Data Protection Act 2018, SCHEDULE 1 is up to date with all changes known to be in force on or before 14 September 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
1 (1) This condition is met if— U.K.
(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2) See also the additional safeguards in Part 4 of this Schedule.
(3) In this paragraph—
2 (1) This condition is met if the processing is necessary for health or social care purposes. U.K.
(2) In this paragraph “ health or social care purposes ” means the purposes of—
(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services.
(3) See also the conditions and safeguards in Article 9(3) of the [ F3 UK GDPR ] (obligations of secrecy) and section 11(1).
3 U.K. This condition is met if the processing—
(a) is necessary for reasons of public interest in the area of public health, and
(b) is carried out—
(i) by or under the responsibility of a health professional, or
(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
4 U.K. This condition is met if the processing—
(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
(b) is carried out in accordance with Article 89(1) of the [ F4 UK GDPR ] (as supplemented by section 19), and
(c) is in the public interest.
5 (1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule). U.K.
(2) See also the additional safeguards in Part 4 of this Schedule.
6 (1) This condition is met if the processing— U.K.
(a) is necessary for a purpose listed in sub-paragraph (2), and
(b) is necessary for reasons of substantial public interest.
(2) Those purposes are—
(a) the exercise of a function conferred on a person by an enactment or rule of law;
(b) the exercise of a function of the Crown, a Minister of the Crown or a government department.
7 U.K. This condition is met if the processing is necessary—
(a) for the administration of justice, or
(b) for the exercise of a function of either House of Parliament.
8 (1) This condition is met if the processing— U.K.
(a) is of a specified category of personal data, and
(b) is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,
subject to the exceptions in sub-paragraphs (3) to (5).
(2) In sub-paragraph (1), “ specified ” means specified in the following table—
Category of personal data | Groups of people (in relation to a category of personal data) |
---|---|
Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
Data concerning health | People with different states of physical or mental health |
Personal data concerning an individual's sexual orientation | People of different sexual orientation |
(3) Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
(4) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(5) Processing does not meet the condition in sub-paragraph (1) if—
(a) an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b) the notice gave the controller a reasonable period in which to stop processing such data, and
(c) that period has ended.
9 (1) This condition is met if the processing— U.K.
(a) is of personal data revealing racial or ethnic origin,
(b) is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,
(c) is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and
(d) can reasonably be carried out without the consent of the data subject,
subject to the exception in sub-paragraph (3).
(2) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b) the controller is not aware of the data subject withholding consent.
(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(4) For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—
(a) holds a position listed in sub-paragraph (5), or
(b) does not hold such a position but is a senior manager of the organisation.
(5) Those positions are—
(a) a director, secretary or other similar officer of a body corporate;
(b) a member of a limited liability partnership;
(c) a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.
(6) In this paragraph, “ senior manager ”, in relation to an organisation, means a person who plays a significant role in—
(a) the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
(b) the actual managing or organising of the whole or a substantial part of those activities.
(7) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
10 (1) This condition is met if the processing— U.K.
(a) is necessary for the purposes of the prevention or detection of an unlawful act,
(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c) is necessary for reasons of substantial public interest.
(2) If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(3) In this paragraph—
11 (1) This condition is met if the processing— U.K.
(a) is necessary for the exercise of a protective function,
(b) must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and
(c) is necessary for reasons of substantial public interest.
(2) In this paragraph, “ protective function ” means a function which is intended to protect members of the public against—
(a) dishonesty, malpractice or other seriously improper conduct,
(b) unfitness or incompetence,
(c) mismanagement in the administration of a body or association, or
(d) failures in services provided by a body or association.
12 (1) This condition is met if— U.K.
(a) the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—
(i) committed an unlawful act, or
(ii) been involved in dishonesty, malpractice or other seriously improper conduct,
(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and
(c) the processing is necessary for reasons of substantial public interest.
(2) In this paragraph—
a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or
a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
13 (1) This condition is met if— U.K.
(a) the processing consists of the disclosure of personal data for the special purposes,
(b) it is carried out in connection with a matter described in sub-paragraph (2),
(c) it is necessary for reasons of substantial public interest,
(d) it is carried out with a view to the publication of the personal data by any person, and
(e) the controller reasonably believes that publication of the personal data would be in the public interest.
(2) The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—
(a) the commission of an unlawful act by a person;
(b) dishonesty, malpractice or other seriously improper conduct of a person;
(c) unfitness or incompetence of a person;
(d) mismanagement in the administration of a body or association;
(e) a failure in services provided by a body or association.
(3) The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(4) In this paragraph—