

In section 160 (guidance about regulatory action), in subsection (4), after
paragraph (a) insert—

“(aa)

provision specifying factors to be considered in determining
whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j);

(ab)

provision about the factors the Commissioner may take into
account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);”.

98 Assessment notices: removal of OFSTED restriction

In section 147 of the 2018 Act (assessment notices: restrictions), in subsection (6), omit paragraph (b) and the “or” before it.

99 Interview notices

(1)

The 2018 Act is amended as follows.

(2)

After section 148 insert—

“Interview notices

148A Interview notices

(1)

This section applies where the Commissioner suspects that a controller
or processor—

(a)

has failed or is failing as described in section 149(2), or

(b)

has committed or is committing an offence under this Act.

(2)

For the purpose of investigating the suspected failure or offence, the
Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to—

(a)

attend at a place specified in the notice, and

(b)

answer questions with respect to any matter relevant to the
investigation.

(3)

An individual is within this subsection if the individual—

(a)

is the controller or processor,

(b)

is or was at any time employed by, or otherwise working for,
the controller or processor, or

(c)

is or was at any time concerned in the management or control
of the controller or processor.

(4)

An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)).

(5)

An interview notice must—

(a)

indicate the nature of the suspected failure or offence that is
the subject of the investigation,

(b)

provide information about the consequences of failure to
comply with the notice, and

(c)

provide information about the rights under sections 162 and
164 (appeals etc).

(6)

An interview notice may not require an individual to attend at the
specified place and answer questions before the end of the period within which an appeal can be brought against the notice.

(7)

If an appeal is brought against an interview notice, the individual to
whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal.

(8)

If an interview notice—

(a)

states that, in the Commissioner’s opinion, it is necessary for
the individual to attend at the specified place and answer questions urgently, and

(b)

gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.

(9)

The Commissioner may cancel or vary an interview notice by written
notice to the individual to whom it was given.

148B Interview notices: restrictions

(1)

An interview notice does not require an individual to answer questions
to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.

(2)

An interview notice does not require an individual to answer questions
in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client,
and

(b)

in connection with the giving of legal advice to the client with
respect to obligations, liabilities or rights under the data protection legislation.

(3)

An interview notice does not require an individual to answer questions
in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client
or between such an adviser or client and another person,

(b)

in connection with or in contemplation of proceedings under
or arising out of the data protection legislation, and

(c)

for the purposes of such proceedings.

(4)

In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client.

(5)

An interview notice does not require an individual to answer questions
if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence.

(6)

The reference to an offence in subsection (5) does not include an offence
under—

(a)

this Act;

(b)

section 5 of the Perjury Act 1911 (false statements made
otherwise than on oath);

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland)
Act 1995 (false statements made otherwise than on oath);

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I.
1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(7)

A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings—

(a)

in giving evidence the individual provides information
inconsistent with the statement, and

(b)

evidence relating to the statement is adduced, or a question
relating to it is asked, by that individual or on that individual’s behalf.

(8)

The Commissioner may not give an interview notice with respect to
the processing of personal data for the special purposes.

(9)

The Commissioner may not give an interview notice to an individual
for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters).

148C False statements made in response to interview notices

It is an offence for an individual, in response to an interview notice—

(a)

to make a statement which the individual knows to be false in
a material respect, or

(b)

recklessly to make a statement which is false in a material
respect.”

(3)

In section 149 (enforcement notices), in subsection (9)(b)—

(a)

after “an assessment notice” insert “, an interview notice”, and

(b)

after “147” insert “, 148A, 148B”.

(4)

In section 155 (penalty notices), in subsection (1)(b), after “assessment notice”
insert “, an interview notice”.

(5)

In section 157 (maximum amount of penalty), in subsection (4), after
“assessment notice” insert “, an interview notice”.

(6)

In section 160 (guidance about regulatory action)—

(a)

in subsection (1), after paragraph (b) insert—

“(ba)

interview notices,”, and

(b)

after subsection (5) insert—

“(5A)

In relation to interview notices, the guidance must include—

(a)

provision specifying factors to be considered in
determining whether to give an interview notice to an individual;

(b)

provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases);

(c)

provision about the circumstances in which the
Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given;

(d)

provision about the nature of interviews carried out in
accordance with an interview notice;

(e)

provision about how the Commissioner will determine
how to proceed if an individual does not comply with an interview notice.”

(7)

In section 162 (rights of appeal), in subsection (1), after paragraph (b) insert—

“(ba)

an interview notice;”.

(8)

In section 164 (applications in respect of urgent notices)—

(a)

in subsection (1), after “assessment notice” insert “, an interview notice”,
and

(b)

in subsection (5), after paragraph (b) (but before the “and” at the end
of that paragraph) insert—

“(ba)

in relation to an interview notice, a statement under section 148A(8)(a),”.

(9)

In section 181 (interpretation of Part 6), at the appropriate place, insert—

““interview notice” has the meaning given in section 148A;”.

(10)

In section 196 (penalties for offences), in subsection (2), after “148,” insert “148C,”.

(11)

In section 206 (index of defined expressions), at the appropriate place, insert—

“interview notice (in Part 6)

section 181”.

(12)

In Schedule 17 (review of processing of personal data for the purposes of
journalism)—

(a)

after paragraph 3 insert—

“Interview notices

3A

(1)

Sub-paragraph (2) applies where the Commissioner gives an
interview notice to an individual during a relevant period.

(2)

If the interview notice—

(a)

states that, in the Commissioner’s opinion, it is
necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and

(b)

gives the Commissioner’s reasons for reaching that
opinion,

subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.

(3)

During a relevant period, section 148B has effect as if for
subsection (8) there were substituted—

“(8)

The Commissioner may not give an individual an
interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.”

(b)

in paragraph 4 (applications in respect of urgent notices)—

(i)

for “or assessment notice” substitute “, assessment notice or
interview notice”,

(ii)

for “or 3(2)(a)” substitute “, 3(2)(a) or 3A(2)(a)”, and

(iii)

for “or 146(8)(a)” substitute “, 146(8)(a) or 148A(8)(a)”.

100 Penalty notices

(1)

The 2018 Act is amended as follows.

(2)

In paragraph 2 of Schedule 16 (notice of intent to impose penalty), omit
sub-paragraphs (2) and (3).

(3)

In paragraph 4 of that Schedule (giving a penalty notice)—

(a)

before sub-paragraph (1) insert—

“(A1)

This paragraph applies where the Commissioner gives a notice
of intent to a person.

(A2)

Within the period of 6 months beginning when the notice is
given, or as soon as reasonably practicable thereafter, the Commission must give to the person—

(a)

a penalty notice, or

(b)

written notice that the Commissioner has decided not
to give a penalty notice to the person.”,

(b)

in sub-paragraph (1)—

(i)

at the beginning, insert “But”, and

(ii)

after “penalty notice” insert “to the person”, and

(c)

in sub-paragraph (2), for “a person” substitute “the person”.

(4)

In section 160 (guidance about regulatory action), in subsection (7), after
paragraph (d) insert—

“(e)

provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.”

101 Annual report on regulatory action

(1)

The 2018 Act is amended as follows.

(2)

In section 139 (reporting to Parliament), before subsection (3) insert—

“(2A)

The report under this section may include the annual report under section 161A.”

(3)

In the italic heading before section 160, at the end insert “and report”.

(4)

After section 161 insert—

“161A Annual report on regulatory action

(1)

The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5).

(2)

The report must include the following information about UK GDPR
investigations—

(a)

the number of investigations begun, continued or completed
by the Commissioner during the reporting period,

(b)

the different types of act and omission that were the subject
matter of the investigations,

(c)

the enforcement powers exercised by the Commissioner in the
reporting period in connection with the investigations,

(d)

the duration of investigations that ended in the reporting
period, and

(e)

the different types of outcome in investigations that ended in
that period.

(3)

The report must include information about the enforcement powers
exercised by the Commissioner in the reporting period in connection with—

(a)

processing of personal data by a competent authority for any
of the law enforcement purposes, and

(b)

processing of personal data to which Part 4 applies.

(4)

The information included in the report in accordance with subsections (2) and (3) must include information about—

(a)

the number of penalty notices given in the reporting period
that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and

(b)

the reasons why that happened.

(5)

The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3).

(6)

In this section—


“enforcement powers” means the powers under—

(a)

Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,

(b)

sections 142 to 159 of this Act,

(c)

paragraph 2(a), (b) and (c) of Schedule 13 to this Act,

(d)

Schedules 15 and 16 to this Act;

“the law enforcement purposes” has the meaning given in section 31 of this Act;

“the reporting period” means the period to which the report relates;

“UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).”

102 Complaints by data subjects

(1)

The 2018 Act is amended in accordance with subsections (2) and (3).

(2)

Before section 165 (but after the italic heading before it) insert—

“164A Complaints by data subjects to controllers

(1)

A data subject may make a complaint to the controller if the data
subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.

(2)

A controller must facilitate the making of complaints under this section
by taking steps such as providing a complaint form which can be completed electronically and by other means.

(3)

If a controller receives a complaint under this section, the controller
must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.

(4)

If a controller receives a complaint under this section, the controller
must without undue delay—

(a)

take appropriate steps to respond to the complaint, and

(b)

inform the complainant of the outcome of the complaint.

(5)

The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—

(a)

making enquiries into the subject matter of the complaint, to
the extent appropriate, and

(b)

informing the complainant about progress on the complaint.

164B Controllers to notify the Commissioner of the number of complaints

(1)

The Secretary of State may by regulations require a controller to notify
the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.

(2)

Regulations under this section may provide that a controller is required
to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.

(3)

Regulations under this section may include—

(a)

provision about a matter listed in subsection (4), or

(b)

provision conferring power on the Commissioner to determine
those matters.

(4)

The matters are—

(a)

the form and manner in which a notification must be made,

(b)

the time at which, or period within which, a notification must
be made, and

(c)

how the number of complaints made to a controller during a
period is to be calculated.

(5)

Regulations under this section are subject to the negative resolution
procedure.”

(3)

In section 165 (complaints by data subjects to the Commissioner)—

(a)

omit subsection (1), and

(b)

in subsection (2), after “infringement of” insert “the UK GDPR or”.

(4)

The UK GDPR is amended in accordance with subsections (5) and (6).

(5)

In Article 57 (Information Commissioner’s tasks)—

(a)

in paragraph 1, omit point (f), and

(b)

omit paragraph 2.

(6)

Omit Article 77 (right to lodge a complaint with the Commissioner).

(7)

Schedule 10 to this Act contains minor and consequential amendments.

103 Court procedure in connection with subject access requests

(1)

The 2018 Act is amended as follows.

(2)

For the italic heading before section 180 substitute—

“Jurisdiction and court procedure”.

(3)

After section 180 insert—

“180A Procedure in connection with subject access requests

(1)

This section applies where a court is required to determine whether
a data subject is entitled to information by virtue of a right under—

(a)

Article 15 of the UK GDPR (right of access by the data subject);

(b)

Article 20 of the UK GDPR (right to data portability);

(c)

section 45 of this Act (law enforcement processing: right of
access by the data subject);

(d)

section 94 of this Act (intelligence services processing: right of
access by the data subject).

(2)

The court may require the controller to make available for inspection
by the court so much of the information as is available to the controller.

(3)

But, unless and until the question in subsection (1) has been determined
in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.

(4)

Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.”

104 Consequential amendments to the EITSET Regulations

(1)

Schedule 2 to the Electronic Identification and Trust Services for Electronic
Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers) is amended as follows.

(2)

In paragraph 1 (provisions of the 2018 Act applied for enforcement purposes)—

(a)

after paragraph (g) insert—

“(ga)

section 146A (assessment notices: approval of person
to prepare report etc);”, and

(b)

after paragraph (i) insert—

“(ia)

section 148A (interview notices);

(ib)

section 148B (interview notices: restrictions);

(ic)

section 148C (false statements made in response
to interview notices);”.

(3)

In paragraph 4(2) (modification of section 143 (information notices:
restrictions))—

(a)

in paragraph (b), for “or 148” substitute “, 148 or 148C”, and

(b)

in paragraph (c), after “148” insert “or 148C”.

(4)

In paragraph 6 (modification of section 146 (assessment notices)), in
sub-paragraph (2)—

(a)

for paragraph (b) substitute—

“(b)

subsection (2) has effect as if—

(i)

for “controller or processor” there were
substituted “trust service provider”;

(ii)

paragraphs (h) and (i) were omitted;”,

(b)

in paragraph (c), for “subsections (7), (8), (9) and (10)” substitute
“subsections (3A), (7), (8), (9), (10) and (11A)”, and

(c)

in paragraph (d), for “or 148” substitute “, 148 or 148C”.

(5)

After paragraph 6 insert—

“Modification of section 146A (assessment notices: approval of person to prepare report etc)

6A

Section 146A has effect as if for “controller or processor” (in each
place) there were substituted “trust service provider”.”

(6)

After paragraph 7 insert—

“Modification of section 148A (interview notices)

7A

Section 148A has effect as if—

(a)

in subsection (1)—

(i)

for “controller or processor” there were substituted
“trust service provider”;

(ii)

in paragraph (a), for “as described in section 149(2)”
there were substituted “to comply with the eIDAS requirements”;

(iii)

in paragraph (b), for “this Act” there were substituted
“section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(b)

in subsection (3), for “controller or processor” (in each place)
there were substituted “trust service provider”.

Modification of section 148B (interview notices: restrictions)

7B

(1)

Section 148B has effect as if subsections (8) and (9) were omitted.

(2)

In that section—

(a)

subsections (2)(b) and (3)(b) have effect as if for “the data
protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b)

subsection (6)(a) has effect as if for “this Act” there were
substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.”

(7)

In paragraph 12 (modification of Schedule 15 (powers of entry and inspection)), in sub-paragraph (2), in the substituted paragraph (a), for “or 148” substitute “, 148 or 148C”.

(8)

In paragraph 13 (modification of section 155 (penalty notices)), in
sub-paragraph (3)(c), for “for “data subjects”” there were substituted “for the words from “data subjects” to the end”.

(9)

Omit paragraph 21 (modification of section 182 (regulations and consultation))
and the heading before it.

(10)

In paragraph 22 (modification of section 196 (penalties for offences)), in
sub-paragraph (2)(b)—

(a)

after “148”, in the first place it occurs, insert “, 148C”, and

(b)

for “or 148” substitute “, 148 or 148C”.

Protection of prohibitions, restrictions and data subject’s rights

105 Protection of prohibitions, restrictions and data subject’s rights

(1)

The 2018 Act is amended in accordance with subsections (2) to (5).

(2)

After section 183 insert—

“Prohibitions and restrictions etc on processing

183A Protection of prohibitions and restrictions etc on processing: relevant
enactments

(1)

A relevant enactment or rule of law which imposes a duty, or confers
a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data.

(2)

Subsection (1) does not apply—

(a)

to a relevant enactment forming part of the main data
protection legislation, or

(b)

to the extent that an enactment makes express provision to the
contrary referring to this section or to the main data protection legislation (or a provision of that legislation).

(3)

Subsection (1) does not prevent a duty or power to process personal
data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.

(4)

In this section—


“the main data protection legislation” means the data protection legislation other than provision of or made under—

(a)

Chapter 6 or 8 of the UK GDPR, or

(b)

Parts 5 to 7 of this Act;

“relevant enactment” means an enactment so far as passed or made on or after the day on which section 105(2) of the Data (Use and Access) Act 2024 comes into force;

“requirement” includes a prohibition or restriction.

(5)

The reference in subsection (1) to an enactment or rule of law which
imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)—

(a)

by authorising one person to require another person to process
personal data, or

(b)

by removing restrictions on processing personal data,

and the references in subsection (3) to a duty or power are to be read accordingly.”

(3)

Before section 184 (and the italic heading before it) insert—

“183B Protection of prohibitions and restrictions etc on processing: other
enactments

(1)

This section is about the relationship between—

(a)

a pre-commencement enactment which imposes a duty, or
confers a power, to process personal data, and

(b)

a provision of the main data protection legislation containing
a requirement relating to the processing of personal data.

(2)

The relationship is not changed by section 5(A1) of the European
Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3)

Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.

(4)

Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.

(5)

In this section—

(a)

“the main data protection legislation” and “requirement” have the same meaning as in section 183A, and

(b)

“pre-commencement enactment” means an enactment so far as passed or made before the day on which section 105(2) of the Data (Use and Access) Act 2024 comes into force.

(6)

Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).”

(4)

In section 186 (data subject’s rights and other prohibitions and restrictions)—

(a)

for the heading substitute “Protection of data subject’s rights”,

(b)

in subsection (1) omit “, except as provided by or under the provisions
listed in subsection (3)”,

(c)

after subsection (2) insert—

“(2A)

Subsection (1) does not apply—

(a)

to an enactment contained in, or made under, a
provision listed in subsection (2),

(b)

to an enactment contained in, or made under, a
provision listed in subsection (3),

(c)

to the extent that an enactment makes express provision
to the contrary referring to this section or to a provision listed in subsection (2), or

(d)

to the extent that subsection (1) is disapplied by section 186A(3).”, and

(d)

in subsection (3)—

(i)

for “provisions providing exceptions” substitute “provisions referred to in subsection (2A)(b)”, and

(ii)

omit paragraph (c) (and the “and” after it).

(5)

After section 186 insert—

“186A Protection of data subject’s rights: further provision

(1)

This section is about the relationship between—

(a)

a pre-commencement enactment which prohibits or restricts
the disclosure of information or authorises the withholding of information, and

(b)

a provision of the UK GDPR or this Act listed in section 186(2).

(2)

The relationship is not changed by section 5(A1) of the European
Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3)

Subsection (1) of section 186 does not apply to the relationship so far
as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).

(4)

Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.

(5)

In this section, “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 105(4) of the Data (Use and Access) Act 2024 comes into force, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).”

(6)

In section 5 of the European Union (Withdrawal) Act 2018 (exceptions to
savings and incorporation), in subsection (A3)(a)—

(a)

for “section” substitute “sections 183A and”,

(b)

for “(data subject’s rights and other prohibitions and restrictions)”
substitute “(protection of prohibitions, restrictions and data subject’s rights)”, and

(c)

at the end insert “(and see also section 183B(3) of that Act)”.

(7)

Subsections (3), (5) and (6)(c) are to be treated as having come into force on
1 January 2024.

Miscellaneous

106 Regulations under the UK GDPR

(1)

In the UK GDPR, after Chapter 9 insert—

“CHAPTER 9A Regulations

Article 91A Regulations made by Secretary of State

1.

This Article makes provision about regulations made by the Secretary
of State under this Regulation (“UK GDPR regulations”).

2.

Before making UK GDPR regulations, the Secretary of State must
consult—

(a)

the Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

3.

Paragraph 2 does not apply to regulations made under Article 49 or
49A where the Secretary of State has made an urgency statement in respect of them.

4.

UK GDPR regulations may—

(a)

make different provision for different purposes;

(b)

include consequential, supplementary, incidental, transitional,
transitory or saving provision.

5.

UK GDPR regulations are to be made by statutory instrument.

6.

For the purposes of this Regulation, where regulations are subject to
“the negative resolution procedure”, the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.

7.

For the purposes of this Regulation, where regulations are subject to
“the affirmative resolution procedure”, the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament.

8.

For the purposes of this Regulation, where regulations are subject to
“the made affirmative resolution procedure”—

(a)

the statutory instrument containing the regulations must be laid
before Parliament after being made, together with the urgency statement in respect of them, and

(b)

the regulations cease to have effect at the end of the period of
120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament.

9.

In calculating the period of 120 days, no account is to be taken of any
whole days that fall within a period during which—

(a)

Parliament is dissolved or prorogued, or

(b)

both Houses of Parliament are adjourned for more than 4 days.

10.

Where regulations cease to have effect as a result of paragraph 8, that
does not—

(a)

affect anything previously done under the regulations, or

(b)

prevent the making of new regulations.

11.

Any provision that may be included in UK GDPR regulations subject
to the negative resolution procedure may be made by regulations made under this Regulation or another enactment that are subject to the affirmative resolution procedure or the made affirmative resolution procedure.

12.

A requirement under this Article to consult may be satisfied by
consultation before, as well as by consultation after, the provision conferring the power to make regulations comes into force.

13.

In this Article, “urgency statement”, in relation to regulations, means
a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”

(2)

In section 3(9) of the 2018 Act (definition of “data protection legislation”), in
paragraph (d), after “Act” insert “or the UK GDPR”.

107 Further minor provision about data protection

Schedule 11 contains further minor provision about data protection.

Chapter 2 Privacy and electronic communications

108 The PEC Regulations

In this Chapter, “the PEC Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).

109 Interpretation of the PEC Regulations

(1)

Regulation 2 of the PEC Regulations (interpretation) is amended as follows.

(2)

In paragraph (1)—

(a)

in the definition of “call”, at the end insert “, and a reference to making
a call includes a reference to attempting to establish such a connection”,

(b)

in the definition of “communication”—

(i)

for “exchanged or conveyed between” substitute “transmitted
to”, and

(ii)

for “conveyed”, in the second place it occurs, substitute
“transmitted”, and

(c)

at the appropriate place insert—

““direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;”.

(3)

After paragraph (1) insert—

“(1A)

In the application of these Regulations in relation to—

(a)

information that is sent but not received,

(b)

a communication that is transmitted but not received,

(c)

an electronic mail that is sent but not received, or

(d)

an unsuccessful attempt to make a call,

a reference to the recipient of the information, communication, electronic mail or call is to be read as a reference to the intended recipient.”

(4)

In paragraph (4) omit “, without prejudice to paragraph (3),”.

(5)

After that paragraph insert—

“(5)

References in these Regulations to a period expressed in hours, days,
weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except that Article 3(4) of that Regulation does not apply to the interpretation of a reference to a period in regulation 16A.

(6)

In paragraph (5), “the Periods of Time Regulation” means Regulation
(EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

110 Duty to notify the Commissioner of personal data breach: time periods

(1)

In regulation 5A of the PEC Regulations (personal data breach)—

(a)

in paragraph (2), after “delay” insert “and, where feasible, not later
than 72 hours after having become aware of it”, and

(b)

after paragraph (3) insert—

“(3A)

Where notification under paragraph (2) is not made within 72
hours, it must be accompanied by reasons for the delay.”

(2)

In regulation 5C of the PEC Regulations (personal data breach: fixed monetary
penalty)—

(a)

in paragraph (4)(f), for “from the service of the notice of intent”
substitute “beginning when the notice of intent is served”, and

(b)

in paragraph (5), for “21 days of receipt of the notice of intent”
substitute “the period of 21 days beginning when the notice of intent is received”.

(3)

In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on
the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Information Commissioner)—

(a)

in paragraph 2—

(i)

in the first subparagraph, for the words from “no” to “feasible”
substitute “without undue delay and, where feasible, not later than 72 hours after having becoming aware of it”,

(ii)

in the second subparagraph, after “shall” insert “, subject to
paragraph 3,”, and

(iii)

after the third subparagraph insert—

“This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”, and

(b)

for paragraph 3 substitute—

“3.

To the extent that the information set out in Annex 1 is not
available to be included in the notification, it may be provided in phases without undue further delay.”

111 Storing information in the terminal equipment of a subscriber or user

(1)

The PEC Regulations are amended as follows.

(2)

For regulation 6 (storing information, or gaining access to information stored,
in the terminal equipment of a subscriber or user) substitute—

“Storing information in the terminal equipment of a subscriber or user

6.

(1)

Subject to Schedule A1, a person must not store information, or
gain access to information stored, in the terminal equipment of a subscriber or user.

(2)

In paragraph (1) and Schedule A1

(a)

a reference (however expressed) to storing information, or gaining
access to information stored, in the terminal equipment of a subscriber or user includes a reference to instigating the storage or access, and

(b)

except as otherwise provided, a reference (however expressed) to
gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment.”

(3)

After regulation 6 insert—

“Power to provide exceptions to regulation 6(1)

6A.

(1)

The Secretary of State may by regulations made by statutory
instrument—

(a)

amend these Regulations—

(i)

by adding an exception to the prohibition in regulation 6(1), or

(ii)

by omitting or varying an exception to that prohibition, and

(b)

make consequential, supplementary, incidental, transitional, transitory
or saving provision, including provision amending these Regulations.

(2)

Regulations under paragraph (1) may make different provision for
different purposes.

(3)

Before making regulations under paragraph (1), the Secretary of State
must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(4)

A statutory instrument containing regulations under paragraph (1) may
not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”

(4)

Schedule 12 to this Act inserts Schedule A1 to the PEC Regulations.

(5)

A requirement to consult under regulation 6A of the PEC Regulations (inserted
by subsection (3) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

112 Emergency alerts: interpretation of time periods

In regulation 16A of the PEC Regulations (emergency alerts), in paragraph (6), for the words from “7 days” to “paragraph (3)(b)” substitute “the period of 7 days beginning with the day on which the time period specified by the relevant public authority pursuant to paragraph (3)(b) expires”.

113 Commissioner’s enforcement powers

(1)

The PEC Regulations are amended in accordance with subsections (2) to (8).

(2)

In regulation 5 (security of public electronic communications services), omit
paragraph (6).

(3)

Omit regulation 5B (personal data breach: audit).

(4)

In regulation 5C (personal data breach: fixed monetary penalty)—

(a)

in paragraph (10)—

(i)

omit “and Northern Ireland”, and

(ii)

in paragraph (a), for “a county court” substitute “the county
court”, and

(b)

after paragraph (11) insert—

“(12)

In Northern Ireland, the penalty is recoverable—

(a)

if a county court so orders, as if it were payable under an
order of that court;

(b)

if the High Court so orders, as if it were payable under an
order of that court.

(13)

The Secretary of State may by regulations made by statutory
instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5).

(14)

Regulations under paragraph (13) may make transitional
provision.

(15)

Before making regulations under paragraph (13), the Secretary
of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers
appropriate.

(16)

A statutory instrument containing regulations under this
regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”

(5)

For regulation 31 substitute—

“Information Commissioner’s enforcement powers

31.

(1)

Schedule 1 provides for certain provisions of Parts 5 to 7 of the
Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations.

(2)

In regulations 32 and 33, “enforcement functions” means the functions
of the Information Commissioner under those provisions, as applied by that Schedule.”

(6)

Omit regulation 31A (third party information notices).

(7)

Omit regulation 31B (appeals against third party information notices).

(8)

For Schedule 1 substitute the Schedule set out in Schedule 13 to this Act.

(9)

In paragraph 58(1) of Schedule 20 to the Data Protection Act 2018 (transitional
provision relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”.

(10)

A requirement to consult under regulation 5C(15) of the PEC Regulations
(inserted by subsection (4)(b) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

114 Codes of conduct

(1)

The PEC Regulations are amended as follows.

(2)

After regulation 32 insert—

“Codes of conduct

32A.

(1)

The Commissioner must encourage representative bodies to
produce codes of conduct intended to contribute to compliance with these Regulations.

(2)

Under paragraph (1), the Commissioner must encourage representative
bodies to produce codes which take account of, among other things, the specific features of different sectors.

(3)

A code of conduct described in paragraph (1) may, for example, make
provision with regard to—

(a)

rights and obligations under these Regulations;

(b)

out-of-court proceedings and other dispute resolution procedures for
resolving disputes arising in connection with these Regulations.

(4)

The Commissioner must encourage representative bodies to submit codes
of conduct described in paragraph (1) to the Commissioner in draft.

(5)

Where a representative body does so, the Commissioner must—

(a)

provide the representative body with an opinion on whether the code
correctly reflects the requirements of these Regulations,

(b)

decide whether to approve the code, and

(c)

if the code is approved, register and publish the code.

(6)

The Commissioner may only approve a code if, among other things—

(a)

the code contains a mechanism for monitoring whether persons who
undertake to apply the code comply with its provisions, and

(b)

in relation to persons other than public bodies, the mechanism
involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B.

(7)

In relation to amendments of a code of conduct that is for the time being
approved under this regulation—

(a)

paragraphs (4) and (5) apply as they apply in relation to a code, and

(b)

the requirements in paragraph (6) must be satisfied by the code as
amended.

(8)

A code of conduct described in paragraph (1) may be contained in the
same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes).

(9)

In this regulation—


“public body” has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR);


“representative body” means an association or other body representing categories of—

(a)

communications providers, or

(b)

other persons engaged in activities regulated by these
Regulations;


“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

Accreditation of bodies monitoring compliance with codes of conduct

32B.

(1)

The Commissioner may, in accordance with this regulation,
accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1).

(2)

The Commissioner may accredit a body only where the Commissioner
is satisfied that the body has—

(a)

demonstrated its independence,

(b)

demonstrated that it has an appropriate level of expertise in relation
to the subject matter of the code,

(c)

established procedures which allow it—

(i)

to assess a person’s eligibility to apply the code,

(ii)

to monitor compliance with the code, and

(iii)

to review the operation of the code periodically,

(d)

established procedures and structures to handle complaints about
infringements of the code or about the manner in which the code has been, or is being, implemented by a person,

(e)

made arrangements to publish information about the procedures and
structures described in sub-paragraph (d), and

(f)

demonstrated that it does not have a conflict of interest.

(3)

The Commissioner must prepare and publish guidance about how the
Commissioner proposes to take decisions about accreditation under this regulation.

(4)

A body accredited under this regulation in relation to a code must take
appropriate action where a person infringes the code.

(5)

If the action taken by a body under paragraph (4) consists of suspending
or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action.

(6)

The Commissioner must revoke the accreditation of a body under this
regulation if the Commissioner considers that the body—

(a)

no longer meets the requirements for accreditation, or

(b)

has failed, or is failing, to comply with paragraph (4) or (5).

(7)

In this regulation, “public body” has the same meaning as in regulation
32A.

Effect of codes of conduct

32C.

Adherence to a code of conduct approved under regulation 32A may
be used by a person as a means of demonstrating compliance with these Regulations.”

(3)

In regulation 33 (technical advice to the Commissioner)—

(a)

omit “, in connection with his enforcement functions,” and

(b)

at the end insert “where the request is made in connection with—

(a)

the Commissioner’s enforcement functions, or

(b)

the Commissioner’s functions under regulation 32A or
32B (codes of conduct).”

(4)

In Schedule 1 (Information Commissioner’s enforcement powers) (inserted
by Schedule 13 to this Act), in paragraph 18(b)(ii) (maximum amount of penalty), for “or 24” substitute “, 24 or 32B(4) or (5)”.

Part 6 The Information Commission

115 The Information Commission

(1)

The Data Protection Act 2018 is amended in accordance with subsections (2) to (5).

(2)

After section 114 insert—

“The Information Commission

114A The Information Commission

(1)

A body corporate called the Information Commission is established.

(2)

Schedule 12A makes further provision about the Commission.”

(3)

In section 3 (terms relating to the processing of personal data), after subsection
(8) insert—

“(8A)

“The Commission” means the Information Commission (see section 114A).”

(4)

In section 205(2) (references to periods of time)—

(a)

omit paragraph (l), and

(b)

after that paragraph insert—

“(la)

paragraph 22(6) of Schedule 12A;”.

(5)

In section 206 (index of defined expressions), in the Table, at the appropriate
place insert—

“the Commission

section 3”.

(6)

Schedule 14 to this Act—

(a)

inserts Schedule 12A to the Data Protection Act 2018, and

(b)

makes transitional provision relating to—

(i)

the person who holds the office of Information Commissioner
immediately before the day on which Schedule 14 comes into force, and

(ii)

consultation about certain appointments.

116 Abolition of the office of Information Commissioner

(1)

The office of Information Commissioner is abolished.

(2)

Accordingly, the Data Protection Act 2018 is amended as follows.

(3)

In section 3 (terms relating to the processing of personal data) omit subsection
(8).

(4)

Omit section 114 (the Information Commissioner) and the italic heading before
that section.

(5)

In section 206 (index of defined expressions), in the Table, omit the entry for
the Commissioner.

(6)

In section 214(1) (extent)—

(a)

omit “and” at the end of paragraph (a), and

(b)

omit paragraph (b).

(7)

Omit Schedule 12 (the Information Commissioner).

117 Transfer of functions to the Information Commission

(1)

The functions of the Information Commissioner are transferred to the
Information Commission.

(2)

So far as is appropriate in consequence of subsection (1), a reference to the
Information Commissioner (however expressed) in an enactment or other document whenever passed or made (including this Act) is to be treated as a reference to the Information Commission.

(3)

In this section, “enactment” includes—

(a)

an enactment comprised in subordinate legislation (as defined in
section 21 of the Interpretation Act 1978),

(b)

an enactment comprised in, or in an instrument made under, a Measure
or Act of Senedd Cymru,

(c)

an enactment comprised in, or in an instrument made under, an Act
of the Scottish Parliament,

(d)

an enactment comprised in, or in an instrument made under, Northern
Ireland legislation, and

(e)

assimilated direct legislation.

118 Transfer of property etc to the Information Commission

(1)

The Secretary of State may make a scheme for the transfer of property, rights
and liabilities from the Information Commissioner to the Information Commission.

(2)

The things that may be transferred under a transfer scheme include—

(a)

property, rights and liabilities that could not otherwise be transferred;

(b)

property acquired, and rights and liabilities arising, after the making
of the scheme.

(3)

A transfer scheme may—

(a)

make provision about the continuing effect of things done by the
Information Commissioner in respect of anything transferred;

(b)

make provision about the continuation of things (including legal
proceedings) in the process of being done by, on behalf of or in relation to the Information Commissioner in respect of anything transferred;

(c)

make provision for references to the Information Commissioner in an
instrument or other document in respect of anything transferred under a transfer scheme to be treated as references to the Information Commission;

(d)

make provision which is the same as or similar to the Transfer of
Undertakings (Protection of Employment) Regulations 2006 (S.I. 2006/246);

(e)

make other consequential, supplementary, incidental or transitional
provision.

(4)

A transfer scheme may provide—

(a)

for modifications by agreement;

(b)

for modifications to have effect from the date when the original scheme
came into effect.

(5)

In this section, references to rights and liabilities include rights and liabilities
relating to a contract of employment.

Part 7 Other provision about use of, or access to, data

Information standards for health and social care

119 Information standards for health and adult social care in England

Schedule 15 makes provision about information standards for health and
adult social care in England (under Part 9 of the Health and Social Care Act 2012) and information technology.

Smart meter communication services

120 Grant of smart meter communication licences

Schedule 16 makes provision in connection with the grant of smart meter communication licences.

Information to improve public service delivery

121 Disclosure of information to improve public service delivery to undertakings

(1)

Section 35 of the Digital Economy Act 2017 (disclosure of information to
improve public service delivery) is amended as follows.

(2)

In subsection (9)—

(a)

in paragraph (a), for “or households” substitute “, households or
undertakings”, and

(b)

in paragraph (b), for “or households” substitute “, households or
undertakings”.

(3)

In subsection (10)—

(a)

the words after “its purpose” become paragraph (a), and

(b)

at the end of that paragraph, insert “, or

(b)

the assisting of undertakings in connection with any
trade, business or charitable purpose.”

(4)

After subsection (12) insert—

“(13)

In this section “undertaking” means—

(a)

any person, other than a public authority, carrying on a trade
or business, whether or not with a view to profit, or

(b)

any body, or the trustees of a trust, established for charitable
purposes only.

(14)

In this section, in so far as it forms part of the law of Scotland or
Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Charities Act 2011).”

Retention of information by providers of internet services

122 Retention of information by providers of internet services in connection with death of child

(1)

The Online Safety Act 2023 is amended as follows.

(2)

In section 100 (power to require information)—

(a)

omit subsection (7);

(b)

after subsection (8) insert—

“(8A)

The power to give a notice conferred by subsection (1) does
not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(3)

In section 101 (information in connection with investigation into death of
child)—

(a)

before subsection (1) insert—

“(A1)

Subsection (C1) applies if a senior coroner (in England and
Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland) (“the investigating authority”)—

(a)

notifies OFCOM that they are conducting an
investigation in connection with the death of a child, and

(b)

provides OFCOM with the details in subsection (B1).

(B1)

The details are—

(a)

the name of the child who has died,

(b)

the child’s date of birth,

(c)

any email addresses used by the child (so far as the
investigating authority knows), and

(d)

if any regulated service has been brought to the
attention of the investigating authority as being of interest in connection with the child’s death, the name of the service.

(C1)

Where this subsection applies, OFCOM—

(a)

must give a notice to the provider of a service within
subsection (E1) requiring the provider to ensure the retention of information relating to the use of the service by the child who has died, and

(b)

may give a notice to any other relevant person requiring
the person to ensure the retention of information relating to the use of a service within subsection (E1) by that child.

(D1)

The references in subsection (C1) to ensuring the retention of
information relating to the child’s use of a service include taking all reasonable steps, without delay, to prevent the deletion of such information by the routine operation of systems or processes.

(E1)

A service is within this subsection if it is—

(a)

a regulated service of a kind described in regulations
made by the Secretary of State, or

(b)

a regulated service notified to OFCOM by the
investigating authority as described in subsection (B1)(d).

(F1)

A notice under subsection (C1) may require information
described in that subsection to be retained only if it is information—

(a)

of a kind which OFCOM have power to require under
a notice under subsection (1) (see, in particular, subsection (2)(a) to (d)), or

(b)

which a person might need to retain to enable the
person to provide information in response to a notice under subsection (1) (if such a notice were given).

(G1)

OFCOM must share with the investigating authority any
information they receive in response to requirements mentioned in section 102(5A)(d) that are included in a notice under subsection (C1).”;

(b)

in subsection (3), for “power conferred by subsection (1) includes”
substitute “powers conferred by this section include”;

(c)

after subsection (5) insert—

“(5A)

The powers to give a notice conferred by this section do not
include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(4)

In section 102 (information notices)—

(a)

in subsection (1), for “101(1)” substitute “101(C1) or (1)”;

(b)

in subsection (3)—

(i)

after “information notice” insert “under section 100(1) or 101(1)”;

(ii)

omit the “and” at the end of paragraph (c);

(iii)

after paragraph (c) insert—

“(ca)

specify when the information must be provided
(which may be on or by a specified date, within a specified period, or at specified intervals), and”;

(c)

omit subsection (4);

(d)

after subsection (5) insert—

“(5A)

An information notice under section 101(C1) must—

(a)

specify or describe the information to be retained,

(b)

specify why OFCOM require the information to be
retained,

(c)

require the information to be retained for the period of
one year beginning with the date of the notice,

(d)

require the person to whom the notice is given—

(i)

if the child to whom the notice relates used the
service in question, to notify OFCOM by a specified date of steps taken to ensure the retention of information;

(ii)

if the child did not use the service, or the person
does not hold any information of the kind required, to notify OFCOM of that fact by a specified date, and

(e)

contain information about the consequences of not
complying with the notice.

(5B)

If OFCOM give an information notice to a person under section
101(C1), they may, in response to information received from the investigating authority, extend the period for which the person is required to retain information by a maximum period of six months.

(5C)

The power conferred by subsection (5B) is exercisable—

(a)

by giving the person a notice varying the notice under
section 101(C1) and stating the further period for which information must be retained and the reason for the extension;

(b)

any number of times.”;

(e)

after subsection (9) insert—

“(9A)

OFCOM must cancel an information notice under section
101(C1) by notice to the person to whom it was given if advised by the investigating authority that the information in question no longer needs to be retained.”;

(f)

in subsection (10), after the definition of “information” insert—

““the investigating authority” has the same meaning as in section 101;”.

(5)

In section 109 (offences in connection with information notices)—

(a)

in subsection (2)(b), for “all reasonable steps” substitute “all of the
steps that it was reasonable, and reasonably practicable, to take”;

(b)

after subsection (6) insert—

“(6A)

A person who is given an information notice under section
101(C1) commits an offence if—

(a)

the person deletes or alters, or causes or permits the
deletion or alteration of, any information required by the notice to be retained, and

(b)

the person’s intention was to prevent the information
being available, or (as the case may be) to prevent it being available in unaltered form, for the purposes of any official investigation into the death of the child to whom the notice relates.

(6B)

For the purposes of subsection (6A) information has been
deleted if it is irrecoverable (however that occurred).”

(6)

In section 110 (senior managers’ liability: information offences)—

(a)

after subsection (6) insert—

“(6A)

An individual named as a senior manager of an entity commits
an offence if—

(a)

the entity commits an offence under section 109(6A) (deletion etc of information), and

(b)

the individual has failed to take all reasonable steps to
prevent that offence being committed.”;

(b)

in subsection (7), for “or (6)” substitute “, (6) or (6A)”.

(7)

In section 113 (penalties for information offences), in subsection (2)—

(a)

for “(4) or (5)” substitute “(4), (5) or (6A)”;

(b)

for “(5) or (6)” substitute “(5), (6) or (6A)”.

(8)

In section 114 (co-operation and disclosure of information: overseas regulators),
in subsection (7), omit the definition of “the data protection legislation”.

(9)

In section 225 (Parliamentary procedure for regulations), in subsection (10),
after paragraph (c) insert—

“(ca)

regulations under section 101(E1)(a),”.

(10)

In section 236(1) (interpretation)—

(a)

after the definition of “country” insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);”;

(b)

in the definition of “information notice”, for “101(1)” substitute “101(C1) or (1)”.

(11)

In section 237 (index of defined terms), after the entry for “CSEA content”
insert—

“the data protection legislation

section 236”.

Information for research about online safety matters

123 Information for research about online safety matters

(1)

The Online Safety Act 2023 is amended as follows.

(2)

After section 154 insert—

“154A Information for research about online safety matters

(1)

The Secretary of State may by regulations require providers of
regulated services to provide information for purposes related to the carrying out of independent research into online safety matters.

(2)

Regulations under this section may (for example) provide for—

(a)

the making of applications by persons seeking information;

(b)

the procedure to be followed in the making and determination
of applications;

(c)

the grounds on which applications are to be determined;

(d)

the imposition of requirements described in subsection (1) to
be effected by means of notices given to providers of regulated services (“researcher access notices”);

(e)

the contents of researcher access notices;

(f)

the procedure to be followed in the giving of researcher access
notices;

(g)

the form in which, and the means by which, information is to
be provided;

(h)

the safeguards to be applied in respect of the handling of
information;

(i)

the charging of fees payable by applicants for information
under the regulations and by providers of regulated services;

(j)

the enforcement of requirements imposed by the regulations;

(k)

appeals in respect of decisions taken under the regulations.

(3)

Provision about enforcement under subsection (2)(j) may include
provision—

(a)

about investigations (including the making of reports);

(b)

conferring powers of entry, inspection and audit;

(c)

imposing monetary penalties;

(d)

creating offences, but such provision may not impose a penalty
for an offence that is greater than a penalty of any of the descriptions mentioned in section 113.

(4)

Regulations under this section—

(a)

may authorise or require anything that is to be done under, or
for the purposes of, the regulations to be done by an appropriate person;

(b)

may confer a discretion on an appropriate person for the
purposes of provision under paragraph (a);

(c)

may apply (with or without modifications) other provisions of
this Act.

(5)

Regulations under this section may apply generally or only in relation
to specified descriptions of—

(a)

regulated services;

(b)

persons carrying out independent research;

(c)

research into online safety matters or the purposes of such
research;

(d)

information,

and provision made by virtue of section 224(1) in connection with this section may, in particular, make different provision for different descriptions of services, researchers, research or information.

(6)

Regulations under this section may not require—

(a)

processing of personal data that would contravene the data
protection legislation (but in determining whether processing of personal data would do so, the duty imposed under the regulations to provide information is to be taken into account);

(b)

provision of information in respect of which a claim to legal
professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.

(7)

Before making regulations under this section the Secretary of State
must consult—

(a)

OFCOM,

(b)

the Information Commissioner,

(c)

persons who appear to the Secretary of State to represent
providers of regulated services,

(d)

persons who appear to the Secretary of State to represent the
interests of persons carrying out independent research into online safety matters, and

(e)

such other persons as the Secretary of State considers
appropriate.

(8)

For the purposes of this section—

(a)

“independent research” is research carried out other than on
behalf of a provider of a regulated service;

(b)

references to an “appropriate person” are references to—

(i)

OFCOM, or

(ii)

such other person as the Secretary of State considers
appropriate to carry out functions under regulations made under this section (and the regulations may include provision establishing a body for this purpose).”

(3)

In section 162 (OFCOM’s report about researchers’ access to information),
omit subsections (7) to (10).

(4)

In section 225 (Parliamentary procedure for regulations), for subsections (8)
and (9) substitute—

“(8)

A statutory instrument containing (whether alone or with other
provision) the first regulations under the following provisions may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament—

(a)

section 154A(1);

(b)

paragraph 1(1) of Schedule 11.

(9)

Any other statutory instrument containing regulations under a
provision mentioned in subsection (8) is subject to annulment in pursuance of a resolution of either House of Parliament.”

(5)

The requirement to consult under section 154A(7) of the Online Safety Act
2023 (as inserted by subsection (2) of this section) may be satisfied by consultation undertaken before the day on which this Act is passed.

Retention of biometric data

124 Retention of biometric data and recordable offences

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share
information) is amended in accordance with subsections (2) to (10).

(2)

In section 18A(3) (retention of material: general), after “recordable offence”
insert “or recordable-equivalent offence”.

(3)

Section 18E (supplementary provision) is amended in accordance with
subsections (4) to (10).

(4)

In subsection (1), after the definition of “recordable offence” insert—

““recordable-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a recordable offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted);”.

(5)

In subsection (3), in the words before paragraph (a), after “offence” insert “in
England and Wales or Northern Ireland”.

(6)

After subsection (5) insert—

“(5A)

For the purposes of section 18A, a person is to be treated as having
been convicted of an offence in a country or territory outside England and Wales and Northern Ireland if, in respect of such an offence, a court exercising jurisdiction under the law of that country or territory has made a finding equivalent to—

(a)

a finding that the person is not guilty by reason of insanity,
or

(b)

a finding that the person is under a disability and did the act
charged against the person in respect of the offence.”

(7)

In subsection (6)(a)—

(a)

after “convicted” insert “—

(i)”, and

(b)

after “offence,” insert “or

(ii)

in a country or territory outside England and
Wales and Northern Ireland, of a recordable-equivalent offence,”.

(8)

In subsection (6)(b)—

(a)

omit “of a recordable offence”, and

(b)

for “a recordable offence, other than a qualifying offence” substitute
“an offence, other than a qualifying offence or qualifying-equivalent offence”.

(9)

In subsection (7), for “subsection (6)” substitute “this section”.

(10)

After subsection (7) insert—

“(7A)

In subsection (6), “qualifying-equivalent offence” means an offence
under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a qualifying offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted).”

(11)

The amendments made by this section apply only in connection with the
retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a)

on or after the commencement day, or

(b)

in the period of 3 years ending immediately before the commencement
day.

(12)

Subsection (13) of this section applies where—

(a)

at the beginning of the commencement day, a law enforcement
authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day,

(b)

at a time before the commencement day (a “pre-commencement time”),
the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, and

(c)

at the pre-commencement time, the law enforcement authority could
have retained the material under section 18A of the Counter-Terrorism Act 2008, as it has effect taking account of the amendments made by subsections (2) to (10) of this section, if those amendments had been in force.

(13)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been
required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom
the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland
or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(14)

In this section—


“the commencement day” means the day on which this Act is passed;

“law enforcement authority” has the meaning given by section 18E(1) of the Counter-Terrorism Act 2008;

“section 18 material” has the meaning given by section 18(2) of that Act.

(15)

For the purposes of this section, proceedings in relation to an offence are
instituted—

(a)

in England and Wales, when they are instituted for the purposes of
Part 1 of the Prosecution of Offences Act 1985 (see section 15(2) of that Act);

(b)

in Northern Ireland, when they are instituted for the purposes of Part
2 of the Justice (Northern Ireland) Act 2002 (see section 44(1) and (2) of that Act);

(c)

in Scotland, when they are instituted for the purposes of Part 3 of the
Proceeds of Crime Act 2002 (see section 151(1) and (2) of that Act).

125 Retention of pseudonymised biometric data

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share
information) is amended in accordance with subsections (2) to (6).

(2)

Section 18A (retention of material: general) is amended in accordance with
subsections (3) to (5).

(3)

In subsection (1), for “subsection (5)” substitute “subsections (4) to (9)”.

(4)

In subsection (4)(a), after “relates” insert “(a “pseudonymised form”)”.

(5)

After subsection (6) insert—

“(7)

Section 18 material which is not a DNA sample may be retained
indefinitely by a law enforcement authority if—

(a)

the authority obtains or acquires the material directly or
indirectly from an overseas law enforcement authority,

(b)

the authority obtains or acquires the material in a form which
includes information which identifies the person to whom the material relates,

(c)

as soon as reasonably practicable after obtaining or acquiring
the material, the authority takes the steps necessary for it to hold the material in a pseudonymised form, and

(d)

having taken those steps, the law enforcement authority
continues to hold the material in a pseudonymised form.

(8)

In a case where section 18 material is being retained by a law
enforcement authority under subsection (7), if—

(a)

the law enforcement authority ceases to hold the material in a
pseudonymised form, and

(b)

the material relates to a person who has no previous convictions
or only one exempt conviction,

the material may be retained by the law enforcement authority until the end of the retention period specified in subsection (9).

(9)

The retention period is the period of 3 years beginning with the date
on which the law enforcement authority first ceases to hold the material in a pseudonymised form.”

(6)

In section 18E(1) (supplementary provision)—

(a)

in the definition of “law enforcement authority”, for paragraph (d)
substitute—

“(d)

an overseas law enforcement authority;”, and

(b)

after that definition insert—

““overseas law enforcement authority” means a person formed or existing under the law of a country or territory outside the United Kingdom so far as exercising functions which—

(a)

correspond to those of a police force, or

(b)

otherwise involve the investigation or prosecution of
offences;”.

(7)

The amendments made by this section apply only in connection with the
retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a)

on or after the commencement day, or

(b)

in the period of 3 years ending immediately before the commencement
day.

(8)

Subsections (9) to (12) of this section apply where, at the beginning of the
commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day.

(9)

Where the law enforcement authority holds the material in a pseudonymised
form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) and (d) of the Counter-Terrorism Act 2008 as having—

(a)

taken the steps necessary for it to hold the material in a pseudonymised
form as soon as reasonably practicable after obtaining or acquiring the material, and

(b)

continued to hold the material in a pseudonymised form until the
commencement day.

(10)

Where the law enforcement authority does not hold the material in a
pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) of the Counter-Terrorism Act 2008 as taking the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material if it takes those steps on, or as soon as reasonably practicable after, the commencement day.

(11)

Subsection (12) of this section applies where, at a time before the
commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material but—

(a)

at the pre-commencement time, the law enforcement authority could
have retained the material under section 18A(7) to (9) of the Counter-Terrorism Act 2008 (as inserted by this section) if those provisions had been in force, or

(b)

on or after the commencement day, the law enforcement authority
may retain the material under those provisions by virtue of subsection (9) or (10) of this section.

(12)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been
required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom
the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland
or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(13)

In this section—


“the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section 124(14);

“in a pseudonymised form” has the meaning given by section 18A(4) of the Counter-Terrorism Act 2008 (as amended by this section);

“instituted”, in relation to proceedings, has the meaning given in section 124(15).

126 Retention of biometric data from INTERPOL

(1)

Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share
information) is amended in accordance with subsections (2) to (4).

(2)

In section 18(4) (destruction of national security material not subject to existing
statutory restrictions), after “18A” insert “, 18AA”.

(3)

After section 18A insert—

“18AA Retention of material from INTERPOL

(1)

This section applies to section 18 material which is not a DNA sample
where the law enforcement authority obtained or acquired the material as part of a request for assistance, or a notification of a threat, sent to the United Kingdom via INTERPOL’s systems.

(2)

The law enforcement authority may retain the material until the
National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn.

(3)

If the law enforcement authority is the National Central Bureau, it
may retain the material until it becomes aware that the request or notification has been cancelled or withdrawn.

(4)

In this section—


“INTERPOL” means the organisation called the International Criminal Police Organization - INTERPOL;

“the National Central Bureau” means the body appointed for the time being in accordance with INTERPOL’s constitution to serve as the United Kingdom’s National Central Bureau.

(5)

The reference in subsection (1) to material obtained or acquired as
part of a request or notification includes material obtained or acquired as part of a communication, sent to the United Kingdom via INTERPOL’s systems, correcting, updating or otherwise supplementing the request or notification.

18AB Retention of material from INTERPOL: supplementary

(1)

The Secretary of State may by regulations amend section 18AA to
make such changes as the Secretary of State considers appropriate in consequence of—

(a)

changes to the name of the organisation which, when section
18AA was enacted, was called the International Criminal Police Organization - INTERPOL (“the organisation”),

(b)

changes to arrangements made by the organisation which
involve fingerprints or DNA profiles being provided to members of the organisation (whether changes to existing arrangements or changes putting in place new arrangements), or

(c)

changes to the organisation’s arrangements for liaison between
the organisation and its members or between its members.

(2)

Regulations under this section are subject to affirmative resolution
procedure.”

(4)

In section 18BA(5)(a) (retention of further fingerprints), after “18A” insert “,
18AA”.

(5)

Section 18AA of the Counter-Terrorism Act 2008 applies in relation to section
18 material obtained or acquired by a law enforcement authority before the commencement day (as well as material obtained or acquired on or after that day), except where the law enforcement authority was informed, or became aware, as described in subsection (2) or (3) of that section before the commencement day.

(6)

Subsection (7) of this section applies where—

(a)

at the beginning of the commencement day, a law enforcement
authority has section 18 material,

(b)

at a time before the commencement day (a “pre-commencement time”),
the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, but

(c)

at the pre-commencement time, the law enforcement authority could
have retained the material under section 18AA of that Act (as inserted by this section) if it had been in force.

(7)

Where this subsection applies—

(a)

the law enforcement authority is to be treated as not having been
required to destroy the material at the pre-commencement time, but

(b)

the material may not be used in evidence against the person to whom
the material relates—

(i)

in criminal proceedings in England and Wales, Northern Ireland
or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii)

in criminal proceedings in any other country or territory.

(8)

In this section—


“the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section 124(14);

“instituted”, in relation to proceedings, has the meaning given in section 124(15).

Trust services

127 The eIDAS Regulation

In sections 128 to 132, “the eIDAS Regulation” means Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.

128 Recognition of EU conformity assessment bodies

In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert—

“Article 24B Recognition of EU conformity assessment bodies

For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if it were a conformity assessment body in relation to a description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.”

129 Removal of recognition of EU standards etc

(1)

The Secretary of State may by regulations—

(a)

amend Article 24A of the eIDAS Regulation (recognition of EU
standards etc for qualified trust services) so as to remove circumstances in which something is to be treated as qualified under that Regulation for the purposes of a provision or measure specified in paragraph 1 of that Article;

(b)

revoke that Article;

(c)

revoke Article 24B of the eIDAS Regulation (recognition of EU
conformity assessment bodies);

(d)

revoke Article 51 of the eIDAS Regulation (transitional measures for
electronic signatures);

(e)

amend a provision listed in subsection (3) so as to remove a reference
to a trust service provider established in the EU;

(f)

amend a provision listed in subsection (4) so as to remove a reference
to European standards or provisions of equivalent EU law.

(2)

The power under subsection (1)(a) includes power to amend or remove an
assumption in Article 24A(2) of the eIDAS Regulation.

(3)

The provisions mentioned in subsection (1)(e) are—

(a)

Article 13(1) of the eIDAS Regulation;

(b)

Articles 2(1)(a) and 4(1)(a) of the Implementing Decision.

(4)

The provisions mentioned in subsection (1)(f) are—

(a)

Article 24(2)(b) of the eIDAS Regulation;

(b)

Articles 2(2)(c)(7) and 4(2)(c)(7) of the Implementing Decision.

(5)

Regulations under this section may—

(a)

include transitional provision or savings, and

(b)

make different provision for different purposes, including for the
purposes of different provisions of the eIDAS Regulation.

(6)

Regulations under this section are subject to the negative resolution procedure.

(7)

In this section, “the Implementing Decision” means Commission Implementing
Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of the eIDAS Regulation.

130 Recognition of overseas trust products

(1)

The eIDAS Regulation is amended as follows.

(2)

In Chapter 3 (trust services), after Article 45 insert—

“SECTION 9 Recognition of overseas trust services

Article 45A Legal effects of overseas electronic signatures etc

1.

The Secretary of State may by regulations provide that, for the
purposes of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified description is to be treated as qualified.

2.

In this Article—


“overseas”, in relation to a trust product, means provided by a person established in a country or territory outside the United Kingdom;

“specified” means specified by regulations under this Article;

“trust product” means an electronic signature, an electronic seal, an electronic time stamp or an electronic registered delivery service.

3.

The Secretary of State may not make regulations under this Article
specifying a description of overseas trust product unless satisfied that the reliability of such a product is at least equivalent to the reliability of a comparable trust product that is qualified.

4.

When making regulations under this Article in relation to a description
of overseas trust product, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of product and related trust services.

Article 45B Overseas signatures and seals in public service

1.

The Secretary of State may by regulations provide that an overseas
electronic signature of a specified description is to be treated—

(a)

for the purposes of Article 27(1), as an advanced electronic
signature that complies with the Implementing Decision;

(b)

for the purposes of Article 27(2), as an advanced electronic
signature based on a qualified certificate for electronic signature, or a qualified signature, that complies with the Implementing Decision.

2.

The Secretary of State may by regulations provide that an overseas
electronic seal of a specified description is to be treated—

(a)

for the purposes of Article 37(1), as an advanced electronic seal
that complies with the Implementing Decision;

(b)

for the purposes of Article 37(2), as an advanced electronic seal
based on a qualified certificate for electronic seal, or a qualified seal, that complies with the Implementing Decision.

3.

In this Article—


“the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies;

“overseas”, in relation to an electronic signature or electronic seal, means provided by a person established in a country or territory outside the United Kingdom;

“specified” means specified by regulations made under this Article.

4.

The Secretary of State may not make regulations under point (a) or
(b) of paragraph 1 or point (a) or (b) of paragraph 2 specifying a description of overseas electronic signature or overseas electronic seal unless satisfied that the reliability of such a signature or seal is at least equivalent to the reliability of a signature or seal described in that point.

5.

When making regulations under this Article in relation to a description
of overseas electronic signature or overseas electronic seal, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of signature or seal and related trust services.

Article 45C Regulations under this Section

1.

Before making regulations under Article 45A or 45B, the Secretary of
State must consult the supervisory body.

2.

Regulations under Article 45A or 45B—

(a)

may describe something by (among other things) describing
something that meets a condition specified in the regulations or is provided by a person who meets such a condition, and

(b)

may include a condition referring to (among other things) the
law of the other country or territory or a standard or other document, including the law, standard or other document as amended from time to time.

3.

Regulations under Article 45A or 45B may—

(a)

make different provision for different purposes, including for
the purposes of different provisions of this Regulation, and

(b)

include transitional or transitory provision or savings.

4.

Regulations under Article 45A or 45B are to be made by statutory
instrument.

5.

A statutory instrument containing regulations under Article 45A or
45B is subject to annulment in pursuance of either House of Parliament.”

(3)

In Article 3(21) (definition of “product”), at the end insert “(except in the
expression “trust product”)”.

131 Co-operation between supervisory authority and overseas authorities

(1)

Article 18 of the eIDAS Regulation (co-operation with EU authorities) is
amended as follows.

(2)

In the heading, for “EU” substitute “overseas”.

(3)

In paragraph 1, for “public authority in the EU” substitute “designated
overseas authority”.

(4)

In paragraph 2, for “other than in accordance with the data protection
legislation” substitute “if the processing would contravene the data protection legislation (but in determining whether processing would do so, take into account the power conferred by that paragraph)”.

(5)

After paragraph 2 insert—

“3.

In this Article—


“designated” means designated by regulations made by the Secretary of State that are in force;

“overseas authority” means a person, or description of person, with functions relating to the regulation or supervision of trust services outside the United Kingdom.

4.

Before making regulations under this Article, the Secretary of State
must consult the supervisory body.

5.

Regulations under this Article may include transitional or transitory
provision or savings.

6.

Regulations under this Article are to be made by statutory instrument.

7.

A statutory instrument containing regulations under this Article is
subject to annulment in pursuance of either House of Parliament.”

132 Time periods: the eIDAS Regulation and the EITSET Regulations

(1)

In Chapter 1 of the eIDAS Regulation (general provisions), after Article 3
insert—

“Article 3A Periods of time

References in this Regulation to a period expressed in hours, days, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

(2)

The Electronic Identification and Trust Services for Electronic Transactions
Regulations 2016 (S.I. 2016/696) are amended as follows.

(3)

In regulation 2 (interpretation), at the end insert—

“(3)

References in these regulations to a period expressed in days or years
are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

(4)

In Schedule 1 (monetary penalties)—

(a)

in paragraph 4(f), for the words from “a period” to the end substitute
“the period of 21 days beginning when the notice of intent is served”,

(b)

in paragraph 5, for the words from “a period” to the end substitute
“the period of 21 days beginning when the notice of intent is received”, and

(c)

in paragraph 6, for the words from “a period” to the end substitute
“the period of 21 days beginning when the notice of intent is served”.

Part 8 Final provisions

133 Power to make consequential amendments

(1)

The Secretary of State may by regulations make provision that is consequential
on any provision made by this Act.

(2)

Regulations under this section—

(a)

may make different provision for different purposes;

(b)

may include transitional, transitory or saving provision;

(c)

may amend, repeal or revoke any provision made by an enactment.

(3)

The reference in subsection (2)(c) to provision made by an enactment is—

(a)

where the amendment, repeal or revocation is consequential on section 115, 116 or 117(1) or Schedule 14, a reference to provision made by an enactment whenever passed or made (including this Act), and

(b)

in any other case, a reference to provision made by an enactment
passed or made before the end of the Session in which this Act is passed.

(4)

Regulations under this section made in consequence of section 183A of the
Data Protection Act 2018 (inserted by section 105 of this Act) may amend, repeal or revoke provision which refers to the data protection legislation (as defined in section 3 of the Data Protection Act 2018) as they could if the provision referred instead to the main data protection legislation (as defined in section 183A of that Act).

(5)

Regulations under this section that amend, repeal or revoke primary legislation
are subject to the affirmative resolution procedure.

(6)

Any other regulations under this section are subject to the negative resolution
procedure.

(7)

In this section—


“enactment” includes—

(a)

an enactment comprised in subordinate legislation (as defined
in section 21 of the Interpretation Act 1978),

(b)

an enactment comprised in, or in an instrument made under,
a Measure or Act of Senedd Cymru,

(c)

an enactment comprised in, or in an instrument made under,
an Act of the Scottish Parliament,

(d)

an enactment comprised in, or in an instrument made under,
Northern Ireland legislation, and

(e)

assimilated direct legislation;


“primary legislation” means—

(a)

an Act of Parliament;

(b)

an Act of the Scottish Parliament;

(c)

a Measure or Act of Senedd Cymru;

(d)

Northern Ireland legislation.

134 Regulations

(1)

Regulations under this Act are to be made by statutory instrument.

(2)

Where regulations under this Act are subject to “the affirmative resolution
procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament.

(3)

Where regulations under this Act are subject to “the negative resolution
procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.

(4)

Any provision that may be included in regulations under this Act made by
the Secretary of State or the Treasury subject to the negative resolution procedure may be made by regulations subject to the affirmative resolution procedure.

135 Extent

(1)

This Act extends to England and Wales, Scotland and Northern Ireland, subject
to subsections (2) to (5).

(2)

In Part 3 (National Underground Asset Register)—

(a)

sections 56, 57(1) to (9) and 60(1) and Schedule 1 extend to England
and Wales only, and

(b)

sections 58, 59 and 60(2) and Schedule 2 (National Underground Asset
Register: Northern Ireland) extend to Northern Ireland only.

(3)

In Part 4 (registers of births and deaths)—

(a)

sections 61 to 64 extend to England and Wales only, and

(b)

an amendment or repeal made by Schedule 3 (minor and consequential
amendments) has the same extent as the enactment amended or repealed.

(4)

In Part 6 (the Information Commission), paragraph 23 of Schedule 12A to the
Data Protection Act 2018 (inserted by Schedule 14 to this Act) extends to England and Wales and Northern Ireland only.

(5)

In Part 7

(a)

section 119 and Schedule 15 (information standards for health and
adult social care) extend to England and Wales only;

(b)

paragraphs 2, 3 and 5 to 7 of Schedule 16 (grant of smart meter
communication licences) extend to England and Wales and Scotland only.

(6)

In this section, “enactment” has the same meaning as in section 133.

136 Commencement

(1)

Except as provided by subsections (2) to (4), this Act comes into force on such
day as the Secretary of State may by regulations appoint.

(2)

The following provisions come into force on the day on which this Act is
passed—

(a)

section 78 (searches in response to data subjects’ requests);

(b)

Part 1 of Schedule 16 (grant of smart meter communication licences)
and section 120 so far as relating to that Part of that Schedule;

(c)

section 124 (retention of biometric data and recordable offences);

(d)

section 125 (retention of pseudonymised biometric data);

(e)

section 126 (retention of biometric data from INTERPOL);

(f)

this Part;

(g)

any other provision of this Act (including provision modifying other
legislation) so far as it confers power to make regulations or is otherwise necessary for enabling the exercise of such a power on or after the day on which this Act is passed.

(3)

The following provisions come into force at the end of the period of two
months beginning with the day on which this Act is passed—

(a)

section 69 (consent to law enforcement processing);

(b)

section 81 (logging of law enforcement processing);

(c)

section 95 (notices from the Information Commissioner);

(d)

section 96 (power of the Information Commissioner to require
documents).

(4)

Part 2 of Schedule 16 (grant of smart meter communication licences), and
section 120 so far as relating to that Part of that Schedule, come into force on the day on which the first regulations under section 91A(1) of the Energy Act 2008 (inserted by Part 1 of Schedule 16) come into force.

(5)

Regulations under this section may make different provision for different
purposes.

137 Transitional, transitory and saving provision

(1)

The Secretary of State may by regulations make transitional, transitory or
saving provision in connection with the coming into force of any provision of this Act.

(2)

Regulations under this section may amend Schedule 21 to the Data Protection
Act 2018 or Part 2 of Schedule 9 to this Act by adding, varying or repealing provision.

(3)

Regulations under this section containing provision described in subsection (2) are subject to the negative resolution procedure.

(4)

Regulations under this section may make different provision for different
purposes.

138 Short title

This Act may be cited as the Data (Use and Access) Act 2024.

Schedules

Schedule 1 National Underground Asset Register (England and Wales): monetary penalties

In the New Roads and Street Works Act 1991, after Schedule 5 insert—

“Schedule 5A Monetary penalties in relation to requirements under Part 3A

Power to impose monetary penalties

1

(1)

The Secretary of State may give a notice (a “penalty notice”) imposing a
penalty on a person if satisfied on the balance of probabilities that the person—

(a)

has failed to comply with a requirement imposed on the person
to—

(i)

pay a fee in accordance with regulations under section 106D(1), or

(ii)

provide information in accordance with regulations under section 106E(1) or (2), or

(b)

has, in purported compliance with a requirement imposed on the
person under regulations under section 106E(1) or (2), provided information that is false or misleading in a material respect.

(2)

The amount of a penalty imposed by a penalty notice must be such amount
as is specified in, or determined in accordance with, regulations made by the Secretary of State.

(3)

A penalty imposed by a penalty notice must be paid to the Secretary of
State within such period as may be specified in the notice.

(4)

The Secretary of State may not give more than one penalty notice to a
person in respect of the same failure or conduct.

(5)

Regulations under this paragraph are subject to the affirmative procedure.

Warning notices

2

(1)

Where the Secretary of State proposes to give a penalty notice to a person
the Secretary of State must give the person a notice (a “warning notice”) notifying the person of the Secretary of State’s proposal.

(2)

A warning notice must—

(a)

state the name and address of the person to whom the Secretary of
State proposes to give a penalty notice;

(b)

give reasons why the Secretary of State proposes to give the person
a penalty notice;

(c)

state the amount of the proposed penalty;

(d)

specify the date before which the person may make written
representations to the Secretary of State.

(3)

The date specified under sub-paragraph (2)(d) must be a date falling at
least 28 days after the day on which the warning notice is given.

Penalty notices

3

(1)

Within the period of six months beginning with the day on which a warning
notice is given to a person the Secretary of State must give to the person—

(a)

a notice stating that the Secretary of State has decided not to give
a penalty notice to the person, or

(b)

a penalty notice.

(2)

But the Secretary of State may not give a penalty notice to a person before
the date specified in the warning notice in accordance with paragraph 2(2)(d).

(3)

A penalty notice given to a person must—

(a)

state the name and address of the person;

(b)

give details of the warning notice given to the person;

(c)

state whether or not the Secretary of State has received written
representations in accordance with that notice;

(d)

give reasons for the Secretary of State’s decision to impose a penalty
on the person;

(e)

state the amount of the penalty;

(f)

give details of how the penalty may be paid;

(g)

specify the date before which the penalty must be paid;

(h)

give details about the person’s rights of appeal;

(i)

give details about the consequences of non-payment.

(4)

The date specified under sub-paragraph (3)(g) must be a date falling at
least 28 days after the day on which the penalty notice is given.

(5)

The Secretary of State may cancel a penalty notice by giving a notice to
that effect to the person to whom the penalty notice is given.

(6)

If a penalty notice is cancelled the Secretary of State—

(a)

may not give a further penalty notice in relation to the failure or
conduct to which the notice relates, and

(b)

must repay any amount that has been paid in accordance with the
notice.

Enforcement

4

If a person does not pay the whole or any part of a penalty which the
person is liable to pay under this Schedule the penalty or part of the penalty is recoverable—

(a)

if the county court so orders, as if it were payable under an order
of that court;

(b)

if the High Court so orders, as if it were payable under an order
of that court.

Appeals

5

(1)

A person who is given a penalty notice may appeal to the First-tier Tribunal
(“the Tribunal”) against the decision to give the notice or any requirement of it.

(2)

An appeal may be on the ground that the decision or requirement—

(a)

is based on an error of fact,

(b)

is wrong in law, or

(c)

is unreasonable.

(3)

But an appeal against the amount of a penalty may not be made on the
ground mentioned in sub-paragraph (2)(c).

(4)

An appeal under this paragraph must be made before the end of the period
of 28 days beginning with the day on which the penalty notice is given.

(5)

On an appeal the Tribunal may—

(a)

confirm or quash the decision to give the penalty notice, or

(b)

confirm or vary any requirement of it.

(6)

In determining an appeal the Tribunal may—

(a)

review any determination of fact on which the decision or
requirement appealed against is based, and

(b)

take into account evidence which was not available to the Secretary
of State when giving the notice.

(7)

Where an appeal in respect of a penalty notice is made under this paragraph
the notice is of no effect until the appeal is determined or withdrawn.

(8)

Where an appeal is or may be made to the Upper Tribunal in relation to
a decision of the Tribunal under this paragraph, the Upper Tribunal may suspend the notice to which the appeal relates until the appeal is determined or withdrawn.

(9)

If the Tribunal confirms or varies a decision or requirement appealed against
under this paragraph, the person to whom the penalty notice is given must comply with the notice or the notice as varied (as the case may be)—

(a)

within such period as may be specified by the Tribunal, or

(b)

if the Tribunal does not specify a period, within such period as may
be specified by the Secretary of State and notified to the person.”

Schedule 2

Section 58

National Underground Asset Register (Northern Ireland): monetary penalties

In the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)), after Schedule 2 insert—

“Schedule 2ZA

Article 45F

Monetary penalties in relation to requirements under Articles 45D and 45E

Power to impose monetary penalties

1

(1)

The Secretary of State may give a notice (a “penalty notice”) imposing a
penalty on a person if satisfied on the balance of probabilities that the person—

(a)

has failed to comply with a requirement imposed on the person
to—

(i)

pay a fee in accordance with regulations under Article 45D(1), or

(ii)

provide information in accordance with regulations under
Article 45E(1) or (2), or

(b)

has, in purported compliance with a requirement imposed on the
person under regulations under Article 45E(1) or (2), provided information that is false or misleading in a material respect.

(2)

The amount of a penalty imposed by a penalty notice must be such amount
as is specified in, or determined in accordance with, regulations made by the Secretary of State.

(3)

A penalty imposed by a penalty notice must be paid to the Secretary of
State within such period as may be specified in the notice.

(4)

The Secretary of State may not give more than one penalty notice to a
person in respect of the same failure or conduct.

Warning notices

2

(1)

Where the Secretary of State proposes to give a penalty notice to a person
the Secretary of State must give the person a notice (a “warning notice”) notifying the person of the Secretary of State’s proposal.

(2)

A warning notice must—

(a)

state the name and address of the person to whom the Secretary of
State proposes to give a penalty notice;

(b)

give reasons why the Secretary of State proposes to give the person
a penalty notice;

(c)

state the amount of the proposed penalty;

(d)

specify the date before which the person may make written
representations to the Secretary of State.

(3)

The date specified under sub-paragraph (2)(d) must be a date falling at
least 28 days after the day on which the warning notice is given.

Penalty notices

3

(1)

Within the period of six months beginning with the day on which a warning
notice is given to a person the Secretary of State must give to the person—

(a)

a notice stating that the Secretary of State has decided not to give
a penalty notice to the person, or

(b)

a penalty notice.

(2)

But the Secretary of State may not give a penalty notice to a person before
the date specified in the warning notice in accordance with paragraph 2(2)(d).

(3)

A penalty notice given to a person must—

(a)

state the name and address of the person;

(b)

give details of the warning notice given to the person;

(c)

state whether or not the Secretary of State has received written
representations in accordance with that notice;

(d)

give reasons for the Secretary of State’s decision to impose a penalty
on the person;

(e)

state the amount of the penalty;

(f)

give details of how the penalty may be paid;

(g)

specify the date before which the penalty must be paid;

(h)

give details about the person’s rights of appeal;

(i)

give details about the consequences of non-payment.

(4)

The date specified under sub-paragraph (3)(g) must be a date falling at
least 28 days after the day on which the penalty notice is given.

(5)

The Secretary of State may cancel a penalty notice by giving a notice to
that effect to the person to whom the penalty notice is given.

(6)

If a penalty notice is cancelled the Secretary of State—

(a)

may not give a further penalty notice in relation to the failure or
conduct to which the notice relates, and

(b)

must repay any amount that has been paid in accordance with the
notice.

Enforcement

4

If a person does not pay the whole or any part of a penalty which the
person is liable to pay under this Schedule the penalty or part of the penalty is recoverable—

(a)

if a county court so orders, as if it were payable under an order of
that court;

(b)

if the High Court so orders, as if it were payable under an order
of that court.

Appeals

5

(1)

A person who is given a penalty notice may appeal to the First-tier Tribunal
(“the Tribunal”) against the decision to give the notice or any requirement of it.

(2)

An appeal may be on the ground that the decision or requirement—

(a)

is based on an error of fact,

(b)

is wrong in law, or

(c)

is unreasonable.

(3)

But an appeal against the amount of a penalty may not be made on the
ground mentioned in sub-paragraph (2)(c).

(4)

An appeal under this paragraph must be made before the end of the period
of 28 days beginning with the day on which the penalty notice is given.

(5)

On an appeal the Tribunal may—

(a)

confirm or quash the decision to give the penalty notice, or

(b)

confirm or vary any requirement of it.

(6)

In determining an appeal the Tribunal may—

(a)

review any determination of fact on which the decision or
requirement appealed against is based, and

(b)

take into account evidence which was not available to the Secretary
of State when giving the notice.

(7)

Where an appeal in respect of a penalty notice is made under this paragraph
the notice is of no effect until the appeal is determined or withdrawn.

(8)

Where an appeal is or may be made to the Upper Tribunal in relation to
a decision of the Tribunal under this paragraph, the Upper Tribunal may suspend the notice to which the appeal relates until the appeal is determined or withdrawn.

(9)

If the Tribunal confirms or varies a decision or requirement appealed against
under this paragraph, the person to whom the penalty notice is given must comply with the notice or the notice as varied (as the case may be)—

(a)

within such period as may be specified by the Tribunal, or

(b)

if the Tribunal does not specify a period, within such period as may
be specified by the Secretary of State and notified to the person.”

Schedule 3

Section 65

Registers of births and deaths: minor and consequential amendments

Part 1 Amendments of the Births and Deaths Registration Act 1953

1

The Births and Deaths Registration Act 1953 is amended as follows.

2

(1)

Section 3A (registration of births of abandoned children) is amended as
follows.

(2)

In subsection (5), for the words from “direct” to the end substitute “enter
in the margin of the relevant register of births a reference to the re-registration of the birth or, if the relevant register of births is in hard copy form, shall direct the officer having custody of that register to do so.”

(3)

After that subsection insert—

“(6)

In subsection (5) “the relevant register of births”, in relation to the
re-registration of the birth of a child, means the register of births in which the entry relating to the child was previously made.”

3

(1)

Section 13 (registration of name of child or of alteration of name) is amended
as follows.

(2)

In subsection (1), for “the registrar or superintendent registrar having the
custody of the register” substitute “the relevant registration officer for the register”.

(3)

In subsection (1A), for “The registrar or superintendent registrar having
custody of the register in question” substitute “The relevant registration officer”.

(4)

In subsection (1B), for “the registrar or superintendent registrar” substitute
“the relevant registration officer”.

(5)

After subsection (2) insert—

“(2A)

In this section the “relevant registration officer” for a register
means—

(a)

the registrar of births and deaths for the sub-district for
which the register is or has been kept, or

(b)

the superintendent registrar for the district containing that
sub-district.”

4

In Part 3 (general), the italic heading before section 25 becomes “Registers, etc”.

5

(1)

Section 29 (correction of errors in registers) is amended as follows.

(2)

In subsection (3), for “the officer having the custody of the register”
substitute “the appropriate registration officer”.

(3)

In subsection (3A)(b), for “the officer having the custody of the register”
substitute “the appropriate registration officer”.

(4)

In subsection (3B)(b), for “the officer having the custody of the register”
substitute “the appropriate registration officer”.

(5)

In subsection (4), for “the officer having the custody of the register”
substitute “the appropriate registration officer for the register”.

(6)

After subsection (4) insert—

“(5)

In this section the “appropriate registration officer”, in relation to
a register, means—

(a)

in the case of a register of live-births or of deaths in hard
copy form, the superintendent registrar having custody of the register;

(b)

in the case of a register of live-births or of deaths not in hard
copy form—

(i)

the registrar of births and deaths for the sub-district
for which the register is or has been kept, or

(ii)

the superintendent registrar for the district containing
that sub-district;

(c)

in the case of a register of still-births, the Registrar General.”

6

In section 29A (alternative procedure for certain corrections), in subsection
(4)—

(a)

for “the officer having custody of the register” substitute “the
appropriate registration officer”;

(b)

at the end insert—

““Appropriate registration officer” has the same meaning as in section 29 of this Act.”

7

(1)

Section 30 (searches of indexes kept by Registrar General) is amended as
follows.

(2)

After subsection (1) insert—

“(1ZA)

The Registrar General shall cause the following indexes to be made
and kept in the General Register Office—

(a)

an index of the entries in the registers kept under section 1
of this Act;

(b)

an index of the entries in the registers kept under section 15
of this Act.”

(3)

In subsection (2), after “certified copies” insert “or in the said registers (as
the case may be)”.

(4)

In subsection (3)—

(a)

for “to certified copies of entries in” substitute “in relation to”;

(b)

for the words from “any such” to the end substitute “any register
of still-births”.

8

In section 31 (searches of indexes kept by superintendent registrars), for
subsection (1) substitute—

“(1)

The superintendent registrar for each district shall cause the
following indexes to be made—

(a)

an index of the entries in the registers of live-births kept for
the sub-districts within that district;

(b)

an index of the entries in the registers of deaths kept for the
sub-districts within that district.

(1A)

The indexes must be kept with the other records of the register
office for the district.”

9

For section 32 (searches in registers kept by registrars) substitute—

“32 Obtaining copies of entries from registrars

(1)

Any person is entitled to obtain from a registrar for a sub-district,
at any time when the registrar’s office is required to be open for the transaction of public business, a copy certified by the registrar of any entry in any register of births or register of deaths kept for that sub-district.

(2)

But subsection (1) does not apply in relation to any register of
still-births except as the registrar may, with the consent of the Registrar General, in any particular case allow.”

10

(1)

Section 33 (short certificate of birth) is amended as follows.

(2)

In subsection (1), for “the Registrar General, a superintendent registrar or
a registrar” substitute “the appropriate registration officer”.

(3)

After subsection (1) insert—

“(1A)

In subsection (1) the “appropriate registration officer” means—

(a)

in the case of a live-birth, the Registrar General, a
superintendent registrar or a registrar;

(b)

in the case of a still-birth—

(i)

the Registrar General, or

(ii)

a registrar acting at the time of the registration of the
still-birth or with the consent of the Registrar General.”

(4)

In subsection (2)—

(a)

for the words from “the records and registers” to “may be” substitute
“the register in which the entry relating to the birth is made, or, in the case of the Registrar General, from the records in the Registrar General’s custody”;

(b)

for “any such records or registers” substitute “any register of births
or in any such records”.

11

In section 33A (short certificate of death), in subsection (2), for the words
from “the records and registers” to “may be” substitute “the register in which the entry relating to the death is made, or, in the case of the Registrar General, from the records in the Registrar General’s custody”.

12

In section 34 (entry in register as evidence of birth or death), in subsection
(5), before “on which” insert “in or”.

13

(1)

Section 34A (searches and records of information: additional provision) is
amended as follows.

(2)

In subsection (1)—

(a)

after paragraph (a) insert—

“(aa)

to carry out, on request, a search to find out whether
any of the registers kept under this Act contains a particular entry;”;

(b)

in paragraph (b), after “copies” insert “or in such a register”.

(3)

In subsection (5), at the end insert “or in a register kept under this Act”.

14

In section 35 (offences relating to registers), in paragraph (b), after “deaths”
insert “kept in hard copy form”.

15

In section 40 (sending and providing notices, information or other
documents), omit “, return”.

16

In section 41 (interpretation), after subsection (3) insert—

“(4)

For the purposes of this Act a register is in hard copy form if it
consists of a paper copy or similar form capable of being read with the naked eye.”

Part 2 Amendments of other legislation

Registration Service Act 1953

17

The Registration Service Act 1953 is amended as follows.

18

In section 10 (district register offices), in subsection (1), omit the words
from “, and shall provide” to the end.

19

In section 12 (provision of register boxes), omit “registrar of births and
deaths and”.

20

In section 13 (local schemes of organisation), in subsection (2), after
paragraph (b) insert—

“(ba)

determining the equipment or facilities to be provided at
those offices and stations by the council for the non-metropolitan county or metropolitan district;”.

Public Records Act 1958

21

In Schedule 1 to the Public Records Act 1958 (definition of public records),
in paragraph 2(2)(b), after “adoptions,” insert “or to any other records held by the Registrar General of information entered in any register of births or deaths kept under any such enactment,”.

Social Security Administration Act 1992

22

In section 124 of the Social Security Administration Act 1992 (provisions
relating to age, death and marriage), after subsection (5) insert—

“(6)

The reference in subsection (1) above to a register in the custody of
a registrar or superintendent registrar includes, in relation to registers of births or deaths kept under the Births and Deaths Registration Act 1953, a reference to any such register kept for the registrar’s sub-district or (as the case may be) for a sub-district within the superintendent registrar’s district; and references in subsection (3) above to the custodian of the register are to be read accordingly.”

Education Act 1996

23

(1)

Section 564 of the Education Act 1996 (certificates of birth and registrars’
returns) is amended as follows.

(2)

In subsection (1), for “the registrar having the custody of the register of
births and deaths” substitute “the relevant registrar for the register”.

(3)

In subsection (3)—

(a)

for “A registrar” substitute “The relevant registrar for a register”;

(b)

for “any register of births and deaths in his custody” substitute “the
register”.

(4)

In subsection (4)—

(a)

in the definition of “the appropriate fee”, for “the registrar having
custody of the register concerned” substitute “the relevant registrar for a register”;

(b)

for the definition of “register of births and deaths” substitute—

““register” means a register of births or register of deaths kept under that Act,”;

(c)

at the end insert—

““the relevant registrar” for a register means—

(a)

in the case of a register in hard copy form (within
the meaning of the Births and Deaths Registration Act 1953), the superintendent registrar having custody of the register;

(b)

in the case of a register not in hard copy form (within
the meaning of that Act)—

(i)

the registrar of births and deaths for the
sub-district for which the register is or has been kept, or

(ii)

the superintendent registrar for the district
containing that sub-district.”

Adoption and Children Act 2002

24

In section 78 of the Adoption and Children Act 2002 (Adopted Children
Register: searches and copies), in subsection (4)—

(a)

in paragraph (a), omit “certified copies of”;

(b)

in paragraph (b), for “certified copies”, in the second place it occurs,
substitute “registers”.

Gender Recognition Act 2004

25

The Gender Recognition Act 2004 is amended as follows.

26

(1)

Section 10 (registration) is amended as follows.

(2)

In subsection (2), omit the “or” after paragraph (a) and after paragraph (b)
insert “, or

(c)

an entry in a register kept under section 1 of the Births and
Deaths Registration Act 1953,”.

(3)

For subsection (3) substitute—

“(3)

“The appropriate Registrar General” means—

(a)

in relation to a UK birth register entry of which a certified
copy is kept by a Registrar General or which is in a register so kept, whichever Registrar General keeps that certified copy or that register;

(b)

in relation to a UK birth register entry in a register kept
under section 1 of the Births and Deaths Registration Act 1953, the Registrar General for England and Wales.

(3A)

For the purposes of this section each of the following is a Registrar
General—

(a)

the Registrar General for England and Wales;

(b)

the Registrar General for Scotland;

(c)

the Registrar General for Northern Ireland.”

27

In Part 1 of Schedule 3 (registration: England and Wales), in paragraphs
5(3) and 8(2), for “or (b)” substitute “, (b) or (c)”.

Presumption of Death Act 2013

28

In Schedule 1 to the Presumption of Death Act 2013 (Register of Presumed
Deaths), in paragraph 7 (interpretation)—

(a)

after “means” insert “—

(a)”;

(b)

at the end insert “, or

(b)

the index kept in the General Register Office of such
entries.”

Schedule 4

Section 70

Lawfulness of processing: recognised legitimate interests

In the UK GDPR, at the end insert—

“ANNEX 1 LAWFULNESS OF PROCESSING: RECOGNISED LEGITIMATE INTERESTS

Disclosure for purposes of processing described in Article 6(1)(e)

1.

This condition is met where—

(a)

the processing is necessary for the purposes of making a disclosure of
personal data to another person in response to a request from the other person, and

(b)

the request states that the other person needs the personal data for the
purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).

National security, public security and defence

2.

This condition is met where the processing is necessary—

(a)

for the purposes of safeguarding national security,

(b)

for the purposes of protecting public security, or

(c)

for defence purposes.

Emergencies

3.

This condition is met where the processing is necessary for the purposes of
responding to an emergency.

4.

In paragraph 3, “emergency” has the same meaning as in Part 2 of the Civil
Contingencies Act 2004.

Crime

5.

This condition is met where the processing is necessary for the purposes of—

(a)

detecting, investigating or preventing crime, or

(b)

apprehending or prosecuting offenders.

Safeguarding vulnerable individuals

6.

This condition is met where the processing is necessary for the purposes of
safeguarding a vulnerable individual.

7.

In paragraph 6—


“safeguarding”, in relation to a vulnerable individual, means—

(a)

protecting a vulnerable individual from neglect or physical, mental
or emotional harm, or

(b)

protecting the physical, mental or emotional well-being of a
vulnerable individual;


“vulnerable individual” means an individual—

(a)

aged under 18, or

(b)

aged 18 or over and at risk.

8.

For the purposes of paragraph 7—

(a)

protection of an individual, or of the well-being of an individual, includes
both protection relating to a particular individual and protection relating to a type of individual, and

(b)

an individual aged 18 or over is “at risk” if the controller has reasonable
cause to suspect that the individual—

(i)

has needs for care and support,

(ii)

is experiencing, or at risk of, neglect or physical, mental or emotional
harm, and

(iii)

as a result of those needs is unable to protect themselves against the
neglect, harm or risk.”

Schedule 5

Section 71

Purpose limitation: processing to be treated as compatible with original purpose

In the UK GDPR, after Annex 1 (inserted by Schedule 4 to this Act) insert—

“ANNEX 2 PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL PURPOSE

Disclosure for purposes of processing described in Article 6(1)(e)

1.

This condition is met where—

(a)

the processing—

(i)

is necessary for the purposes of making a disclosure of personal data
to another person in response to a request from the other person, and

(ii)

is not carried out by a public authority in the performance of its
tasks, and

(b)

the request states that the other person needs the personal data for the
purposes of carrying out processing that—

(i)

is described in Article 6(1)(e),

(ii)

has a legal basis that satisfies Article 6(3), and

(iii)

is necessary to safeguard an objective listed in Article 23(1)(c) to (j).

Disclosure for the purposes of archiving in the public interest

2.

This condition is met where—

(a)

the processing—

(i)

is necessary for the purposes of making a disclosure of personal data
to another person (“R”) in response to a request from R, and

(ii)

is carried out in accordance with Article 84B,

(b)

the controller in relation to the processing collected the personal data
based on Article 6(1)(a) (data subject’s consent),

(c)

the request from R states that R intends to process the personal data only
for the purposes of archiving in the public interest, and

(d)

the controller reasonably believes that R will carry out that processing in
accordance with generally recognised standards relevant to R’s archiving in the public interest.

Public security

3.

This condition is met where the processing is necessary for the purposes of
protecting public security.

Emergencies

4.

This condition is met where the processing is necessary for the purposes of
responding to an emergency.

5.

In paragraph 4, “emergency” has the same meaning as in Part 2 of the Civil
Contingencies Act 2004.

Crime

6.

This condition is met where the processing is necessary for the purposes of—

(a)

detecting, investigating or preventing crime, or

(b)

apprehending or prosecuting offenders.

Protection of vital interests of data subjects and others

7.

This condition is met where the processing is necessary for the purposes of
protecting the vital interests of the data subject or another individual.

Safeguarding vulnerable individuals

8.

This condition is met where the processing is necessary for the purposes of
safeguarding a vulnerable individual.

9.

In paragraph 8—


“safeguarding”, in relation to a vulnerable individual, means—

(a)

protecting a vulnerable individual from neglect or physical, mental
or emotional harm, or

(b)

protecting the physical, mental or emotional well-being of a
vulnerable individual;


“vulnerable individual” means an individual—

(a)

aged under 18, or

(b)

aged 18 or over and at risk.

10.

For the purposes of paragraph 9—

(a)

protection of an individual, or of the well-being of an individual, includes
both protection relating to a particular individual and protection relating to a type of individual, and

(b)

an individual aged 18 or over is “at risk” if the controller has reasonable
cause to suspect that the individual—

(i)

has needs for care and support,

(ii)

is experiencing, or at risk of, neglect or physical, mental or emotional
harm, and

(iii)

as a result of those needs is unable to protect themselves against the
neglect, harm or risk.

Taxation

11.

This condition is met where the processing is necessary for the purposes of the
assessment or collection of a tax or duty or an imposition of a similar nature.

Legal obligations

12.

This condition is met where the processing is necessary for the purposes of
complying with an obligation of the controller under an enactment, a rule of law or an order of a court or tribunal.”

Schedule 6

Section 80

Automated decision-making: minor and consequential amendments

The UK GDPR

1

The UK GDPR is amended as follows.

2

(1)

Article 12 (transparent information, communication and modalities for the
exercise of the rights of the data subject) is amended as follows.

(2)

In paragraph 1, for “under Articles 15 to 22” substitute “made under or by
virtue of Articles 15 to 22D”.

(3)

In paragraph 2—

(a)

for “under Articles 15 to 22”, in the first place it occurs, substitute
“arising under or by virtue of Articles 15 to 22D”, and

(b)

for “his or her rights under Articles 15 to 22” substitute “those
rights”.

(4)

In paragraph 3, for “under Articles 15 to 22” substitute “made under or by
virtue of Articles 15 to 22D”.

(5)

In paragraph 5, for “under Articles 15 to 22” substitute “under or by virtue
of Articles 15 to 22D”.

(6)

In paragraph 6, for “referred to in Articles 15 to 21” substitute “made under
or by virtue of Articles 15 to 22D”.

3

In Article 13(2)(f) (information about automated decision-making to be
provided where personal data is collected from the data subject), for “referred to in Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

4

In Article 14(2)(g) (information about automated decision-making to be
provided where personal data is not obtained from the data subject), for “referred to in Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

5

In Article 15(1)(h) (right of access by the data subject), for “referred to in
Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

6

In the heading of Section 4 of Chapter 3, omit “and automated
decision-making”.

7

In Article 23(1) (restrictions), for “provided for in Articles 12 to 22”, in both
places it occurs, substitute “arising under or by virtue of Articles 12 to 22D”.

8

In Article 47(2)(e) (binding corporate rules), for the words from “the right
not” to “Article 22” substitute “the right to protection in accordance with, and with regulations made under, Articles 22A to 22D in connection with decisions based solely on automated processing (including decisions reached by means of profiling)”.

9

In Article 83(5) (general conditions for imposing administrative fines)—

(a)

in point (b), for “22” substitute “21”, and

(b)

after that point insert—

“(ba)

Article 22B or 22C (restrictions on, and safeguards
for, automated decision-making);”.

The 2018 Act

10

The 2018 Act is amended as follows.

11

Omit section 14 (automated decision-making authorised by law: safeguards).

12

In section 43(1)(d) (overview and scope of provisions in Part 3 about rights
of the data subject), for “sections 49 and 50” substitute “sections 50A to 50D”.

13

(1)

Section 52 (form of provision of information etc) is amended as follows.

(2)

In subsection (1), after “by” insert “or under”.

(3)

In subsection (3), for “by the data subject under section 45, 46, 47 or 50”
substitute “made by the data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D”.

(4)

In subsection (4), for “under section 45, 46 or 47” substitute “under or by
virtue of any of sections 45, 46, 47, 50C or 50D”.

(5)

In subsection (5), after “by” insert “or under”.

(6)

In subsection (6), for “under sections 45 to 50” substitute “arising under or
by virtue of sections 45 to 50D”.

14

(1)

Section 53 (manifestly unfounded or excessive requests by the data subject)
is amended as follows.

(2)

In subsection (1), for “from a data subject under section 45, 46, 47 or 50”
substitute “made by a data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D”.

(3)

In subsection (3), for “under section 45, 46, 47 or 50” substitute “described
in subsection (1)”.

15

In section 149(2)(b) (enforcement notices)—

(a)

after “provision of” insert “or made under”, and

(b)

for “22” substitute “22D”.

16

In section 157(2)(a) (maximum amount of penalty), for “49,” substitute “50B, 50C,”.

Schedule 7

Section 84

Transfers of personal data to third countries etc: general processing

Introduction

1

Chapter 5 of the UK GDPR (transfers of personal data to third countries
or international organisations) is amended as follows.

General principles for transfers

2

(1)

Omit Article 44 (transfers of personal data to third countries etc: general
principles for transfers).

(2)

After that Article insert—

“Article 44A General principles for transfers

1.

A controller or processor may transfer personal data to a third
country or an international organisation only if—

(a)

the condition in paragraph 2 is met, and

(b)

the transfer is carried out in compliance with the other
provisions of this Regulation.

2.

The condition is met if the transfer—

(a)

is approved by regulations under Article 45A that are in force
at the time of the transfer,

(b)

is made subject to appropriate safeguards (see Article 46), or

(c)

is made in reliance on a derogation for specific situations (see
Article 49).

3.

A transfer may not be made in reliance on paragraph 2(b) or (c) if,
or to the extent that, it would breach a restriction in regulations under Article 49A.”

Transfers approved by regulations

3

Omit Article 45 (transfers on the basis of an adequacy decision).

4

After that Article insert—

“Article 45A Transfers approved by regulations

1.

For the purposes of Article 44A, the Secretary of State may by
regulations approve transfers of personal data to—

(a)

a third country, or

(b)

an international organisation.

2.

The Secretary of State may only make regulations under this Article
approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B).

3.

In making regulations under this Article, the Secretary of State
may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

4.

Regulations under this Article may, among other things—

(a)

make provision in relation to a third country or international
organisation specified in the regulations or a description of country or organisation;

(b)

approve all transfers of personal data to a third country or
international organisation or only transfers specified or described in the regulations;

(c)

identify a transfer of personal data by any means, including
by reference to—

(i)

a sector or geographic area within a third country,

(ii)

the controller or processor,

(iii)

the recipient of the personal data,

(iv)

the personal data transferred,

(v)

the means by which the transfer is made, or

(vi)

relevant legislation, schemes, lists or other arrangements
or documents, as they have effect from time to time;

(d)

confer a discretion on a person.

5.

Regulations under this Article are subject to the negative resolution
procedure.

Article 45B The data protection test

1.

For the purposes of Article 45A, the data protection test is met in
relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a)

this Regulation,

(b)

Part 2 of the 2018 Act, and

(c)

Parts 5 to 7 of that Act, so far as relevant to general
processing.

2.

In considering whether the data protection test is met in relation
to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a)

respect for the rule of law and for human rights in the
country or by the organisation,

(b)

the existence, and powers, of an authority responsible for
enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c)

arrangements for judicial or non-judicial redress for data
subjects in connection with such processing,

(d)

rules about the transfer of personal data from the country
or by the organisation to other countries or international organisations,

(e)

relevant international obligations of the country or
organisation, and

(f)

the constitution, traditions and culture of the country or
organisation.

3.

In paragraphs 1 and 2—

(a)

the references to the protection provided for data subjects
are to that protection taken as a whole,

(b)

the references to general processing are to processing to
which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c)

the references to processing of personal data in the third
country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3.

4.

When the data protection test is applied only to certain transfers
to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))—

(a)

the references in paragraphs 1 to 3 to personal data are to
be read as references only to personal data likely to be the subject of such transfers, and

(b)

the reference in paragraph 2(d) to transfer to other countries
or international organisations is to be read as including transfer within the third country or international organisation.”

Transfers approved by regulations: monitoring

5

After Article 45B (inserted by paragraph 4) insert—

“Article 45C Transfers approved by regulations: monitoring

1.

The Secretary of State must, on an ongoing basis, monitor
developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations.

2.

Where the Secretary of State becomes aware that the data protection
test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

3.

Where regulations under Article 45A are amended or revoked in
accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.

4.

The Secretary of State must publish—

(a)

a list of the third countries and international organisations,
and the descriptions of such countries and organisations, which are for the time being approved by regulations under Article 45A as places or persons to which personal data may be transferred, and

(b)

a list of the third countries and international organisations,
and the descriptions of such countries and organisations, which have been but are no longer approved by such regulations.

5.

In the case of regulations under Article 45A which approve only
certain transfers to a third country or international organisation specified or described in the regulations (in accordance with Article 45A(4)(b)), the lists published under paragraph 4 must specify or describe the relevant transfers.”

Transfers subject to appropriate safeguards

6

(1)

Article 46 (transfers subject to appropriate safeguards) is amended as
follows.

(2)

Omit paragraph 1.

(3)

After that paragraph insert—

“1A.

A transfer of personal data to a third country or an international
organisation by a controller or processor is made subject to appropriate safeguards only—

(a)

in a case in which—

(i)

safeguards are provided in connection with the transfer
as described in paragraph 2 or 3 or regulations made under Article 47A(4), and

(ii)

the controller or processor, acting reasonably and
proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or

(b)

in a case in which—

(i)

safeguards are provided in accordance with paragraph
2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and

(ii)

each public body that is a party to the instrument, acting
reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).”

(4)

In paragraph 2—

(a)

in the words before point (a)—

(i)

omit “appropriate”, and

(ii)

for “paragraph 1” substitute “paragraph 1A(a)”,

(b)

in point (a), for “public authorities or bodies” substitute “a public
body and another relevant person or persons”,

(c)

in point (b), after “rules” insert “approved”,

(d)

in point (c), for “section 17C of the 2018 Act” substitute “Article
47A(1)”,

(e)

in point (e), for “appropriate safeguards” substitute “safeguards
provided by the code”, and

(f)

in point (f), for “appropriate safeguards” substitute “safeguards
provided by the mechanism”.

(5)

In paragraph 3, in the words before point (a)—

(a)

omit “appropriate”,

(b)

for “paragraph 1” substitute “paragraph 1A(a)”,

(c)

omit “, in particular,”, and

(d)

in point (b), for “public authorities or bodies” substitute “a public
body and another relevant person or persons”.

(6)

At the end insert—

“6.

For the purposes of this Article, the data protection test is met in
relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—

(a)

this Regulation,

(b)

Part 2 of the 2018 Act, and

(c)

Parts 5 to 7 of that Act, so far as relevant to processing to
which this Regulation applies.

7.

For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is
reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

8.

In this Article—

(a)

references to the protection provided for the data subject are
to that protection taken as a whole;

(b)

“relevant person” means a public body or another person
exercising functions of a public nature.”

7

In the heading of Article 47 (binding corporate rules) at the beginning insert
“Transfers subject to appropriate safeguards:”.

8

After Article 47 insert—

“Article 47A Transfers subject to appropriate safeguards: further provision

1.

The Secretary of State may by regulations specify standard data
protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

2.

The Secretary of State must keep under review the standard data
protection clauses specified in regulations under paragraph 1 that are for the time being in force.

3.

Regulations under paragraph 1 are subject to the negative
resolution procedure.

4.

The Secretary of State may by regulations make provision about
further safeguards that may be relied on for the purposes of Article 46(1A)(a).

5.

The Secretary of State may only make regulations under paragraph
4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

6.

Regulations under paragraph 4 may, among other things—

(a)

make provision by adopting safeguards prepared or
published by another person;

(b)

make provision about ways of providing safeguards which
require authorisation from the Commissioner.

7.

Regulations under paragraph 4 which amend Article 46 may do
so only in the following ways—

(a)

by adding ways of providing safeguards, or

(b)

by varying or omitting ways of providing safeguards which
were added by regulations under this Article.

8.

Regulations under paragraph 4 are subject to the affirmative
resolution procedure.”

Derogations for specific situations

9

(1)

Article 49 (derogations for specific situations) is amended as follows.

(2)

In paragraph 1, in the first subparagraph—

(a)

for “adequacy regulations under section 17A of the 2018 Act, or of
appropriate safeguards pursuant to Article 46, including binding corporate rules” substitute “approval by regulations under Article 45A and of compliance with Article 46 (appropriate safeguards)”, and

(b)

in point (a), for “an adequacy decision” substitute “approval by
regulations under Article 45A”.

(3)

In paragraph 1, in the second subparagraph, for “a provision in Article 45”
substitute “Article 45A”.

(4)

In paragraph 4, for “section 18(1) of the 2018 Act” substitute “paragraph
4A”.

(5)

After paragraph 4 insert—

“4A

The Secretary of State may by regulations specify for the purposes
of point (d) of paragraph 1—

(a)

circumstances in which a transfer of personal data to a
third country or international organisation is to be taken to be necessary for important reasons of public interest, and

(b)

circumstances in which a transfer of personal data to a
third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.”

(6)

Omit paragraph 5A.

(7)

After paragraph 6 insert—

“7.

Regulations under this Article—

(a)

are subject to the made affirmative resolution procedure where
the Secretary of State has made an urgency statement in respect of them;

(b)

otherwise, are subject to the affirmative resolution procedure.

8.

For the purposes of this Article, an urgency statement is a reasoned
statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”

Public interest restrictions

10

After Article 49 insert—

“Article 49A Restriction in the public interest

1.

The Secretary of State may by regulations restrict the transfer of
a category of personal data to a third country or international organisation where—

(a)

the transfer is not approved by regulations under Article 45A
for the time being in force, and

(b)

the Secretary of State considers the restriction to be necessary
for important reasons of public interest.

2.

Regulations under this Article—

(a)

are subject to the made affirmative resolution procedure
where the Secretary of State has made an urgency statement in respect of them;

(b)

otherwise, are subject to the affirmative resolution procedure.

3.

For the purposes of this Article, an urgency statement is a reasoned
statement that the Secretary of State considers it desirable for the regulations to come into force without delay.”

Schedule 8

Section 84

Transfers of personal data to third countries etc: law enforcement processing

Introduction

1

Chapter 5 of Part 3 of the 2018 Act (transfers of personal data to third
countries etc) is amended as follows.

Overview and interpretation

2

Section 72 (overview and interpretation), in subsection (1)(b)—

(a)

for “the special conditions that apply” substitute “additional
conditions that apply in certain cases”, and

(b)

after “organisation” insert “(see section 73(4)(b))”.

General principles for transfer

3

(1)

Section 73 (general principles for transfers) is amended as follows.

(2)

Before subsection (1) insert—

“(A1)

This section applies in relation to a transfer of personal data to a
third country or international organisation for a law enforcement purpose.”

(3)

In subsection (1)—

(a)

for the words before paragraph (a) substitute “The controller in
relation to the transfer must secure that the transfer takes place only if—”,

(b)

omit the “and” at the end of paragraph (a), and

(c)

after paragraph (b) insert “, and—

(c)

the transfer is carried out in accordance with the other
provisions of this Part.”

(4)

For subsection (3) substitute—

“(3)

Condition 2 is that the transfer—

(a)

is approved by regulations under section 74AA that are in
force at the time of the transfer,

(b)

is made subject to appropriate safeguards (see section 75),
or

(c)

is based on special circumstances (see section 76).”

(5)

In subsection (4)—

(a)

after paragraph (a) (but before the “or” at the end of that paragraph)
insert—

“(aa)

the intended recipient is a person in a third country
who—

(i)

is not a person described in paragraph (a),
but

(ii)

is a processor whose processing, on behalf of
the controller, of the personal data transferred is governed by, or authorised in accordance with, a contract with the controller that complies with section 59,”, and

(b)

in paragraph (b)(i), for “other than a relevant authority” substitute
“who is not a person described in paragraph (a) or (aa)”.

(6)

In subsection (5)(a), for the words from “either” to “State” substitute “to
the public security, national security or essential interests of a third country or the United Kingdom”.

Transfers approved by regulations

4

(1)

Omit section 74A (transfers based on adequacy regulations).

(2)

After that section insert—

“74AA Transfers approved by regulations

(1)

For the purposes of section 73, the Secretary of State may by
regulations approve transfers of personal data to—

(a)

a third country, or

(b)

an international organisation.

(2)

The Secretary of State may only make regulations under this section
approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB).

(3)

In making regulations under this section, the Secretary of State may
have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

(4)

Regulations under this section may, among other things—

(a)

make provision by reference to a third country or
international organisation specified in the regulations or a description of country or organisation;

(b)

approve all transfers of personal data to a third country or
international organisation or only transfers specified or described in the regulations;

(c)

identify a transfer of personal data by any means, including
by reference to—

(i)

a sector or geographic area within a third country,

(ii)

the controller or processor,

(iii)

the recipient of the personal data,

(iv)

the personal data transferred,

(v)

the means by which the transfer is made, or

(vi)

relevant legislation, schemes, lists or other
arrangements or documents, as they have effect from time to time;

(d)

confer a discretion on a person.

(5)

Regulations under this section are subject to the negative resolution
procedure.

74AB The data protection test

(1)

For the purposes of section 74AA, the data protection test is met in
relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a)

this Part, and

(b)

Parts 5 to 7, so far as relevant to law enforcement processing.

(2)

In considering whether the data protection test is met in relation to
transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a)

respect for the rule of law and for human rights in the
country or by the organisation,

(b)

the existence, and powers, of an authority responsible for
enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c)

arrangements for judicial or non-judicial redress for data
subjects in connection with such processing,

(d)

rules about the transfer of personal data from the country
or by the organisation to other countries or international organisations,

(e)

relevant international obligations of the country or
organisation, and

(f)

the constitution, traditions and culture of the country or
organisation.

(3)

In subsections (1) and (2)—

(a)

the references to the protection provided for data subjects
are to that protection taken as a whole,

(b)

the references to law enforcement processing are to
processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c)

the references to processing of personal data in the third
country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2).

(4)

When the data protection test is applied only to certain transfers to
a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))—

(a)

the references in subsections (1) to (3) to personal data are
to be read as references only to personal data likely to be the subject of such transfers, and

(b)

the reference in subsection (2)(d) to transfer to other countries
or international organisations is to be read as including transfer within the third country or international organisation.”

Transfers approved by regulations: monitoring

5

(1)

Section 74B (transfers based on adequacy regulations: review etc) is
amended as follows.

(2)

For the heading substitute “Transfers approved by regulations: monitoring”.

(3)

Omit subsections (1) and (2).

(4)

In subsection (3), for “under section 74A” substitute “giving approval under section 74AA ”.

(5)

In subsection (4), for the words from the beginning to “otherwise,” substitute
“Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under section 74AA,”.

(6)

In subsection (5)—

(a)

for “section 74A” substitute “section 74AA”, and

(b)

for “remedying the lack of an adequate level of protection” substitute
“improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation”.

(7)

In subsection (6)(a)—

(a)

omit “, territories and specified sectors within a third country”,

(b)

omit “, territories, sectors”, and

(c)

for “specified in regulations under section 74A” substitute “approved
by regulations under section 74AA as places or persons to which personal data may be transferred”.

(8)

In subsection (6)(b)—

(a)

omit “, territories and specified sectors within a third country”,

(b)

omit “, territories, sectors”, and

(c)

for “specified in” substitute “approved by”.

(9)

In subsection (7)—

(a)

for “regulations under section 74A which specify that an adequate
level of protection of personal data is ensured only for a transfer” substitute “regulations under section 74AA which approve only certain transfers to a third country or international organisation that are”,

(b)

after “the regulations” insert “(in accordance with section 74AA(4)(b))”, and

(c)

omit paragraph (a) (together with the final “and”).

Transfers subject to appropriate safeguards

6

(1)

Section 75 (transfers on the basis of appropriate safeguards) is amended
as follows.

(2)

In the heading, for “on the basis of” substitute “subject to”.

(3)

Omit subsection (1).

(4)

After that subsection insert—

“(1A)

A transfer of personal data to a third country or an international
organisation is made subject to appropriate safeguards only if—

(a)

an appropriate legal instrument binds the intended recipient
of the data (see subsection (4)), or

(b)

the controller, acting reasonably and proportionately,
considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)).”

(5)

In subsection (2), for “subsection (1)(b)” substitute “subsection (1A)(b) but
not in reliance on section 73(4)(aa) (transfer to processor)”.

(6)

In subsection (3), for “subsection (1)” substitute “this section but not in
reliance on section 73(4)(aa) (transfer to processor)”.

(7)

At the end insert—

“(4)

For the purposes of this section, a legal instrument is “appropriate”,
in relation to a transfer of personal data, if—

(a)

the instrument is intended to be relied on in connection with
the transfer or that type of transfer,

(b)

at least one competent authority is a party to the instrument,
and

(c)

each competent authority that is a party to the instrument,
acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)).

(5)

For the purposes of this section, the data protection test is met in
relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—

(a)

this Part, and

(b)

Parts 5 to 7, so far as they relate to processing by a
competent authority for any of the law enforcement purposes.

(6)

For the purposes of subsections (1A)(b) and (4)(c), what is reasonable
and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

(7)

In this section, references to the protection provided for the data
subject are to that protection taken as a whole.”

Transfers based on special circumstances

7

(1)

Section 76 (transfers on the basis of special circumstances) is amended as
follows.

(2)

In the heading, for “on the basis of” substitute “based on”.

(3)

Before subsection (1) insert—

“(A1)

A transfer of personal data to a third country or international
organisation is based on special circumstances where—

(a)

it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate
safeguards), and

(b)

it is necessary for a special purpose.”

(4)

In subsection (1)—

(a)

for the words before paragraph (a) substitute “A transfer of personal
data is necessary for a special purpose if it is necessary—”,

(b)

in paragraph (c)—

(i)

after “public security” insert “or national security”, and

(ii)

at the end insert “or the United Kingdom”,

(c)

in paragraph (d), for “in individual cases” substitute “in particular
circumstances,”, and

(d)

in paragraph (e), for “in individual cases” substitute “in particular
circumstances,”.

(5)

In subsection (2), for “But subsection (1)(d) and (e) do not apply” substitute
“But a transfer of personal data is not necessary for a special purpose by virtue of subsection (1)(d) or (e)”.

(6)

After subsection (2) insert—

“(2A)

In accordance with the third data protection principle, the amount
of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.”

(7)

In subsection (3), for “subsection (1)” substitute “this section”.

Transfers to particular recipients

8

For the italic heading before section 77 substitute “Additional conditions”.

9

(1)

Section 77 (conditions for transfers of personal data to persons other than
relevant authorities) is amended as follows.

(2)

For the heading substitute “Additional conditions for transfers in reliance
on section 73(4)(b)”.

(3)

In subsection (6), for “other than a relevant authority” substitute “in reliance
on section 73(4)(b)”.

(4)

In subsection (7)(a), for “other than a relevant authority” substitute “that
takes place in reliance on section 73(4)(b)”.

Subsequent transfers

10

(1)

Section 78 (subsequent transfers) is amended as follows.

(2)

Before subsection (1) insert—

“(A1)

Subsections (1) to (6) apply where a transfer to which section 73
applies takes place otherwise than in reliance on section 73(4)(aa) (transfer to processor).”

(3)

In subsection (1)—

(a)

omit “Where personal data is transferred in accordance with section
73,”,

(b)

after “transfer” insert “—

(a)”,

(c)

for “the data” substitute “the personal data”, and

(d)

at the end insert “(the “UK authoriser”), or

(b)

that—

(i)

the personal data is not to be so transferred
without such authorisation except where subsection (1A) applies, and

(ii)

where a transfer is made without such
authorisation, the UK authoriser must be informed without delay.”

(4)

After subsection (1) insert—

“(1A)

This subsection applies if—

(a)

the transfer is necessary for the prevention of an immediate
and serious threat to the public security or national security of a third country or the United Kingdom, and

(b)

authorisation from the UK authoriser cannot be obtained in
good time.”

(5)

In subsection (2)—

(a)

for “A competent authority” substitute “The UK authoriser”, and

(b)

for “under subsection (1)” substitute “for the purposes of a condition
described in subsection (1)”.

(6)

In subsection (3), for “competent authority” substitute “UK authoriser”.

(7)

In subsection (4), for “an authorisation may not be given under subsection
(1)” substitute “the UK authoriser may not give an authorisation for the purposes of a condition described in subsection (1)”.

(8)

In subsection (5)(a), for the words from “either” to “State” substitute “to
the public security, national security or essential interests of a third country or the United Kingdom”.

(9)

In subsection (6)—

(a)

after “made” insert “in a case described in subsection (4)”,

(b)

for “subsection (4)” substitute “that subsection (whether made with
or without authorisation from the UK authoriser), the UK authoriser must, without delay, inform”, and

(c)

omit “must be informed without delay”.

(10)

At the end insert—

“(7)

Where a transfer takes place in reliance on section 73(4)(aa) (transfer
to processor), the transferring controller must make it a condition of the transfer that the data is only to be further transferred to a third country or international organisation where—

(a)

the terms of any relevant contract entered into, or
authorisation given, by the transferring controller in accordance with section 59 are complied with, and

(b)

the further transfer satisfies the requirements in section
73(1).”

Schedule 9

Section 84

Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

Part 1 Minor and consequential amendments

The UK GDPR

1

The UK GDPR is amended as follows.

2

In Article 13(1)(f) (information to be provided where personal data is
collected from the data subject)—

(a)

for “adequacy regulations under section 17A of the 2018 Act”
substitute “regulations under Article 45A”, and

(b)

for “reference to the appropriate or suitable safeguards” substitute
“the safeguards relied on”.

3

In Article 14(1)(f) (information to be provided where personal data is not
obtained from the data subject)—

(a)

for “adequacy regulations under section 17A of the 2018 Act”
substitute “regulations under Article 45A”, and

(b)

for “reference to the appropriate or suitable safeguards” substitute
“the safeguards relied on”.

4

In Article 15(2) (right of access by the data subject)—

(a)

after “organisation” insert “in reliance on Article 46”, and

(b)

for “appropriate safeguards pursuant to Article 46 relating to”
substitute “safeguards provided in accordance with Article 46(1A)(a)(i) or (b)(i) for the purposes of”.

5

(1)

Article 40 (codes of conduct) is amended as follows.

(2)

In paragraph 3 omit “appropriate” in both places.

(3)

In paragraph 5, for “provides sufficient appropriate safeguards” substitute
“is capable of providing safeguards for the purposes of Article 46”.

6

In Article 42(2) (certification) omit “appropriate” in both places.

7

In Article 46(2)(d) (transfers subject to appropriate safeguards: standard
data protection clauses), after “Commissioner” insert “for the purposes of this Article”.

8

In Article 57(1) (Information Commissioner’s tasks)—

(a)

in point (m) omit “which provide sufficient safeguards,”, and

(b)

after point (s) insert—

“(sa)

provide authorisation required under regulations
made under Article 47A;”.

9

In Article 58(3) (authorisation and advisory powers of the Commissioner),
after point (j) insert—

“(k)

to provide authorisation required under regulations made
under Article 47A”.

10

In Article 83(5)(c) (general conditions for imposing administrative fines),
for “44” substitute “44A”.

The 2018 Act

11

The 2018 Act is amended as follows.

12

Omit section 17A (transfers based on adequacy decisions) and the italic
heading before it.

13

Omit section 17B (transfers based on adequacy regulations: review etc).

14

Omit section 17C (standard data protection clauses).

15

Omit section 18 (transfers of personal data to third countries etc: public
interest).

16

In section 24(2) (manual unstructured data held by FOI public authorities)—

(a)

in paragraph (c), for “44 to 49” substitute “44A to 49A”, and

(b)

omit paragraph (ca).

17

In section 26(2) (national security and defence exemption), omit paragraph
(fa).

18

In section 75 (transfers on the basis of appropriate safeguards), after
subsection (7) (inserted by Schedule 8 to this Act) insert—

“(8)

For provision about standard data protection clauses which the
Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.”

19

In section 78A (law enforcement processing: national security exemption)
(inserted by section 87 of this Act), in subsection (2)(e), after sub-paragraph (i) insert—

“(ia)

section 119A (standard clauses for transfers to third
countries);”.

20

(1)

Section 119A (power of Information Commissioner to specify standard
clauses for transfers to third countries etc providing appropriate safeguards) is amended as follows.

(2)

In subsection (1), for the words from “provide” to the end substitute “are
capable of securing that the data protection test set out in Article 46 of the UK GDPR or section 75 of this Act (or both) is met in relation to transfers of personal data”.

(3)

In subsection (3), after paragraph (a) insert—

“(aa)

may make provision generally or in relation to types of
transfer described in the document,”.

21

In section 149(2)(e) (enforcement notices), for “44 to 49” substitute “44A to
49A”.

22

(1)

Section 182 (regulations and consultation) is amended as follows.

(2)

Omit subsection (4).

(3)

In subsection (6), for “Where regulations under this Act” substitute “For
the purposes of this Act, where regulations”.

(4)

In subsection (7), for “Where regulations under this Act” substitute “For
the purposes of this Act, where regulations”.

(5)

In subsection (8)—

(a)

for “Where regulations under this Act” substitute “For the purposes
of this Act, regulations”,

(b)

after “procedure”” insert “if”,

(c)

in paragraph (a), for “the urgency” substitute “an urgency”, and

(d)

in paragraph (b), for “the period of 120 days” substitute “a period”.

(6)

Omit subsections (9) and (10).

(7)

In subsection (11), after “by regulations” insert “made under this Act or
another enactment that are”.

(8)

For subsection (14) substitute—

“(14)

For the purposes of this section, an urgency statement is a reasoned
statement that the Secretary of State considers it desirable for regulations to come into force without delay.”

23

In section 205(2)(e) (references to periods of time) omit “and (9)”.

24

In paragraph 26(9)(d) of Schedule 2 (exemptions etc for journalistic,
academic, artistic and literary purposes), for “44” substitute “44A”.

25

(1)

Part 3 of Schedule 21 (further transitional provision etc: transfers to third
countries and international organisations) is amended as follows.

(2)

In the heading before paragraph 4, for “adequacy decisions and adequacy
regulations” substitute “transfers approved by regulations”.

(3)

In paragraph 4 (UK GDPR: adequacy decisions and adequacy regulations)—

(a)

in sub-paragraph (1), for “based on adequacy regulations” substitute
“to be treated as approved by regulations made under Article 45A of the UK GDPR”,

(b)

in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists
or other arrangements or”, and

(c)

omit sub-paragraph (6).

(4)

In paragraph 6 (UK GDPR: application of certain provisions referring to
regulations made under section 17A of the 2018 Act)—

(a)

in sub-paragraph (1)(a), for “section 17A” substitute “Article 45A of
the UK GDPR”,

(b)

for sub-paragraph (2) substitute—

“(2)

Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and
49A(1) of the UK GDPR.”, and

(c)

after that sub-paragraph insert—

“(3)

In its application to transfers treated as approved by virtue
of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.”

(5)

Omit paragraphs 7 and 8 (UK GDPR: transfers subject to appropriate
safeguards provided by standard data protection clauses).

(6)

In paragraph 9 (UK GDPR: transfers subject to appropriate safeguards
provided by binding corporate rules)—

(a)

in sub-paragraph (1)—

(i)

for “The appropriate safeguards referred to in Article 46(1)
of the UK GDPR may be provided for” substitute “The requirement for safeguards to be provided under Article 46(1A)(a)(i) of the UK GDPR may be satisfied”, and

(ii)

after “described” insert “in”,

(b)

in sub-paragraph (3)(a)—

(i)

for “or provision” substitute “, of provision”, and

(ii)

for “(or both)” substitute “or of the amendment of Chapter
5 of the UK GDPR by the Data (Use and Access) Act 2024”, and

(c)

in sub-paragraph (4), after paragraph (a) insert—

“(aa)

changing references to provision made by regulations
under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;”.

(7)

In the heading before paragraph 10, for “adequacy decisions and adequacy
regulations” substitute “transfers approved by regulations”.

(8)

In paragraph 10 (law enforcement processing: adequacy decisions and
adequacy regulations)—

(a)

in sub-paragraph (1), for “based on adequacy regulations” substitute
“to be treated as approved by regulations made under section 74AA”,

(b)

in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists
or other arrangements or”, and

(c)

omit sub-paragraph (6).

(9)

In paragraph 12 (Part 3 (law enforcement processing): application of certain
provisions referring to regulations made under section 74A)—

(a)

the existing text becomes sub-paragraph (1),

(b)

in that sub-paragraph—

(i)

for the words before paragraph (a) substitute “In sections
74B and 76(A1)—”, and

(ii)

in paragraph (a), for “74A” substitute “74AA”, and

(c)

after that sub-paragraph insert—

“(2)

In its application to transfers treated as approved by virtue
of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.”

Part 2 Transitional provision

The UK GDPR: transfers approved by regulations

26

(1)

Regulations made under section 17A of the 2018 Act (transfers based on
adequacy regulations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 45A of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 7 to this Act comes into force.

The UK GDPR: transfers subject to appropriate safeguards

27

(1)

For the purposes of Article 44A(1)(a) and (2)(b) of the UK GDPR (general
principles for transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is made subject to appropriate safeguards where—

(a)

the transfer is made under arrangements entered into before the
relevant day,

(b)

safeguards are provided in accordance with paragraph 2 or 3 of
Article 46 of the UK GDPR or paragraph 9 of Schedule 21 to the 2018 Act, and

(c)

if the transfer had been made immediately before the relevant day,
it would have satisfied—

(i)

the condition in Article 46(1) of the UK GDPR relating to
data subjects’ rights and legal remedies, and

(ii)

the requirements of the last sentence of Article 44 of the UK
GDPR (level of protection must not be undermined).

(2)

Sub-paragraph (1) has effect in addition to Article 46(1A) of the UK GDPR.

(3)

In this paragraph—


“international organisation” has the same meaning as in the 2018 Act (see section 205 of that Act);

“personal data” has the same meaning as in the 2018 Act (see section 3 of that Act);

“the relevant day” means the day on which paragraph 6 of Schedule 7 to this Act comes into force;

“third country” has the same meaning as in Part 3 of the 2018 Act (see section 33 of that Act).

The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

28

(1)

Regulations made under section 17C of the 2018 Act (standard data
protection clauses) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 47A(1) of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 8 of Schedule 7 to this Act comes into force.

29

(1)

This paragraph applies to a requirement for safeguards to be provided
under—

(a)

Article 46(1A)(a)(i) of the UK GDPR, or

(b)

paragraph 27(1)(b) of this Schedule.

(2)

The requirement may be satisfied on and after the relevant day by a version
of pre-commencement standard clauses incorporating changes where—

(a)

all of the changes are made in consequence of the amendment of
Chapter 5 of the UK GDPR by this Act, and

(b)

none of the changes alters the effect of the clauses.

(3)

Changing a reference to regulations under section 17A of the 2018 Act into
a reference to regulations made under Article 45A of the UK GDPR is to be treated as a change falling within sub-paragraph (2).

(4)

Sub-paragraphs (2) and (3) cease to apply in relation to pre-commencement
standard clauses if—

(a)

the clauses are specified in regulations and a provision of the
regulations relating to the clauses is amended or revoked on or after the relevant day, or

(b)

the clauses are specified in another document and a provision of
the document relating to the clauses is amended or withdrawn by the Information Commissioner on or after the relevant day.

(5)

Sub-paragraph (2) has effect in addition to Article 46(2) and (3) of the UK
GDPR.

(6)

In this paragraph—


“pre-commencement standard clauses” means standard data protection clauses specified in—

(a)

regulations made under section 17C of the 2018 Act and in
force immediately before the relevant day, or

(b)

a document issued by the Information Commissioner under
section 119A of the 2018 Act before the relevant day and not withdrawn before that day;


“the relevant day” means the day on which paragraph 6 of Schedule 7 to this Act comes into force.

The UK GDPR: transfers necessary for important reasons of public interest

30

(1)

Regulations made under section 18(1) of the 2018 Act (transfers necessary
for important reasons of public interest) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 49(4A) of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 9(5) of Schedule 7 to this Act comes into force.

The UK GDPR: restrictions on transfers of personal data to third countries and international organisations

31

(1)

Regulations made under section 18(2) of the 2018 Act (restrictions on
transfers of personal data to third countries and international organisations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 49A of the UK GDPR (inserted by Schedule 7 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 10 of Schedule 7 to this Act comes into force.

Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations

32

(1)

Regulations made under section 74A of the 2018 Act (transfers based on
adequacy regulations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under section 74AA of that Act (inserted by Schedule 8 to this Act).

(2)

In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 8 to this Act comes into force.

Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards

33

(1)

For the purposes of section 73(3) of the 2018 Act (general principles for
transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is a transfer made subject to appropriate safeguards where—

(a)

an appropriate pre-commencement legal instrument binds the
intended recipient of the data, and

(b)

if the transfer had been made immediately before the relevant day,
the requirement in section 75(1)(a) of the 2018 Act (binding legal instrument containing appropriate safeguards) would have been satisfied by virtue of that instrument.

(2)

Sub-paragraph (1) has effect in addition to section 75(1A) of the 2018 Act.

(3)

For the purposes of sub-paragraph (1), a legal instrument is an “appropriate
pre-commencement legal instrument”, in relation to a transfer of personal data, if—

(a)

it was entered into before the relevant day,

(b)

it is intended to be relied on in connection with the transfer or that
type of transfer, and

(c)

at least one competent authority is a party to the instrument.

(4)

In this paragraph—


“competent authority” has the same meaning as in Part 3 of the 2018 Act (see section 30 of that Act);

“international organisation” has the same meaning as in the 2018 Act (see section 205 of that Act);

“personal data” has the same meaning as in the 2018 Act (see section 3 of that Act);

“the relevant day” means the day on which paragraph 6 of Schedule 8 to this Act comes into force;

“third country” has the same meaning as in Part 3 of the 2018 Act (see section 33 of that Act).

Schedule 10

Section 102

Complaints: minor and consequential amendments

The UK GDPR

1

The UK GDPR is amended as follows.

2

In Article 12(4) (transparent information, communication and modalities
for the exercise of the rights of the data subject), for “lodging a complaint with the Commissioner” substitute “making a complaint to the controller under section 164A of the 2018 Act, making a complaint to the Commissioner under section 165 of that Act”.

3

(1)

Article 13(2) (information to be provided where personal data are collected
from the data subject) is amended as follows.

(2)

After point (c) insert—

“(ca)

the right to make a complaint to the controller under section 164A of the 2018 Act;”.

(3)

In point (d), for “lodge a complaint with the Commissioner” substitute
“make a complaint to the Commissioner under section 165 of the 2018 Act”.

4

(1)

Article 14(2) (information to be provided where personal data have not
been obtained from the data subject) is amended as follows.

(2)

After point (d) insert—

“(da)

the right to make a complaint to the controller (see section 164A of the 2018 Act);”.

(3)

In point (e), for “lodge a complaint with the Commissioner” substitute
“make a complaint to the Commissioner under section 165 of the 2018 Act”.

5

(1)

Article 15(1) (right of access by the data subject) is amended as follows.

(2)

After point (e) insert—

“(ea)

the right to make a complaint to the controller under section 164A of the 2018 Act;”.

(3)

In point (f), for “lodge a complaint with the Commissioner” substitute
“make a complaint to the Commissioner under section 165 of the 2018 Act”.

6

In Article 47 (binding corporate rules), in paragraph 2(e), for “lodge a
complaint with the Commissioner and” substitute “make a complaint to the controller under section 164A of the 2018 Act, the right to make a complaint to the Commissioner under section 165 of the 2018 Act, the right to lodge a complaint”.

7

(1)

Article 80 (representation of data subjects) is amended as follows.

(2)

In paragraph 1—

(a)

for “lodge the complaint” substitute “make a complaint under section 164A or 165 of the 2018 Act”, and

(b)

omit “77,”.

(3)

In paragraph 2, for “lodge a complaint with the Commissioner” substitute
“make a complaint under section 164A or 165 of the 2018 Act”.

The 2018 Act

8

The 2018 Act is amended as follows.

9

In section 26(2)(f) (national security and defence exemption), omit
sub-paragraph (zi) (inserted by section 87 of this Act).

10

(1)

Section 44 (information: controller’s general duties) is amended as follows.

(2)

In subsection (1)—

(a)

after paragraph (d) insert—

“(da)

the existence of the right to make a complaint to the
controller (see section 164A);”, and

(b)

in paragraph (e), after “Commissioner”, in the first place it occurs,
insert “(see section 165)”.

(3)

In subsection (5)—

(a)

after paragraph (c) insert—

“(ca)

of the data subject’s right to make a complaint to the
controller under section 164A,”, and

(b)

in paragraph (d), after “Commissioner” insert “under section 165”.

11

(1)

Section 45 (right of access by the data subject) is amended as follows.

(2)

In subsection (2)—

(a)

after paragraph (e) insert—

“(ea)

the existence of the data subject’s right to make a
complaint to the controller (see section 164A);”, and

(b)

in paragraph (f), after “the Commissioner”, in the first place it occurs,
insert “(see section 165)”.

(3)

In subsection (5)—

(a)

after paragraph (c) insert—

“(ca)

of the data subject’s right to make a complaint to the
controller under section 164A,”, and

(b)

in paragraph (d), at the end insert “under section 165”.

12

In section 45A (exemption from sections 44 and 45: legal professional
privilege) (inserted by section 79 of this Act), in subsection (2), after paragraph (c) insert—

“(ca)

the data subject’s right to make a complaint to the controller
under section 164A,”.

13

(1)

Section 48 (rights to rectification, to erasure or to restriction of processing:
supplementary) is amended as follows.

(2)

In subsection (1)(b)—

(a)

after sub-paragraph (ii) insert—

“(iia)

of the data subject’s right to make a complaint
to the controller under section 164A,”, and

(b)

in sub-paragraph (iii), after “Commissioner” insert “under section
165”.

(3)

In subsection (4)—

(a)

after paragraph (b) insert—

“(ba)

of the data subject’s right to make a complaint to the
controller under section 164A,”, and

(b)

in paragraph (c), after “Commissioner” insert “under section 165”.

14

In section 93(1)(e) (right to information), after “Commissioner”, in the first
place it occurs, insert “under section 165”.

15

In section 94(2)(f) (right of access), after “Commissioner”, in the first place
it occurs, insert “under section 165”.

16

(1)

Section 149 (enforcement notices) is amended as follows.

(2)

In subsection (1), for “or (5)” substitute “, (5) or (5A)”.

(3)

After subsection (5) insert—

“(5A)

The fifth type of failure is where a controller has failed, or is failing,
to comply with section 164A or with regulations under section 164B.”

(4)

In subsection (6), for “or (5)” substitute “, (5) or (5A)”.

17

In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitute
“, (5) or (5A)”.

18

In section 157 (maximum amount of penalty), after subsection (4) insert—

“(4A)

In relation to an infringement of section 164A or of regulations
under section 164B, the maximum amount of the penalty that may be imposed by a penalty notice is the standard maximum amount.”

19

In section 165 (complaints by data subjects), in the heading, at the end
insert “to the Commissioner”.

20

(1)

Section 166 (orders to progress complaints) is amended as follows.

(2)

In the heading, at the end insert “to the Commissioner”.

(3)

In subsection (1), omit “or Article 77 of the UK GDPR”.

21

(1)

Section 187 (representation of data subjects with their authority) is amended
as follows.

(2)

In subsection (1)(a)—

(a)

for “Articles 77,” substitute “sections 164A and 165 (complaints) and
Articles”, and

(b)

omit “to lodge complaints and”.

(3)

In subsection (2)—

(a)

before paragraph (a) insert—

“(za)

the right under section 164A (complaints to the
controller);”, and

(b)

in paragraph (a), for “165(2) and (4)(d)” substitute “165”.

Schedule 11

Section 107

Further minor provision about data protection

The UK GDPR

1

The UK GDPR is amended as follows.

2

(1)

Article 4(1) (interpretation) is amended as follows.

(2)

After point (15) insert—

“(15A)

“direct marketing” means the communication (by
whatever means) of advertising or marketing material which is directed to particular individuals;”.

(3)

After point (28) insert—

“(29)

“enactment” has the same meaning as in the 2018 Act
(see section 205 of that Act);

(30)

“tribunal” means any tribunal in which legal proceedings
may be brought.”

3

After Article 4 insert—

“Article 4A Periods of time

1.

References in this Regulation to a period expressed in hours, days,
weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except in Article 91A(8) and (9).

2.

In this Article, “the Periods of Time Regulation” means Regulation
(EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.”

4

In Article 9 (processing of special categories of personal data)—

(a)

in paragraph 2, after “apply if” insert “the processing is based on
Article 6(1) and”,

(b)

in paragraph 2(f), after “courts” insert “or tribunals”, and

(c)

in paragraph 3, for the words from the beginning to “data are”
substitute “Paragraph 1 is only disapplied by point (h) of paragraph 2 if the personal data is”.

5

In Article 12(5) (information etc to be provided free of charge), at the
beginning insert “Subject to Article 15(3),”.

6

In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”.

7

In Article 24(3) (responsibility of the controller), for “an element by which
to demonstrate” substitute “a means of demonstrating”.

8

In Article 25(3) (data protection by design and by default), for “an element
to demonstrate” substitute “a means of demonstrating”.

9

In Article 28(5) (processors), for “an element by which to demonstrate”
substitute “a means of demonstrating”.

10

In Article 32(3) (security of processing), for “an element by which to
demonstrate” substitute “a means of demonstrating”.

11

In Article 37(1)(a), after “courts” insert “and tribunals”.

12

Omit Article 59 (activity reports).

The 2018 Act

13

The 2018 Act is amended as follows.

14

In section 3(9) (definition of “the data protection legislation”)—

(a)

insert “and” at the end of paragraph (c), and

(b)

omit paragraph (e) (regulations under section 2(2) of the European
Communities Act 1972 which relate to the EU GDPR or the Law Enforcement Directive) and the “and” before it.

15

Omit section 20 (meaning of “court” in Part 2).

16

In section 94 (data subject’s right of access under Part 4), in subsection (10),
for “subsection (6)” substitute “subsections (3), (5) and (6)”.

17

In section 119A(11) (standard clauses for transfers to third countries etc),
after “any” insert “whole days that fall within a”.

18

In section 124(5) (data protection and journalism code), in the definition of
“good practice in the processing of personal data for the purposes of journalism”—

(a)

in paragraph (a), omit “, including compliance with the requirements
of the data protection legislation”, and

(b)

after paragraph (b) insert—

“and includes compliance with the requirements of the data protection legislation;”.

19

(1)

Section 125 (approval of codes of practice prepared by the Commissioner)
is amended as follows.

(2)

Omit subsection (2).

(3)

In subsection (8), after “any” insert “whole days that fall within a”.

(4)

In subsection (9), for “subsections (2) and (5)” substitute “subsection (5)”.

20

In section 139 (reporting to Parliament), omit subsection (2).

21

In section 161(6) (approval of first guidance about regulatory action), after
“any” insert “whole days that fall within a”.

22

In section 181 (interpretation of Part 6) omit the definition of
“representative”.

23

In section 184(4) (prohibition of requirement to produce relevant records),
after “prevention” insert “, investigation”.

24

In section 192(6) (approval of the Framework), after “any” insert “whole
days that fall within a”.

25

In section 206 (index of defined expressions), in the Table, omit the entry
for “representative (in Part 6)”.

26

(1)

Schedule 1 (special categories of personal data and criminal convictions etc
data) is amended as follows.

(2)

In the heading before paragraph 10, for “or detecting” substitute “etc”.

(3)

In paragraph 10(1)(a) (preventing etc unlawful acts), after “prevention”
insert “, investigation”.

(4)

In paragraph 13(1)(a) (journalism etc in connection with unlawful acts and
dishonesty etc), after “consists of” insert “, or is carried out in preparation for,”.

(5)

In paragraph 14(1)(b) (preventing fraud), after sub-paragraph (ii) (but before
the “or” at the end of that sub-paragraph) insert—

“(iia)

the processing of personal data carried out in
preparation for disclosure described in sub-paragraph (i) or (ii),”.

(6)

In paragraph 24(1)(a) (disclosure to elected representatives), after “consists
of” insert “, or is carried out in preparation for,”.

27

(1)

Schedule 2 (exemptions etc from the UK GDPR) is amended as follows.

(2)

In paragraph 2(1)(a) (crime), after “prevention” insert “, investigation”.

(3)

In paragraph 3(2)(b)(ii) (crime: risk assessment systems), after “prevention”
insert “, investigation”.

28

In paragraph 8(1)(b) of Schedule 8 (conditions for sensitive processing
under Part 3: preventing fraud), after sub-paragraph (ii) (but before the “or” at the end of that sub-paragraph) insert—

“(iia)

the processing of personal data carried out in
preparation for disclosure described in sub-paragraph (i) or (ii),”.

29

In paragraph 2(a) of Schedule 11 (other exemptions under Part 4: crime),
after “prevention” insert “, investigation”.

Victims and Prisoners Act 2024

30

The following provisions (inserted by section 31 of the Victims and Prisoners
Act 2024) extend to Scotland and Northern Ireland (as well as to England and Wales)—

(a)

Article 17(1)(g), (4) and (5) of the UK GDPR (right to erasure), and

(b)

section 13A of the 2018 Act (meaning of “relevant offence” for
purpose of right to erasure).

Schedule 12

Section 111

Storing information in the terminal equipment of a subscriber or user

In the PEC Regulations, before Schedule 1 insert—

“Schedule A1

Regulation 6

Storing information in the terminal equipment of a subscriber or user

Interpretation

1.

(1)

In this Schedule, “website” includes a mobile application and any other
platform by means of which an information society service is provided.

(2)

For further provision about the interpretation of this Schedule, see regulation
6(2).

Consent

2.

(1)

Regulation 6(1) does not prevent a person storing information, or gaining
access to information stored, in the terminal equipment of a subscriber or user if the subscriber or user—

(a)

is provided with clear and comprehensive information about the purpose of
the storage or access, and

(b)

gives consent to the storage or access.

(2)

Where an electronic communications network is used by the same person to
store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1) are met in respect of the initial use.

(3)

For the purposes of sub-paragraph (1)(b), the means by which the subscriber
or user may signify consent include—

(a)

amending or setting controls on the internet browser which the subscriber
or user uses;

(b)

using another application or programme.

Transmission of a communication over an electronic communications network

3.

Regulation 6(1) does not apply to—

(a)

technical storage of information in the terminal equipment of a subscriber
or user, or

(b)

technical access to information stored in such equipment,

for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Storage or access strictly necessary to provide an information society service

4.

(1)

Regulation 6(1) does not apply to—

(a)

technical storage of information in the terminal equipment of a subscriber
or user, or

(b)

technical access to information stored in such equipment,

where the storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

(2)

For the purposes of this paragraph, the technical storage of, or technical access
to, information is strictly necessary for the provision of an information society service requested by the subscriber or user if, for example, the storage or access is strictly necessary—

(a)

to protect information provided in connection with, or relating to, the
provision of the service requested,

(b)

to ensure that the security of the terminal equipment of the subscriber or
user is not adversely affected by the provision of the service requested,

(c)

to prevent or detect fraud in connection with the provision of the service
requested,

(d)

to prevent or detect technical faults in connection with the provision of the
service requested, or

(e)

to enable either of the following things to be done where necessary for the
provision of the service requested—

(i)

automatically authenticating the identity of the subscriber or user, or

(ii)

maintaining a record of selections made on a website, or information
put into a website, by the subscriber or user.

Collecting information for statistical purposes

5.

(1)

Regulation 6(1) does not prevent a person storing information, or gaining
access to information stored, in the terminal equipment of a subscriber or user if—

(a)

the person provides an information society service,

(b)

the sole purpose of the storage or access is to enable the person—

(i)

to collect information for statistical purposes about how the service is
used with a view to making improvements to the service, or

(ii)

to collect information for statistical purposes about how a website by
means of which the service is provided is used with a view to making improvements to the website,

(c)

any information that the storage or access enables the person to collect is
not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website,

(d)

the subscriber or user is provided with clear and comprehensive information
about the purpose of the storage or access, and

(e)

the subscriber or user is given a simple means of objecting, free of charge,
to the storage or access and does not object.

(2)

In sub-paragraph (1), the reference to gaining access to information stored in
the terminal equipment of a subscriber or user does not include a reference to collecting or monitoring information automatically emitted by the terminal equipment.

(3)

Where an electronic communications network is used by the same person to
store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1)(d) and (e) are met in respect of the initial use.

Website appearance etc

6.

(1)

Regulation 6(1) does not prevent a person storing information, or gaining
access to information stored, in the terminal equipment of a subscriber or user if—

(a)

the person provides an information society service by means of a website,

(b)

the sole purpose of the storage or access is—

(i)

to enable the way the website appears or functions when displayed on,
or accessed by, the terminal equipment to adapt to the preferences of the subscriber or user, or

(ii)

to otherwise enable an enhancement of the appearance or functionality
of the website when displayed on, or accessed by, the terminal equipment,

(c)

the subscriber or user is provided with clear and comprehensive information
about the purpose of the storage or access, and

(d)

the subscriber or user is given a simple means of objecting, free of charge,
to the storage or access and does not object.

(2)

Where an electronic communications network is used by the same person to
store or access information in the terminal equipment of a subscriber or user for the same purpose on more than one occasion, it is sufficient that the requirements of sub-paragraph (1)(c) and (d) are met in respect of the initial use.

Emergency assistance

7.

Regulation 6(1) does not prevent a person storing information, or gaining access
to information stored, in the terminal equipment of a subscriber or user if—

(a)

the person receives a communication from the terminal equipment,

(b)

the communication is a request from the subscriber or user for emergency
assistance or otherwise indicates that the subscriber or user is in need of emergency assistance, and

(c)

the sole purpose of the storage or access is to enable the geographical position
of the subscriber or user to be ascertained with a view to the emergency assistance being provided.”

Schedule 13

Section 113

Privacy and electronic communications: Commissioner’s enforcement powers

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

“Schedule 1

Regulation 31

Information Commissioner’s enforcement powers

Provisions applied for enforcement purposes

1.

For the purposes of enforcing these Regulations, the following provisions of
Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 29

section 140 (publication by the Commissioner);

section 141A (notices from the Commissioner);

section 142 (information notices);

section 143 (information notices: restrictions);

section 144 (false statements made in response to an information notice);

section 145 (information orders);

section 146 (assessment notices);

section 146A (assessment notices: approval of person to prepare report);

section 147 (assessment notices: restrictions);

section 148 (destroying or falsifying information and documents etc);

section 148A (interview notices);

section 148B (interview notices: restrictions);

section 148C (false statements made in response to interview notices);

section 149 (enforcement notices);

section 150 (enforcement notices: supplementary);

section 152 (enforcement notices: restrictions);

section 153 (enforcement notices: cancellation and variation);

section 154 and Schedule 15 (powers of entry and inspection);

section 155 and Schedule 16 (penalty notices);

section 156 (penalty notices: restrictions);

section 157 (maximum amount of penalty);

section 159 (amount of penalties: supplementary);

section 160 (guidance about regulatory action);

section 161 (approval of first guidance about regulatory action);

section 162 (rights of appeal);

section 163 (determination of appeals);

section 164 (applications in respect of urgent notices);

section 180 (jurisdiction);

section 181 (interpretation of Part 6);

section 182 (regulations and consultation);

section 196 (penalties for offences);

section 197(1) and (2) (prosecution);

section 198 (liability of directors etc);

section 200 (guidance about PACE codes of practice);

section 202 (proceedings in the First-tier Tribunal: contempt);

section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2.

The provisions listed in paragraph 1 have effect as if—

(a)

references to the Data Protection Act 2018 or to a Part of that Act were
references to the provisions of that Act or that Part as applied by these Regulations;

(b)

references to a particular provision of that Act were references to that
provision as applied by these Regulations.

Modification of section 142 (information notices)

3.

Section 142 has effect as if—

(a)

in subsection (1), for paragraphs (a) and (b) there were substituted—

“(a)

require any person to provide the Commissioner with
information or documents that the Commissioner reasonably requires for the purposes of determining whether that person has complied or is complying with the requirements of the PEC Regulations,

(b)

require a communications provider to provide the
Commissioner with information or documents relating to another person’s use of an electronic communications network or electronic communications service for the purposes of determining whether that other person has complied or is complying with the requirements of the PEC Regulations, or

(c)

require any person to provide the Commissioner with
information or documents that the Commissioner reasonably requires for the purposes of investigating a suspected failure by another person to comply with the requirements of the PEC Regulations.”;

(b)

in subsection (2)(a), for “(b)(i) or (b)(ii)” there were substituted “(b) or (c)”;

(c)

after subsection (8) there were inserted—

“(8A)

Subsections (8B) and (8C) apply if an information notice given to a
person under subsection (1)(b) or (c) contains—

(a)

a statement that a duty of confidentiality applies in relation
to the notice, and

(b)

an explanation of the effects of subsections (8B) and (8C).

(8B)

The person to whom the information notice is given, and any person
employed or engaged for the purpose of that person’s business, must not disclose the existence of the notice without reasonable excuse.

(8C)

Subsection (8B) does not prevent—

(a)

a disclosure to a person employed or engaged for the purpose
of the business of the person to whom the notice is given,

(b)

a disclosure made with the permission of the Commissioner
(whether the permission is contained in the information notice or otherwise), or

(c)

a disclosure made for the purpose of obtaining legal advice.”;

(d)

subsections (9) and (10) were omitted.

Modification of section 143 (information notices: restrictions)

4.

(1)

Section 143 has effect as if subsections (1) and (9) were omitted.

(2)

In that section—

(a)

subsections (3)(b) and (4)(b) have effect as if for “the data protection
legislation” there were substituted “the PEC Regulations”;

(b)

subsection (7)(a) has effect as if for “this Act” there were substituted “section
144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (8) has effect as if for “this Act (other than an offence under section
144)” there were substituted “section 148 or 148C or paragraph 15 of Schedule 15”.

Modification of section 145 (information orders)

5.

Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted
“section 142(2)”.

Modification of section 146 (assessment notices)

6.

Section 146 has effect as if—

(a)

in subsection (1)—

(i)

for “a controller or processor” there were substituted “a person within
subsection (1A)”;

(ii)

for “the controller or processor” there were substituted “the person”;

(iii)

for “the data protection legislation” there were substituted “the
requirements of the PEC Regulations”;

(b)

after subsection (1) there were inserted—

“(1A)

A person is within this subsection if the person—

(a)

is a communications provider, or

(b)

is engaged in any activity regulated by the PEC Regulations.”;

(c)

in subsection (2)—

(i)

for “controller or processor” there were substituted “person to whom it
is given”;

(ii)

in paragraph (h), for “the processing of personal data” there were
substituted “any activity regulated by the PEC Regulations”;

(iii)

in paragraph (i), for “process personal data on behalf of the controller”
there were substituted “are involved in any such activity on behalf of the person to whom the notice is given”;

(d)

in subsection (3A), for “controller or processor” there were substituted
“person”;

(e)

in subsection (7), for “controller or processor” there were substituted “person
to whom the notice is given”;

(f)

in subsection (8)—

(i)

in paragraph (a), for “controller or processor” there were substituted
“person to whom the notice is given”;

(ii)

in the words after paragraph (c), for “controller or processor” there were
substituted “person”;

(g)

in subsection (9)—

(i)

in paragraph (a), for the words from “a controller” to “this Act” there
were substituted “the person to whom the notice is given has failed or is failing to comply with the requirements of the PEC Regulations or that an offence under section 144, 148 or 148C or paragraph 15 of Schedule 15”;

(ii)

in paragraph (d), for “controller or processor” there were substituted
“person”;

(h)

in subsection (10), for “controller or processor” there were substituted
“person”;

(i)

subsection (11) were omitted;

(j)

in subsection (11A)—

(i)

for “controller or processor”, in the first place it occurs, there were
substituted “person to whom it is given”;

(ii)

for “controller or processor”, in the second place it occurs, there were
substituted “the person”.

Modification of section 146A (assessment notices: approval of person to prepare report)

7.

Section 146A has effect as if—

(a)

in subsection (1), for “a controller or processor” there were substituted “a
person (“P”)”;

(b)

in subsection (2), for “The controller or processor” there were substituted
“P”;

(c)

in subsections (3) to (6), for “the controller or processor” (in each place) there
were substituted “P”.

Modification of section 147 (assessment notices: restrictions)

8.

(1)

Section 147 has effect as if subsection (5) were omitted.

(2)

In that section, subsections (2)(b) and (3)(b) have effect as if for “the data
protection legislation” there were substituted “the PEC Regulations”.

Modification of section 148A (interview notices)

9.

Section 148A has effect as if—

(a)

in subsection (1)—

(i)

for “a controller or processor” there were substituted “a person”;

(ii)

in paragraph (a), for “as described in section 149(2)” there were
substituted “to comply with a requirement of the PEC Regulations”;

(iii)

in paragraph (b), for “this Act” there were substituted “section 144, 148
or 148C or paragraph 15 of Schedule 15”;

(b)

in subsection (3)—

(i)

in paragraph (a), for “the controller or processor” there were substituted
“the person mentioned in subsection (1)”;

(ii)

in paragraph (b), for “the controller or processor” there were substituted
“that person”;

(iii)

in paragraph (c), for “the controller or processor” there were substituted
“that person”.

Modification of section 148B (interview notices: restrictions)

10.

(1)

Section 148B has effect as if subsections (8) and (9) were omitted.

(2)

In that section—

(a)

subsections (2)(b) and (3)(b) have effect as if for “the data protection
legislation” there were substituted “the PEC Regulations”;

(b)

subsection (6)(a) has effect as if for “this Act” there were substituted “section
144, 148 or 148C or paragraph 15 of Schedule 15”;

(c)

subsection (7) has effect as if for “this Act (other than an offence under section
148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.

Modification of section 149 (enforcement notices)

11.

(1)

Section 149 has effect as if subsections (2) to (5A) and (7) to (9) were
omitted.

(2)

In that section—

(a)

subsection (1) has effect as if—

(i)

for “as described in subsections (2), (3), (4), (5) or (5A)” there were
substituted “to comply with a requirement of the PEC Regulations”;

(ii)

for “sections 150 and 151” there were substituted “section 150”;

(b)

subsection (6) has effect as if the words “given in reliance on subsection (2),
(3), (5) or (5A)” were omitted.

Modification of section 150 (enforcement notices: supplementary)

12.

(1)

Section 150 has effect as if subsection (3) were omitted.

(2)

In that section, subsection (2) has effect as if the words “in reliance on section
149(2)” were omitted.

Modification of section 152 (enforcement notices: restrictions)

13.

Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Modification of Schedule 15 (powers of entry and inspection)

14.

(1)

Schedule 15 has effect as if paragraph 3 were omitted.

(2)

Paragraph 1(1) of that Schedule (issue of warrants in connection with
non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

“(a)

there are reasonable grounds for suspecting that—

(i)

a person has failed or is failing to comply with a requirement
of the PEC Regulations, or

(ii)

an offence under section 144, 148, or 148C or paragraph 15 of
this Schedule has been or is being committed,”.

(3)

Paragraph 2 of that Schedule (issue of warrants in connection with assessment
notices) has effect as if—

(a)

in sub-paragraphs (1) and (2), for “controller or processor” there were
substituted “person”;

(b)

in sub-paragraph (2), for “the data protection legislation” there were
substituted “the PEC Regulations”.

(4)

Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)

in sub-paragraph (1)(c), for “the processing of personal data” there were
substituted “an activity regulated by the PEC Regulations”;

(b)

in sub-paragraph (2)(d), for the words from “controller or processor” to the
end there were substituted “person mentioned in paragraph 1(1)(a) has failed or is failing to comply with a requirement of the PEC Regulations”;

(c)

in sub-paragraph (3)(a) and (d)—

(i)

for “controller or processor” there were substituted “person mentioned
in paragraph 2(1)”;

(ii)

for “the data protection legislation” there were substituted “the
requirements of the PEC Regulations”.

(5)

Paragraph 11 of that Schedule (privileged communications) has effect as if, in
sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the PEC Regulations”.

Modification of section 155 (penalty notices)

15.

Section 155 has effect as if—

(a)

in subsection (1)—

(i)

in paragraph (a), for “as described in section 149(2), (3), (4), (5) or (5A)”
there were substituted “to comply with a requirement of the PEC Regulations”;

(ii)

after paragraph (c), there were inserted “, or

(d)

has failed to comply with the prohibition in section 142(8B),”;

(b)

after subsection (1) there were inserted—

“(1A)

But the Commissioner may not give a penalty notice to a person in
respect of a failure to comply with regulation 5A of the PEC Regulations.”;

(c)

for subsection (2) there were substituted—

“(2)

When deciding whether to give a penalty notice to a person and
determining the amount of the penalty, the Commission must have regard to the matters listed in subsection (3), so far as relevant.”;

(d)

in subsection (3)—

(i)

for “the controller or processor” (in each place) there were substituted
“the person”;

(ii)

in paragraph (c), for the words from “data subjects” to the end there
were substituted “subscribers or users”;

(iii)

in paragraph (d), for the words “in accordance with section 57, 66, 103
or 107” there were substituted “with a view to securing compliance with the requirements of the PEC Regulations”;

(iv)

paragraph (g) were omitted;

(v)

in paragraph (j), the words “or certification mechanism” were omitted;

(e)

subsection (4) were omitted;

(f)

after subsection (4) there were inserted—

“(4A)

If a penalty notice is given to a body in respect of a failure to comply
with any of regulations 19 to 24 of the PEC Regulations, the Commissioner may also give a penalty notice to an officer of the body if the Commissioner is satisfied that the failure—

(a)

took place with the consent or connivance of the officer, or

(b)

was attributable to any neglect on the part of the officer.

(4B)

In subsection (4A)


“body” means a body corporate or a Scottish partnership;

“officer”, in relation to a body, means—

(a)

in relation to a body corporate—

(i)

a director, manager, secretary or other similar
officer of the body or any person purporting to act in such capacity, and

(ii)

where the affairs of the body are managed by
its members, a member; or

(b)

in relation to a Scottish partnership, a partner or any
person purporting to act as a partner.”;

(g)

subsections (6) to (8) were omitted.

Modification of Schedule 16 (penalties)

16.

Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 156 (penalty notices: restrictions)

17.

(1)

Section 156 has effect as if subsections (1), (2), (4)(b) and (5) were omitted.

(2)

In that section, subsection (3) has effect as if for the words from “controller” to
“determined by or” there were substituted “penalty notice to a person who acts”.

Modification of section 157 (maximum amount of penalty)

18.

Section 157 has effect as if—

(a)

subsection (1) were omitted;

(b)

in subsection (2)—

(i)

for “Part 3 of this Act” there were substituted “the PEC Regulations”;

(ii)

in paragraph (a), for the words from “section 35” to “or 78” there were
substituted “regulation 5, 6, 7, 8, 14, 19, 20, 21, 21A, 21B, 22, 23 or 24”;

(c)

subsections (3) and (4A) were omitted;

(d)

after subsection (4A) there were inserted—

“(4B)

In relation to an infringement of section 142(8B) of this Act, the
maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.”

Modification of section 159 (amount of penalties: supplementary)

19.

Section 159 has effect as if—

(a)

in subsection (1), the words “Article 83 of the UK GDPR and” were omitted;

(b)

in subsection (2), the words “Article 83 of the UK GDPR,” and “and section
158” were omitted.

Modification of section 160 (guidance)

20.

Section 160 has effect as if, in subsection (4)(f), for “controllers and processors”
there were substituted “persons”.

Modification of section 162 (rights of appeal)

21.

Section 162 has effect as if subsection (4) were omitted.

Modification of section 163 (determination of appeals)

22.

Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)

23.

(1)

Section 180 has effect as if subsections (2)(b), (c), (d) and (e) and (3) were
omitted.

(2)

Subsection (1) of that section has effect as if for “subsections (3) and (4)” there
were substituted “subsection (4)”.

Modification of section 181 (interpretation of Part 6)

24.

Section 181 has effect as if the definition of “certification provider” were omitted.

Modification of section 182 (regulations and consultation)

25.

(1)

Section 182 has effect as if subsections (3), (6), (8), (11), (12) and (14) were
omitted.

(2)

Subsection (13) of that section has effect as if for “provision comes into force”
there were substituted “coming into force of section 113 of the Data (Use and Access) Act 2024”.

Modification of section 196 (penalties for offences)

26.

(1)

Section 196 has effect as if subsections (3) to (5) were omitted.

(2)

In that section—

(a)

subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)

subsection (2) has effect as if for “section 132, 144, 148, 148C, 170, 171 or 184”
there were substituted “section 144, 148 or 148C”.

Modification of section 200 (guidance about PACE codes of practice)

27.

Section 200 has effect as if, in subsection (1), for “this Act” there were substituted
“section 144, 148 and 148C and paragraph 15 of Schedule 15”.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)

28.

Section 202 has effect as if, in subsection (1)(a), for sub-paragraphs (i) and (ii)
there were substituted “on an appeal under section 162”.

Modification of section 203 (tribunal procedure rules)

29.

Section 203 has effect as if—

(a)

in subsection (1), for paragraphs (a) and (b) there were substituted “the
exercise of the rights of appeal conferred by section 162”;

(b)

in subsection (2)—

(i)

in paragraph (a), for “the processing of personal data” there were
substituted “any activity regulated by the PEC Regulations”;

(ii)

in paragraph (b), for “the processing of personal data” there were
substituted “any such activity”.

Interpretation

30.

In this Schedule, “the PEC Regulations” means these Regulations.”

Schedule 14

Section 115

The Information Commission

Schedule 12A to the Data Protection Act 2018

1

In the Data Protection Act 2018, after Schedule 12 insert—

“Schedule 12A

Section 114A

The Information Commission

Status

1

(1)

The Commission is not to be regarded—

(a)

as a servant or agent of the Crown, or

(b)

as enjoying any status, immunity or privilege of the
Crown.

(2)

The Commission’s property is not to be regarded—

(a)

as property of the Crown, or

(b)

as property held on behalf of the Crown.

Number of members

2

(1)

The number of members of the Commission is to be determined
by the Secretary of State.

(2)

That number must not be—

(a)

less than 3, or

(b)

more than 14.

(3)

The Secretary of State may by regulations substitute a different
number for the number for the time being specified in sub-paragraph (2)(b).

(4)

Regulations under this paragraph are subject to the negative
resolution procedure.

Membership: general

3

(1)

The Commission is to consist of—

(a)

the non-executive members, and

(b)

the executive members.

(2)

The non-executive members are—

(a)

a chair appointed by His Majesty by Letters Patent on the
recommendation of the Secretary of State, and

(b)

such other members as the Secretary of State may appoint.

(3)

The executive members are—

(a)

a chief executive appointed by the non-executive members
or in accordance with paragraph 25, and

(b)

such other members, if any, as the non-executive members
may appoint.

(4)

The Secretary of State must consult the chair of the Commission
before appointing a non-executive member.

(5)

The non-executive members must consult the Secretary of State
before appointing the chief executive.

(6)

The non-executive members must consult the chief executive
about whether there should be any executive members within sub-paragraph (3)(b) and, if so, how many there should be.

(7)

The Secretary of State may by direction set a maximum and a
minimum number of executive members.

(8)

The Commission may appoint one of the non-executive members
as a deputy to the chair.

Membership: non-executive members to outnumber executive members

4

The Secretary of State must exercise the powers conferred on the
Secretary of State by paragraphs 2 and 3 so as to secure that the number of non-executive members of the Commission is, so far as practicable, at all times greater than the number of executive members.

Membership: selection on merit etc

5

(1)

The Secretary of State may not recommend a person for
appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition.

(2)

A person may not be appointed as a member of the Commission
unless the person has been selected on merit on the basis of fair and open competition.

Membership: conflicts of interests

6

(1)

Before—

(a)

recommending a person for appointment as the chair of
the Commission, or

(b)

appointing a person as a non-executive member of the
Commission,

the Secretary of State must be satisfied that the person does not have a conflict of interest.

(2)

The Secretary of State must check from time to time that none of
the non-executive members has a conflict of interest.

(3)

The Secretary of State may require a non-executive member to
provide whatever information the Secretary of State considers necessary for the purpose of checking that the member does not have a conflict of interest.

(4)

A non-executive member who is required to provide information
under sub-paragraph (3) must provide it within such period as may be specified by the Secretary of State.

(5)

In this Schedule, “conflict of interest”, in relation to a person,
means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission.

Tenure of the chair

7

(1)

The chair of the Commission holds and vacates office in
accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph.

(2)

The chair must be appointed for a term of not more than 7 years.

(3)

On the recommendation of the Secretary of State, His Majesty
may by Letters Patent extend the term of the chair’s appointment but not so the term as extended is more than 7 years.

(4)

A person cannot be appointed as the chair more than once.

(5)

The chair may be relieved from office by His Majesty at the chair’s
own request.

(6)

The chair may be removed from office by His Majesty on an
Address from both Houses of Parliament.

(7)

No motion is to be made in either House of Parliament for such
an Address unless the Secretary of State has presented a report to that House stating that the Secretary of State is satisfied that—

(a)

the chair is guilty of serious misconduct,

(b)

the chair has a conflict of interest (see paragraph 6(5)),

(c)

the chair has failed to comply with paragraph 6(4), or

(d)

the chair is unable, unfit or unwilling to carry out the
chair’s functions.

Tenure of deputy chair

8

(1)

A deputy chair of the Commission may resign that office by
giving written notice to the Commission.

(2)

A deputy chair of the Commission ceases to hold that office on
ceasing to be a non-executive member of the Commission.

(3)

A deputy chair of the Commission may be removed from that
office by the Commission.

Tenure of the other non-executive members

9

(1)

This paragraph applies to a non-executive member of the
Commission appointed by the Secretary of State.

(2)

The member holds and vacates office in accordance with the
terms of their appointment, subject to the provisions of this paragraph.

(3)

The member must be appointed for a term of not more than 7
years.

(4)

The Secretary of State may extend the term of the member’s
appointment but not so that the term as extended is more than 7 years.

(5)

The Secretary of State may not appoint the member as a
non-executive member of the Commission on a subsequent occasion.

(6)

The member may resign from office by giving written notice to
the Secretary of State and the Commission.

(7)

The Secretary of State may remove the member from office by
written notice if satisfied that—

(a)

the member is guilty of serious misconduct,

(b)

the member has a conflict of interest (see paragraph 6(5)),

(c)

the member has failed to comply with paragraph 6(4), or

(d)

the member is unable, unfit or unwilling to carry out the
member’s functions.

(8)

At the time of removing the member from office the Secretary of
State must make public the decision to do so.

(9)

The Secretary of State must—

(a)

give the member a statement of reasons for the removal,
and

(b)

if asked to do so by the member, publish the statement.

Remuneration and pensions of non-executive members

10

(1)

The Commission may pay to the non-executive members of the
Commission such remuneration and allowances as the Secretary of State may determine.

(2)

The Commission may pay, or make provision for paying, to or
in respect of the non-executive members of the Commission, such sums by way of pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the Secretary of State may determine.

(3)

The Commission may make a payment to a person of such
amount as the Secretary of State may determine where—

(a)

the person ceases to be a non-executive member of the
Commission otherwise than on the expiry of the person’s term of office, and

(b)

it appears to the Secretary of State that there are special
circumstances which make it appropriate for the person to receive compensation.

Executive members: terms and conditions

11

(1)

The executive members of the Commission are to be employees
of the Commission.

(2)

The executive members are to be employed by the Commission
on such terms and conditions, including those as to remuneration, as the non-executive members of the Commission may determine.

(3)

The Commission must—

(a)

pay to or in respect of the executive members of the
Commission such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the non-executive members of the Commission may determine, and

(b)

provide and maintain for them such pension schemes
(whether contributory or not) as the non-executive members of the Commission may determine.

Other staff: appointment, terms and conditions

12

(1)

The Commission may—

(a)

appoint other employees, and

(b)

make such other arrangements for the staffing of the
Commission as it considers appropriate.

(2)

In appointing an employee, the Commission must have regard
to the principle of selection on merit on the basis of fair and open competition.

(3)

Employees appointed by the Commission are to be appointed on
such terms and conditions, including those as to remuneration, as the Commission may determine.

(4)

The Commission may—

(a)

pay to or in respect of those employees such pensions,
allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of employment) as the Commission may determine, and

(b)

provide and maintain for them such pension schemes
(whether contributory or not) as the Commission may determine.

Committees

13

(1)

The Commission may establish committees.

(2)

A committee of the Commission may consist of or include persons
who are neither members nor employees of the Commission.

(3)

But a committee of the Commission to which functions are
delegated under paragraph 14(1)(c) must include at least one person who is either a member or an employee of the Commission.

(4)

Where a person who is neither a member nor an employee of the
Commission is a member of a committee of the Commission, the Commission may pay to that person such remuneration and expenses as it may determine.

Delegation of functions

14

(1)

The Commission may delegate any of its functions to—

(a)

a member of the Commission,

(b)

an employee of the Commission, or

(c)

a committee of the Commission.

(2)

A function is delegated under sub-paragraph (1) to the extent
and on the terms that the Commission determines.

(3)

A committee of the Commission may delegate any function
delegated to it to a member of the committee.

(4)

A function is delegated under sub-paragraph (3) to the extent
and on the terms that the committee determines.

(5)

The power of a committee of the Commission to delegate a
function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do.

(6)

The delegation of a function by the Commission or a committee
of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function.

Advice from committees

15

The Commission may require a committee of the Commission to
give the Commission advice about matters relating to the discharge of the Commission’s functions.

Proceedings

16

(1)

The Commission may make arrangements for regulating—

(a)

its own procedure, and

(b)

the procedure of a committee of the Commission.

(2)

The non-executive members of the Commission may by majority
make arrangements for regulating the procedure for the carrying out of the separate functions which are conferred on them under this Schedule.

(3)

Arrangements under this paragraph may include arrangements
as to quorum and the making of decisions by a majority.

(4)

The Commission must publish arrangements which it makes
under this paragraph.

(5)

This paragraph is subject to paragraph 18.

Records of proceedings

17

The Commission must make arrangements for the keeping of
proper records of—

(a)

its proceedings,

(b)

the proceedings of a committee of the Commission,

(c)

the proceedings at a meeting of the non-executive members
of the Commission,

(d)

anything done by a member or employee of the
Commission under paragraph 14(1), and

(e)

anything done by a member of a committee of the
Commission under paragraph 14(3).

Disqualification for acting in relation to certain matters

18

(1)

This paragraph applies if—

(a)

a member of the Commission has a direct or indirect
interest in a matter falling to be considered at a meeting of the Commission,

(b)

a non-executive member of the Commission has a direct
or indirect interest in a matter falling to be considered at a meeting of the non-executive members, or

(c)

a member of a committee of the Commission has a direct
or indirect interest in a matter falling to be considered at a meeting of the committee.

(2)

The member with the interest must declare it.

(3)

The declaration must be recorded in the minutes of the meeting.

(4)

The member with the interest may not take part in a discussion
or decision at the meeting relating to the matter, unless—

(a)

in the case of a meeting of the Commission, the other
members of the Commission who are present have resolved unanimously that the interest is to be disregarded,

(b)

in the case of a meeting of the non-executive members,
the other non-executive members who are present have resolved unanimously that the interest is to be disregarded, or

(c)

in the case of a meeting of a committee, the other members
of the committee who are present have, in the manner authorised by the Commission, resolved that the interest is to be disregarded.

(5)

In giving authorisation for the purposes of sub-paragraph (4)(c), the Commission must secure that a resolution for those purposes does not allow a member to take part in a discussion or decision at a meeting of a committee to which functions are delegated under paragraph 14(1)(c) unless the number of other members of the committee in favour of the resolution—

(a)

is not less than two thirds of those who are both present
and entitled to vote on the resolution, and

(b)

is not less than its quorum.

(6)

For the purposes of this paragraph, a notification given at or sent
to a meeting of the Commission that a person—

(a)

is a member of a company or firm, and

(b)

is to be regarded as interested in any matter involving
that company or firm,

is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the Commission, of the non-executive members or of a committee.

(7)

For the purposes of this paragraph, a notification given at or sent
to a meeting of the non-executive members of the Commission or of a committee of the Commission that—

(a)

a person is a member of a company or firm, and

(b)

is to be regarded as interested in any matter involving
that company or firm,

is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the non-executive members or (as the case may be) of the committee.

(8)

A notification described in sub-paragraph (6) or (7) remains in
force until it is withdrawn.

(9)

A person required to make a declaration for the purposes of this
paragraph in relation to any meeting—

(a)

is not required to attend the meeting, but

(b)

is to be taken to have complied with the requirements of
this paragraph if the person takes reasonable steps to secure that notice of the person’s interest is read out, and taken into consideration, at the meeting in question.

Validity of proceedings

19

(1)

The validity of proceedings of the Commission, of the
non-executive members of the Commission or of a committee of the Commission is not affected by—

(a)

a vacancy in the membership of the Commission or of the
committee,

(b)

a defect in the appointment of a member of the
Commission,

(c)

a failure of the Secretary of State to comply with the
requirements of paragraph 4, or

(d)

a failure to comply with arrangements under paragraph 16 or with a requirement under paragraph 18.

(2)

Nothing in sub-paragraph (1)(d) validates proceedings of a
meeting which is inquorate unless it is inquorate by reason only of a matter within sub-paragraph (1)(b) or (c).

Money

20

The Secretary of State may make payments to the Commission.

Fees etc and other sums

21

(1)

All fees, charges, penalties and other sums received by the
Commission in carrying out its functions are to be paid to the Secretary of State.

(2)

Sub-paragraph (1) does not apply where the Secretary of State
otherwise directs.

(3)

Any sums received by the Secretary of State under this paragraph
are to be paid into the Consolidated Fund.

Accounts

22

(1)

The Commission must keep proper accounts and proper records
in relation to them.

(2)

The Commission must prepare a statement of accounts in respect
of each financial year in the form specified by the Secretary of State.

(3)

The Commission must send a copy of each statement of accounts
to the Secretary of State and the Comptroller and Auditor General before the end of August next following the financial year to which the statement relates.

(4)

The Comptroller and Auditor General must—

(a)

examine, certify and report on the statement of accounts,
and

(b)

send a copy of the certified statement and the report to
the Secretary of State.

(5)

The Secretary of State must lay before Parliament each document
received under sub-paragraph (4)(b).

(6)

In this paragraph “financial year” means—

(a)

the period beginning with the date on which the
Commission is established and ending with the 31 March following that date, and

(b)

each successive period of 12 months.

Authentication of seal and presumption of authenticity of documents

23

(1)

The application of the Commission’s seal must be authenticated
by the signature of—

(a)

the chair of the Commission, or

(b)

another person authorised for that purpose by the
Commission.

(2)

A document purporting to be duly executed under the
Commission’s seal or signed on its behalf—

(a)

is to be received in evidence, and

(b)

is to be taken to be executed or signed in that way, unless
the contrary is shown.

(3)

This paragraph does not extend to Scotland.

Supplementary powers

24

The Commission may do anything it thinks appropriate for the
purposes of, or in connection with, its functions.

Transitional provision: interim chief executive

25

(1)

The first chief executive of the Commission is to be appointed
by the chair of the Commission.

(2)

Before making the appointment the chair must consult the
Secretary of State.

(3)

The appointment must be for a term of not more than 2 years.

(4)

The chair may extend the term of the appointment but not so the
term as extended is more than 2 years.

(5)

For the term of appointment, the person appointed under
sub-paragraph (1) is “the interim chief executive”.

(6)

Until the expiry of the term of appointment, the powers conferred
on the non-executive members by paragraph 11(2) and (3) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members).

(7)

In sub-paragraphs (5) and (6), the references to the term of
appointment are to the term of appointment described in sub-paragraph (3), including any extension of the term under sub-paragraph (4).

Interpretation

26

In this Schedule—

(a)

references to pensions, allowances or gratuities include
references to any similar benefits provided on death or retirement, and

(b)

references to the payment of pensions, allowances or
gratuities to or in respect of a person include references to the making of payments towards the provision of pensions, allowances or gratuities to be paid to or in respect of a person.”

Transitional provision: first chair

2

(1)

This paragraph applies to the person who holds the office of Information
Commissioner immediately before the day on which this Schedule comes into force.

(2)

The person is to be treated as having been appointed as the chair of the
Information Commission for a term that expires at the time the person would cease to hold the office of Information Commissioner but for the abolition of that office by section 116.

(3)

For the purposes of paragraph 7(3) of Schedule 12A to the Data Protection
Act 2018 (extension of chair’s term), the term of the person’s appointment as chair of the Information Commission is to be treated as a term beginning when the person began to hold the office of Information Commissioner.

Transitional provision: consultation about non-executive members

3

(1)

This paragraph is about the requirement under paragraph 3(4) of Schedule 12A to the Data Protection Act 2018 for the Secretary of State to consult
the chair of the Information Commission before appointing a non-executive member of the Information Commission.

(2)

The requirement may be satisfied by consultation, before this Schedule
comes into force, with the person who holds the office of Information Commissioner.

Transitional provision: consultation about interim chief executive

4

(1)

This paragraph is about the requirement under paragraph 25 of Schedule 12A to the Data Protection Act 2018 (transitional provision: interim chief
executive) for the chair of the Information Commission to consult the Secretary of State before appointing the first chief executive of the Information Commission.

(2)

The requirement may be satisfied by consultation carried out, before this
Schedule comes into force, by the person who holds the office of Information Commissioner.

Schedule 15

Section 119

Information standards for health and adult social care in England

1

Chapter 1 of Part 9 of the Health and Social Care Act 2012 (health and
adult social care services: information standards) is amended as follows.

2

Before section 250 insert—

“Powers to publish standards”.

3

(1)

Section 250 (powers to publish information standards) is amended as
follows.

(2)

In subsection (2), at the end insert “and includes, among other things, a
standard relating to information technology or IT services used, or intended to be used, in connection with the processing of information (see section 250A)”.

(3)

In subsection (2B)(c)—

(a)

after “provision” insert “in, or in relation to, England”, and

(b)

omit “in England”.

(4)

In subsection (2B), at the end insert—

“(e)

a relevant IT provider.”

(5)

In subsection (3)—

(a)

after “provision” insert “in, or in relation to, England”, and

(b)

omit “in England”.

(6)

In subsection (7)—

(a)

in the opening words, for “section” substitute “Chapter”,

(b)

after the definition of “health care” insert—

““information technology” includes—

(a)

computers,

(b)

other devices whose uses include the processing of
information by electronic means (“IT devices”),

(c)

parts, accessories and other equipment made or
adapted for use in connection with computers or IT devices,

(d)

software and code made or adapted for use in
connection with computers or IT devices, and

(e)

networks and other infrastructure (whether physical
or virtual) used in connection with other information technology;


“IT service” means an information technology service, including any service (whether physical or virtual) which consists of, or is provided in connection with, the development, making available, operation or maintenance of information technology;”,

(c)

in the definition of “processing”, omit “and (14)”, and

(d)

at the end insert—

““relevant IT provider” means a person involved in marketing, supplying, providing or otherwise making available—

(a)

information technology,

(b)

an IT service, or

(c)

a service which consists of processing information
using information technology,

whether for payment or free of charge, but only so far as the technology or service is used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.”

4

After section 250 insert—

“250A Standards relating to information technology

(1)

An information standard relating to information technology or IT
services may, among other things, make provision about—

(a)

the design, quality, capabilities or other characteristics of
such technology or services;

(b)

contracts or other arrangements under which such technology
or services are marketed, supplied, provided or otherwise made available.

(2)

An information standard may include technical provision about
information technology or IT services, including provision about—

(a)

functionality;

(b)

connectivity;

(c)

interoperability;

(d)

portability;

(e)

storage of, and access to, information;

(f)

security of information.

(3)

An information standard may make provision by reference to open
standards or proprietary standards.”

5

(1)

Section 251 (information standards: procedure etc) is amended as follows.

(2)

In the heading omit “Information standards:”.

(3)

For subsection (3) substitute—

“(3)

The power under section 250(1) may be exercised by—

(a)

adopting an information standard prepared or published by
another person, including as it has effect from time to time, or

(b)

making provision by reference to an international agreement
or another document, including as it has effect from time to time.”

6

After section 251 insert—

“Compliance with standards”.

7

For the heading of section 251ZA (information standards: compliance)
substitute “Monitoring compliance”.

8

After that section insert—

“251ZB Notice requesting compliance by relevant IT providers

(1)

If the Secretary of State has reasonable grounds to suspect that a
relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may give the provider a written notice which—

(a)

identifies the standard in question,

(b)

sets out the Secretary of State’s grounds for suspecting that
the provider is not complying with the standard,

(c)

asks the provider to comply with the standard within a
period specified in the notice,

(d)

asks the provider, within a period specified in the notice, to
provide evidence to the Secretary of State’s satisfaction that the provider is complying with the standard, and

(e)

if the Secretary of State considers it appropriate, sets out the
steps that the Secretary of State considers the provider must take, within a period specified in the notice, in order to comply with the standard.

(2)

A period specified for the purposes of subsection (1)(c), (d) or (e) must be a period of at least 28 days beginning with the day on which the notice is given.

(3)

The Secretary of State may, by giving the relevant IT provider a
further written notice, vary or revoke a notice given under subsection (1).

251ZC Public censure of relevant IT providers

(1)

If the Secretary of State has reasonable grounds to suspect that a
relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may publish a statement to that effect.

(2)

The statement may include the text of a notice given to the provider
under section 251ZB.

(3)

Before publishing a statement under this section, the Secretary of
State must give the relevant IT provider—

(a)

a copy of the terms of the proposed statement, and

(b)

an opportunity to make representations about the decision
to publish a statement and the terms of the statement.

(4)

If, after considering any representations, the Secretary of State
decides to publish the statement, the Secretary of State must inform the relevant IT provider before publishing it.

251ZD Exercise of functions of Secretary of State by other persons

(1)

The Secretary of State may—

(a)

direct a public body to exercise some or all of the functions
listed in subsection (3), and

(b)

give the public body directions about the exercise of those
functions, including directions about the processing of information that the body obtains in exercising those functions.

(2)

The Secretary of State may make arrangements for a person
prescribed by regulations under this subsection to exercise some or all of the functions listed in subsection (3).

(3)

Those functions are—

(a)

the Secretary of State’s functions under section 251ZA, so
far as they relate to relevant IT providers, and

(b)

the Secretary of State’s functions under section 251ZB.

(4)

Arrangements under subsection (2) may—

(a)

provide for the Secretary of State to make payments to the
person, and

(b)

make provision as to the circumstances in which such
payments are to be repaid to the Secretary of State.

(5)

Section 304(9) applies in relation to the power to make arrangements
under subsection (2) as it applies to a power of the Secretary of State to give directions under this Act.

Accreditation

251ZE Accreditation of information technology etc

(1)

Regulations may make provision for the establishment and operation
of a scheme for the accreditation of information technology and IT services so far as used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.

(2)

The regulations may provide for the scheme to be established and
operated by a person specified in the regulations (“the operator”).

(3)

The regulations may, among other things, confer power on the
operator—

(a)

to establish the procedure for accreditation under the scheme,

(b)

to set the criteria for accreditation under the scheme (“the
accreditation criteria”),

(c)

to keep an accreditation under the scheme under review,
and

(d)

to charge a reasonable fee in respect of an application for
accreditation.

(4)

The regulations may, among other things, make provision requiring
the operator—

(a)

to set some or all of the accreditation criteria by reference
to information standards,

(b)

to publish details of the scheme, including the accreditation
criteria,

(c)

to provide for the review of a decision to refuse an
application for accreditation, and

(d)

to provide advice to applicants for accreditation with a view
to ensuring that the accreditation criteria are met.”

Schedule 16

Section 120

Grant of smart meter communication licences

Part 1 Amendments of the Energy Act 2008

1

The Energy Act 2008 is amended as follows.

2

In the italic heading before section 88, after “meters” insert “: modification
of licence conditions etc by Secretary of State”.

3

After section 91 insert—

“Grant of smart meter communication licences

91A Grant of smart meter communication licences

(1)

The Gas and Electricity Markets Authority may by regulations make
provision about the procedure to be followed in relation to the grant of a smart meter communication licence.

(2)

Regulations under subsection (1) may provide that the procedure
is to consist of either (but not both) of the following—

(a)

a determination by the Authority, on a competitive basis, of
the person to whom a licence is to be granted;

(b)

the selection by the Authority, on a non-competitive basis,
of the person to whom a licence is to be granted.

(3)

Regulations under subsection (1) may make provision by reference
to a determination by the Authority or to the opinion of the Authority as to any matter.

(4)

The approval of the Secretary of State is required for the making
of regulations under subsection (1).

(5)

In this section and in sections 91B to 91D—

“the Authority” means the Gas and Electricity Markets Authority;

“smart meter communication licence” means a licence under section 7AB of the Gas Act 1986 or a licence under section 6(1)(f) of the Electricity Act 1989.

91B Regulations under section 91A(1): further provision

(1)

Regulations under section 91A(1)—

(a)

must make provision so as to ensure that a smart meter
communication licence must not be granted to a person unless the Authority is satisfied that the person would not, if granted the licence, have a financial or other interest likely to prejudice the discharge of their functions as the licence holder;

(b)

may make provision about the granting of a licence to a
person formed by the Authority.

(2)

Any sums received by the Authority under regulations under section 91A(1) are to be paid into the Consolidated Fund.

(3)

Regulations made in reliance on section 91A(2)(a) may—

(a)

provide for the publication of a proposal to grant a smart
meter communication licence;

(b)

provide for the inclusion in such a proposal of an invitation
to apply for such a licence;

(c)

impose conditions in relation to the making of an application
for a licence;

(d)

impose restrictions in relation to persons who may apply
for a licence;

(e)

impose requirements as to the period within which
applications must be made;

(f)

make provision for regulating the manner in which
applications are to be considered or determined;

(g)

confer on the Authority functions in connection with tender
exercises.

(4)

Regulations in reliance on section 91A(2)(a) may also include
provision—

(a)

enabling the Authority to require payments to be made, in
the form and manner prescribed, in respect of costs incurred or likely to be incurred by the Authority for the purposes of a tender exercise;

(b)

about the effect on a person’s participation in a tender
exercise of a failure to comply with a requirement imposed by virtue of paragraph (a);

(c)

about the circumstances in which the tender exercise is to
stop as a result of such a failure.

(5)

In this section—


“prescribed” means prescribed in or determined under regulations under section 91A(1);

“tender exercise” means the procedure set out in regulations made in reliance on section 91A(2)(a) for determining to whom a particular smart meter communication licence is to be granted.

91C Power of Gas and Electricity Markets Authority to amend licence conditions etc

(1)

The Authority may modify—

(a)

a condition of a particular relevant licence;

(b)

the standard conditions incorporated in relevant licences of
a particular type;

(c)

a document maintained in accordance with the conditions
of a relevant licence, or an agreement that gives effect to a document so maintained.

(2)

The Authority may exercise the power in subsection (1) only if the
Authority considers it necessary or expedient to do so for the purposes of, or in preparation for, the grant of a smart meter communication licence.

(3)

The power conferred by subsection (1)—

(a)

may be exercised to make different provision for different
purposes or different areas;

(b)

may be exercised generally, only in relation to specified cases
or subject to exceptions (including provision for a case to be excepted only so long as specified conditions are satisfied);

(c)

includes a power to make incidental, supplementary,
consequential or transitional modifications.

(4)

Provision included in a licence in reliance on subsection (1)—

(a)

need not relate to the activities authorised by the licence;

(b)

in the case of a licence for the purposes of section 5 of the
Gas Act 1986, may do any of the things authorised by section 7B(5) of that Act (which apply to the Authority’s power with respect to licence conditions under section 7B(4)(a));

(c)

in the case of a licence for the purposes of section 4 of the
Electricity Act 1989, may do any of the things authorised by section 7(2) to (4) of that Act (which apply to the Authority’s power with respect to licence conditions under section 7(1)(a)).

(5)

A modification under subsection (1) of part of a standard condition
of a licence does not prevent any other part of the condition from continuing to be regarded as a standard condition for the purposes of Part 1 of the Gas Act 1986 or Part 1 of the Electricity Act 1989.

(6)

Where the Authority makes modifications under subsection (1) of
the standard conditions of a licence of any type, the Authority must—

(a)

make (as nearly as may be) the same modifications of those
standard conditions for the purposes of their incorporation in licences of that type granted after that time, and

(b)

publish the modifications.

(7)

In this section—


relevant licence
means a licence for the purposes of section
5 of the Gas Act 1986 or section 4 of the Electricity Act 1989 (prohibitions on unlicensed activities);


specified
means specified in the modification.

91D Power under section 91C: procedure

(1)

Before making a modification under section 91C, the Authority must consult—

(a)

the holder of any licence being modified,

(b)

the Secretary of State, and

(c)

such other persons as the Authority considers appropriate.

(2)

Subsection (1) may be satisfied by consultation undertaken before
the passing of the Data (Use and Access) Act 2024.

(3)

If, after carrying out the consultation, the Authority decides to make
the modification, it must publish a notice about the decision which—

(a)

states that the Authority has decided to make the
modification;

(b)

sets out the modification and its effect;

(c)

specifies the date from which the modification has effect;

(d)

states how the Authority has taken account of any
representations made during the consultation;

(e)

states the reason for any differences between the modification
consulted on and the proposed modification.

(4)

The notice must be published in such manner as the Authority
considers appropriate for bringing it to the attention of those likely to be affected by the making of the modification.”

4

In section 104 (subordinate legislation)—

(a)

in subsection (1), for “or the Scottish Ministers” substitute “, the
Scottish Ministers or the Gas and Electricity Markets Authority”;

(b)

in subsection (3), at the end insert “, and

(c)

regulations made by the Gas and Electricity Markets Authority under section 91A.”

Part 2 Amendments of other legislation

Gas Act 1986

5

(1)

The Gas Act 1986 is amended as follows.

(2)

In section 7B (licences: general)—

(a)

omit subsection (2B);

(b)

in subsection (2C), after “for” insert “a smart meter communication
licence or”.

(3)

In section 41HC (competitive tenders for licences for new licensable
activities), in subsection (1), after “activities” insert “, other than a smart meter communication licence,”.

Electricity Act 1989

6

(1)

The Electricity Act 1989 is amended as follows.

(2)

In section 6A (procedure for licence applications)—

(a)

in subsection (1)(a), for “subsections (1A) and (1B)” substitute
“subsection (1B)”;

(b)

omit subsection (1A);

(c)

in subsection (1B), after “for” insert “a smart meter communication
licence or”.

(3)

In section 56FC (competitive tenders for licences for new licensable
activities), in subsection (1), after “activities” insert “, other than a licence under section 6(1)(f) (smart meter communication licence),”.

Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012

7

The Electricity and Gas (Competitive Tenders for Smart Meter
Communication Licences) Regulations 2012 (S.I. 2012/2414) are revoked.

Baroness Jones of Whitchurch

Ordered to be Printed, .

© Parliamentary copyright House of Lords 2024

This publication may be reproduced under the terms of the Open Parliament Licence, which is published at www.parliament.uk/site-information/copyright

Published by the authority of the House of Lords