Data (Use and Access) Bill [HL]

EXPLANATORY NOTES

Explanatory notes to the Bill, prepared by the Department for Science, Innovation and Technology, the Department of Health and Social Care, the Home Office, the Department for Business and Trade, HM Treasury and the Department for Energy Security and Net Zero, have been ordered to be published as HL Bill 40—EN.

EUROPEAN CONVENTION ON HUMAN RIGHTS

Baroness Jones of Whitchurch has made the following statement under section 19(1)(a) of the Human Rights Act 1998:

In my view the provisions of the Data (Use and Access) Bill [HL] are compatible with the Convention rights.

Data (Use and Access) Bill [HL]
[As Introduced]

A Bill to

Make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; and for connected purposes.

Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

Part 1 Access to customer data and business data

Introductory

1 Customer data and business data

(1)

This Part confers powers on the Secretary of State and the Treasury to make
provision in connection with access to customer data and business data.

(2)

In this Part—


“business data”, in relation to a trader, means—

(a)

information about goods, services and digital content supplied
or provided by the trader,

(b)

information relating to the supply or provision of goods,
services and digital content by the trader (such as, for example, information about—

(i)

where goods, services or digital content are supplied
or provided,

(ii)

prices or other terms on which they are supplied or
provided,

(iii)

how they are used, or

(iv)

their performance or quality),

(c)

information relating to feedback about the goods, services or
digital content (or their supply or provision), and

(d)

information relating to the provision of information described
in paragraphs (a) to (c) to a person in accordance with data regulations;


“customer data” means information relating to a customer of a trader,
including—

(a)

information relating to goods, services and digital content
supplied or provided by the trader to the customer or to another person at the customer’s request (such as, for example, information about—

(i)

prices or other terms on which goods, services or digital
content are supplied or provided to the customer or the other person,

(ii)

how they are used by the customer or the other person,
or

(iii)

their performance or quality when used by the customer
or the other person), and

(b)

information relating to the provision of information described
in paragraph (a), or of other information relating to a customer of a trader, to a person in accordance with data regulations;


“data holder”, in relation to customer data or business data of a trader,
means—

(a)

the trader, or

(b)

a person who, in the course of a business, processes the data;


“data regulations” means regulations under section 2 or 4 (and see section 23);


“trader” means a person who supplies or provides goods, services or
digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

(3)

For the purposes of this Part, a person (“C”) is a customer of a trader (“T”)
if C has at any time—

(a)

purchased goods, services or digital content supplied or provided by
T (whether for use by C or another person),

(b)

been supplied or provided by T with goods, services or digital content
purchased from T by another person, or

(c)

otherwise received goods, services or digital content free of charge
from T.

(4)

In subsection (3), the references to purchase, supply, provision or receipt of
goods, services or digital content at any time include purchase, supply, provision or receipt before this section comes into force.

(5)

In subsections (3) and (4), references to purchasing goods, services or digital
content include entering into an agreement to do so.

(6)

In this Part—

(a)

a reference to providing customer data or business data to a person
(however expressed) includes a reference to providing the person with access to such data or with the ability to provide other persons with access to such data, and

(b)

a reference to a person receiving customer data or business data
(however expressed) includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data.

Data regulations

2 Power to make provision in connection with customer data

(1)

The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to provide customer data—

(a)

to the customer, at the customer’s request, or

(b)

to a person of a specified description who is authorised by the
customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request.

(2)

In this Part, in relation to customer data, “third party recipient” means a
person of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3)

The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder—

(a)

to produce, collect or retain, or arrange for the production, collection
or retention of, customer data;

(b)

to make changes to customer data, including to require rectification
of inaccurate customer data, at the request of a customer or authorised person.

(4)

The Secretary of State or the Treasury may by regulations make provision
for a person who is an authorised person in relation to customer data to take, on the customer’s behalf, action that the customer could take in relation to goods, services or digital content supplied or provided by a person who is, or has been, a data holder in relation to the customer data.

(5)

In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—

(a)

the likely effects for existing and future customers,

(b)

the likely effects for data holders,

(c)

the likely effect on small businesses and micro businesses,

(d)

the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods, services and digital content, and

(e)

the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.

3 Customer data: supplementary

(1)

This section is about provision that regulations under section 2 may (among
other things) contain.

(2)

The regulations may include—

(a)

provision about the procedure by which customers authorise persons
to receive customer data or to do other things;

(b)

provision restricting the persons that may be authorised to persons
that comply with specified conditions;

(c)

provision for a specified person to decide whether a person satisfies
the conditions for authorisation (and see section 6 for further provision about decision-makers).

(3)

The regulations may make provision about requests relating to customer data,
including provision about the circumstances in which a data holder may or must refuse to act on a request.

(4)

The regulations may make provision about the providing of customer data
and the taking of action described in section 2(4), including—

(a)

provision requiring a data holder to provide customer data on one or
more occasions, for a specified period or at specified intervals;

(b)

provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c)

provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d)

provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(e)

provision about interface bodies (see section 7).

(5)

The regulations may include—

(a)

provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records of customer data provided in accordance with the regulations;

(b)

provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of customer data received in accordance with the regulations.

(6)

The regulations may make provision requiring a person who, in the course
of a business, processes customer data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7)

The regulations may make provision about the processing of customer data
provided to a third party recipient in accordance with the regulations, including—

(a)

provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic communications services or application programming interfaces;

(b)

provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c)

provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d)

provision about interface bodies (see section 7);

(e)

provision about further disclosure of the data, including provision for
a person to whom customer data is further disclosed to be subject to—

(i)

some or all of the obligations imposed on a third party recipient
by the regulations in relation to the customer data;

(ii)

conditions imposed by the third party recipient.

(8)

The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including—

(a)

information about the rights of customers in relation to customer data
processed by the data holder or a third party recipient;

(b)

information about the activities carried out by the data holder or a
third party recipient in performance of their obligations under the regulations.

(9)

The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10)

The regulations may make provision about procedures for the resolution of
disputes, including—

(a)

provision appointing, or providing for the appointment of, a person
to determine disputes;

(b)

provision about the person’s powers when determining disputes;

(c)

provision about the effect of decisions relating to disputes;

(d)

provision about the review of decisions relating to disputes;

(e)

provision about appeals to a court or tribunal.

(11)

In subsections (4)(d) and (7)(c), references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

4 Power to make provision in connection with business data

(1)

The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to publish business data or to provide business data—

(a)

to a customer of the trader to whom the business data relates, or

(b)

to another person of a specified description.

(2)

In this Part, in relation to business data, “third party recipient” means a person
of a description specified by provision made under subsection (1)(b) (and see section 25(1)).

(3)

The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder to produce, collect or retain, or arrange for the production, collection or retention of, business data.

(4)

The Secretary of State or the Treasury may by regulations—

(a)

make provision requiring a public authority that is a third party
recipient (whether by virtue of those regulations or other data regulations), or a person appointed by such a public authority, to publish business data or to provide business data—

(i)

to a customer of the trader to whom the business data relates,
or

(ii)

to another person of a specified description,

(b)

in relation to the public authority, or a person appointed by the public
authority to do something described in paragraph (a), make any provision that could be made in relation to a data holder, in connection with business data, in reliance on subsection (3) or sections 5 to 21, other than provision imposing a levy on the public authority or person, and

(c)

in relation to a person to whom the public authority is required to
provide business data by virtue of provision made under paragraph (a)(ii), make any provision that could be made in relation to a third party recipient in reliance on sections 5 to 21.

(5)

In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—

(a)

the likely effects for existing and future customers,

(b)

the likely effects for data holders,

(c)

the likely effect on small businesses and micro businesses,

(d)

the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods, services and digital content, and

(e)

the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.

5 Business data: supplementary

(1)

This section is about provision that regulations under section 4 may (among
other things) contain.

(2)

The regulations may require business data to be provided on request and
make provision about requests, including—

(a)

provision for requests to be made by a customer, a third party recipient
or another person;

(b)

provision about the circumstances in which a data holder may or must
refuse to act on a request.

(3)

The regulations may make provision requiring business data to be provided
to customers, or third party recipients, who are approved to receive it, including—

(a)

provision restricting the persons that may be approved to persons that
comply with specified conditions;

(b)

provision for a specified person to decide whether a person satisfies
the conditions for approval (and see section 6 for further provision about decision-makers).

(4)

The regulations may make provision about the providing or publishing of
business data, including—

(a)

provision requiring a data holder to provide or publish business data
on one or more occasions, for a specified period or at specified intervals;

(b)

provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services, other electronic communications services or application programming interfaces;

(c)

provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(d)

provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the establishment, maintenance or management of such facilities or services.

(e)

provision about interface bodies (see section 7).

(5)

The regulations may include—

(a)

provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records of business data provided in accordance with the regulations;

(b)

provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of business data received in accordance with the regulations.

(6)

The regulations may make provision requiring a person who, in the course
of a business, processes business data of a trader to assist, or take specified steps to assist, the trader in complying with regulations under this Part.

(7)

The regulations may make provision about the processing of business data
provided to a third party recipient in accordance with the regulations, including—

(a)

provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic communications services or application programming interfaces;

(b)

provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to the use of, such facilities or services;

(c)

provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance or management of such facilities or services;

(d)

provision about interface bodies (see section 7);

(e)

provision about further disclosure of the data, including provision for
a person to whom business data is further disclosed to be subject to some or all of the obligations imposed on customers or third party recipients by the regulations in relation to the business data.

(8)

The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights and obligations of persons under the regulations, including information about the activities carried out by the data holder or third party recipient in performance of their obligations under the regulations.

(9)

The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for the handling of complaints.

(10)

The regulations may make provision about procedures for the resolution of
disputes, including—

(a)

provision appointing, or providing for the appointment of, a person
to determine disputes;

(b)

provision about the person’s powers when determining disputes;

(c)

provision about the effect of decisions relating to disputes;

(d)

provision about the review of decisions relating to disputes;

(e)

provision about appeals to a court or tribunal.

(11)

In subsections (4)(d) and (7)(c), references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

6 Decision-makers

(1)

This section is about the provision about decision-makers that regulations
under section 2 or 4 may or must (among other things) contain.

(2)

In this Part, “decision-maker” means a person who is authorised or required
to take a decision described in section 3(2)(c) (authorisation) or 5(3)(b) (approval).

(3)

The regulations may make provision about the appointment of a
decision-maker.

(4)

The regulations may make provision enabling or requiring a decision-maker
to suspend or revoke a decision.

(5)

The regulations may confer powers on a decision-maker for the purpose of
monitoring compliance with conditions for authorisation or approval (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers).

(6)

The monitoring powers that may be conferred on a decision-maker include
powers to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(7)

The regulations must make provision about the rights of persons affected by
the exercise of a decision-maker’s functions under the regulations and such provision may include (among other things)—

(a)

provision about the review of decision-makers’ decisions;

(b)

provision about appeals to a court or tribunal.

(8)

The regulations may make provision about complaints, including provision
requiring a decision-maker to implement procedures for the handling of complaints.

(9)

The regulations may make provision enabling or requiring a decision-maker
to publish, or provide to a specified person, specified documents or information relating to the exercise of the decision-maker’s functions.

(10)

The regulations may make provision for a decision-maker to arrange for its
monitoring powers to be exercised by another person.

(11)

The regulations may—

(a)

provide for functions under the regulations to be exercisable by more
than one decision-maker (whether jointly or concurrently);

(b)

where functions of decision-makers are exercisable concurrently—

(i)

provide for one of the decision-makers to be the lead
decision-maker;

(ii)

require the other decision-makers to consult the lead
decision-maker before exercising the functions in a particular case;

(iii)

provide for the lead decision-maker to give directions as to
which decision-maker is to exercise a function in a particular case.

(12)

The regulations may make provision enabling or requiring a decision-maker—

(a)

to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring decision-makers with functions exercisable jointly or concurrently to produce joint guidance),

(b)

to publish the guidance, and

(c)

to provide copies to specified persons.

7 Interface bodies

(1)

This section is about the provision that regulations under section 2 or 4 may
(among other things) contain about bodies with one or more of the following tasks—

(a)

establishing a facility or service used, or capable of being used, for
providing, publishing or otherwise processing customer data or business data or for taking action described in section 2(4) (referred to in this Part as an “interface”);

(b)

setting standards, or making other arrangements, relating to, or to the
use of, an interface (referred to in this Part as “interface standards” and “interface arrangements”);

(c)

maintaining or managing an interface, interface standards or interface
arrangements.

(2)

Such bodies are referred to in this Part as “interface bodies”.

(3)

The regulations may—

(a)

require a data holder or a third party recipient to set up an interface
body;

(b)

make provision about the type of body to be set up.

(4)

In relation to an interface body (whether or not it is required to be set up by
regulations under section 2 or 4), the regulations may—

(a)

make provision about the body’s composition and governance;

(b)

make provision requiring a data holder or a third party recipient to
provide, or arrange for, assistance for the body;

(c)

impose other requirements relating to the body on a person who is
required to set it up or to provide, or arrange for, assistance for the body;

(d)

make provision requiring the body to carry on all or part of a task
described in subsection (1);

(e)

make provision requiring the body to do other things in connection
with its interface, interface standards or interface arrangements;

(f)

make provision about how the body carries out its functions (such as,
for example, provision about the body’s objectives or matters to be taken into account by the body);

(g)

confer powers on the body for the purpose of monitoring use of its
interface, interface standards or interface arrangements (“monitoring powers”) (and see section 8 for provision about enforcement of requirements imposed in exercise of those powers);

(h)

make provision for the body to arrange for its monitoring powers to
be exercised by another person;

(i)

make provision about the rights of persons affected by the exercise of
the body’s functions under the regulations, including (among other things)—

(i)

provision about the review of decisions made in exercise of
those functions;

(ii)

provision about appeals to a court or tribunal;

(j)

make provision about complaints, including provision requiring the
body to implement procedures for the handling of complaints;

(k)

make provision enabling or requiring the body to publish, or provide
to a specified person, specified documents or information relating to its interface, interface standards or interface arrangements;

(l)

make provision enabling or requiring the body to produce guidance
about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5)

The monitoring powers that may be conferred on an interface body include
power to require the provision of documents or information (but such powers are subject to the restrictions in section 9 as well as any restrictions included in the regulations).

(6)

Examples of facilities or services referred to in subsection (1) include dashboard
services, other electronic communications services and application programming interfaces.

(7)

In subsection (4)(b) and (c), the references to assistance include actual or
contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).

Enforcement

8 Enforcement of regulations under this Part

(1)

The Secretary of State or the Treasury may by regulations make provision—

(a)

for the purpose of monitoring compliance with regulations under this
Part or requirements imposed in exercise of a power conferred by such regulations, and

(b)

for the enforcement of such regulations or requirements,

including provision for monitoring or enforcement by a specified public authority.

(2)

In this Part, “enforcer” means a public authority that is authorised or required
to carry out monitoring or enforcement described in subsection (1).

(3)

The following subsections and sections 9 and 10 make provision about what
regulations under subsection (1) may or must (among other things) contain.

(4)

The regulations may confer powers of investigation on an enforcer, including—

(a)

powers to require the provision of documents or information,

(b)

powers to require an individual to attend at a place and answer
questions, and

(c)

powers of entry, inspection, search and seizure,

but such powers are subject to the restrictions in section 9 (as well as any restrictions included in the regulations).

(5)

The regulations may—

(a)

make provision enabling an enforcer to issue a notice (“a compliance
notice”) requiring compliance with—

(i)

regulations under this Part;

(ii)

a condition for authorisation or approval imposed by a
decision-maker;

(iii)

any other requirement imposed in exercise of a power conferred
by regulations under this Part;

(b)

make provision for the enforcement of compliance notices, including
provision for their enforcement as if they were orders of a court or tribunal;

(c)

make provision enabling an enforcer to publish a statement to the
effect that the enforcer considers that a person is not complying with—

(i)

a requirement imposed by regulations under this Part,

(ii)

a requirement imposed by a compliance notice, or

(iii)

any other requirement imposed in exercise of a power conferred
by regulations under this Part.

(6)

The regulations may make provision creating offences punishable with an
unlimited fine, or a fine not exceeding a specified amount, in respect of—

(a)

the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;

(b)

an act or omission (including falsification) which prevents an enforcer,
an interface body or a decision-maker from accessing information, documents, equipment or other material.

(7)

The regulations may make provision enabling a financial penalty to be
imposed by an enforcer in respect of—

(a)

the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;

(b)

a failure to comply with a requirement imposed by regulations under
this Part;

(c)

a failure to comply with a requirement imposed by a compliance
notice;

(d)

a failure to comply with any other requirement imposed in exercise
of a power conferred by regulations under this Part;

and see section 10 for further provision about financial penalties.

(8)

The regulations may make provision about the rights of persons affected by
the exercise of an enforcer’s functions under the regulations, including—

(a)

provision about the review of a decision made in exercise of those
functions;

(b)

provision about appeals to a court or tribunal.

(9)

The regulations may make provision about complaints, including provision
requiring an enforcer to implement procedures for the handling of complaints.

(10)

The regulations may make provision enabling or requiring an enforcer to
publish, or to provide to a specified person, specified information relating to monitoring or enforcement described in subsection (1), including—

(a)

information about the exercise of the enforcer’s functions, either
generally or in relation to a particular case, and

(b)

information about convictions for offences.

(11)

The regulations may make provision for an enforcer to arrange for its powers
of investigation under the regulations to be exercised by another person.

(12)

The regulations may—

(a)

provide for functions under the regulations to be exercisable by more
than one enforcer (whether jointly or concurrently);

(b)

where functions of enforcers are exercisable concurrently—

(i)

provide for one of the enforcers to be the lead enforcer;

(ii)

require the other enforcers to consult the lead enforcer before
exercising the functions in a particular case;

(iii)

provide for the lead enforcer to give directions as to which
enforcer is to exercise a function in a particular case.

(13)

The regulations may make provision enabling or requiring an enforcer—

(a)

to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring enforcers with functions exercisable jointly or concurrently to produce joint guidance),

(b)

to publish the guidance, and

(c)

to provide copies to specified persons.

9 Restrictions on powers of investigation etc

(1)

Regulations under this Part may not—

(a)

authorise entry to a private dwelling without a warrant issued by a
justice, or

(b)

require a person to provide information within subsections (2) to (7) to a decision-maker, an interface body or an enforcer.

(2)

Information is within this subsection if requiring a person to provide the
information would involve an infringement of the privileges of either House of Parliament.

(3)

Information is within this subsection if it is information in respect of a
communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights imposed or conferred by or under regulations made under this Part.

(4)

Information is within this subsection if it is information in respect of a
communication which is made—

(a)

between a professional legal adviser and the adviser’s client or between
such an adviser or client and another person,

(b)

in connection with, or in contemplation of, proceedings under or
arising out of regulations made under this Part (including proceedings arising out of the exercise of powers conferred by such regulations), and

(c)

for the purposes of such proceedings.

(5)

In subsections (3) and (4), references to the client of a professional legal adviser
include references to a person acting on behalf of the client.

(6)

Information is within this subsection if requiring a person to provide the
information would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(7)

The reference to an offence in subsection (6) does not include an offence
under—

(a)

regulations made under this Part;

(b)

section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn statements).

(8)

An oral or written statement provided by a person in response to a request
for information made by a decision-maker, an interface body or an enforcer in accordance with regulations under this Part may not be used in evidence against that person on a prosecution for an offence (other than an offence under regulations made under this Part) unless in the proceedings—

(a)

in giving evidence the person provides information inconsistent with
the statement, and

(b)

evidence relating to the statement is adduced, or a question relating
to it is asked, by that person or on that person’s behalf.

(9)

In this section, “justice” means—

(a)

in England and Wales, a justice of the peace,

(b)

in Scotland, a sheriff or summary sheriff, and

(c)

in Northern Ireland, a lay magistrate.

10 Financial penalties

(1)

This section is about provision that regulations under this Part conferring
power on an enforcer to impose a financial penalty may or must (among other things) contain.

(2)

The regulations must provide for the amount of a financial penalty to be—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount,

unless section 16 confers power to provide otherwise.

(3)

The regulations must include provision—

(a)

requiring an enforcer to produce guidance about how the enforcer
proposes to exercise any discretion to determine the amount of a financial penalty and to have regard to such guidance in exercising its discretion;

(b)

requiring an enforcer to publish the guidance;

(c)

requiring an enforcer, before imposing a financial penalty on a person,
to give the person written notice (a “notice of intent”) of the proposed financial penalty;

(d)

ensuring that the person is given an opportunity to make
representations about the proposed financial penalty;

(e)

requiring the enforcer, after the period for making representations, to
decide whether to impose the financial penalty;

(f)

requiring the enforcer, if they decide to impose the financial penalty,
to give the person notice in writing (a “final notice”) imposing the penalty;

(g)

enabling a person on whom a financial penalty is imposed to appeal
to a court or tribunal in accordance with the regulations;

(h)

as to the powers of the court or tribunal on such an appeal.

(4)

The regulations may include provision—

(a)

requiring or enabling an enforcer to provide copies of guidance
described in subsection (3)(a) to specified persons;

(b)

enabling a notice of intent or final notice to be withdrawn or amended;

(c)

requiring an enforcer to withdraw a final notice in specified
circumstances;

(d)

for a financial penalty to be increased in the event of late payment
by—

(i)

a specified amount or an amount determined in accordance
with the regulations, or

(ii)

an amount not exceeding such an amount;

(e)

as to how financial penalties are recoverable.

Fees etc and financial assistance

11 Fees

(1)

The Secretary of State or the Treasury may by regulations—

(a)

make provision enabling a person listed in subsection (2), or a person
acting on their behalf, to require other persons to pay fees for the purpose of meeting expenses described in subsection (3), and

(b)

make provision about what must or may be done with amounts paid
as fees.

(2)

Those persons are—

(a)

data holders;

(b)

decision-makers;

(c)

interface bodies;

(d)

enforcers;

(e)

other persons on whom duties are imposed, or powers are conferred,
by or under regulations made under this Part.

(3)

Those expenses are expenses incurred, or to be incurred, by the person listed
in subsection (2), or a person acting on their behalf, in performing duties, or exercising powers, imposed or conferred on the person listed in subsection (2) by or under regulations made under this Part.

(4)

Regulations under subsection (1)—

(a)

may only provide for a fee to be payable by persons that appear to
the Secretary of State or the Treasury to be capable of being directly affected by the performance of duties, or the exercise of powers, imposed or conferred by or under regulations made under this Part;

(b)

may provide for the amount of a fee to be an amount which is
intended to exceed the cost of the things in respect of which the fee is charged.

(5)

Regulations under subsection (1) must provide for the amount of a fee to
be—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount,

unless section 15 confers power to provide otherwise.

(6)

Regulations under subsection (1) may provide for the amount, or maximum
amount, of a fee to increase at specified times and by—

(a)

a specified amount or an amount determined in accordance with the
regulations, or

(b)

an amount not exceeding such an amount.

(7)

Regulations under subsection (1) enabling a person to determine the amount
of a fee must require the person to publish information about the amount and how it is determined.

(8)

Regulations under subsection (1) may (among other things) make provision
about—

(a)

interest on any unpaid amounts;

(b)

the recovery of unpaid amounts.

12 Levy

(1)

The Secretary of State or the Treasury may by regulations—

(a)

impose, or provide for a specified public authority to impose, a levy
on data holders or third party recipients for the purpose of meeting expenses described in subsection (2), and

(b)

make provision about what must or may be done with funds raised
by means of the levy.

(2)

Those expenses are expenses incurred, or to be incurred, during a period by
a person listed in subsection (3), or a person acting on their behalf, in performing duties, or exercising powers, imposed or conferred on the person listed in subsection (3) by or under regulations made under this Part.

(3)

Those persons are—

(a)

decision-makers;

(b)

interface bodies;

(c)

enforcers;

(d)

public authorities subject to requirements imposed by regulations
made in reliance on section 4(4).

(4)

Regulations under subsection (1) may only provide for a levy in respect of
expenses of a person to be imposed on data holders or third party recipients that appear to the Secretary of State or the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the person by or under regulations made under this Part.

(5)

Regulations under subsection (1) providing for a specified public authority
to impose a levy must—

(a)

make provision about how the rate of the levy is to be determined;

(b)

make provision about how the period in respect of which the levy is
payable is to be determined;

(c)

require the public authority to publish information about the rate, the
period and how they are determined.

(6)

Regulations under subsection (1) may (among other things) make provision
about—

(a)

interest on any unpaid amounts payable by way of a levy;

(b)

the recovery of such unpaid amounts.

13 Financial assistance

(1)

The Secretary of State or the Treasury may give financial assistance to a person
for the purpose of—

(a)

meeting expenses incurred, or to be incurred, by the person in
performing duties, or exercising powers, imposed or conferred by or under regulations made under this Part, or

(b)

exercising other functions in connection with such regulations.

(2)

But subsection (1) does not enable financial assistance to be provided to a
person listed in subsection (3) or to a person acting on their behalf.

(3)

Those persons are—

(a)

data holders,

(b)

customers, or

(c)

third party recipients, other than a third party recipient that is a public
authority subject to requirements imposed by regulations made in reliance on section 4(4).

(4)

The financial assistance may be given on such terms and conditions as the
Secretary of State or the Treasury considers appropriate.

(5)

In this section, “financial assistance” means any kind of financial assistance
whether actual or contingent, including a grant, loan, guarantee or indemnity, but does not include buying a company’s share capital.

Financial services sector

14 The FCA and financial services interfaces

(1)

The Treasury may by regulations make provision enabling or requiring the
Financial Conduct Authority (referred to in this Part as “the FCA”) to make rules—

(a)

requiring financial services providers described in the regulations to
use a prescribed interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when providing or receiving customer data or business data which is required to be provided by or to the financial services provider by data regulations;

(b)

requiring persons described in the regulations to use a prescribed
interface, comply with prescribed interface standards or participate in prescribed interface arrangements, when the person, in the course of a business, receives, from a financial services provider, customer data or business data which is required to be provided to the person by data regulations;

(c)

imposing interface-related requirements on a description of person
falling within subsection (3).

(2)

Such rules are referred to in this Part as “FCA interface rules”.

(3)

The following persons fall within this subsection—

(a)

an interface body linked to the financial services sector;

(b)

a person required by regulations made in reliance on section 7 to set
up an interface body linked to the financial services sector;

(c)

a person who uses an interface, complies with interface standards or
participates in interface arrangements linked to the financial services sector or who is required to do so by data regulations or rules made by virtue of regulations under subsection (1)(a) or (b).

(4)

For the purposes of this section, requirements are interface-related if they
relate to—

(a)

the composition, governance or activities of an interface body linked
to the financial services sector,

(b)

an interface, interface standards or interface arrangements linked to
the financial services sector, or

(c)

the use of such an interface, compliance with such interface standards
or participation in such interface arrangements.

(5)

For the purposes of this section—

(a)

an interface body is linked to the financial services sector to the extent
that its interface, interface standards or interface arrangements are linked to the financial services sector;

(b)

interfaces, interface standards and interface arrangements are linked
to the financial services sector to the extent that they are used, or intended to be used, by financial services providers (whether or not they are used, or intended to be used, by other persons).

(6)

The Treasury may by regulations make provision enabling or requiring the
FCA to impose requirements on a person to whom FCA interface rules apply (referred to in this Part as “FCA additional requirements”) where the FCA considers it appropriate to impose the requirement—

(a)

in response to a failure, or likely failure, by the person to comply with
an FCA interface rule or FCA additional requirement, or

(b)

in order to advance a purpose which the FCA is required to advance
when exercising functions conferred by regulations under this section (see section 15(3)(a)).

(7)

Regulations under subsection (6) may, for example, provide for the FCA to
impose requirements by giving a notice or direction.

(8)

The restrictions in section 9 apply in connection with FCA interface rules and
FCA additional requirements as they apply in connection with regulations under this Part.

(9)

In section 9 as so applied—

(a)

the references in subsections (1)(b) and (8) to an enforcer include the
FCA, and

(b)

the references in subsections (3) and (4) to regulations made under
this Part include FCA interface rules and FCA additional requirements.

(10)

In this section—


“financial services provider” means a person providing financial services;

“prescribed” means prescribed in FCA interface rules.

15 The FCA and financial services interfaces: supplementary

(1)

This section is about provision that regulations under section 14 may or must
(among other things) contain.

(2)

The regulations—

(a)

may require or enable the FCA to impose interface-related requirements
that could be imposed by regulations made in reliance on section 7(4) or (5), but

(b)

may not require or enable the FCA to require a person to set up an
interface body.

(3)

The regulations must—

(a)

require the FCA, so far as is reasonably possible, to exercise functions
conferred by the regulations in a manner which is compatible with, or which advances, one or more specified purposes;

(b)

specify one or more matters to which the FCA must have regard when
exercising functions conferred by the regulations;

(c)

if they require or enable the FCA to make rules, make provision about
the procedure for making rules, including provision requiring such consultation with persons likely to be affected by the rules or representatives of such persons as the FCA considers appropriate.

(4)

The regulations may—

(a)

require the FCA to carry out an analysis of the costs and benefits that
will arise if proposed rules are made or proposed changes are made to rules and make provision about what the analysis must include;

(b)

require the FCA to publish rules or changes to rules and to provide
copies to specified persons;

(c)

make provision about the effect of rules, including provision about
circumstances in which rules are void and circumstances in which a person is not to be taken to have contravened a rule;

(d)

make provision enabling or requiring the FCA to modify or waive
rules as they apply to a particular case;

(e)

make provision about the procedure for imposing FCA additional
requirements;

(f)

make provision enabling or requiring the FCA to produce guidance
about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5)

The regulations may require or enable the FCA to impose the following types
of requirement on a person as FCA additional requirements—

(a)

a requirement to review the person’s conduct;

(b)

a requirement to take remedial action;

(c)

a requirement to make redress for loss or damage suffered by others
as a result of the person’s conduct.

(6)

The regulations may require or enable FCA interface rules to require a person
listed in subsection (7) to pay fees to an interface body, or to another person listed in that subsection, for the purpose of meeting expenses described in subsection (8).

(7)

Those persons are—

(a)

persons falling within section 14(3)(b) or (c);

(b)

financial services providers.

(8)

Those expenses are expenses incurred, or to be incurred, by the interface body
or person listed in subsection (7), or a person acting on behalf of such a body or person, in performing duties, or exercising powers, imposed or conferred by—

(a)

regulations under this Part, or

(b)

rules made by virtue of regulations under section 14.

(9)

Regulations made in reliance on subsection (6)—

(a)

may enable rules to provide for the amount of a fee to be an amount
which is intended to exceed the cost of the things in respect of which the fee is charged;

(b)

may require or enable rules to make provision about the amount, or
maximum amount, of a fee, including provision about how a fee is to be determined;

(c)

may require or enable rules to make provision about the amount, or
maximum amount, by which the amount, or maximum amount, of a fee must or may increase and the times at which it must or may increase;

(d)

must require rules, where relevant, to require a person who determines
an amount referred to in paragraph (b) or (c) to publish information about the amount and how it is determined;

(e)

may require or enable rules to make provision about—

(i)

interest on any unpaid amounts;

(ii)

the recovery of unpaid amounts.

(10)

Regulations under section 14 may provide that powers to make FCA interface
rules include powers to do things described in section 21(1)(a) to (h) (supplementary powers) (ignoring the restriction in relation to fees in section 21(3)).

(11)

In this section, “financial services provider” and “interface-related” have the
meaning given in section 14.

(12)

The reference in subsection (5)(c) to making redress includes—

(a)

paying interest, and

(b)

providing redress in the form of a remedy or relief which could not
be awarded in legal proceedings.

16 The FCA and financial services interfaces: penalties and levies

(1)

Subsections (2) and (3) are about the provision that regulations made by the
Treasury under this Part providing for the FCA to enforce requirements under FCA interface rules may (among other things) contain in relation to financial penalties.

(2)

The regulations may require or enable the FCA—

(a)

to set the amount or maximum amount of, or of an increase in, a
penalty imposed in respect of failure to comply with a requirement imposed by the FCA in exercise of a power conferred by regulations under section 14 (whether imposed by means of FCA interface rules or an FCA additional requirement), or

(b)

to set the method for determining such an amount.

(3)

Regulations made in reliance on subsection (2)—

(a)

must require the FCA to produce and publish a statement of its policy
with respect to the amount of the penalties;

(b)

may require the policy to include specified matters;

(c)

may make provision about the procedure for producing the statement;

(d)

may require copies of the statement to be provided to specified
persons;

(e)

may require the FCA to have regard to a statement published in
accordance with the regulations.

(4)

The Treasury may by regulations—

(a)

impose, or provide for the FCA to impose, a levy on data holders or
third party recipients for the purpose of meeting expenses incurred, or to be incurred, during a period by the FCA, or by a person acting on the FCA’s behalf, in performing duties, or exercising powers, imposed or conferred on the FCA by regulations under section 14, and

(b)

make provision about what must or may be done with funds raised
by means of the levy.

(5)

Regulations under subsection (4) may only provide for a levy in respect of
expenses of the FCA to be imposed on persons that appear to the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the FCA by regulations under section 14.

(6)

Regulations under subsection (4) providing for the FCA to impose a levy
must—

(a)

make provision about how the rate of the levy is to be determined;

(b)

make provision about how the period in respect of which the levy is
payable is to be determined;

(c)

require the FCA to publish information about the rate, the period and
how they are determined.

(7)

Regulations under subsection (4) may (among other things) make provision
about—

(a)

interest on any unpaid amounts payable by way of a levy;

(b)

the recovery of such unpaid amounts.

17 The FCA and co-ordination with other regulators

The Treasury may by regulations amend section 98 of the Financial Services (Banking Reform) Act 2013 (payment systems: duty of the FCA and other regulators to ensure co-ordinated exercise of relevant functions) by—

(a)

amending the definition of “relevant functions” so as to add or remove
a function conferred on the FCA by regulations under this Part, and

(b)

amending the definition of “objectives” so as to add or remove an
objective of the FCA relevant to such a function.

Supplementary

18 Liability in damages

(1)

The Secretary of State or the Treasury may by regulations provide that a
person listed in subsection (2) is not liable in damages for anything done or omitted to be done in the exercise of functions conferred by or under regulations made under this Part.

(2)

Those persons are—

(a)

a public authority;

(b)

a member, officer or member of staff of a public authority;

(c)

a person who could be held vicariously liable for things done or
omitted to be done by a public authority.

(3)

Regulations under this section may not—

(a)

make provision removing liability for an act or omission which is
shown to have been in bad faith, or

(b)

make provision so as to prevent an award of damages made in respect
of an act or omission on the ground that the act or omission was unlawful as a result of section 6(1) of the Human Rights Act 1998.

19 Duty to review regulations

(1)

The relevant person must, by regulations, provide for the review of provision
made by the relevant person in exercise of powers to make regulations under other sections in this Part (“Part 1 provision”) (but see the exceptions in subsection (8)).

(2)

In this section, “the relevant person” means—

(a)

in relation to Part 1 provision made by the Secretary of State, the
Secretary of State, and

(b)

in relation to Part 1 provision made by the Treasury, the Treasury.

(3)

Regulations under subsection (1) must require the relevant person—

(a)

to review the Part 1 provision,

(b)

to prepare and publish a report setting out the findings of each review,
and

(c)

to lay a copy of the report before Parliament.

(4)

The regulations must require the relevant person—

(a)

to publish the report setting out the findings of the first review of the
Part 1 provision before the end of the period of 5 years beginning with the day on which the provision comes into force, and

(b)

to publish reports setting out the findings of subsequent reviews at
intervals of not more than 5 years.

(5)

The regulations must require that, in carrying out a review, the relevant
person must consider whether the Part 1 provision remains appropriate, having regard to (among other things)—

(a)

the objectives it is intended to achieve, and

(b)

to the extent that it is part of data regulations, the matters to which
the relevant person was required to have regard in deciding whether to make the provision (see sections 2(5) and 4(5)).

(6)

The regulations must provide that the relevant person may omit material
from a report before publication if the relevant person thinks that the publication of that material might harm the commercial interests of any person.

(7)

The regulations may (whether made by the Secretary of State or the Treasury)
provide for the Secretary of State and the Treasury to carry out a joint review, and to produce a joint report, in respect of Part 1 provision made by the Secretary of State and Part 1 provision made by the Treasury.

(8)

Subsection (1) does not apply in relation to—

(a)

Part 1 provision that is required to be reviewed by the relevant person
by virtue of existing regulations under this section, or

(b)

Part 1 provision that makes, amends or revokes provision described
in paragraph (a),

nor does it require the relevant person to provide for the review of Part 1 provision that has been revoked.

(9)

Section 28 of the Small Business, Enterprise and Employment Act 2015 (duty
to review regulatory provisions in secondary legislation) does not apply in relation to a power to make regulations under this Part.

20 Restrictions on processing and data protection

(1)

Except as provided by subsection (2), regulations under this Part may provide
for the processing of information in accordance with the regulations not to be in breach of—

(a)

any obligation of confidence owed by the person processing the
information, or

(b)

any other restriction on the processing of information (however
imposed).

(2)

Regulations under this Part are not to be read as authorising or requiring
processing of personal data that would contravene the data protection legislation (but in determining whether particular processing of data would do so, take into account the power conferred or duty imposed by the provision of the regulations in question).

(3)

In this section—


“the data protection legislation” has the same meaning as in the Data
Protection Act 2018 (see section 3(9) of that Act);

“personal data” has the same meaning as in that Act (see section 3(2) of
that Act).

21 Regulations under this Part: supplementary

(1)

Regulations under this Part may (among other things)—

(a)

make provision generally or in relation to particular cases;

(b)

make different provision for different purposes or areas;

(c)

make provision about the form and manner in which things must or
may be done;

(d)

make provision about the content of requests, notices or other
documents;

(e)

make provision about the time by which, or period within which,
things must or may be done;

(f)

make provision by reference to standards, arrangements, specifications
or technical requirements as published from time to time;

(g)

confer functions on a person, including functions involving the exercise
of a discretion, and make provision in connection with the procedure for exercising the functions;

(h)

make consequential, supplementary, incidental, transitional, transitory
or saving provision.

(2)

Regulations under this Part may not require or enable a person to set the
maximum amount of a fine for an offence, except that such regulations may make provision about the maximum amount referring to the standard scale, the statutory maximum or a similar amount.

(3)

Regulations under this Part may not require or enable a person to set the
amount or maximum amount of, or of an increase in, a penalty or fee or to set the method for determining such an amount, except as provided by subsection (4) and sections 15 and 16.

(4)

Regulations under this Part—

(a)

may make provision about the amount or method described in
subsection (3) referring to a published index, and

(b)

may require or enable a person to make decisions, in accordance with
a maximum amount or method set out in the regulations, about the amount of, or of an increase or reduction in, a penalty or fee payable in a particular case.

(5)

Regulations under this Part making the following types of provision may
amend, repeal or revoke primary legislation—

(a)

provision about the handling of complaints;

(b)

provision about the resolution of disputes;

(c)

provision about appeals;

(d)

provision described in subsection (1)(h).

22 Regulations under this Part: Parliamentary procedure and consultation

(1)

The following regulations under this Part are subject to the affirmative
resolution procedure—

(a)

the first regulations under each of section 2(1), (3) and (4) making
provision about a particular description of customer data,

(b)

the first regulations under each of section 4(1), (3) and (4) making
provision about a particular description of business data,

(c)

regulations under section 2 or 4 which make the requirements of
regulations under this Part more onerous for data holders or interface bodies,

(d)

regulations under section 6(5), 7, 8, 11, 12, 14, 16, 17 or 18, and

(e)

regulations described in section 21(5) which amend, repeal or revoke
primary legislation.

(2)

Other regulations under this Part are subject to the negative resolution
procedure.

(3)

Before making regulations described in subsection (1), the Secretary of State
or the Treasury (as the case may be) must consult such of the following as the Secretary of State or the Treasury considers appropriate—

(a)

persons likely to be affected by the regulations or representatives of
such persons;

(b)

sectoral regulators with functions in relation to data holders likely to
be affected by the regulations.

(4)

The requirement in subsection (3) may be satisfied by consultation undertaken
before the day on which this Act is passed.

23 Related subordinate legislation

(1)

This section is about cases in which subordinate legislation, other than
regulations under this Part, contains provision described in section 2(1) to (4) or 4(1) to (4) (and such provision is referred to in this section as “related subordinate legislation”).

(2)

The regulation-making powers under this Part may be exercised so as to
make, in connection with the related subordinate legislation, any provision that they could be exercised to make as part of, or in connection with, provision made under section 2(1) to (4) or, as appropriate, section 4(1) to (4).

(3)

In this Part, references to “data regulations” include regulations made in
reliance on subsection (2) to the extent that they make provision described in sections 2 to 7.

(4)

In this section, “subordinate legislation” has the same meaning as in the
Interpretation Act 1978 (see section 21 of that Act).

24 Repeal of provisions relating to supply of customer data

Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).

25 Other defined terms

(1)

In this Part—


“application programming interface” means a facility for allowing
software to make use of facilities contained in other software;

“dashboard service” means an electronic communications service by
means of which information may be requested by and provided to a person;

“digital content” means data which is produced and supplied in digital
form;

“electronic communications service” has the meaning given by section
32 of the Communications Act 2003;

“goods” includes water, gas and electricity (however supplied);

“micro business” has the meaning given by section 33 of the Small
Business, Enterprise and Employment Act 2015, read with any regulations under that section;

“primary legislation” means—

(a)

an Act of Parliament;

(b)

an Act of the Scottish Parliament;

(c)

a Measure or Act of Senedd Cymru;

(d)

Northern Ireland legislation;


“processing” has the same meaning as in the Data Protection Act 2018
(see section 3(4) of that Act) and related terms are to be interpreted accordingly;

“public authority” means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature;


small business
has the meaning given by section 33 of the Small
Business, Enterprise and Employment Act 2015, read with any regulations under that section;


specified
means specified, or of a description specified, by regulations
under this Part, or in exercise of a power conferred by such regulations, except to the extent otherwise provided in this Part;


third party recipient
means—

(a)

in section 3 , a third party in relation to customer data (see
section 2 (2) ),

(b)

in sections 4 and 5 , a third party recipient in relation to business
data (see section 4 (2) ), and

(c)

in other sections, a third party recipient in relation to customer
data or business data (see sections 2 (2) and 4 (2) ).

(2)

In this Part, references to doing something “in the course of a business” include doing something in the course of—

(a)

a trade, craft or profession, or

(b)

any other undertaking carried on for gain or reward.

(3)

In this Part—

(a)

references to making arrangements include producing model arrangements,

(b)

references to managing a facility (or an interface that is a facility) include operating, or overseeing the operation, of a facility,

(c)

references to managing a service (or an interface that is a service) include providing, or overseeing the provision of, a service, and

(d)

references to managing standards or arrangements include assisting people to use them or overseeing how they are used.

26 Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

| Term | Provision |
| --- | --- |
| application programming interface | section 25(1) |
| business, in the course of a | section 25(2) |
| business data | section 1(2) |
| customer | section 1(3) |
| customer data | section 1(2) |
| dashboard service | section 25(1) |
| data holder | section 1(2) |
| data regulations | sections 1(2) and 23(3) |
| decision-maker | section 6(2) |
| digital content | section 25(1) |
| electronic communications service | section 25(1) |
| enforcer | section 8(2) |
| the FCA | section 14(1) |
| FCA additional requirement | section 14(6) |
| FCA interface rules | section 14(2) |
| goods | section 25(1) |
| interface | section 7(1) |
| interface arrangements | section 7(1) |
| interface body | section 7(2) |
| interface standards | section 7(1) |
| making arrangements | section 25(3) |
| managing (facilities, services, standards or arrangements) | section 25(3) |
| micro business | section 25(1) |
| monitoring powers (in sections 6 and 7) | section 6(5) or 7(4)(g) (as appropriate) |
| primary legislation | section 25(1) |
| processing | section 25(1) |
| providing customer data | section 1(6)(a) |
| public authority | section 25(1) |
| receiving customer data | section 1(6)(b) |
| small business | section 25(1) |
| specified | section 25(1) |
| third party recipient | section 25(1) |
| trader | section 1(2) |

Part 2 Digital verification services

Introductory

27 Introductory

(1)

This Part contains provision to secure the reliability of digital verification services by means of—

(a)

a trust framework (see section 28),

(b)

supplementary codes (see section 29),

(c)

a register (see section 32),

(d)

an information gateway (see section 45), and

(e)

a trust mark (see section 50).

(2)

In this Part, “digital verification services” means verification services provided to any extent by means of the internet.

(3)

In subsection (2), “verification services” means services that are provided at the request of an individual and consist in—

(a)

ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b)

confirming to another person that the fact about the individual has been ascertained or verified from information so provided.

DVS trust framework and supplementary codes

28 DVS trust framework

(1)

The Secretary of State must prepare and publish a document (“the DVS trust framework”) setting out rules concerning the provision of digital verification services.

(2)

Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and references in this Part to a person providing services in accordance with the DVS trust framework (however expressed) include a person complying with such rules.

(3)

In preparing the DVS trust framework, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(4)

The requirement in subsection (3) may be satisfied by consultation undertaken before the coming into force of this section.

(5)

The Secretary of State may revise and republish the DVS trust framework (whether following a review under section 31 or otherwise).

(6)

The DVS trust framework, and any revised version of the framework, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(7)

The DVS trust framework, and any revised version of the framework, may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different purposes, and

(c)

make transitional or saving provision.

(8)

Where the Secretary of State revises and republishes the DVS trust framework, the DVS trust framework (as revised) may provide that from a date, or from the end of a period, specified in the framework a pre-revision certificate is required to be ignored for the purposes of sections 33(1)(a), 35(1)(c), 40(1)(c) and 42(1)(c).

(9)

In subsection (8), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the certificate are provided in accordance with the DVS trust framework, and

(b)

was issued before the time the relevant revision to the DVS trust framework comes into force.

(10)

Provision included in the DVS trust framework in reliance on subsection (8) may make different provision in relation to different descriptions of pre-revision certificate.

29 Supplementary codes

(1)

The Secretary of State may prepare and publish one or more sets of rules concerning the provision of digital verification services which supplement the DVS trust framework.

(2)

In this Part, a set of rules published under subsection (1) is referred to as a supplementary code.

(3)

Those rules may include (among other things) rules relating to, and to the conduct of, a person who provides such services; and in this Part references to a person providing services in accordance with a supplementary code (however expressed) include a person complying with such rules.

(4)

In preparing a set of rules, the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

(5)

The requirement in subsection (4) may be satisfied by consultation undertaken before the coming into force of this section.

(6)

The Secretary of State may revise and republish a supplementary code (whether following a review under section 31 or otherwise).

(7)

A supplementary code, and any revised version of a supplementary code, must specify the time it comes into force (which must not be a time earlier than the time it is published).

(8)

A supplementary code, and any revised version of a supplementary code, may—

(a)

set out different rules for different digital verification services,

(b)

specify that provisions come into force at different times for different purposes, and

(c)

make transitional or saving provision.

(9)

Where the Secretary of State revises and republishes a supplementary code, the supplementary code (as revised) may provide that from a date, or from the end of a period, specified in the code a pre-revision certificate is required to be ignored for the purposes of sections 36(1)(a), 37(1)(c), 43(1)(c) and 44(1)(c).

(10)

In subsection (9), a “pre-revision certificate” means a certificate which—

(a)

certifies that digital verification services provided by the holder of the certificate are provided in accordance with the supplementary code, and

(b)

was issued before the time the relevant revision to the supplementary code comes into force.

(11)

Provision included in a supplementary code in reliance on subsection (9) may make different provision in relation to different descriptions of pre-revision certificate.

30 Withdrawal of a supplementary code

(1)

The Secretary of State may determine to withdraw a supplementary code.

(2)

A determination must—

(a)

be published, and

(b)

specify when the code is withdrawn, which must be a time after the end of the period of 21 days beginning with the day on which the determination is published.

31 Review of DVS trust framework and supplementary codes

(1)

At least every 12 months, the Secretary of State must—

(a)

carry out a review of the DVS trust framework, and

(b)

at the same time, carry out a review of each supplementary code which has not been withdrawn.

(2)

In carrying out a review under subsection (1), the Secretary of State must consult—

(a)

the Information Commissioner, and

(b)

such other persons as the Secretary of State considers appropriate.

DVS register

32 DVS register

(1)

The Secretary of State must establish and maintain a register of persons providing digital verification services.

(2)

The register is referred to in this Part as the DVS register.

(3)

The Secretary of State must make the DVS register publicly available.

33 Registration in the DVS register

(1)

The Secretary of State must register a person providing digital verification services in the DVS register if—

(a)

the person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with the DVS trust framework,

(b)

the person applies to be registered in the DVS register in respect of one or more of the digital verification services to which the certificate relates,

(c)

the application complies with any requirements imposed by a determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

But subsection (1) is subject to—

(a)

the power to refuse registration under section 34(1), and

(b)

the duties to refuse registration under sections 34(10) and 41(10).

(3)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not register a person in the DVS register.

(4)

The register must record the digital verification services in respect of which a person is, from time to time, registered.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

(6)

In this Part, “accredited conformity assessment body” means a conformity assessment body that is accredited by the UK national accreditation body in accordance with Article 5 of the Accreditation Regulation as competent to carry out assessments of whether digital verification services are provided in accordance with the DVS trust framework.

(7)

In subsection (6)


“the Accreditation Regulation” means Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93;

“conformity assessment body” has the same meaning as in the Accreditation Regulation (see Article 2(13) of that Regulation);

“the UK national accreditation body” means the UK national accreditation body for the purposes of Article 4(1) of the Accreditation Regulation.

34 Power to refuse registration in the DVS register

(1)

The Secretary of State may refuse to register a person providing digital verification services in the DVS register if the Secretary of State—

(a)

considers that it is necessary to do so in the interests of national security, or

(b)

is satisfied that the person is failing to comply with the DVS trust framework in respect of one or more of the digital verification services in respect of which the person applies to be registered.

(2)

Before refusing to register a person under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

considers that it is necessary to refuse to register the person in the interests of national security, or

(ii)

is satisfied that the person is failing as mentioned in subsection (1)(b),

(c)

state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary of State about—

(i)

the Secretary of State’s intention to refuse to register the person in the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

Where the Secretary of State intends to refuse to register a person in reliance on subsection (1)(a), the requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(i) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7)

When deciding whether to refuse to register the person in the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State refuses to register the person in the DVS register under this section, the Secretary of State must by written notice inform the person that the person’s application for registration has been refused.

(9)

The Secretary of State may, in the notice given under subsection (8), state that any further application for registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be registered in the DVS register during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

35 Registration of additional services

(1)

Subsection (2) applies if—

(a)

a person is registered in the DVS register,

(b)

the person applies for their entry in the register to be amended to record additional digital verification services that the person provides in accordance with the DVS trust framework,

(c)

the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the DVS trust framework,

(d)

the application complies with any requirements imposed by a determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must amend the DVS register to record that the person is also registered in respect of the additional services referred to in subsection (1).

(3)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the DVS register as described in subsection (2).

(4)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

36 Supplementary notes

(1)

Subsection (2) applies if—

(a)

a person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with a supplementary code,

(b)

the person applies for a note about one or more of the services to which the certificate relates to be included in the entry relating to that person in the DVS register,

(c)

the application complies with any requirements imposed by a determination under section 38, and

(d)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must include a note in the entry relating to the person in the DVS register recording that the person provides, in accordance with the supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.

(3)

But subsection (2) does not apply if the supplementary code referred to in subsection (1) has been withdrawn.

(4)

If the conditions in paragraphs (a) to (d) of subsection (1) are not met, the Secretary of State may not include a note described in subsection (2) in the DVS register.

(5)

For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

(6)

In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.

37 Addition of services to supplementary notes

(1)

Subsection (2) applies if—

(a)

a person has a supplementary note included in the DVS register relating to a supplementary code,

(b)

the person applies for the note to be amended to record additional digital verification services that the person provides in accordance with that code,

(c)

the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with that code,

(d)

the application complies with any requirements imposed by a determination under section 38, and

(e)

the person complies with any regulations under section 39(1) requiring a fee to be paid.

(2)

The Secretary of State must amend the note to record that the person also provides the additional services referred to in subsection (1) in accordance with the supplementary code to which the note relates.

(3)

But subsection (2) does not apply if the supplementary code to which the note relates has been withdrawn.

(4)

If the conditions in paragraphs (a) to (e) of subsection (1) are not met, the Secretary of State may not amend the note as described in subsection (2).

(5)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

38 Applications for registration, supplementary notes, etc

(1)

The Secretary of State may determine—

(a)

the form of an application under section 33, 35, 36 or 37,

(b)

the information to be contained in or provided with the application,

(c)

the documents to be provided with the application, and

(d)

the manner in which the application is to be submitted.

(2)

A determination may make different provision for different purposes.

(3)

The Secretary of State must publish a determination.

(4)

The Secretary of State may revise a determination.

(5)

If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.

39 Fees for applications for registration, supplementary notes, etc

(1)

The Secretary of State may by regulations make provision for or in connection with—

(a)

the payment of fees for applications under sections 33, 35, 36 and 37, and

(b)

the payment of fees in connection with continued registration in the DVS register.

(2)

The regulations may not provide for payment of fees to anyone other than the Secretary of State.

(3)

The regulations must—

(a)

specify the amount, or the maximum amount of a fee, or

(b)

provide for a fee, or the maximum amount of a fee, to be determined in accordance with regulations.

(4)

The regulations may provide for the amount of a fee to exceed the administrative costs of determining the application or the administrative costs associated with the continued registration (as the case may be).

(5)

Regulations under subsection (1) may (among other things) make provision about the following—

(a)

when fees are to be paid;

(b)

the manner in which fees are to be paid;

(c)

the payment of discounted fees;

(d)

exceptions to requirements to pay fees;

(e)

the refund of fees (in whole or in part);

(f)

interest on any unpaid amounts,

including provision conferring functions on the Secretary of State in relation to the matters in paragraphs (a) to (e).

(6)

A fee payable under regulations made under subsection (1)(b), and any interest payable in respect of it, is recoverable summarily (or, in Scotland, recoverable) as a civil debt.

(7)

The regulations may—

(a)

make different provision for different purposes;

(b)

make transitional, transitory or saving provision.

(8)

Regulations under this section are subject to the negative resolution procedure.

40 Duty to remove person from the DVS register

(1)

The Secretary of State must remove a person from the DVS register if the person—

(a)

asks to be removed from the register,

(b)

ceases to provide all of the digital verification services in respect of which the person is registered in the register, or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the DVS trust framework.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

41 Power to remove person from the DVS register

(1)

The Secretary of State may remove a person from the DVS register if—

(a)

the Secretary of State is satisfied that the person is failing to comply with the DVS trust framework when providing one or more of the digital verification services in respect of which the person is registered,

(b)

the person has a supplementary note included in the DVS register and the Secretary of State is satisfied that the person is failing to comply with the supplementary code to which the note relates when providing one or more of the digital verification services recorded in the note,

(c)

the Secretary of State is satisfied that the person has failed to provide the Secretary of State with information in accordance with a notice under section 51, or

(d)

the Secretary of State considers that it is necessary to do so in the interests of national security.

(2)

Before removing a person from the DVS register under this section the Secretary of State must, by written notice, inform the person that the Secretary of State intends to do so.

(3)

The notice must—

(a)

state the name and address of the person,

(b)

state the reason why the Secretary of State—

(i)

is satisfied that the person is failing or has failed as mentioned in subsection (1)(a) to (c), or

(ii)

considers that it is necessary to remove the person from the DVS register in the interests of national security,

(c)

state whether the Secretary of State intends to specify a period in the notice under subsection (8) and, if so, what period is intended to be specified,

(d)

state that the person may make written representations to the Secretary of State about—

(i)

the Secretary of State’s intention to remove the person from the DVS register, and

(ii)

where relevant, the period the Secretary of State intends to specify in the notice under subsection (8), and

(e)

specify the period within which such representations may be made.

(4)

The requirement in subsection (3)(b) does not apply if, or to the extent that, the Secretary of State considers that stating the reason described in subsection (3)(b)(ii) would be contrary to the interests of national security.

(5)

The period specified for making written representations must be a period of not less than 21 days beginning with the day on which the notice is given.

(6)

If the Secretary of State considers that it is appropriate for the person to have an opportunity to make oral representations about the matters mentioned in subsection (3)(d), the notice must also—

(a)

state that the person may make such representations, and

(b)

specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

(7)

When deciding whether to remove the person from the DVS register under this section, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice.

(8)

Where the Secretary of State removes the person from the DVS register under this section, the Secretary of State must by written notice inform the person of that.

(9)

The Secretary of State may, in the notice given under subsection (8), state that any application for re-registration made by the person during a period specified in the notice will be refused.

(10)

If the person applies to be re-registered during the period specified in the notice in reliance on subsection (9), the Secretary of State must refuse the application.

(11)

The period specified in the notice in reliance on subsection (9) must begin with the day on which the notice is given and must not exceed two years.

42 Duty to remove services from the DVS register

(1)

Where a person is registered in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a)

asks for the register to be amended so that the person is no longer registered in respect of one or more of those services,

(b)

ceases to provide one or more of those services (but not all of them), or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that all of those services are provided in accordance with the DVS trust framework.

(2)

The Secretary of State must amend the register to record that the person is no longer registered in respect of (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the DVS trust framework under section 28(8).

43 Duty to remove supplementary notes from the DVS register

(1)

The Secretary of State must remove a supplementary note included in the entry in the DVS register relating to a person if—

(a)

the person asks for the note to be removed,

(b)

the person ceases to provide all of the digital verification services to which the note relates,

(c)

the person no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code to which the note relates, or

(d)

the supplementary code to which the note relates has been withdrawn.

(2)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

44 Duty to remove services from supplementary notes

(1)

Where a person has a supplementary note included in their entry in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a)

asks for the note to be amended so that it no longer records one or more of those services,

(b)

ceases to provide one or more of the services recorded in the note (but not all of them), or

(c)

no longer holds a certificate from an accredited conformity assessment body certifying that all of the services included in the note are provided in accordance with a supplementary code.

(2)

The Secretary of State must amend the supplementary note so it no longer records (as the case may be)—

(a)

the service or services mentioned in a request described in subsection (1)(a),

(b)

the service or services which the person has ceased to provide, or

(c)

the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3)

For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a)

it has expired in accordance with its terms,

(b)

it has been withdrawn by the body that issued it, or

(c)

it is required to be ignored by reason of provision included in the supplementary code as a result of section 29(9).

Information gateway

45 Power of public authority to disclose information to registered person

(1)

This section applies where—

(a)

a person is registered in the DVS register, and

(b)

an individual makes a request to the person for the provision of digital verification services in respect of which the person is registered.

(2)

A public authority may disclose to the person information relating to the individual for the purpose of enabling the person to provide the digital verification services for the individual.

(3)

A disclosure of information under this section does not breach—

(a)

any obligation of confidence owed by the public authority making the disclosure, or

(b)

any other restriction on the disclosure of information (however imposed).

(4)

But this section does not authorise a disclosure of information which—

(a)

would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by this section is to be taken into account), or

(b)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(5)

This section does not authorise a public authority to disclose information obtained by the authority otherwise than in connection with the exercise by the authority of functions of a public nature.

(6)

This section does not affect a power to disclose information that exists apart from this section.

(7)

A public authority may charge a person fees in respect of the disclosure to
the person of information under this section.

(8)

In this section—


data protection legislation
has the same meaning as in the Data
Protection Act 2018 (see section 3(9) of that Act);


public authority
means a person whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

46 Information disclosed by the Revenue and Customs

(1)

This section applies where the Revenue and Customs disclose personal
information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom the Revenue and Customs disclose the information, must not further disclose the information, except with the consent of the Commissioners for His Majesty’s Revenue and Customs.

(4)

If a person discloses information in contravention of this section, section 19
of the Commissioners for Revenue and Customs Act 2005 (offence of wrongful disclosure) applies in relation to that disclosure as it applies in relation to a disclosure of information in contravention of section 20(9) of that Act.

(5)

In this section—


personal information
means information relating to a person whose
identity—

(a)

is specified in the information, or

(b)

can be deduced from it;


the Revenue and Customs
has the meaning given by section 17(3) of
the Commissioners for Revenue and Customs Act 2005.

47 Information disclosed by the Welsh Revenue Authority

(1)

This section applies where the Welsh Revenue Authority discloses personal
information to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of the Welsh Revenue Authority.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom the Welsh Revenue Authority discloses the information, must not further disclose the information, except with the consent of the Welsh Revenue Authority.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to
prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the
public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person
whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

48 Information disclosed by Revenue Scotland

(1)

This section applies where Revenue Scotland discloses personal information
to a person under section 45 for the purpose of enabling the person to provide digital verification services for an individual.

(2)

The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except with the consent of Revenue Scotland.

(3)

Any other person who receives the information, whether directly or indirectly
from the person to whom Revenue Scotland discloses the information, must not further disclose the information, except with the consent of Revenue Scotland.

(4)

A person who discloses information in contravention of subsection (2) or (3) commits an offence.

(5)

It is a defence for a person charged with an offence under subsection (4) to
prove that the person reasonably believed—

(a)

that the disclosure was lawful, or

(b)

that the information had already lawfully been made available to the
public.

(6)

A person who commits an offence under subsection (4) is liable—

(a)

on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)

on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)

on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)

on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).

(7)

In this section, “personal information” means information relating to a person
whose identity—

(a)

is specified in the information, or

(b)

can be deduced from it.

49 Code of practice about the disclosure of information

(1)

The Secretary of State must prepare and publish a code of practice about the
disclosure of information under section 45.

(2)

The code of practice must be consistent with the code of practice prepared
under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act (as altered or replaced from time to time).

(3)

A public authority must have regard to the code of practice in disclosing
information under section 45.

(4)

The Secretary of State may from time to time revise and republish the code
of practice.

(5)

In preparing or revising the code of practice, the Secretary of State must
consult—

(a)

the Information Commissioner,

(b)

the Welsh Ministers,

(c)

the Scottish Ministers,

(d)

the Department of Finance in Northern Ireland, and

(e)

such other persons as the Secretary of State considers appropriate.

(6)

The requirement in subsection (5) may be satisfied by consultation undertaken
before the coming into force of this section.

(7)

The Secretary of State may not publish the first version of the code of practice
unless a draft of the code has been laid before, and approved by a resolution of, each House of Parliament.

(8)

The Secretary of State may not republish the code of practice following its
revision unless—

(a)

a draft of the code as revised has been laid before each House of
Parliament, and

(b)

the 40-day period has expired without either House of Parliament
resolving not to approve the draft.

(9)

“The 40-day period” means—

(a)

the period of 40 days beginning with the day on which the draft is
laid before Parliament, or

(b)

if the draft is not laid before each House on the same day, the period
of 40 days beginning with the later of the days on which it is laid before Parliament.

(10)

In calculating the 40-day period, no account is to be taken of any whole days
that fall within a period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

(11)

In this section, “public authority” means whose functions—

(a)

are of a public nature, or

(b)

include functions of that nature.

Trust mark

50 Trust mark for use by registered persons

(1)

The Secretary of State may designate a mark for use in the course of providing,
or offering to provide, digital verification services.

(2)

A mark designated under this section must be published by the Secretary of
State.

(3)

A mark designated under this section may not be used by a person in the
course of providing, or offering to provide, digital verification services unless the person is registered in the DVS register in respect of those digital verification services.

(4)

The Secretary of State may enforce subsection (3) in civil proceedings for an
injunction or, in Scotland, an interdict.

Supplementary

51 Power of Secretary of State to require information

(1)

The Secretary of State may by written notice require—

(a)

an accredited conformity assessment body, or

(b)

a person registered in the DVS register,

to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.

(2)

A notice under this section must state why the information is required for
the purposes of the exercise of those functions.

(3)

A notice under this section—

(a)

may specify or describe particular information or a category of
information;

(b)

may specify the form in which the information must be provided;

(c)

may specify the time at which, or the period within which, the
information must be provided;

(d)

may specify the place where the information must be provided.

(4)

A notice under this section that is given to a person registered in the DVS
register must provide information about the consequences under section 41 of failure to comply with the notice.

(5)

The Secretary of State may cancel a notice under this section by notice to the
person to whom it was given.

(6)

A disclosure of information required by a notice under this section does not
breach—

(a)

any obligation of confidence owed by the person making the disclosure,
or

(b)

any other restriction on the disclosure of information (however
imposed).

(7)

But a notice under this section does not require a disclosure of information
if the disclosure—

(a)

would contravene section 46, 47 or 48,

(b)

would contravene the data protection legislation (but in determining
whether a disclosure would do so, the duty imposed by the notice is to be taken into account), or

(c)

is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.

(8)

A notice under this section does not require a person to provide the Secretary
of State with information in respect of a communication which is made—

(a)

between a professional legal adviser and the adviser’s client, and

(b)

in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under this Part.

(9)

In subsection (8), references to the client of a professional legal adviser include
references to a person acting on behalf of the client.

(10)

A notice under this section does not require a person to provide the Secretary
of State with information if doing so would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(11)

The reference to an offence in subsection (10) does not include an offence
under—

(a)

section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);

(b)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);

(c)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn statements).

(12)

In this section, “data protection legislation” has the same meaning as in the
Data Protection Act 2018 (see section 3(9) of that Act).

52 Arrangements for third party to exercise functions

(1)

The Secretary of State may make arrangements for a person prescribed by
regulations under this section to exercise a relevant function of the Secretary of State (and, where arrangements are made, references in this Part, or in regulations made under this Part, to the Secretary of State are to be read accordingly).

(2)

Arrangements under this section may—

(a)

provide for the Secretary of State to make payments to the person,
and

(b)

make provision as to the circumstances in which any such payments
are to be repaid to the Secretary of State.

(3)

Regulations under this section are subject to the affirmative resolution
procedure.

(4)

In this section, “relevant function” means a function of the Secretary of State
conferred by or under this Part (including the function of charging or recovering fees under regulations under section 39) other than a power to make regulations.

(5)

If a person exercises the function of charging or recovering fees by virtue of
arrangements under this section, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise.

53 Report on the operation of this Part

(1)

The Secretary of State must prepare and publish reports on the operation of
this Part.

(2)

The first report must be published within the period of 12 months beginning
with the day on which section 28 comes into force.

(3)

The reports must be published not more than 12 months apart.

54 Index of defined terms for this Part

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

Term                                     Provision

accredited conformity assessment body    section 33(6)
digital verification services            section 27(2)
the DVS register                         section 32(2)
the DVS trust framework                  section 28(1)
supplementary code                       section 29(2)
supplementary note                       section 36(6)

55 Powers relating to verification of identity or status

(1)

In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty
for employing a person subject to immigration control), after subsection (7) insert—

“(8)

An order under subsection (3) containing provision described in
subsection (7)(a), (b) or (c) may, in particular—

(a)

specify a document generated by a DVS-registered person or
a DVS-registered person of a specified description;

(b)

specify a document which was provided to such a person in
order to generate such a document;

(c)

specify steps involving the use of services provided by such a
person.

(9)

In subsection (8), “DVS-registered person” means a person who is
registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(10)

An order under subsection (3) which specifies a description of
DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section 36 of the Data (Use and Access) Act 2024).”

(2)

In section 34 of the Immigration Act 2014 (requirements which may be
prescribed for the purposes of provisions about occupying premises under a residential tenancy agreement)—

(a)

in subsection (1)—

(i)

in paragraph (a), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”,

(ii)

in paragraph (b), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”, and

(iii)

in paragraph (c), at the end insert “, including steps involving
the use of services provided by a DVS-registered person or a DVS-registered person of a prescribed description”, and

(b)

after that subsection insert—

“(1A)

An order prescribing requirements for the purposes of this
Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—

(a)

prescribe a document generated by a DVS-registered
person or a DVS-registered person of a prescribed description;

(b)

prescribe a document which was provided to such a
person in order to generate such a document.

(1B)

In subsections (1) and (1A), “DVS-registered person” means a
person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(1C)

An order prescribing requirements for the purposes of this
Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2024).”

(3)

In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders
etc), after paragraph 5 insert—

“Prescribed checks and documents

5A

(1)

Regulations under paragraph 5(6)(b) or (c) may, in particular—

(a)

prescribe checks carried out using services provided by a
DVS-registered person or a DVS-registered person of a prescribed description;

(b)

prescribe documents generated by such a person;

(c)

prescribe documents which were provided to such a person
in order to generate such documents.

(2)

In sub-paragraph (1), “DVS-registered person” means a person who
is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).

(3)

Regulations under paragraph 5(6)(b) or (c) which prescribe a
description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2024).”

Part 3 National Underground Asset Register

56 National Underground Asset Register: England and Wales

(1)

After section 106 of the New Roads and Street Works Act 1991 insert—

“Part 3A National Underground Asset Register: England and Wales

The register

106A National Underground Asset Register

(1)

The Secretary of State must keep a register of information relating to
apparatus in streets in England and Wales.

(2)

The register is to be known as the National Underground Asset
Register (and is referred to in this Act as “NUAR”).

(3)

NUAR must be kept in such form and manner as may be prescribed.

(4)

The Secretary of State must make arrangements so as to enable any
person who is required, by a provision of this Act, to enter information into NUAR to have access to NUAR for that purpose.

(5)

Regulations under subsection (3) are subject to the negative procedure.

(6)

The obligations of the Secretary of State under subsection (1) and
under Article 45A(1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (keeping of register of information relating to apparatus in streets in Northern Ireland) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland.

106B Initial upload of information into NUAR

(1)

Before the end of the initial upload period an undertaker having
apparatus in a street must enter into NUAR—

(a)

all information that is included in the undertaker’s records
under section 79(1) on the archive upload date, and

(b)

any other information of a prescribed description that is held
by the undertaker on that date.

(2)

The duty under subsection (1) does not apply in such cases as may
be prescribed.

(3)

Information must be entered into NUAR under subsection (1) in such
form and manner as may be prescribed.

(4)

An undertaker who fails to comply with a duty placed on the
undertaker under this section—

(a)

commits an offence, and

(b)

is liable to compensate any person in respect of damage or loss
incurred by the person in consequence of the failure.

(5)

A person who commits an offence under subsection (4)(a) is liable on
summary conviction to a fine.

(6)

In criminal or civil proceedings against an undertaker arising out of
a failure to comply with a duty under this section, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by—

(a)

the undertaker and the undertaker’s employees, and

(b)

any contractor of the undertaker and the undertaker’s
employees.

(7)

Section 95 applies in relation to an offence under this section as it
applies in relation to an offence under Part 3.

(8)

For the purposes of subsection (1) the Secretary of State must by
regulations—

(a)

specify a date as “the archive upload date”, and

(b)

specify a period beginning with that date as the “initial upload
period”.

(9)

Regulations under this section are subject to the negative procedure.

106C Access to information kept in NUAR

(1)

The Secretary of State may by regulations make provision for or in
connection with making information kept in NUAR available.

(2)

The regulations may (among other things)—

(a)

make provision about which information, or descriptions of
information, may be made available;

(b)

make provision about the descriptions of person to whom
information may be made available;

(c)

make provision for information to be made available subject
to exceptions;

(d)

make provision requiring or authorising the Secretary of State
to adapt, modify or obscure information before making it available;

(e)

make provision authorising all information kept in NUAR to
be made available to prescribed descriptions of person under prescribed conditions;

(f)

make provision about the purposes for which information may
be made available;

(g)

make provision about the form and manner in which
information may be made available;

(h)

make provision for or in connection with the granting of
licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence);

(i)

make provision for information to be made available for free
or for a fee;

(j)

make provision about the amounts of the fees, including
provision for the amoun