  • This Act makes provision about the processing of personal data
  • Most processing of personal data is subject to the GDPR
  • Part 2 supplements the GDPR and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply
  • Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive
  • Part 4 makes provision about the processing of personal data by the intelligence services
  • Part 5 makes provision about the Information Commissioner
  • Part 6 makes provision about the enforcement of the data protection legislation
  • Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament
  • Personal data
    Any information relating to an identified or identifiable living individual
  • Identifiable living individual
    A living individual who can be identified, directly or indirectly, in particular by reference to an identifier or one or more factors specific to the individual
  • Processing
    An operation or set of operations performed on information, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure or destruction
  • Data subject
    The identified or identifiable living individual to whom personal data relates
  • Controller
    The person who, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor
    A person who processes personal data on behalf of the controller
  • Filing system
    Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis
  • The Commissioner
    The Information Commissioner
  • The data protection legislation
    The GDPR, the applied GDPR, this Act, regulations made under this Act, and regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive
  • The GDPR
    Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
  • The applied GDPR
    The GDPR as applied by Chapter 3 of Part 2
  • The Law Enforcement Directive
    Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
  • The Data Protection Convention
    The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
  • This Part is relevant to most processing of personal data
  • Chapter 2 of this Part applies to the types of processing of personal data to which the GDPR applies and supplements the GDPR
  • Chapter 3 of this Part applies to certain types of processing of personal data to which the GDPR does not apply and makes provision for a regime broadly equivalent to the GDPR to apply to such processing
  • Terms used in Chapter 2 of this Part and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR
  • Terms used in Chapter 3 of this Part and in the applied GDPR have the same meaning in Chapter 3 as they have in the applied GDPR
  • A reference in Chapter 2 or Chapter 3 of this Part to the processing of personal data is to processing to which the Chapter applies
  • The definition of "controller" in the GDPR has effect subject to section 6 of this Act, section 209, and section 210
  • For the purposes of the GDPR, the following are "public authorities" and "public bodies" under the law of the United Kingdom: a public authority as defined by the Freedom of Information Act 2000, a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002, and an authority or body specified or described by the Secretary of State in regulations
  • An authority or body that falls within the definition of "public authority" or "public body" is only considered as such for the purposes of the GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it
  • The references to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 do not include certain local authorities and bodies
  • The Secretary of State may by regulations provide that a person that is a public authority described in the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002 is not a "public authority" or "public body" for the purposes of the GDPR
  • In Article 6(1) of the GDPR, the reference to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority includes processing for the administration of justice, the exercise of a function of either House of Parliament, the exercise of a function conferred by an enactment or rule of law, the exercise of a function of the Crown, a Minister of the Crown or a government department, and an activity that supports or promotes democratic engagement
  • In Article 8(1) of the GDPR, the age of consent for a child in relation to information society services is 13 years, and the reference to "information society services" does not include preventive or counselling services
  • The processing of special categories of personal data and personal data relating to criminal convictions and offences must meet certain conditions set out in Schedule 1 of this Act
  • The Secretary of State may amend Schedule 1 by regulations to add, vary or remove conditions or safeguards
  • For the purposes of Article 9(2)(h) of the GDPR, the processing of personal data is carried out subject to the obligation of secrecy if it is carried out by or under the responsibility of a health professional or social work professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law
  • The law of the United Kingdom or a part of the United Kingdom only applies if it meets a condition in Part 1, 2 or 3 of Schedule 1
  • The Secretary of State may by regulations:
    1. Amend Schedule 1 by adding or varying conditions or safeguards
    2. Omit conditions or safeguards added by regulations
    3. Consequentially amend this section
  • Regulations under this section are subject to the affirmative resolution procedure