This Part confers powers on the Secretary of State and the Treasury to make
provision in connection with access to customer data and business data.
Explanatory notes to the Bill, prepared by the Department for Science, Innovation and Technology, the Department of Health and Social Care, the Home Office, the Department for Business and Trade, HM Treasury and the Department for Energy Security and Net Zero, have been ordered to be published as HL Bill 40—EN.
Baroness Jones of Whitchurch has made the following statement under section 19(1)(a) of the Human Rights Act 1998:
In my view the provisions of the Data (Use and Access) Bill [HL] are compatible with the Convention rights.
A
bill
to
Make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; and for connected purposes.
B e it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—
This Part confers powers on the Secretary of State and the Treasury to make
provision in connection with access to customer data and business data.
In this Part—
“
business data”, in relation to a trader, means—
information about goods, services and digital content supplied
or provided by the trader,
information relating to the supply or provision of goods,
services and digital content by the trader (such as, for example,
information about—
where goods, services or digital content are supplied
or provided,
prices or other terms on which they are supplied or
provided,
how they are used, or
their performance or quality),
information relating to feedback about the goods, services or
digital content (or their supply or provision), and
“
customer data” means information relating to a customer of a trader,
including—
information relating to goods, services and digital content
supplied or provided by the trader to the customer or to
another person at the customer’s request (such as, for example,
information about—
prices or other terms on which goods, services or digital
content are supplied or provided to the customer or the
other person,
how they are used by the customer or the other person,
or
their performance or quality when used by the customer
or the other person), and
information relating to the provision of information described
in paragraph
(a)
, or of other information relating to a customer
of a trader, to a person in accordance with data regulations;
“
data holder”, in relation to customer data or business data of a trader,
means—
the trader, or
a person who, in the course of a business, processes the data;
“
trader” means a person who supplies or provides goods, services or
digital content in the course of a business, whether acting personally
or through another person acting in the trader’s name or on the
trader’s behalf.
For the purposes of this Part, a person (“C”) is a customer of a trader (“T”)
if C has at any time—
purchased goods, services or digital content supplied or provided by
T (whether for use by C or another person),
been supplied or provided by T with goods, services or digital content
purchased from T by another person, or
otherwise received goods, services or digital content free of charge
from T.
In subsection
(3)
, the references to purchase, supply, provision or receipt of
goods, services or digital content at any time include purchase, supply,
provision or receipt before this section comes into force.
In this Part—
a reference to providing customer data or business data to a person
(however expressed) includes a reference to providing the person with
access to such data or with the ability to provide other persons with
access to such data, and
a reference to a person receiving customer data or business data
(however expressed) includes a reference to a person obtaining access
to such data or the ability to provide other persons with access to such
data.
The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to provide customer data—
to the customer, at the customer’s request, or
to a person of a specified description who is authorised by the
customer to receive the data (an “authorised person”), at the customer’s
request or at the authorised person’s request.
The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder—
to produce, collect or retain, or arrange for the production, collection
or retention of, customer data;
to make changes to customer data, including to require rectification
of inaccurate customer data, at the request of a customer or authorised
person.
The Secretary of State or the Treasury may by regulations make provision
for a person who is an authorised person in relation to customer data to take,
on the customer’s behalf, action that the customer could take in relation to
goods, services or digital content supplied or provided by a person who is,
or has been, a data holder in relation to the customer data.
In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—
the likely effects for existing and future customers,
the likely effects for data holders,
the likely effect on small businesses and micro businesses,
the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods,
services and digital content, and
the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.
This section is about provision that regulations under
section 2
may (among
other things) contain.
The regulations may include—
provision about the procedure by which customers authorise persons
to receive customer data or to do other things;
provision restricting the persons that may be authorised to persons
that comply with specified conditions;
provision for a specified person to decide whether a person satisfies
the conditions for authorisation (and see
section 6
for further provision
about decision-makers).
The regulations may make provision about requests relating to customer data,
including provision about the circumstances in which a data holder may or
must refuse to act on a request.
The regulations may make provision about the providing of customer data
and the taking of action described in section
2
(4)
, including—
provision requiring a data holder to provide customer data on one or
more occasions, for a specified period or at specified intervals;
provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services,
other electronic communications services or application programming
interfaces;
provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements,
relating to, or to the use of, such facilities or services;
provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the
establishment, maintenance or management of such facilities or services;
provision about interface bodies (see section 7 ).
The regulations may include—
provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records
of customer data provided in accordance with the regulations;
provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of
customer data received in accordance with the regulations.
The regulations may make provision requiring a person who, in the course
of a business, processes customer data of a trader to assist, or take specified
steps to assist, the trader in complying with regulations under this Part.
The regulations may make provision about the processing of customer data
provided to a third party recipient in accordance with the regulations,
including—
provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic
communications services or application programming interfaces;
provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to
the use of, such facilities or services;
provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance
or management of such facilities or services;
provision about interface bodies (see section 7 );
provision about further disclosure of the data, including provision for
a person to whom customer data is further disclosed to be subject to—
some or all of the obligations imposed on a third party recipient
by the regulations in relation to the customer data;
conditions imposed by the third party recipient.
The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights
and obligations of persons under the regulations, including—
information about the rights of customers in relation to customer data
processed by the data holder or a third party recipient;
information about the activities carried out by the data holder or a
third party recipient in performance of their obligations under the
regulations.
The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for
the handling of complaints.
The regulations may make provision about procedures for the resolution of
disputes, including—
provision appointing, or providing for the appointment of, a person
to determine disputes;
provision about the person’s powers when determining disputes;
provision about the effect of decisions relating to disputes;
provision about the review of decisions relating to disputes;
provision about appeals to a court or tribunal.
The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to publish business data or to provide business data—
to a customer of the trader to whom the business data relates, or
to another person of a specified description.
The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder to produce, collect or retain, or arrange
for the production, collection or retention of, business data.
The Secretary of State or the Treasury may by regulations—
make provision requiring a public authority that is a third party
recipient (whether by virtue of those regulations or other data
regulations), or a person appointed by such a public authority, to
publish business data or to provide business data—
to a customer of the trader to whom the business data relates,
or
to another person of a specified description,
in relation to the public authority, or a person appointed by the public
authority to do something described in paragraph
(a)
, make any
provision that could be made in relation to a data holder, in connection
with business data, in reliance on subsection
(3)
or sections
5
to
21
, other than provision imposing a levy on the public authority or person,
and
In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things)—
the likely effects for existing and future customers,
the likely effects for data holders,
the likely effect on small businesses and micro businesses,
the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods,
services and digital content, and
the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.
This section is about provision that regulations under
section 4
may (among
other things) contain.
The regulations may require business data to be provided on request and
make provision about requests, including—
provision for requests to be made by a customer, a third party recipient
or another person;
provision about the circumstances in which a data holder may or must
refuse to act on a request.
The regulations may make provision requiring business data to be provided
to customers, or third party recipients, who are approved to receive it,
including—
provision restricting the persons that may be approved to persons that
comply with specified conditions;
provision for a specified person to decide whether a person satisfies
the conditions for approval (and see
section 6
for further provision
about decision-makers).
The regulations may make provision about the providing or publishing of
business data, including—
provision requiring a data holder to provide or publish business data
on one or more occasions, for a specified period or at specified
intervals;
provision requiring a data holder, customer or third party recipient
to use specified facilities or services, including dashboard services,
other electronic communications services or application programming
interfaces;
provision requiring a data holder or third party recipient to comply
with specified standards, or participate in specified arrangements,
relating to, or to the use of, such facilities or services;
provision requiring a data holder or third party recipient to provide,
or arrange for, specified assistance in connection with the
establishment, maintenance or management of such facilities or services.
provision about interface bodies (see section 7 ).
The regulations may include—
provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records
of business data provided in accordance with the regulations;
provision enabling or requiring a third party recipient to produce or
retain, or arrange for the production or retention of, records of business
data received in accordance with the regulations.
The regulations may make provision requiring a person who, in the course
of a business, processes business data of a trader to assist, or take specified
steps to assist, the trader in complying with regulations under this Part.
The regulations may make provision about the processing of business data
provided to a third party recipient in accordance with the regulations,
including—
provision requiring a third party recipient to use specified facilities
or services, including dashboard services, other electronic
communications services or application programming interfaces;
provision requiring a third party recipient to comply with specified
standards, or participate in specified arrangements, relating to, or to
the use of, such facilities or services;
provision requiring a third party recipient to provide, or arrange for,
specified assistance in connection with the establishment, maintenance
or management of such facilities or services;
provision about interface bodies (see section 7 );
provision about further disclosure of the data, including provision for
a person to whom business data is further disclosed to be subject to
some or all of the obligations imposed on customers or third party
recipients by the regulations in relation to the business data.
The regulations may make provision enabling or requiring a data holder or
a third party recipient to publish specified information relating to the rights
and obligations of persons under the regulations, including information about
the activities carried out by the data holder or third party recipient in
performance of their obligations under the regulations.
The regulations may make provision about complaints, including provision
requiring data holders or third party recipients to implement procedures for
the handling of complaints.
The regulations may make provision about procedures for the resolution of
disputes, including—
provision appointing, or providing for the appointment of, a person
to determine disputes;
provision about the person’s powers when determining disputes;
provision about the effect of decisions relating to disputes;
provision about the review of decisions relating to disputes;
provision about appeals to a court or tribunal.
The regulations may make provision about the appointment of a
decision-maker.
The regulations may make provision enabling or requiring a decision-maker
to suspend or revoke a decision.
The regulations may confer powers on a decision-maker for the purpose of
monitoring compliance with conditions for authorisation or approval
(“monitoring powers”) (and see
section 8
for provision about enforcement of
requirements imposed in exercise of those powers).
The monitoring powers that may be conferred on a decision-maker include
powers to require the provision of documents or information (but such powers
are subject to the restrictions in
section 9
as well as any restrictions included
in the regulations).
The regulations must make provision about the rights of persons affected by
the exercise of a decision-maker’s functions under the regulations and such
provision may include (among other things)—
provision about the review of decision-makers’ decisions;
provision about appeals to a court or tribunal.
The regulations may make provision about complaints, including provision
requiring a decision-maker to implement procedures for the handling of
complaints.
The regulations may make provision enabling or requiring a decision-maker
to publish, or provide to a specified person, specified documents or
information relating to the exercise of the decision-maker’s functions.
The regulations may make provision for a decision-maker to arrange for its
monitoring powers to be exercised by another person.
The regulations may—
provide for functions under the regulations to be exercisable by more
than one decision-maker (whether jointly or concurrently);
where functions of decision-makers are exercisable concurrently—
provide for one of the decision-makers to be the lead
decision-maker;
require the other decision-makers to consult the lead
decision-maker before exercising the functions in a particular
case;
provide for the lead decision-maker to give directions as to
which decision-maker is to exercise a function in a particular
case.
The regulations may make provision enabling or requiring a decision-maker—
to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring
decision-makers with functions exercisable jointly or concurrently to
produce joint guidance),
to publish the guidance, and
to provide copies to specified persons.
This section is about the provision that regulations under section
2
or
4
may
(among other things) contain about bodies with one or more of the following
tasks—
setting standards, or making other arrangements, relating to, or to the
use of, an interface (referred to in this Part as “interface standards”
and “interface arrangements”);
maintaining or managing an interface, interface standards or interface
arrangements.
Such bodies are referred to in this Part as “interface bodies”.
The regulations may—
require a data holder or a third party recipient to set up an interface
body;
make provision about the type of body to be set up.
In relation to an interface body (whether or not it is required to be set up by
regulations under section
2
or
4
), the regulations may—
make provision about the body’s composition and governance;
make provision requiring a data holder or a third party recipient to
provide, or arrange for, assistance for the body;
impose other requirements relating to the body on a person who is
required to set it up or to provide, or arrange for, assistance for the
body;
make provision requiring the body to carry on all or part of a task
described in subsection
(1)
;
make provision requiring the body to do other things in connection
with its interface, interface standards or interface arrangements;
make provision about how the body carries out its functions (such as,
for example, provision about the body’s objectives or matters to be
taken into account by the body);
confer powers on the body for the purpose of monitoring use of its
interface, interface standards or interface arrangements (“monitoring
powers”) (and see section
8
for provision about enforcement of
requirements imposed in exercise of those powers);
make provision for the body to arrange for its monitoring powers to
be exercised by another person;
make provision about the rights of persons affected by the exercise of
the body’s functions under the regulations, including (among other
things)—
provision about the review of decisions made in exercise of
those functions;
provision about appeals to a court or tribunal;
make provision about complaints, including provision requiring the
body to implement procedures for the handling of complaints;
make provision enabling or requiring the body to publish, or provide
to a specified person, specified documents or information relating to
its interface, interface standards or interface arrangements;
make provision enabling or requiring the body to produce guidance
about how it proposes to exercise its functions under the regulations,
to publish the guidance and to provide copies to specified persons.
The monitoring powers that may be conferred on an interface body include
power to require the provision of documents or information (but such powers
are subject to the restrictions in section
9
as well as any restrictions included
in the regulations).
Examples of facilities or services referred to in subsection
(1)
include dashboard
services, other electronic communications services and application
programming interfaces.
The Secretary of State or the Treasury may by regulations make provision—
for the purpose of monitoring compliance with regulations under this
Part or requirements imposed in exercise of a power conferred by
such regulations, and
for the enforcement of such regulations or requirements,
including provision for monitoring or enforcement by a specified public authority.
In this Part, “enforcer” means a public authority that is authorised or required
to carry out monitoring or enforcement described in subsection
(1)
.
The following subsections and sections
9
and
10
make provision about what
regulations under
subsection (1)
may or must (among other things) contain.
The regulations may confer powers of investigation on an enforcer, including—
powers to require the provision of documents or information,
powers to require an individual to attend at a place and answer
questions, and
powers of entry, inspection, search and seizure,
but such powers are subject to the restrictions in section 9 (as well as any restrictions included in the regulations).
The regulations may—
make provision enabling an enforcer to issue a notice (“a compliance
notice”) requiring compliance with—
regulations under this Part;
a condition for authorisation or approval imposed by a
decision-maker;
any other requirement imposed in exercise of a power conferred
by regulations under this Part;
make provision for the enforcement of compliance notices, including
provision for their enforcement as if they were orders of a court or
tribunal;
make provision enabling an enforcer to publish a statement to the
effect that the enforcer considers that a person is not complying with—
a requirement imposed by regulations under this Part,
a requirement imposed by a compliance notice, or
any other requirement imposed in exercise of a power conferred
by regulations under this Part.
The regulations may make provision creating offences punishable with an
unlimited fine, or a fine not exceeding a specified amount, in respect of—
the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;
an act or omission (including falsification) which prevents an enforcer,
an interface body or a decision-maker from accessing information,
documents, equipment or other material.
The regulations may make provision enabling a financial penalty to be
imposed by an enforcer in respect of—
the provision of false or misleading information in response to a
request made in accordance with regulations under this Part;
a failure to comply with a requirement imposed by regulations under
this Part;
a failure to comply with a requirement imposed by a compliance
notice;
a failure to comply with any other requirement imposed in exercise
of a power conferred by regulations under this Part;
and see section 10 for further provision about financial penalties.
The regulations may make provision about the rights of persons affected by
the exercise of an enforcer’s functions under the regulations, including—
provision about the review of a decision made in exercise of those
functions;
provision about appeals to a court or tribunal.
The regulations may make provision about complaints, including provision
requiring an enforcer to implement procedures for the handling of complaints.
The regulations may make provision enabling or requiring an enforcer to
publish, or to provide to a specified person, specified information relating to
monitoring or enforcement described in subsection
(1)
, including—
information about the exercise of the enforcer’s functions, either
generally or in relation to a particular case, and
information about convictions for offences.
The regulations may make provision for an enforcer to arrange for its powers
of investigation under the regulations to be exercised by another person.
The regulations may—
provide for functions under the regulations to be exercisable by more
than one enforcer (whether jointly or concurrently);
where functions of enforcers are exercisable concurrently—
provide for one of the enforcers to be the lead enforcer;
require the other enforcers to consult the lead enforcer before
exercising the functions in a particular case;
provide for the lead enforcer to give directions as to which
enforcer is to exercise a function in a particular case.
The regulations may make provision enabling or requiring an enforcer—
to produce guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring
enforcers with functions exercisable jointly or concurrently to produce
joint guidance),
to publish the guidance, and
to provide copies to specified persons.
Regulations under this Part may not—
authorise entry to a private dwelling without a warrant issued by a
justice, or
Information is within this subsection if requiring a person to provide the
information would involve an infringement of the privileges of either House
of Parliament.
Information is within this subsection if it is information in respect of a
communication which is made—
between a professional legal adviser and the adviser’s client, and
in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights imposed or conferred by or under
regulations made under this Part.
Information is within this subsection if it is information in respect of a
communication which is made—
between a professional legal adviser and the adviser’s client or between
such an adviser or client and another person,
in connection with, or in contemplation of, proceedings under or
arising out of regulations made under this Part (including proceedings
arising out of the exercise of powers conferred by such regulations),
and
for the purposes of such proceedings.
Information is within this subsection if requiring a person to provide the
information would, by revealing evidence of the commission of an offence,
expose the person to proceedings for that offence.
The reference to an offence in
subsection (6)
does not include an offence
under—
regulations made under this Part;
section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);
section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);
Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn
statements).
An oral or written statement provided by a person in response to a request
for information made by a decision-maker, an interface body or an enforcer
in accordance with regulations under this Part may not be used in evidence
against that person on a prosecution for an offence (other than an offence
under regulations made under this Part) unless in the proceedings—
in giving evidence the person provides information inconsistent with
the statement, and
evidence relating to the statement is adduced, or a question relating
to it is asked, by that person or on that person’s behalf.
In this section, “justice” means—
in England and Wales, a justice of the peace,
in Scotland, a sheriff or summary sheriff, and
in Northern Ireland, a lay magistrate.
This section is about provision that regulations under this Part conferring
power on an enforcer to impose a financial penalty may or must (among
other things) contain.
The regulations must provide for the amount of a financial penalty to be—
a specified amount or an amount determined in accordance with the
regulations, or
an amount not exceeding such an amount,
unless section 16 confers power to provide otherwise.
The regulations must include provision—
requiring an enforcer to produce guidance about how the enforcer
proposes to exercise any discretion to determine the amount of a
financial penalty and to have regard to such guidance in exercising
its discretion;
requiring an enforcer to publish the guidance;
requiring an enforcer, before imposing a financial penalty on a person,
to give the person written notice (a “notice of intent”) of the proposed
financial penalty;
ensuring that the person is given an opportunity to make
representations about the proposed financial penalty;
requiring the enforcer, after the period for making representations, to
decide whether to impose the financial penalty;
requiring the enforcer, if they decide to impose the financial penalty,
to give the person notice in writing (a “final notice”) imposing the
penalty;
enabling a person on whom a financial penalty is imposed to appeal
to a court or tribunal in accordance with the regulations;
as to the powers of the court or tribunal on such an appeal.
The regulations may include provision—
enabling a notice of intent or final notice to be withdrawn or amended;
requiring an enforcer to withdraw a final notice in specified
circumstances;
for a financial penalty to be increased in the event of late payment
by—
a specified amount or an amount determined in accordance
with the regulations, or
an amount not exceeding such an amount;
as to how financial penalties are recoverable.
The Secretary of State or the Treasury may by regulations—
make provision about what must or may be done with amounts paid
as fees.
Those persons are—
data holders;
decision-makers;
interface bodies;
enforcers;
other persons on whom duties are imposed, or powers are conferred,
by or under regulations made under this Part.
Regulations under subsection (1) —
may only provide for a fee to be payable by persons that appear to
the Secretary of State or the Treasury to be capable of being directly
affected by the performance of duties, or the exercise of powers,
imposed or conferred by or under regulations made under this Part;
may provide for the amount of a fee to be an amount which is
intended to exceed the cost of the things in respect of which the fee
is charged.
Regulations under
subsection (1)
must provide for the amount of a fee to
be—
a specified amount or an amount determined in accordance with the
regulations, or
an amount not exceeding such an amount,
unless section 15 confers power to provide otherwise.
Regulations under subsection
(1)
may provide for the amount, or maximum
amount, of a fee to increase at specified times and by—
a specified amount or an amount determined in accordance with the
regulations, or
an amount not exceeding such an amount.
Regulations under
subsection (1)
enabling a person to determine the amount
of a fee must require the person to publish information about the amount
and how it is determined.
Regulations under
subsection (1)
may (among other things) make provision
about—
interest on any unpaid amounts;
the recovery of unpaid amounts.
The Secretary of State or the Treasury may by regulations—
impose, or provide for a specified public authority to impose, a levy
on data holders or third party recipients for the purpose of meeting
expenses described in subsection
(2)
, and
make provision about what must or may be done with funds raised
by means of the levy.
Those persons are—
decision-makers;
interface bodies;
enforcers;
Regulations under
subsection (1)
may only provide for a levy in respect of
expenses of a person to be imposed on data holders or third party recipients
that appear to the Secretary of State or the Treasury to be capable of being
directly affected by the exercise of some or all of the functions conferred on
the person by or under regulations made under this Part.
Regulations under
subsection (1)
providing for a specified public authority
to impose a levy must—
make provision about how the rate of the levy is to be determined;
make provision about how the period in respect of which the levy is
payable is to be determined;
require the public authority to publish information about the rate, the
period and how they are determined.
Regulations under
subsection (1)
may (among other things) make provision
about—
interest on any unpaid amounts payable by way of a levy;
the recovery of such unpaid amounts.
The Secretary of State or the Treasury may give financial assistance to a person
for the purpose of—
meeting expenses incurred, or to be incurred, by the person in
performing duties, or exercising powers, imposed or conferred by or
under regulations made under this Part, or
exercising other functions in connection with such regulations.
Those persons are—
data holders,
customers, or
The financial assistance may be given on such terms and conditions as the
Secretary of State or the Treasury considers appropriate.
In this section, “financial assistance” means any kind of financial assistance
whether actual or contingent, including a grant, loan, guarantee or indemnity,
but does not include buying a company’s share capital.
The Treasury may by regulations make provision enabling or requiring the
Financial Conduct Authority (referred to in this Part as “the FCA”) to make
rules—
requiring financial services providers described in the regulations to
use a prescribed interface, comply with prescribed interface standards
or participate in prescribed interface arrangements, when providing
or receiving customer data or business data which is required to be
provided by or to the financial services provider by data regulations;
requiring persons described in the regulations to use a prescribed
interface, comply with prescribed interface standards or participate in
prescribed interface arrangements, when the person, in the course of
a business, receives, from a financial services provider, customer data
or business data which is required to be provided to the person by
data regulations;
imposing interface-related requirements on a description of person
falling within subsection
(3)
.
Such rules are referred to in this Part as “FCA interface rules”.
The following persons fall within this subsection—
an interface body linked to the financial services sector;
a person required by regulations made in reliance on section
7
to set
up an interface body linked to the financial services sector;
For the purposes of this section, requirements are interface-related if they
relate to—
the composition, governance or activities of an interface body linked
to the financial services sector,
an interface, interface standards or interface arrangements linked to
the financial services sector, or
the use of such an interface, compliance with such interface standards
or participation in such interface arrangements.
For the purposes of this section—
an interface body is linked to the financial services sector to the extent
that its interface, interface standards or interface arrangements are
linked to the financial services sector;
interfaces, interface standards and interface arrangements are linked
to the financial services sector to the extent that they are used, or
intended to be used, by financial services providers (whether or not
they are used, or intended to be used, by other persons).
The Treasury may by regulations make provision enabling or requiring the
FCA to impose requirements on a person to whom FCA interface rules apply
(referred to in this Part as “FCA additional requirements”) where the FCA
considers it appropriate to impose the requirement—
in response to a failure, or likely failure, by the person to comply with
an FCA interface rule or FCA additional requirement, or
Regulations under subsection
(6)
may, for example, provide for the FCA to
impose requirements by giving a notice or direction.
The restrictions in section
9
apply in connection with FCA interface rules and
FCA additional requirements as they apply in connection with regulations
under this Part.
In section 9 as so applied—
In this section—
“
financial services provider” means a person providing financial services;
“
prescribed” means prescribed in FCA interface rules.
This section is about provision that regulations under section
14
may or must
(among other things) contain.
The regulations—
may not require or enable the FCA to require a person to set up an
interface body.
The regulations must—
require the FCA, so far as is reasonably possible, to exercise functions
conferred by the regulations in a manner which is compatible with,
or which advances, one or more specified purposes;
specify one or more matters to which the FCA must have regard when
exercising functions conferred by the regulations;
if they require or enable the FCA to make rules, make provision about
the procedure for making rules, including provision requiring such
consultation with persons likely to be affected by the rules or
representatives of such persons as the FCA considers appropriate.
The regulations may—
require the FCA to carry out an analysis of the costs and benefits that
will arise if proposed rules are made or proposed changes are made
to rules and make provision about what the analysis must include;
require the FCA to publish rules or changes to rules and to provide
copies to specified persons;
make provision about the effect of rules, including provision about
circumstances in which rules are void and circumstances in which a
person is not to be taken to have contravened a rule;
make provision enabling or requiring the FCA to modify or waive
rules as they apply to a particular case;
make provision about the procedure for imposing FCA additional
requirements;
make provision enabling or requiring the FCA to produce guidance
about how it proposes to exercise its functions under the regulations,
to publish the guidance and to provide copies to specified persons.
The regulations may require or enable the FCA to impose the following types
of requirement on a person as FCA additional requirements—
a requirement to review the person’s conduct;
a requirement to take remedial action;
a requirement to make redress for loss or damage suffered by others
as a result of the person’s conduct.
Those persons are—
financial services providers.
Those expenses are expenses incurred, or to be incurred, by the interface body
or person listed in subsection
(7)
, or a person acting on behalf of such a body
or person, in performing duties, or exercising powers, imposed or conferred
by—
regulations under this Part, or
rules made by virtue of regulations under section 14 .
Regulations made in reliance on subsection (6) —
may enable rules to provide for the amount of a fee to be an amount
which is intended to exceed the cost of the things in respect of which
the fee is charged;
may require or enable rules to make provision about the amount, or
maximum amount, of a fee, including provision about how a fee is to
be determined;
may require or enable rules to make provision about the amount, or
maximum amount, by which the amount, or maximum amount, of a
fee must or may increase and the times at which it must or may
increase;
must require rules, where relevant, to require a person who determines
an amount referred to in paragraph (b) or (c) to publish information
about the amount and how it is determined;
may require or enable rules to make provision about—
interest on any unpaid amounts;
the recovery of unpaid amounts.
In this section, “financial services provider” and
meaning given in section
14
.
paying interest, and
providing redress in the form of a remedy or relief which could not
be awarded in legal proceedings.
The regulations may require or enable the FCA—
to set the amount or maximum amount of, or of an increase in, a
penalty imposed in respect of failure to comply with a requirement
imposed by the FCA in exercise of a power conferred by regulations
under section
14
(whether imposed by means of FCA interface rules
or an FCA additional requirement), or
to set the method for determining such an amount.
Regulations made in reliance on subsection (2) —
must require the FCA to produce and publish a statement of its policy
with respect to the amount of the penalties;
may require the policy to include specified matters;
may make provision about the procedure for producing the statement;
may require copies of the statement to be provided to specified
persons;
may require the FCA to have regard to a statement published in
accordance with the regulations.
The Treasury may by regulations—
impose, or provide for the FCA to impose, a levy on data holders or
third party recipients for the purpose of meeting expenses incurred,
or to be incurred, during a period by the FCA, or by a person acting
on the FCA’s behalf, in performing duties, or exercising powers,
imposed or conferred on the FCA by regulations under section
14
, and
make provision about what must or may be done with funds raised
by means of the levy.
Regulations under subsection
(4)
providing for the FCA to impose a levy
must—
make provision about how the rate of the levy is to be determined;
make provision about how the period in respect of which the levy is
payable is to be determined;
require the FCA to publish information about the rate, the period and
how they are determined.
Regulations under subsection
(4)
may (among other things) make provision
about—
interest on any unpaid amounts payable by way of a levy;
the recovery of such unpaid amounts.
The Treasury may by regulations amend section 98 of the Financial Services (Banking Reform) Act 2013 (payment systems: duty of the FCA and other regulators to ensure co-ordinated exercise of relevant functions) by—
amending the definition of “relevant functions” so as to add or remove
a function conferred on the FCA by regulations under this Part, and
amending the definition of “objectives” so as to add or remove an
objective of the FCA relevant to such a function.
The Secretary of State or the Treasury may by regulations provide that a
person listed in subsection
(2)
is not liable in damages for anything done or
omitted to be done in the exercise of functions conferred by or under
regulations made under this Part.
Those persons are—
a public authority;
a member, officer or member of staff of a public authority;
a person who could be held vicariously liable for things done or
omitted to be done by a public authority.
Regulations under this section may not—
make provision removing liability for an act or omission which is
shown to have been in bad faith, or
make provision so as to prevent an award of damages made in respect
of an act or omission on the ground that the act or omission was
unlawful as a result of section 6(1) of the Human Rights Act 1998.
The relevant person must, by regulations, provide for the review of provision
made by the relevant person in exercise of powers to make regulations under
other sections in this Part (“Part 1 provision”) (but see the exceptions in
subsection
(8)
).
In this section, “the relevant person” means—
in relation to Part 1 provision made by the Secretary of State, the
Secretary of State, and
in relation to Part 1 provision made by the Treasury, the Treasury.
Regulations under subsection (1) must require the relevant person—
to review the Part 1 provision,
to prepare and publish a report setting out the findings of each review,
and
to lay a copy of the report before Parliament.
The regulations must require the relevant person—
to publish the report setting out the findings of the first review of the
Part 1 provision before the end of the period of 5 years beginning
with the day on which the provision comes into force, and
to publish reports setting out the findings of subsequent reviews at
intervals of not more than 5 years.
The regulations must require that, in carrying out a review, the relevant
person must consider whether the Part 1 provision remains appropriate,
having regard to (among other things)—
the objectives it is intended to achieve, and
The regulations must provide that the relevant person may omit material
from a report before publication if the relevant person thinks that the
publication of that material might harm the commercial interests of any person.
The regulations may (whether made by the Secretary of State or the Treasury)
provide for the Secretary of State and the Treasury to carry out a joint review,
and to produce a joint report, in respect of Part 1 provision made by the
Secretary of State and Part 1 provision made by the Treasury.
Subsection (1) does not apply in relation to—
Part 1 provision that is required to be reviewed by the relevant person
by virtue of existing regulations under this section, or
Part 1 provision that makes, amends or revokes provision described
in paragraph
(a)
,
nor does it require the relevant person to provide for the review of Part 1 provision that has been revoked.
Section 28 of the Small Business, Enterprise and Employment Act 2015 (duty
to review regulatory provisions in secondary legislation) does not apply in
relation to a power to make regulations under this Part.
Except as provided by
subsection (2)
, regulations under this Part may provide
for the processing of information in accordance with the regulations not to
be in breach of—
any obligation of confidence owed by the person processing the
information, or
any other restriction on the processing of information (however
imposed).
Regulations under this Part are not to be read as authorising or requiring
processing of personal data that would contravene the data protection
legislation (but in determining whether particular processing of data would
do so, take into account the power conferred or duty imposed by the provision
of the regulations in question).
In this section—
“
the data protection legislation” has the same meaning as in the Data
Protection Act 2018 (see section 3(9) of that Act);
“
personal data” has the same meaning as in that Act (see section 3(2) of
that Act).
Regulations under this Part may (among other things)—
make provision generally or in relation to particular cases;
make different provision for different purposes or areas;
make provision about the form and manner in which things must or
may be done;
make provision about the content of requests, notices or other
documents;
make provision about the time by which, or period within which,
things must or may be done;
make provision by reference to standards, arrangements, specifications
or technical requirements as published from time to time;
confer functions on a person, including functions involving the exercise
of a discretion, and make provision in connection with the procedure
for exercising the functions;
make consequential, supplementary, incidental, transitional, transitory
or saving provision.
Regulations under this Part may not require or enable a person to set the
maximum amount of a fine for an offence, except that such regulations may
make provision about the maximum amount referring to the standard scale,
the statutory maximum or a similar amount.
Regulations under this Part—
may make provision about the amount or method described in
subsection
(3)
referring to a published index, and
may require or enable a person to make decisions, in accordance with
a maximum amount or method set out in the regulations, about the
amount of, or of an increase or reduction in, a penalty or fee payable
in a particular case.
Regulations under this Part making the following types of provision may
amend, repeal or revoke primary legislation—
provision about the handling of complaints;
provision about the resolution of disputes;
provision about appeals;
provision described in subsection (1) (h) .
The following regulations under this Part are subject to the affirmative
resolution procedure—
Other regulations under this Part are subject to the negative resolution
procedure.
Before making regulations described in subsection
(1)
, the Secretary of State
or the Treasury (as the case may be) must consult such of the following as
the Secretary of State or the Treasury considers appropriate—
persons likely to be affected by the regulations or representatives of
such persons;
sectoral regulators with functions in relation to data holders likely to
be affected by the regulations.
The requirement in subsection
(3)
may be satisfied by consultation undertaken
before the day on which this Act is passed.
The regulation-making powers under this Part may be exercised so as to
make, in connection with the related subordinate legislation, any provision
that they could be exercised to make as part of, or in connection with,
provision made under section
2
(1)
to
(4)
or, as appropriate, section
4
(1)
to
(4)
.
In this section, “subordinate legislation” has the same meaning as in the
Interpretation Act 1978 (see section 21 of that Act).
Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).
In this Part—
“
application programming interface” means a facility for allowing
software to make use of facilities contained in other software;
“
dashboard service” means an electronic communications service by
means of which information may be requested by and provided to a
person;
“
digital content” means data which is produced and supplied in digital
form;
“
electronic communications service” has the meaning given by section
32 of the Communications Act 2003;
“
goods” includes water, gas and electricity (however supplied);
“
micro business” has the meaning given by section 33 of the Small
Business, Enterprise and Employment Act 2015, read with any
regulations under that section;
“
primary legislation” means—
an Act of Parliament;
an Act of the Scottish Parliament;
a Measure or Act of Senedd Cymru;
Northern Ireland legislation;
“
processing” has the same meaning as in the Data Protection Act 2018
(see section 3(4) of that Act) and related terms are to be interpreted
accordingly;
“
public authority” means a person whose functions—
are of a public nature, or
include functions of that nature;
“
small business” has the meaning given by section 33 of the Small
Business, Enterprise and Employment Act 2015, read with any
regulations under that section;
“
specified” means specified, or of a description specified, by regulations
under this Part, or in exercise of a power conferred by such regulations,
except to the extent otherwise provided in this Part;
“
third party recipient” means—
In this Part, references to doing something “in the course of a business”
include doing something in the course of—
a trade, craft or profession, or
any other undertaking carried on for gain or reward.
In this Part—
references to making arrangements include producing model
arrangements,
references to managing a facility (or an interface that is a facility)
include operating, or overseeing the operation, of a facility,
references to managing a service (or an interface that is a service)
include providing, or overseeing the provision of, a service, and
references to managing standards or arrangements include assisting
people to use them or overseeing how they are used.
The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.
Term |
Provision |
application programming interface |
|
business, in the course of a |
|
business data |
|
customer |
|
customer data |
|
dashboard service |
|
data holder |
|
data regulations |
|
decision-maker |
|
digital content |
|
electronic communications service |
|
enforcer |
|
the FCA |
|
FCA additional requirement |
|
FCA interface rules |
|
goods |
|
interface |
|
interface arrangements |
|
interface body |
|
interface standards |
|
making arrangements |
|
managing (facilities, services, standards or arrangements) |
|
micro business |
|
primary legislation |
|
processing |
|
providing customer data |
|
public authority |
|
receiving customer data |
|
small business |
|
specified |
|
third party recipient |
|
trader |
This Part contains provision to secure the reliability of digital verification
services by means of—
a trust framework (see section 28 ),
supplementary codes (see section 29 ),
a register (see section 32 ),
an information gateway (see section 45 ), and
a trust mark (see section 50 ).
In this Part, “digital verification services” means verification services provided
to any extent by means of the internet.
In subsection
(2)
, “verification services” means services that are provided at
the request of an individual and consist in—
ascertaining or verifying a fact about the individual from information
provided otherwise than by the individual, and
confirming to another person that the fact about the individual has
been ascertained or verified from information so provided.
The Secretary of State must prepare and publish a document (“the DVS trust
framework”) setting out rules concerning the provision of digital verification
services.
Those rules may include (among other things) rules relating to, and to the
conduct of, a person who provides such services; and references in this Part
to a person providing services in accordance with the DVS trust framework
(however expressed) include a person complying with such rules.
In preparing the DVS trust framework, the Secretary of State must consult—
the Information Commissioner, and
such other persons as the Secretary of State considers appropriate.
The requirement in
subsection (3)
may be satisfied by consultation undertaken
before the coming into force of this section.
The Secretary of State may revise and republish the DVS trust framework
(whether following a review under section
31
or otherwise).
The DVS trust framework, and any revised version of the framework, must
specify the time it comes into force (which must not be a time earlier than
the time it is published).
The DVS trust framework, and any revised version of the framework, may—
set out different rules for different digital verification services,
specify that provisions come into force at different times for different
purposes, and
make transitional or saving provision.
Where the Secretary of State revises and republishes the DVS trust framework,
the DVS trust framework (as revised) may provide that from a date, or from
the end of a period, specified in the framework a pre-revision certificate is
required to be ignored for the purposes of sections
33
(1)
(a)
,
35
(1)
(c)
,
40
(1)
(c)
and
42
(1)
(c)
.
In subsection (8) , a “pre-revision certificate” means a certificate which—
certifies that digital verification services provided by the holder of the
certificate are provided in accordance with the DVS trust framework,
and
was issued before the time the relevant revision to the DVS trust
framework comes into force.
Provision included in the DVS trust framework in reliance on subsection (8) may make different provision in relation to different descriptions of pre-revision certificate.
The Secretary of State may prepare and publish one or more sets of rules
concerning the provision of digital verification services which supplement
the DVS trust framework.
In this Part, a set of rules published under subsection
(1)
is referred to as a
supplementary code.
Those rules may include (among other things) rules relating to, and to the
conduct of, a person who provides such services; and in this Part references
to a person providing services in accordance with a supplementary code
(however expressed) include a person complying with such rules.
In preparing a set of rules, the Secretary of State must consult—
the Information Commissioner, and
such other persons as the Secretary of State considers appropriate.
The requirement in subsection
(4)
may be satisfied by consultation undertaken
before the coming into force of this section.
The Secretary of State may revise and republish a supplementary code
(whether following a review under section
31
or otherwise).
A supplementary code, and any revised version of a supplementary code,
must specify the time it comes into force (which must not be a time earlier
than the time it is published).
A supplementary code, and any revised version of a supplementary code,
may—
set out different rules for different digital verification services,
specify that provisions come into force at different times for different
purposes, and
make transitional or saving provision.
Where the Secretary of State revises and republishes a supplementary code,
the supplementary code (as revised) may provide that from a date, or from
the end of a period, specified in the code a pre-revision certificate is required
to be ignored for the purposes of sections
36
(1)
(a)
,
37
(1)
(c)
,
43
(1)
(c)
and
44
(1)
(c)
.
In subsection (9) , a “pre-revision certificate” means a certificate which—
certifies that digital verification services provided by the holder of the
certificate are provided in accordance with the supplementary code,
and
was issued before the time the relevant revision to the supplementary
code comes into force.
Provision included in a supplementary code in reliance on subsection
(9)
may
make different provision in relation to different descriptions of pre-revision
certificate.
The Secretary of State may determine to withdraw a supplementary code.
A determination must—
be published, and
specify when the code is withdrawn, which must be a time after the
end of the period of 21 days beginning with the day on which the
determination is published.
At least every 12 months, the Secretary of State must—
carry out a review of the DVS trust framework, and
at the same time, carry out a review of each supplementary code which
has not been withdrawn.
In carrying out a review under subsection
(1)
, the Secretary of State must
consult—
the Information Commissioner, and
such other persons as the Secretary of State considers appropriate.
The Secretary of State must establish and maintain a register of persons
providing digital verification services.
The register is referred to in this Part as the DVS register.
The Secretary of State must make the DVS register publicly available.
The Secretary of State must register a person providing digital verification
services in the DVS register if—
the person holds a certificate from an accredited conformity assessment
body certifying that digital verification services provided by the person
are provided in accordance with the DVS trust framework,
the person applies to be registered in the DVS register in respect of
one or more of the digital verification services to which the certificate
relates,
the application complies with any requirements imposed by a
determination under
section 38
, and
the person complies with any regulations under
section 39
(1)
requiring
a fee to be paid.
But subsection (1) is subject to—
The register must record the digital verification services in respect of which
a person is, from time to time, registered.
For the purposes of subsection (1) (a) , a certificate is to be ignored if—
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
it is required to be ignored by reason of provision included in the
DVS trust framework under
section 28
(8)
.
In this Part, “accredited conformity assessment body” means a conformity
assessment body that is accredited by the UK national accreditation body in
accordance with Article 5 of the Accreditation Regulation as competent to
carry out assessments of whether digital verification services are provided in
accordance with the DVS trust framework.
In subsection (6) —
“
the Accreditation Regulation” means Regulation (EC) No 765/2008 of
the European Parliament and of the Council of 9 July 2008 setting out
the requirements for accreditation and market surveillance relating to
the marketing of products and repealing Regulation (EEC) No 339/93;
“
conformity assessment body” has the same meaning as in the
Accreditation Regulation (see Article 2(13) of that Regulation);
“
the UK national accreditation body” means the UK national accreditation
body for the purposes of Article 4(1) of the Accreditation Regulation.
The Secretary of State may refuse to register a person providing digital
verification services in the DVS register if the Secretary of State—
considers that it is necessary to do so in the interests of national
security, or
is satisfied that the person is failing to comply with the DVS trust
framework in respect of one or more of the digital verification services
in respect of which the person applies to be registered.
Before refusing to register a person under this section the Secretary of State
must, by written notice, inform the person that the Secretary of State intends
to do so.
The notice must—
state the name and address of the person,
state the reason why the Secretary of State—
considers that it is necessary to refuse to register the person in
the interests of national security, or
state whether the Secretary of State intends to specify a period in the
notice under subsection
(8)
and, if so, what period is intended to be
specified,
state that the person may make written representations to the Secretary
of State about—
the Secretary of State’s intention to refuse to register the person
in the DVS register, and
where relevant, the period the Secretary of State intends to
specify in the notice under subsection
(8)
, and
specify the period within which such representations may be made.
Where the Secretary of State intends to refuse to register a person in reliance
on subsection
(1)
(a)
, the requirement in subsection
(3)
(b)
does not apply if,
or to the extent that, the Secretary of State considers that stating the reason
described in subsection
(3)
(b)
(i)
would be contrary to the interests of national
security.
The period specified for making written representations must be a period of
not less than 21 days beginning with the day on which the notice is given.
If the Secretary of State considers that it is appropriate for the person to have
an opportunity to make oral representations about the matters mentioned in
subsection
(3)
(d)
, the notice must also—
state that the person may make such representations, and
specify the arrangements for making such representations and the
time at which, or the period within which, they may be made.
When deciding whether to refuse to register the person in the DVS register
under this section, the Secretary of State must consider any oral or written
representations made by the person in accordance with the notice.
Where the Secretary of State refuses to register the person in the DVS register
under this section, the Secretary of State must by written notice inform the
person that the person’s application for registration has been refused.
The Secretary of State may, in the notice given under subsection
(8)
, state
that any further application for registration made by the person during a
period specified in the notice will be refused.
If the person applies to be registered in the DVS register during the period
specified in the notice in reliance on subsection
(9)
, the Secretary of State
must refuse the application.
The period specified in the notice in reliance on subsection
(9)
must begin
with the day on which the notice is given and must not exceed two years.
Subsection (2) applies if—
a person is registered in the DVS register,
the person applies for their entry in the register to be amended to
record additional digital verification services that the person provides
in accordance with the DVS trust framework,
the person holds a certificate from an accredited conformity assessment
body certifying that the person provides the additional services in
accordance with the DVS trust framework,
the application complies with any requirements imposed by a
determination under section
38
, and
The Secretary of State must amend the DVS register to record that the person
is also registered in respect of the additional services referred to in subsection
(1)
.
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
Subsection (2) applies if—
a person holds a certificate from an accredited conformity assessment
body certifying that digital verification services provided by the person
are provided in accordance with a supplementary code,
the person applies for a note about one or more of the services to
which the certificate relates to be included in the entry relating to that
person in the DVS register,
the application complies with any requirements imposed by a
determination under section
38
, and
The Secretary of State must include a note in the entry relating to the person
in the DVS register recording that the person provides, in accordance with
the supplementary code referred to in subsection
(1)
, the services in respect
of which the person made the application referred to in that subsection.
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.
Subsection (2) applies if—
a person has a supplementary note included in the DVS register
relating to a supplementary code,
the person applies for the note to be amended to record additional
digital verification services that the person provides in accordance
with that code,
the person holds a certificate from an accredited conformity assessment
body certifying that the person provides the additional services in
accordance with that code,
the application complies with any requirements imposed by a
determination under section
38
, and
The Secretary of State must amend the note to record that the person also
provides the additional services referred to in subsection
(1)
in accordance
with the supplementary code to which the note relates.
But subsection
(2)
does not apply if the supplementary code to which the
note relates has been withdrawn.
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
The Secretary of State may determine—
the information to be contained in or provided with the application,
the documents to be provided with the application, and
the manner in which the application is to be submitted.
A determination may make different provision for different purposes.
The Secretary of State must publish a determination.
The Secretary of State may revise a determination.
If the Secretary of State revises a determination the Secretary of State must
publish the determination as revised.
The Secretary of State may by regulations make provision for or in connection
with—
the payment of fees in connection with continued registration in the
DVS register.
The regulations may not provide for payment of fees to anyone other than
the Secretary of State.
The regulations must—
specify the amount, or the maximum amount of a fee, or
provide for a fee, or the maximum amount of a fee, to be determined
in accordance with regulations.
The regulations may provide for the amount of a fee to exceed the
administrative costs of determining the application or the administrative costs
associated with the continued registration (as the case may be).
Regulations under subsection
(1)
may (among other things) make provision
about the following—
when fees are to be paid;
the manner in which fees are to be paid;
the payment of discounted fees;
exceptions to requirements to pay fees;
the refund of fees (in whole or in part);
interest on any unpaid amounts,
The regulations may—
make different provision for different purposes;
make transitional, transitory or saving provision.
Regulations under this section are subject to the negative resolution procedure.
The Secretary of State must remove a person from the DVS register if the
person—
asks to be removed from the register,
ceases to provide all of the digital verification services in respect of
which the person is registered in the register, or
no longer holds a certificate from an accredited conformity assessment
body certifying that at least one of those digital verification services
is provided in accordance with the DVS trust framework.
For the purposes of subsection (1) (c) , a certificate is to be ignored if—
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
The Secretary of State may remove a person from the DVS register if—
the Secretary of State is satisfied that the person is failing to comply
with the DVS trust framework when providing one or more of the
digital verification services in respect of which the person is registered,
the person has a supplementary note included in the DVS register and
the Secretary of State is satisfied that the person is failing to comply
with the supplementary code to which the note relates when providing
one or more of the digital verification services recorded in the note,
the Secretary of State is satisfied that the person has failed to provide
the Secretary of State with information in accordance with a notice
under section
51
, or
the Secretary of State considers that it is necessary to do so in the
interests of national security.
Before removing a person from the DVS register under this section the
Secretary of State must, by written notice, inform the person that the Secretary
of State intends to do so.
The notice must—
state the name and address of the person,
state the reason why the Secretary of State—
is satisfied that the person is failing or has failed as mentioned
in
subsection (1)
(a)
to
(c)
, or
considers that it is necessary to remove the person from the
DVS register in the interests of national security,
state whether the Secretary of State intends to specify a period in the
notice under
subsection (8)
and, if so, what period is intended to be
specified,
state that the person may make written representations to the Secretary
of State about—
the Secretary of State’s intention to remove the person from
the DVS register, and
where relevant, the period the Secretary of State intends to
specify in the notice under
subsection (8)
, and
specify the period within which such representations may be made.
The period specified for making written representations must be a period of
not less than 21 days beginning with the day on which the notice is given.
If the Secretary of State considers that it is appropriate for the person to have
an opportunity to make oral representations about the matters mentioned in
subsection (3)
(d)
, the notice must also—
state that the person may make such representations, and
specify the arrangements for making such representations and the
time at which, or the period within which, they may be made.
When deciding whether to remove the person from the DVS register under
this section, the Secretary of State must consider any oral or written
representations made by the person in accordance with the notice.
Where the Secretary of State removes the person from the DVS register under
this section, the Secretary of State must by written notice inform the person
of that.
The Secretary of State may, in the notice given under subsection
(8)
, state
that any application for re-registration made by the person during a period
specified in the notice will be refused.
If the person applies to be re-registered during the period specified in the
notice in reliance on subsection
(9)
, the Secretary of State must refuse the
application.
The period specified in the notice in reliance on subsection
(9)
must begin
with the day on which the notice is given and must not exceed two years.
Where a person is registered in the DVS register in respect of digital
verification services, subsection
(2)
applies if the person—
asks for the register to be amended so that the person is no longer
registered in respect of one or more of those services,
ceases to provide one or more of those services (but not all of them),
or
no longer holds a certificate from an accredited conformity assessment
body certifying that all of those services are provided in accordance
with the DVS trust framework.
The Secretary of State must amend the register to record that the person is
no longer registered in respect of (as the case may be)—
the service or services which the person has ceased to provide, or
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
The Secretary of State must remove a supplementary note included in the
entry in the DVS register relating to a person if—
the person asks for the note to be removed,
the person ceases to provide all of the digital verification services to
which the note relates,
the person no longer holds a certificate from an accredited conformity
assessment body certifying that at least one of those digital verification
services is provided in accordance with the supplementary code to
which the note relates, or
the supplementary code to which the note relates has been withdrawn.
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
Where a person has a supplementary note included in their entry in the DVS
register in respect of digital verification services, subsection
(2)
applies if the
person—
asks for the note to be amended so that it no longer records one or
more of those services,
ceases to provide one or more of the services recorded in the note (but
not all of them), or
no longer holds a certificate from an accredited conformity assessment
body certifying that all of the services included in the note are provided
in accordance with a supplementary code.
The Secretary of State must amend the supplementary note so it no longer
records (as the case may be)—
the service or services which the person has ceased to provide, or
For the purposes of subsection (1) (c) , a certificate is to be ignored if—
it has expired in accordance with its terms,
it has been withdrawn by the body that issued it, or
This section applies where—
a person is registered in the DVS register, and
an individual makes a request to the person for the provision of digital
verification services in respect of which the person is registered.
A public authority may disclose to the person information relating to the
individual for the purpose of enabling the person to provide the digital
verification services for the individual.
A disclosure of information under this section does not breach—
any obligation of confidence owed by the public authority making the
disclosure, or
any other restriction on the disclosure of information (however
imposed).
But this section does not authorise a disclosure of information which—
would contravene the data protection legislation (but in determining
whether a disclosure would do so, the power conferred by this section
is to be taken into account), or
is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.
This section does not authorise a public authority to disclose information
obtained by the authority otherwise than in connection with the exercise by
the authority of functions of a public nature.
This section does not affect a power to disclose information that exists apart
from this section.
A public authority may charge a person fees in respect of the disclosure to
the person of information under this section.
In this section—
“
data protection legislation” has the same meaning as in the Data
Protection Act 2018 (see section 3(9) of that Act);
“
public authority” means a person whose functions—
are of a public nature, or
include functions of that nature.
This section applies where the Revenue and Customs disclose personal
information to a person under
section 45
for the purpose of enabling the
person to provide digital verification services for an individual.
The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except
with the consent of the Commissioners for His Majesty’s Revenue and
Customs.
Any other person who receives the information, whether directly or indirectly
from the person to whom the Revenue and Customs disclose the information,
must not further disclose the information, except with the consent of the
Commissioners for His Majesty’s Revenue and Customs.
If a person discloses information in contravention of this section, section 19
of the Commissioners for Revenue and Customs Act 2005 (offence of wrongful
disclosure) applies in relation to that disclosure as it applies in relation to a
disclosure of information in contravention of section 20(9) of that Act.
In this section—
“
personal information” means information relating to a person whose
identity—
is specified in the information, or
can be deduced from it;
“
the Revenue and Customs” has the meaning given by section 17(3) of
the Commissioners for Revenue and Customs Act 2005.
This section applies where the Welsh Revenue Authority discloses personal
information to a person under section
45
for the purpose of enabling the
person to provide digital verification services for an individual.
The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except
with the consent of the Welsh Revenue Authority.
Any other person who receives the information, whether directly or indirectly
from the person to whom the Welsh Revenue Authority discloses the
information, must not further disclose the information, except with the consent
of the Welsh Revenue Authority.
It is a defence for a person charged with an offence under subsection
(4)
to
prove that the person reasonably believed—
that the disclosure was lawful, or
that the information had already lawfully been made available to the
public.
A person who commits an offence under subsection (4) is liable—
on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine
(or both);
on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum
(or both);
on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory
maximum (or both);
on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).
In this section, “personal information” means information relating to a person
whose identity—
is specified in the information, or
can be deduced from it.
This section applies where Revenue Scotland discloses personal information
to a person under section
45
for the purpose of enabling the person to provide
digital verification services for an individual.
The person must not further disclose the information otherwise than for the
purpose of providing digital verification services for the individual, except
with the consent of Revenue Scotland.
Any other person who receives the information, whether directly or indirectly
from the person to whom Revenue Scotland discloses the information, must
not further disclose the information, except with the consent of Revenue
Scotland.
It is a defence for a person charged with an offence under subsection
(4)
to
prove that the person reasonably believed—
that the disclosure was lawful, or
that the information had already lawfully been made available to the
public.
A person who commits an offence under subsection (4) is liable—
on summary conviction in England and Wales, to imprisonment for
a term not exceeding the general limit in a magistrates’ court or a fine
(or both);
on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum
(or both);
on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory
maximum (or both);
on conviction on indictment, to imprisonment for a term not exceeding
2 years or a fine (or both).
In this section, “personal information” means information relating to a person
whose identity—
is specified in the information, or
can be deduced from it.
The Secretary of State must prepare and publish a code of practice about the
disclosure of information under section
45
.
The code of practice must be consistent with the code of practice prepared
under section 121 of the Data Protection Act 2018 (data-sharing code) and
issued under section 125(4) of that Act (as altered or replaced from time to
time).
A public authority must have regard to the code of practice in disclosing
information under section
45
.
The Secretary of State may from time to time revise and republish the code
of practice.
In preparing or revising the code of practice, the Secretary of State must
consult—
the Information Commissioner,
the Welsh Ministers,
the Scottish Ministers,
the Department of Finance in Northern Ireland, and
such other persons as the Secretary of State considers appropriate.
The requirement in
subsection (5)
may be satisfied by consultation undertaken
before the coming into force of this section.
The Secretary of State may not publish the first version of the code of practice
unless a draft of the code has been laid before, and approved by a resolution
of, each House of Parliament.
The Secretary of State may not republish the code of practice following its
revision unless—
a draft of the code as revised has been laid before each House of
Parliament, and
the 40-day period has expired without either House of Parliament
resolving not to approve the draft.
“The 40-day period” means—
the period of 40 days beginning with the day on which the draft is
laid before Parliament, or
if the draft is not laid before each House on the same day, the period
of 40 days beginning with the later of the days on which it is laid
before Parliament.
In calculating the 40-day period, no account is to be taken of any whole days
that fall within a period during which Parliament is dissolved or prorogued
or during which both Houses are adjourned for more than 4 days.
In this section, “public authority” means whose functions—
are of a public nature, or
include functions of that nature.
The Secretary of State may designate a mark for use in the course of providing,
or offering to provide, digital verification services.
A mark designated under this section must be published by the Secretary of
State.
A mark designated under this section may not be used by a person in the
course of providing, or offering to provide, digital verification services unless
the person is registered in the DVS register in respect of those digital
verification services.
The Secretary of State may enforce
subsection (3)
in civil proceedings for an
injunction or, in Scotland, an interdict.
The Secretary of State may by written notice require—
an accredited conformity assessment body, or
a person registered in the DVS register,
to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.
A notice under this section must state why the information is required for
the purposes of the exercise of those functions.
A notice under this section—
may specify or describe particular information or a category of
information;
may specify the form in which the information must be provided;
may specify the time at which, or the period within which, the
information must be provided;
may specify the place where the information must be provided.
A notice under this section that is given to a person registered in the DVS
register must provide information about the consequences under
section 41
of failure to comply with the notice.
The Secretary of State may cancel a notice under this section by notice to the
person to whom it was given.
A disclosure of information required by a notice under this section does not
breach—
any obligation of confidence owed by the person making the disclosure,
or
any other restriction on the disclosure of information (however
imposed).
But a notice under this section does not require a disclosure of information
if the disclosure—
would contravene section 46 , 47 or 48 ,
would contravene the data protection legislation (but in determining
whether a disclosure would do so, the duty imposed by the notice is
to be taken into account), or
is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.
A notice under this section does not require a person to provide the Secretary
of State with information in respect of a communication which is made—
between a professional legal adviser and the adviser’s client, and
in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under this Part.
In
subsection (8)
, references to the client of a professional legal adviser include
references to a person acting on behalf of the client.
A notice under this section does not require a person to provide the Secretary
of State with information if doing so would, by revealing evidence of the
commission of an offence, expose the person to proceedings for that offence.
The reference to an offence in
subsection (10)
does not include an offence
under—
section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath);
section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath);
Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn
statements).
In this section, “data protection legislation” has the same meaning as in the
Data Protection Act 2018 (see section 3(9) of that Act).
The Secretary of State may make arrangements for a person prescribed by
regulations under this section to exercise a relevant function of the Secretary
of State (and, where arrangements are made, references in this Part, or in
regulations made under this Part, to the Secretary of State are to be read
accordingly).
Arrangements under this section may—
provide for the Secretary of State to make payments to the person,
and
make provision as to the circumstances in which any such payments
are to be repaid to the Secretary of State.
Regulations under this section are subject to the affirmative resolution
procedure.
In this section, “relevant function” means a function of the Secretary of State
conferred by or under this Part (including the function of charging or
recovering fees under regulations under section
39
) other than a power to
make regulations.
If a person exercises the function of charging or recovering fees by virtue of
arrangements under this section, the person must pay the fees to the Secretary
of State, except to the extent that the Secretary of State directs otherwise.
The Secretary of State must prepare and publish reports on the operation of
this Part.
The first report must be published within the period of 12 months beginning
with the day on which
section 28
comes into force.
The reports must be published not more than 12 months apart.
The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.
In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty An order under subsection (3) containing provision described in specify a document generated by a DVS-registered person or specify a document which was provided to such a person in specify steps involving the use of services provided by such a In subsection (8), “DVS-registered person” means a person who is An order under subsection (3) which specifies a description of
for employing a person subject to immigration control), after subsection (7)
insert—
“(8)
subsection (7)(a), (b) or (c) may, in particular—
(a)
a DVS-registered person of a specified description;
(b)
order to generate such a document;
(c)
person.
(9)
registered in the DVS register maintained under Part 2 of the Data
(Use and Access) Act 2024 (“the DVS register”).
(10)
DVS-registered person may do so by, for example, describing a
DVS-registered person whose entry in the DVS register includes a
note relating to specified services (see section
36
of the Data (Use and
Access) Act 2024).”
In section 34 of the Immigration Act 2014 (requirements which may be
prescribed for the purposes of provisions about occupying premises under a
residential tenancy agreement)—
in subsection (1)—
in paragraph (a), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”,
in paragraph (b), after “occupiers” insert “, a DVS-registered
person or a DVS-registered person of a prescribed description”,
and
in paragraph (c), at the end insert “, including steps involving
the use of services provided by a DVS-registered person or a
DVS-registered person of a prescribed description”, and
“(1A)
An order prescribing requirements for the purposes of this
Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—(a)
prescribe a document generated by a DVS-registered
person or a DVS-registered person of a prescribed description;(b)
prescribe a document which was provided to such a
person in order to generate such a document.(1B)
In subsections (1) and (1A), “DVS-registered person” means a
person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2024 (“the DVS register”).(1C)
An order prescribing requirements for the purposes of this
Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2024).”
In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders Regulations under paragraph 5(6)(b) or (c) may, in particular— prescribe checks carried out using services provided by a prescribe documents generated by such a person; prescribe documents which were provided to such a person In sub-paragraph (1), “DVS-registered person” means a person who Regulations under paragraph 5(6)(b) or (c) which prescribe a
etc), after paragraph 5 insert—
“Prescribed checks and documents
5A
(1)
(a)
DVS-registered person or a DVS-registered person of a
prescribed description;
(b)
(c)
in order to generate such documents.
(2)
is registered in the DVS register maintained under Part 2 of the
Data (Use and Access) Act 2024 (“the DVS register”).
(3)
description of DVS-registered person may do so by, for example,
describing a DVS-registered person whose entry in the DVS register
includes a note relating to prescribed services (see section
36
of the
Data (Use and Access) Act 2024).”
“Part 3A National Underground Asset Register: England and Wales
The register
106A National Underground Asset Register
(1)
The Secretary of State must keep a register of information relating to
apparatus in streets in England and Wales.(2)
The register is to be known as the National Underground Asset
Register (and is referred to in this Act as “NUAR”).(3)
NUAR must be kept in such form and manner as may be prescribed.
(4)
The Secretary of State must make arrangements so as to enable any
person who is required, by a provision of this Act, to enter information into NUAR to have access to NUAR for that purpose.(5)
Regulations under subsection (3) are subject to the negative procedure.
(6)
The obligations of the Secretary of State under subsection (1) and
under Article 45A (1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (keeping of register of information relating to apparatus in streets in Northern Ireland) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland.106B Initial upload of information into NUAR
(1)
Before the end of the initial upload period an undertaker having
apparatus in a street must enter into NUAR—(a)
all information that is included in the undertaker’s records
under section 79(1) on the archive upload date, and(b)
any other information of a prescribed description that is held
by the undertaker on that date.(2)
The duty under subsection (1) does not apply in such cases as may
be prescribed.(3)
Information must be entered into NUAR under subsection (1) in such
form and manner as may be prescribed.(4)
An undertaker who fails to comply with a duty placed on the
undertaker under this section—(a)
commits an offence, and
(b)
is liable to compensate any person in respect of damage or loss
incurred by the person in consequence of the failure.(5)
A person who commits an offence under subsection (4) (a) is liable on
summary conviction to a fine.(6)
In criminal or civil proceedings against an undertaker arising out of
a failure to comply with a duty under this section, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by—(a)
the undertaker and the undertaker’s employees, and
(b)
any contractor of the undertaker and the undertaker’s
employees.(7)
Section 95 applies in relation to an offence under this section as it
applies in relation to an offence under Part 3.(8)
For the purposes of subsection (1) the Secretary of State must by
regulations—(a)
specify a date as “the archive upload date”, and
(b)
specify a period beginning with that date as the “initial upload
period”.(9)
Regulations under this section are subject to the negative procedure.
106C Access to information kept in NUAR
(1)
The Secretary of State may by regulations make provision for or in
connection with making information kept in NUAR available.(2)
The regulations may (among other things)—
(a)
make provision about which information, or descriptions of
information, may be made available;(b)
make provision about the descriptions of person to whom
information may be made available;(c)
make provision for information to be made available subject
to exceptions;(d)
make provision requiring or authorising the Secretary of State
to adapt, modify or obscure information before making it available;(e)
make provision authorising all information kept in NUAR to
be made available to prescribed descriptions of person under prescribed conditions;(f)
make provision about the purposes for which information may
be made available;(g)
make provision about the form and manner in which
information may be made available;(h)
make provision for or in connection with the granting of
licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence);(i)
make provision for information to be made available for free
or for a fee;(j)
make provision about the amounts of the fees, including
provision for the amoun