Data Protection Act 2018

Data Protection Act 2018, SCHEDULE 1 is up to date with all changes known to be in force on or before 14 September 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

PART 1 Conditions relating to employment, health and research etc

Employment, social security and social protection

1 (1) This condition is met if—

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

(3) In this paragraph—

Health or social care purposes

2 (1) This condition is met if the processing is necessary for health or social care purposes.

(2) In this paragraph “health or social care purposes” means the purposes of—

(a) preventive or occupational medicine,

(b) the assessment of the working capacity of an employee,

(c) medical diagnosis,

(d) the provision of health care or treatment,

(e) the provision of social care, or

(f) the management of health care systems or services or social care systems or services.

(3) See also the conditions and safeguards in Article 9(3) of the [ F3 UK GDPR ] (obligations of secrecy) and section 11(1).

Public health

3 This condition is met if the processing—

(a) is necessary for reasons of public interest in the area of public health, and

(b) is carried out—

(i) by or under the responsibility of a health professional, or

(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Research etc

4 This condition is met if the processing—

(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,

(b) is carried out in accordance with Article 89(1) of the [ F4 UK GDPR ] (as supplemented by section 19), and

(c) is in the public interest.

PART 2 Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this Part

5 (1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

Statutory etc and government purposes

6 (1) This condition is met if the processing—

(a) is necessary for a purpose listed in sub-paragraph (2), and

(b) is necessary for reasons of substantial public interest.

(2) Those purposes are—

(a) the exercise of a function conferred on a person by an enactment or rule of law;

(b) the exercise of a function of the Crown, a Minister of the Crown or a government department.

Administration of justice and parliamentary purposes

7 This condition is met if the processing is necessary—

(a) for the administration of justice, or

(b) for the exercise of a function of either House of Parliament.

Equality of opportunity or treatment

8 (1) This condition is met if the processing—

(a) is of a specified category of personal data, and

(b) is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,

subject to the exceptions in sub-paragraphs (3) to (5).

(2) In sub-paragraph (1), “specified” means specified in the following table—

Category of personal data | Groups of people (in relation to a category of personal data)
Personal data revealing racial or ethnic origin | People of different racial or ethnic origins
Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs
Data concerning health | People with different states of physical or mental health
Personal data concerning an individual's sexual orientation | People of different sexual orientation

(3) Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.

(4) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(5) Processing does not meet the condition in sub-paragraph (1) if—

(a) an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b) the notice gave the controller a reasonable period in which to stop processing such data, and

(c) that period has ended.

Racial and ethnic diversity at senior levels of organisations

9 (1) This condition is met if the processing—

(a) is of personal data revealing racial or ethnic origin,

(b) is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,

(c) is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and

(d) can reasonably be carried out without the consent of the data subject,

subject to the exception in sub-paragraph (3).

(2) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b) the controller is not aware of the data subject withholding consent.

(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4) For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—

(a) holds a position listed in sub-paragraph (5), or

(b) does not hold such a position but is a senior manager of the organisation.

(5) Those positions are—

(a) a director, secretary or other similar officer of a body corporate;

(b) a member of a limited liability partnership;

(c) a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.

(6) In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—

(a) the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or

(b) the actual managing or organising of the whole or a substantial part of those activities.

(7) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Preventing or detecting unlawful acts

10 (1) This condition is met if the processing—

(a) is necessary for the purposes of the prevention or detection of an unlawful act,

(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c) is necessary for reasons of substantial public interest.

(2) If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(3) In this paragraph—

Protecting the public against dishonesty etc

11 (1) This condition is met if the processing—

(a) is necessary for the exercise of a protective function,

(b) must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and

(c) is necessary for reasons of substantial public interest.

(2) In this paragraph, “protective function” means a function which is intended to protect members of the public against—

(a) dishonesty, malpractice or other seriously improper conduct,

(b) unfitness or incompetence,

(c) mismanagement in the administration of a body or association, or

(d) failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etc

12 (1) This condition is met if—

(a) the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—

(i) committed an unlawful act, or

(ii) been involved in dishonesty, malpractice or other seriously improper conduct,

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and

(c) the processing is necessary for reasons of substantial public interest.

(2) In this paragraph—

a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or

a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.

Journalism etc in connection with unlawful acts and dishonesty etc

13 (1) This condition is met if—

(a) the processing consists of the disclosure of personal data for the special purposes,

(b) it is carried out in connection with a matter described in sub-paragraph (2),

(c) it is necessary for reasons of substantial public interest,

(d) it is carried out with a view to the publication of the personal data by any person, and

(e) the controller reasonably believes that publication of the personal data would be in the public interest.

(2) The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—

(a) the commission of an unlawful act by a person;

(b) dishonesty, malpractice or other seriously improper conduct of a person;

(c) unfitness or incompetence of a person;

(d) mismanagement in the administration of a body or association;

(e) a failure in services provided by a body or association.

(3) The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(4) In this paragraph—