Competent authority data protection act

This option allows you to compare the current text with bill, draft, or proposed changes. Please select from the list below to specify which changes to include.

If the comparison exceeds 50 pages, please be patient as it may take some time to generate.

Cancel Compare text

Text comparison - Full text

Date fields are required.

The text generated incorporates all known amendments with given commencement dates.

If comparing more than 50 pages, this may take a moment to generate.

Cancel Compare text

Table of Contents

Table of Contents

Data Protection Act 2018 (c. 12)
- Introductory Text
- Part 1 Preliminary (ss. 1-3)
  - 1. Overview
  - 2. Protection of personal data
  - 3. Terms relating to the processing of personal data
  - Chapter 1 Scope and definitions (ss. 4-5)
    - 4. Processing to which this Part applies
    - 5. Definitions
    - Meaning of certain terms used in the UK GDPR (ss. 6-7)
      - 6. Meaning of "controller"
      - 7. Meaning of "public authority" and "public body"
      - 8. Lawfulness of processing: public interest etc
      - 9. Child's consent in relation to information society services
      - 10. Special categories of personal data and criminal convictions etc data
      - 11. Special categories of personal data etc: supplementary
      - 12. Limits on fees that may be charged by controllers
      - 13. Obligations of credit reference agencies
      - 13A. Meaning of "relevant offence" for purpose of right to erasure
      - 14. Automated decision-making authorised by law: safeguards
      - 15. Exemptions etc
      - 16. Power to make further exemptions etc by regulations
      - 17. Accreditation of certification providers
      - 17A. Transfers based on adequacy regulations
      - 17B. Transfers based on adequacy regulations: review etc
      - 17C. Standard data protection clauses
      - 18. Transfers of personal data to third countries etc: public interest
      - 19. Processing for archiving, research and statistical purposes: safeguards
      - 20. Meaning of "court"
      - Definitions (s. 21)
        
        21. Definitions
        
        22. Application of the GDPR to processing to which this Chapter applies
        
        23. Power to make provision in consequence of regulations related to the GDPR
        
        24. Manual unstructured data held by FOI public authorities
        
        25. Manual unstructured data used in longstanding historical research
        
        26. National security and defence exemption
        
        27. National security: certificate
        
        28. National security and defence: modifications to Articles 9 and 32 of the UK GDPR
        
        Chapter 1 Scope and definitions (ss. 29-33)
        
        Scope (s. 29)
        
        29. Processing to which this Part applies
        
        30. Meaning of "competent authority"
        
        31. "The law enforcement purposes"
        
        32. Meaning of "controller" and "processor"
        
        33. Other definitions
        
        34. Overview and general duty of controller
        
        35. The first data protection principle
        
        36. The second data protection principle
        
        37. The third data protection principle
        
        38. The fourth data protection principle
        
        39. The fifth data protection principle
        
        40. The sixth data protection principle
        
        41. Safeguards: archiving
        
        42. Safeguards: sensitive processing
        
        Overview and scope (s. 43)
        
        43. Overview and scope
        
        44. Information: controller's general duties
        
        45. Right of access by the data subject
        
        46. Right to rectification
        
        47. Right to erasure or restriction of processing
        
        48. Rights under section 46 or 47: supplementary
        
        49. Right not to be subject to automated decision-making
        
        50. Automated decision-making authorised by law: safeguards
        
        51. Exercise of rights through the Commissioner
        
        52. Form of provision of information etc
        
        53. Manifestly unfounded or excessive requests by the data subject
        
        54. Meaning of "applicable time period"
        
        55. Overview and scope
        
        General obligations (ss. 56-63)
        
        56. General obligations of the controller
        
        57. Data protection by design and default
        
        58. Joint controllers
        
        59. Processors
        
        60. Processing under the authority of the controller or processor
        
        61. Records of processing activities
        
        62. Logging
        
        63. Co-operation with the Commissioner
        
        64. Data protection impact assessment
        
        65. Prior consultation with the Commissioner
        
        66. Security of processing
        
        67. Notification of a personal data breach to the Commissioner
        
        68. Communication of a personal data breach to the data subject
        
        69. Designation of a data protection officer
        
        70. Position of data protection officer
        
        71. Tasks of data protection officer
        
        Overview and interpretation (s. 72)
        
        72. Overview and interpretation
        
        73. General principles for transfers of personal data
        
        74. Transfers on the basis of an adequacy decision
        
        74A. Transfers based on adequacy regulations
        
        74B. Transfers based on adequacy regulations: review etc
        
        75. Transfers on the basis of appropriate safeguards
        
        76. Transfers on the basis of special circumstances
        
        77. Transfers of personal data to persons other than relevant authorities
        
        78. Subsequent transfers
        
        79. National security: certificate
        
        80. Special processing restrictions
        
        81. Reporting of infringements
        
        Chapter 1 Scope and definitions (ss. 82-84)
        
        Scope (s. 82)
        
        82. Processing to which this Part applies
        
        83. Meaning of "controller" and "processor"
        
        84. Other definitions
        
        Overview (s. 85)
        
        85. Overview
        
        86. The first data protection principle
        
        87. The second data protection principle
        
        88. The third data protection principle
        
        89. The fourth data protection principle
        
        90. The fifth data protection principle
        
        91. The sixth data protection principle
        
        Overview (s. 92)
        
        92. Overview
        
        93. Right to information
        
        94. Right of access
        
        95. Right of access: supplementary
        
        96. Right not to be subject to automated decision-making
        
        97. Right to intervene in automated decision-making
        
        98. Right to information about decision-making
        
        99. Right to object to processing
        
        100. Rights to rectification and erasure
        
        Overview (s. 101)
        
        101. Overview
        
        102. General obligations of the controller
        
        103. Data protection by design
        
        104. Joint controllers
        
        105. Processors
        
        106. Processing under the authority of the controller or processor
        
        107. Security of processing
        
        108. Communication of a personal data breach
        
        109. Transfers of personal data outside the United Kingdom
        
        110. National security
        
        111. National security: certificate
        
        112. Other exemptions
        
        113. Power to make further exemptions
        
        The Commissioner (s. 114)
        
        114. The Information Commissioner
        
        115. General functions under the UK GDPR and safeguards
        
        116. Other general functions
        
        117. Competence in relation to courts etc
        
        118. Co-operation between parties to the Data Protection Convention
        
        119. Inspection of personal data in accordance with international obligations
        
        119A. Standard clauses for transfers to third countries etc
        
        120. Further international role
        
        121. Data-sharing code
        
        122. Direct marketing code
        
        123. Age-appropriate design code
        
        124. Data protection and journalism code
        
        125. Approval of codes prepared under sections 121 to 124
        
        126. Publication and review of codes issued under section 125(4)
        
        127. Effect of codes issued under section 125(4)
        
        128. Other codes of practice
        
        129. Consensual audits
        
        130. Records of national security certificates
        
        131. Disclosure of information to the Commissioner
        
        132. Confidentiality of information
        
        133. Guidance about privileged communications
        
        134. Fees for services
        
        135. Manifestly unfounded or excessive requests by data subjects etc
        
        136. Guidance about fees
        
        137. Charges payable to the Commissioner by controllers
        
        138. Regulations under section 137: supplementary
        
        139. Reporting to Parliament
        
        140. Publication by the Commissioner
        
        141. Notices from the Commissioner
        
        Information notices (ss. 142-145)
        
        142. Information notices
        
        143. Information notices: restrictions
        
        144. False statements made in response to information notices
        
        145. Information orders
        
        146. Assessment notices
        
        147. Assessment notices: restrictions
        
        148. Destroying or falsifying information and documents etc
        
        149. Enforcement notices
        
        150. Enforcement notices: supplementary
        
        151. Enforcement notices: rectification and erasure of personal data etc
        
        152. Enforcement notices: restrictions
        
        153. Enforcement notices: cancellation and variation
        
        154. Powers of entry and inspection
        
        155. Penalty notices
        
        156. Penalty notices: restrictions
        
        157. Maximum amount of penalty
        
        158. Fixed penalties for non-compliance with charges regulations
        
        159. Amount of penalties: supplementary
        
        160. Guidance about regulatory action
        
        161. Approval of first guidance about regulatory action
        
        162. Rights of appeal
        
        163. Determination of appeals
        
        164. Applications in respect of urgent notices
        
        165. Complaints by data subjects
        
        166. Orders to progress complaints
        
        167. Compliance orders
        
        168. Compensation for contravention of the UK GDPR
        
        169. Compensation for contravention of other data protection legislation
        
        170. Unlawful obtaining etc of personal data
        
        171. Re-identification of de-identified personal data
        
        172. Re-identification: effectiveness testing conditions
        
        173. Alteration etc of personal data to prevent disclosure to data subject
        
        174. The special purposes
        
        175. Provision of assistance in special purposes proceedings
        
        176. Staying special purposes proceedings
        
        177. Guidance about how to seek redress against media organisations
        
        178. Review of processing of personal data for the purposes of journalism
        
        179. Effectiveness of the media's dispute resolution procedures
        
        180. Jurisdiction
        
        181. Interpretation of Part 6
        
        Regulations under this Act (s. 182)
        
        182. Regulations and consultation
        
        183. Power to reflect changes to the Data Protection Convention
        
        184. Prohibition of requirement to produce relevant records
        
        185. Avoidance of certain contractual terms relating to health records
        
        186. Data subject's rights and other prohibitions and restrictions
        
        187. Representation of data subjects with their authority
        
        188. Representation of data subjects with their authority: collective proceedings
        
        189. Duty to review provision for representation of data subjects
        
        190. Post-review powers to make provision about representation of data subjects
        
        191. Framework for Data Processing by Government
        
        192. Approval of the Framework
        
        193. Publication and review of the Framework
        
        194. Effect of the Framework
        
        195. Reserve forces: data-sharing by HMRC
        
        196. Penalties for offences
        
        197. Prosecution
        
        198. Liability of directors etc
        
        199. Recordable offences
        
        200. Guidance about PACE codes of practice
        
        201. Disclosure of information to the Tribunal
        
        202. Proceedings in the First-tier Tribunal: contempt
        
        203. Tribunal Procedure Rules
        
        204. Meaning of "health professional" and "social work professional"
        
        205. General interpretation
        
        206. Index of defined expressions
        
        207. Territorial application of this Act
        
        208. Children in Scotland
        
        209. Application to the Crown
        
        210. Application to Parliament
        
        211. Minor and consequential provision
        
        212. Commencement
        
        213. Transitional provision
        
        214. Extent
        
        215. Short title
        
        Schedule 1, Part 1 Conditions relating to employment, health and research etc (paras. 1-4)
        
        Schedule 1, Part 2 Substantial public interest conditions (paras. 5-28)
        
        Schedule 1, Part 3 Additional conditions relating to criminal convictions etc (paras. 29-37)
        
        Schedule 1, Part 4 Appropriate policy document and additional safeguards (paras. 38-41)
        
        Schedule 2, Part 1 Adaptations and restrictions as described in Articles 6(3) and 23(1) (paras. 1-5)
        
        Schedule 2, Part 2 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34 (paras. 6-15)
        
        Schedule 2, Part 3 Restriction for the protection of rights of others (paras. 16-17)
        
        Schedule 2, Part 4 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 15 (paras. 18-25)
        
        Schedule 2, Part 5 Exemptions etc for reasons of freedom of expression and information (para. 26)
        
        Schedule 2, Part 6 Derogations etc for research, statistics and archiving (paras. 27-28)
        
        Schedule 3, Part 1 UK GDPR provisions to be restricted (para. 1)
        
        Schedule 3, Part 2 Health data (paras. 2-6)
        
        Schedule 3, Part 3 Social work data (paras. 7-12)
        
        Schedule 3, Part 4 Education data (paras. 13-20)
        
        Schedule 3, Part 5 Child abuse data (para. 21)
        
        Schedule 6, Part 1 Modifications to the GDPR (paras. 1-72)
        
        Schedule 6, Part 2 Modifications to Chapter 2 of Part 2 (paras. 73-75)
        
        Schedule 14, Part 1 Law Enforcement Directive (paras. 1-5)
        
        Schedule 14, Part 2 Data Protection Convention (paras. 6-10)
        
        Schedule 19, Part 1 Amendments of primary legislation (paras. 1-227)
        
        Schedule 19, Part 2 Amendments of other legislation (paras. 228-429)
        
        Schedule 19, Part 3 Modifications (paras. 430-432)
        
        Schedule 19, Part 4 Supplementary (paras. 433-434)
        
        Schedule 20, Part 1 General (para. 1)
        
        Schedule 20, Part 2 Rights of data subjects (paras. 2-11)
        
        Schedule 20, Part 3 The UK GDPR and Part 2 of this Act (paras. 12-13)
        
        Schedule 20, Part 4 Law enforcement and intelligence services processing (paras. 14-16)
        
        Schedule 20, Part 5 National security certificates (paras. 17-18)
        
        Schedule 20, Part 6 The Information Commissioner (paras. 19-28)
        
        Schedule 20, Part 7 Enforcement etc under the 1998 Act (paras. 29-43)
        
        Schedule 20, Part 8 Enforcement etc under this Act (paras. 44-46)
        
        Schedule 20, Part 9 Other enactments (paras. 47-61)
        
        Schedule 21, Part 1 Interpretation (para. 1)
        
        Schedule 21, Part 2 Continuation of existing acts etc (paras. 2-3)
        
        Schedule 21, Part 3 Transfers to third countries and international organisations (paras. 4-12)
        
        Schedule 21, Part 4 Repeal of provisions in Chapter 3 of Part 2 (paras. 13-14)
        
        Schedule 21, Part 5 The Information Commissioner (para. 15)
        
        Schedule 21, Part 6 Enforcement (paras. 16-17)
        
        Page overview
        
        Table of amendments
        
        Commencement orders
        
        Definitions used on this page

Competent authority data protection act

Text comparison - Full text

Page overview