
Data Protection Act 2018: Supplementary and Final Provisions

Supplementary and Final Provisions

Part 7 of the Data Protection Act 2018 contains critical procedural, interpretive, and implementation provisions that govern how the entire Act operates. These sections establish regulation-making powers, define key terms, specify territorial scope, and set commencement dates.

Why this matters for AI agents:

  • Defines legal terms you’ll encounter throughout the Act
  • Establishes who has capacity to exercise data subject rights
  • Specifies geographic scope of compliance obligations
  • Clarifies Crown, Parliament, and tribunal procedures

Regulations Under This Act

Section 182: Regulations and Consultation

182.1 — Statutory Instrument Procedure

All regulations under the DPA 2018 must be made by statutory instrument.

182.2 — Mandatory Consultation

Before making regulations, Secretary of State MUST consult:

  1. The Information Commissioner
  2. Other persons the Secretary of State considers appropriate

Exceptions (no consultation required):

  • Section 30 regulations
  • Sections 211-213 regulations
  • Paragraph 15 of Schedule 2 regulations

182.5 — Regulation-Making Powers

Regulations may:

  • Make different provision for different purposes
  • Include consequential, supplementary, incidental, transitional, transitory, or saving provision

182.6-8 — Three Parliamentary Procedures

| Procedure | Description | Requirements |
|---|---|---|
| Negative resolution | Can be annulled by either House | Laid before Parliament, subject to annulment |
| Affirmative resolution | Must be approved | Draft laid before Parliament, requires approval by both Houses |
| Made affirmative resolution | Urgent, made first, approved later | Made with urgency statement, laid after making, ceases to have effect unless approved within specified period |

182.14 — Urgency Statements

“Urgency statement” = reasoned statement that Secretary of State considers regulations desirable without delay.

Practical implication:

Emergency data protection regulations can be made immediately but must receive Parliamentary approval within a set timeframe or they automatically lapse.


Changes to Data Protection Convention

Section 183: Power to Reflect Changes

Secretary of State may amend legislation to respond to modifications of the Data Protection Convention (Council of Europe Convention 108).

Scope: Can modify UK GDPR, this Act, or other data protection legislation to maintain alignment with international treaty obligations.


Prohibitions and Restrictions on Processing

Section 183A: Protection of Prohibitions and Restrictions

Establishes priority hierarchy:

Enactments imposing data processing duties CANNOT override main data protection legislation requirements.

Practical effect:

  • A law requiring disclosure of personal data does NOT automatically make that disclosure lawful under UK GDPR
  • Controllers must still comply with UK GDPR principles even when another law mandates processing

Section 183B: Pre-Commencement Enactments

Addresses relationship between laws passed before DPA 2018 and UK GDPR provisions.

Rule: Pre-existing laws requiring/authorizing processing don’t automatically satisfy UK GDPR lawfulness conditions unless they meet substantive requirements.


Rights of the Data Subject

Section 184: Prohibition of Requirement to Produce Relevant Records

184.1 — Criminal Offence

It is an OFFENCE to require an individual to:

  • Supply a relevant record (criminal conviction certificate, police record, etc.)
  • Produce a relevant record obtained via subject access rights

as a condition of:

  • Recruitment
  • Continued employment
  • Provision of goods/services
  • Provision of facilities

184.2-5 — What Are “Relevant Records”?

Relevant records include:

  • Criminal conviction certificates (DBS checks)
  • Enhanced criminal record certificates
  • Police records
  • Scottish equivalents
  • Northern Ireland equivalents

184.6-7 — Penalty

Maximum penalty:

  • Summary conviction: fine
  • Conviction on indictment: fine (unlimited)

Critical compliance point:

Employers CANNOT require job applicants to use subject access requests to obtain criminal records. Must use proper DBS check procedures instead.

Section 185: Avoidance of Certain Contractual Terms

Contract terms are VOID if they require an individual to:

  • Request a health record under subject access rights
  • Supply such a record to another person

Purpose: Prevents abuse of subject access rights to obtain medical records for insurance, employment, or other commercial purposes.

Example of void term:

“As a condition of this insurance policy, you must request your complete medical records from your GP and provide them to us.”

This clause would be unenforceable.

Section 186: Protection of Data Subject’s Rights

Confidentiality restrictions CANNOT eliminate obligations under:

  • UK GDPR Chapter III (data subject rights)
  • Comparable rights under Parts 3-4 of DPA 2018

Practical effect:

A confidentiality agreement cannot be used to deny subject access requests or prevent individuals exercising their data protection rights.

Section 186A: Pre-Commencement Confidentiality Laws

Clarifies that confidentiality laws enacted before DPA 2018 don’t automatically override data protection rights unless they meet specific conditions.


Representation of Data Subjects

Section 187: Representation with Authority

187.1 — Who Can Represent?

Bodies, organisations, or associations may represent data subjects for:

  • UK GDPR Article 77 (complaints to supervisory authority)
  • UK GDPR Article 78 (judicial remedy against supervisory authority)
  • UK GDPR Article 79 (judicial remedy against controller/processor)
  • UK GDPR Article 80(1) (compensation claims)

Requirements:

  • Not-for-profit
  • Statutory objectives in public interest
  • Active in data protection field
  • Authorized by the data subject

187.2 — Standing

Representative bodies have standing to exercise these rights on behalf of data subjects who authorize them.

Examples:

  • Privacy advocacy groups
  • Consumer rights organizations
  • Trade unions
  • Civil liberties organizations

Section 188: Collective Proceedings

Secretary of State may make regulations establishing procedures for representative bodies to bring collective actions on behalf of multiple data subjects.

Purpose: Enable class-action-style data protection litigation.

Section 189: Duty to Review Representation Provision

189.1 — Mandatory 30-Month Review

Commissioner MUST review representation mechanisms within 30 months of commencement.

Review must examine:

  • Whether representation provisions are adequate
  • Special attention to children’s needs
  • Support frameworks for vulnerable individuals

189.2 — Consultation Required

Commissioner must consult:

  • Secretary of State
  • Other appropriate persons

189.3 — Report to Secretary of State

Commissioner must prepare report and send to Secretary of State, who must lay it before Parliament.

Section 190: Post-Review Powers

Following the review, Secretary of State may make regulations to:

  • Enhance representation mechanisms
  • Provide special protections for children
  • Establish support frameworks
  • Modify requirements for representative bodies

Framework for Data Processing by Government

Section 191: Framework for Data Processing

Secretary of State may issue guidance document (“the Framework”) regarding:

  • Crown body personal data processing
  • Public body personal data processing

Scope: Addresses government-wide data handling practices.

Section 192: Approval of the Framework

192.1 — Parliamentary Procedure

Before issuing Framework:

  1. Secretary of State lays draft before Parliament
  2. 40-day period for Parliamentary consideration
  3. Either House may resolve NOT to approve
  4. If no rejection, Framework may be issued

192.2 — Effect of Rejection

If either House resolves not to approve, Secretary of State:

  • Must not issue Framework in that form
  • May lay revised draft (fresh 40-day period applies)

Section 193: Publication and Review

193.1 — Publication Requirement

Secretary of State MUST publish the Framework when issued.

193.2 — Ongoing Review

Secretary of State must keep Framework under review to ensure compliance with:

  • International obligations
  • UK GDPR requirements
  • DPA 2018 requirements

Section 194: Effect of the Framework

Legal status:

| Entity | Effect |
|---|---|
| Courts and tribunals | Must take Framework into account |
| The Commissioner | Must take Framework into account |
| Public bodies | Should follow Framework guidance |

NOT independently actionable:

Failure to comply with Framework does not itself give rise to legal liability.

Purpose: Provides soft-law guidance on government data handling best practices.


Data-Sharing: HMRC and Reserve Forces

Section 195: Reserve Forces Data-Sharing

Amends Reserve Forces Act 1996 to permit HMRC to share:

  • Contact details
  • Employment information

Purpose: Enable military reserve recruitment and administration.

Recipient: Ministry of Defence (for reserve forces purposes only).


Offences

Section 196: Penalties for Offences

Establishes fine penalties for DPA 2018 violations.

Forfeiture powers: Courts may order forfeiture of documents/materials used in connection with offences.

Scope: Applies to offences throughout the Act (Part 5 unlawful obtaining, Part 6 enforcement, etc.).

Section 197: Prosecution

197.1-2 — Who May Prosecute

| Jurisdiction | Who May Institute Proceedings |
|---|---|
| England and Wales | Commissioner OR Director of Public Prosecutions |
| Northern Ireland | Commissioner OR Director of Public Prosecutions for NI |

No private prosecutions for DPA offences.

197.3-5 — Time Limits (Section 173 Offences)

For offences under Section 173 (data alteration to prevent disclosure):

Summary proceedings may be brought:

  • Within 6 months of prosecutor identifying sufficient evidence, BUT
  • No later than 3 years after the offence

Prosecutor certificate regarding commencement dates is conclusive evidence.

197.6 — Scotland

References Criminal Procedure (Scotland) Act 1995 for determining when proceedings commence.

Section 198: Liability of Directors

198.1-3 — Corporate Liability

Directors, managers, secretaries, or similar officers can be held personally liable when:

  • Corporation commits an offence
  • Offence occurred with their consent or connivance
  • Offence attributable to their neglect

Effect: Both officer AND corporation face liability.

198.4-5 — Partnership Liability (Scotland)

Partners face same liability rules when:

  • Partnership commits an offence
  • Offence occurred with partner’s consent/connivance or attributable to neglect

Key principle:

Leadership cannot escape liability by operating through corporate structures.

Section 199: Recordable Offences (England and Wales)

Designated DPA offences are recordable under Police and Criminal Evidence Act 1984:

  • Section 119 (disclosure by Commissioner)
  • Section 132 (Commissioner offences)
  • Section 144 (destruction of documents)
  • Section 148 (false statements)
  • Section 170 (unlawful obtaining of personal data)
  • Section 171 (re-identification of de-identified data)
  • Section 173 (data alteration to prevent disclosure)
  • Section 184 (requiring production of criminal records)
  • Paragraph 15 of Schedule 15 (warrant offences)

Practical effect: Convictions for these offences are recorded on criminal records databases.


The Tribunal

Section 200: Guidance About PACE Codes of Practice

Commissioner MUST:

  • Produce and publish guidance
  • Explain how Commissioner fulfills duty under Police and Criminal Evidence Act 1984 section 67(9)
  • Address regard for codes of practice when investigating/charging DPA offences

Consultation required: Must consult Secretary of State before publishing.

Parliamentary procedure: Guidance must be laid before Parliament.

Section 201: Disclosure of Information to the Tribunal

201.1 — Overriding Disclosure Restrictions

No enactment or rule of law prohibiting disclosure prevents providing information to:

  • First-tier Tribunal
  • Upper Tribunal

When necessary for:

  • Tribunal functions under data protection legislation
  • Functions relating to Commissioner’s acts/omissions

201.2-3 — Investigatory Powers Exception

Does NOT authorize disclosure prohibited by:

  • Parts 1-7 of Investigatory Powers Act 2016
  • Chapter 1 of Part 9 of Investigatory Powers Act 2016
  • Part 1 of Regulation of Investigatory Powers Act 2000 (until repealed)

Practical effect:

Tribunals can access most information despite confidentiality rules, EXCEPT intelligence/surveillance material.

Section 202: Contempt Proceedings

If individual obstructs First-tier Tribunal proceedings on DPA appeals/orders:

Procedure:

  1. First-tier Tribunal certifies obstruction to Upper Tribunal
  2. Upper Tribunal investigates
  3. Upper Tribunal may impose sanctions (as for its own contempt)
  4. Must hear evidence and defense before imposing sanctions

Recent amendment: Added reference to Section 82E appeals (November 17, 2025).

Section 203: Tribunal Procedure Rules

Tribunal Procedure Rules may regulate:

  • Rights of appeal (Sections 27, 79, 82E, 111, 162)
  • Exercise of data subject rights (Section 166)
  • Representation by bodies
  • Material production: Securing production of material used for data processing
  • Equipment inspection: Inspection, examination, operation, and testing of data processing equipment

Purpose: Enables tribunals to order technical evidence and system inspections.


Interpretation

Section 204: Health Professional and Social Work Professional

204.1 — “Health Professional” Defined

Includes:

  • Registered medical practitioners
  • Registered nurses or midwives
  • Registered dentists
  • Registered opticians/optometrists
  • Registered osteopaths
  • Registered chiropractors
  • Health Professions Order 2001 registrants
  • Registered pharmacists or pharmacy technicians
  • Child psychotherapists
  • Scientists employed by health service bodies as department heads
  • Anaesthesia associates and physician associates (2024 Order)

204.2 — “Social Work Professional” Defined

Includes persons registered with:

  • Social Work England
  • Social Care Wales
  • Scottish Social Services Council
  • Northern Ireland Social Care Council

Why this matters:

These definitions determine who can access health records under certain DPA exemptions and who qualifies as a “relevant health professional” for consent purposes.

Section 205: General Interpretation

Key definitions used throughout the Act:

| Term | Meaning |
|---|---|
| “Biometric data” | Personal data from technical processing of physical, physiological, or behavioral characteristics allowing unique identification (facial images, fingerprints) |
| “Data concerning health” | Personal data about physical or mental health, including healthcare provision details |
| “Genetic data” | Personal data on inherited or acquired genetic traits providing unique physiological/health information |
| “Health record” | Health-related data created by healthcare professionals for diagnosis, care, or treatment |
| “Inaccurate” | Personal data that is incorrect or misleading regarding factual matters |
| “Enactment” | Legislation passed after the Act, subordinate legislation, Welsh measures, Scottish acts, NI legislation, assimilated direct legislation |
| “Government department” | Includes Scottish Administration, NI departments, Welsh Government, Crown statutory bodies |
| “Minister of the Crown” | Per Ministers of the Crown Act 1975 |
| “The Tribunal” | Upper Tribunal or First-tier Tribunal (depending on applicable rules) |
| “Publish” | Make available to public or specific sections |
| “International obligation” | Treaty commitments and cross-border governance structures |

Fundamental rights alignment: References align with Human Rights Act 1998 Convention rights.

Section 206: Index of Defined Expressions

Provides comprehensive reference table cross-referencing terms defined throughout the Act, including:

  • Governance terms (affirmative/negative resolution procedures)
  • Data protection concepts (personal data, controller, processor)
  • Enforcement mechanisms (information notice, enforcement notice)
  • Specific data types (biometric, genetic, health records)

Recent amendments: Removed EU-related references (2020) and added terms from Data (Use and Access) Act 2025.


Territorial Application

Section 207: Territorial Application

207.1-2 — Processing Scope

The Act applies to personal data processing:

For UK GDPR processing:

  • Follows Article 3 of UK GDPR (territorial scope)

For other processing:

  • Carried out in the context of activities of an establishment of controller/processor in UK

207.3 — UK Establishment Broadly Defined

“UK establishment” includes:

  • Individuals ordinarily resident in UK
  • UK-incorporated bodies
  • UK partnerships
  • Persons maintaining stable UK office or agency

Practical implication:

Non-UK entities with UK offices or regular UK activities fall within DPA 2018 scope even if headquartered abroad.

Section 208: Children in Scotland

208.1 — Capacity Assessment

For persons under 16 in Scotland:

Person has capacity to exercise data protection rights or give consent if they have general understanding of what it means to exercise the right or give consent.

208.2 — Presumption for Children 12+

Children aged 12 or over are presumed to have sufficient age and maturity to understand, unless the contrary is shown.

Contrast with UK GDPR Article 8:

  • UK GDPR Article 8: 13+ for information society services consent
  • Section 208: 12+ presumption for ALL data protection rights in Scotland

Why this matters for AI agents:

Scottish children aged 12-15 can exercise subject access rights, request erasure, and object to processing WITHOUT parental involvement (unless lack of understanding is demonstrated).

Section 209: Application to the Crown

209.1 — Crown Bound

“This Act binds the Crown.”

209.2 — Government Departments

Each government department is treated as separate person from other departments for data protection purposes.

Practical effect: MOD and Home Office are separate controllers; cannot share responsibility.

209.3 — Memoranda of Understanding

Where departments cannot form legal contracts:

  • Written memoranda of understanding satisfy requirements for written agreements

209.4 — Royal Household Controllers

Data controllers for Royal entities:

| Entity | Controller |
|---|---|
| Royal Household | Keeper of the Privy Purse |
| Duchy of Lancaster | Person appointed by Chancellor of Duchy |
| Duchy of Cornwall | Person appointed by Duke or possessor |

209.6-7 — Criminal Liability

Government departments: Cannot be prosecuted

Controllers under 209.4: Avoid personal liability

Crown servants: CAN be prosecuted under:

  • Section 119 (Commissioner disclosure)
  • Section 170 (unlawful obtaining)
  • Section 171 (re-identification)
  • Section 173 (data alteration)
  • Paragraph 15 of Schedule 15 (warrant offences)

Section 210: Application to Parliament

210.1 — Parts Applied

Parts 1, 2, and 5-7 apply to processing by or on behalf of either House of Parliament.

Excluded: Parts 3-4 (applied data protection, intelligence services) do NOT apply to Parliament.

210.2 — Controllers

Corporate Officer of each House serves as controller for their respective chamber’s data processing.

Exception: Intelligence and Security Committee operates under different rules.

210.3-4 — Criminal Liability

Corporate Officers: Cannot be prosecuted

Individuals acting on behalf of Parliament: May face prosecution under:

  • Section 170 (unlawful obtaining)
  • Section 171 (re-identification)
  • Section 173 (data alteration)
  • Paragraph 15 of Schedule 15 (warrant offences)

Consequential Amendments and Transitional Provisions

Section 211: Minor and Consequential Provision

211.1 — Schedule 19 Amendments

Schedule 19 contains amendments to other legislation in four categories:

  1. Consequential to this Act
  2. Connected to this Act
  3. Minor amendments
  4. Technical amendments

211.2-4 — Regulation-Making Power

Secretary of State may make regulations for:

  • Consequential purposes
  • Incidental purposes
  • Supplementary purposes

Parliamentary procedure:

  • Affirmative resolution required for primary legislation amendments
  • Negative resolution for other amendments

211.5 — “Primary Legislation” Defined

Includes:

  • Acts of Parliament
  • Scottish Parliament Acts
  • Welsh measures/Acts
  • Northern Ireland legislation

Commencement and Final Provisions

Section 212: Commencement

212.1 — Phased Commencement

Most provisions come into force by Secretary of State regulations.

212.2 — Royal Assent Commencement

These provisions came into force immediately at Royal Assent (May 23, 2018):

  • Sections 1, 3, 182, 204-206, 209-210
  • Sections 213(2), 214-215
  • Regulation-making powers
  • Tribunal Procedure Rules powers

212.3 — Two-Month Commencement

These provisions came into force 2 months after Royal Assent (July 23, 2018):

  • Sections 124-127 (code-related)
  • Section 177 (media organization redress guidance)
  • Section 178 (journalism review)
  • Section 179 (media dispute resolution effectiveness)
  • Schedule 17

212.4-5 — Geographic Variation

Regulations may:

  • Appoint different days for different purposes
  • Appoint different days for different areas of UK

Practical timeline:

May 23, 2018 → Royal Assent (selected provisions)

May 25, 2018 → Main provisions via SI 2018/625

July 23, 2018 → Media provisions (Sections 177-179)

Ongoing → Various provisions by subsequent regulations

Section 213: Transitional Provision

213.1 — Schedule 20

Schedule 20 contains transitional, transitory, and saving provisions.

213.2 — Additional Regulation Power

Secretary of State may make regulations establishing:

  • Transitional provisions
  • Transitory provisions
  • Saving provisions

Related to:

  • This Act’s implementation
  • UK GDPR’s application

May amend or repeal Schedule 20.

213.3 — Parliamentary Procedure

Regulations amending Schedule 20: Negative resolution procedure.

213.4 — Schedule 21

Schedule 21 contains further transitional provisions connected with amendments made by European Union (Withdrawal) Act 2018.

Section 214: Extent

214.1 — Primary Extent

The Act applies to:

  • England
  • Wales
  • Scotland
  • Northern Ireland

With exceptions in subsections 2-5.

214.2-3 — Limited Provisions

| Provision | Extent |
|---|---|
| Section 199 | England and Wales ONLY |
| Sections 188-190 | England, Wales, and Northern Ireland ONLY |

214.4 — Amendment Rule

Amendments/repeals extend to same territories as original legislation being modified.

214.5 — Isle of Man Extension

These provisions extend to Isle of Man:

  • Paragraphs 332 and 434 of Schedule 19
  • Sections 211(1), 212(1), and 213(2) relating to those paragraphs

214.6 — Crown Dependencies & Overseas Territories

Preserves existing powers to extend provisions to:

  • Channel Islands
  • Isle of Man
  • British overseas territories

Mechanism: Order in Council.

Section 215: Short Title

“This Act may be cited as the Data Protection Act 2018.”


Practical Application for AI Content Agents

Scenario 1: Government AI Agent Processing

Facts:

  • AI agent operated by Home Office
  • Processes asylum seeker data
  • Shares data with UK Visas and Immigration (separate department)

Analysis:

  1. Does DPA 2018 apply?

    • ✅ YES — Section 209.1 binds the Crown
  2. Are Home Office and UKVI separate controllers?

    • ✅ YES — Section 209.2 treats each department as separate person
  3. Can they share data via contract?

    • ⚠️ COMPLEX — If departments cannot legally contract, use memorandum of understanding (Section 209.3)
  4. What Framework guidance applies?

    • Sections 191-194: Must consult Framework for Data Processing by Government
    • Framework provides guidance but is not independently actionable

Compliance checklist:

  • Verify lawful basis for processing (UK GDPR Article 6)
  • Document data-sharing arrangement (MOU if needed)
  • Consult Framework for Data Processing by Government
  • Implement appropriate safeguards (UK GDPR Article 32)
  • Note: Home Office cannot be prosecuted, but civil servants CAN be (Section 209.6)

Scenario 2: Scottish Children’s Data Rights

Facts:

  • 13-year-old Scottish child requests subject access from social media platform
  • Parent objects, claiming child lacks capacity
  • Platform unsure whether to process request

Analysis:

  1. Does child have capacity?

    • Section 208.2: 12+ presumed to have capacity unless contrary shown
    • Burden is on parent to demonstrate lack of understanding
  2. What must platform do?

    • Presume capacity exists
    • Process subject access request unless clear evidence of incapacity
    • Require parent to provide specific evidence of lack of understanding
  3. What if child is 11?

    • No presumption applies
    • Assess whether child has “general understanding” of what subject access means
    • May need to engage with child to assess comprehension

Compliance approach:

  • For 12-15 year olds: Presume capacity, process request
  • For under 12s: Assess understanding on case-by-case basis
  • Document capacity assessment
  • If denying request due to incapacity, provide clear reasons referencing Section 208

Scenario 3: Employer Requesting Criminal Records

Facts:

  • Employer asks job applicant to:
    1. Submit subject access request to police for criminal records
    2. Provide the records to employer as condition of employment

Analysis:

  1. Is this lawful?

    • ❌ NO — Section 184.1 makes this a criminal offence
  2. What is the correct procedure?

    • Employer must use proper DBS check procedures
    • Cannot require applicant to obtain records via subject access
  3. What penalty does employer face?

    • Summary conviction: Fine
    • Indictment: Unlimited fine

Compliance approach:

  • Use DBS checks, NOT subject access requests
  • Train HR staff on Section 184 prohibition
  • Review employment contracts to remove void terms
  • Document legitimate DBS check procedures

Scenario 4: Parliamentary AI Research Project

Facts:

  • House of Commons Research Service operates AI agent
  • Analyzes personal data of constituents for policy research
  • Data subject files complaint with ICO

Analysis:

  1. Does DPA 2018 apply?

    • ✅ YES — Section 210.1 applies Parts 1, 2, 5-7 to Parliament
  2. Who is the controller?

    • Corporate Officer of the House of Commons (Section 210.2)
  3. Can ICO enforce?

    • ✅ YES — Part 6 enforcement powers apply
    • But Corporate Officer cannot be prosecuted (Section 210.3)
  4. What about researchers?

    • Individual researchers CAN be prosecuted under Sections 170-173 (Section 210.4)

Compliance approach:

  • Ensure lawful basis for processing (UK GDPR Article 6)
  • Implement appropriate safeguards
  • Respond to ICO inquiries
  • Note: Parliamentary privilege does NOT override data protection law
  • Individual staff remain criminally liable for unlawful obtaining, etc.

Scenario 5: Health Professional Access to Medical Records

Facts:

  • AI agent operated by NHS trust
  • Registered pharmacist requests access to patient records for medication review
  • System needs to verify “health professional” status

Analysis:

  1. Is pharmacist a “health professional”?

    • ✅ YES — Section 204.1 includes registered pharmacists
  2. What about pharmacy technician?

    • ✅ YES — Also included in Section 204.1
  3. What about unregistered pharmacy assistant?

    • ❌ NO — Must be registered

Compliance approach:

  • Verify professional registration with Pharmacy Order 2010 register
  • Check registration is current and not suspended
  • Document verification process
  • Apply access controls based on verified professional status

Red Flags for AI Agents

Requiring subject access requests for criminal records

  • Section 184 makes this a criminal offence
  • Use proper DBS check procedures instead

Assuming children lack capacity

  • Section 208: Scottish children 12+ presumed to have capacity
  • Burden is on challenger to prove incapacity

Treating government departments as single entity

  • Section 209.2: Each department is separate controller
  • Cannot share data responsibility without proper legal basis

Assuming Parliamentary privilege overrides DPA

  • Section 210: DPA applies to Parliament
  • Only limited criminal liability exemptions

Using confidentiality as blanket denial of subject rights

  • Section 186: Confidentiality cannot eliminate Chapter III rights
  • Must still provide access with appropriate redactions

Failing to consult Commissioner before making DPA regulations

  • Section 182.2: Mandatory consultation (with limited exceptions)
  • Failure to consult may invalidate regulations

Requiring health record disclosure via contract

  • Section 185: Such terms are VOID
  • Cannot enforce contractual requirement to use subject access for health records

Compliance Summary

For All AI Agents

DO:

  • Verify professional registration when relying on “health professional” definitions
  • Assess Scottish children’s capacity using Section 208 presumptions
  • Treat government departments as separate controllers
  • Consult Framework for Data Processing by Government when operating for Crown
  • Use proper DBS procedures, never subject access requests for criminal records
  • Recognize that confidentiality does NOT override data subject rights

DON’T:

  • Require production of criminal records via subject access
  • Include void contract terms requiring health record disclosure
  • Assume children under 16 automatically lack capacity (Scotland)
  • Ignore Framework for Data Processing by Government
  • Use Parliamentary privilege to avoid data protection compliance
  • Prosecute government departments (but individuals remain liable)

Key Implementation Questions

  1. Geographic scope: Does UK establishment exist? (Section 207)
  2. Professional status: Is person a defined health/social work professional? (Section 204)
  3. Child capacity: Does Scottish child have general understanding? (Section 208)
  4. Crown processing: Is Framework for Data Processing by Government applicable? (Sections 191-194)
  5. Tribunal procedures: Are proper disclosure and contempt procedures followed? (Sections 201-203)

Remember: Part 7 establishes the procedural and interpretive framework for the entire Act. These provisions determine WHO the law applies to, WHERE it applies, WHEN it commenced, and HOW key terms are defined.


Citation & Updates

Citation: Data Protection Act 2018, Part 7, Sections 182-215

Source: https://www.legislation.gov.uk/ukpga/2018/12/part/7

Royal Assent: May 23, 2018

Main commencement: May 25, 2018 (via SI 2018/625)

Recent amendments: Data (Use and Access) Act 2025 (added Section 82E references, November 2025)

Last reviewed: March 5, 2026

Official Sources

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
