DPA 2018: UK GDPR Implementation

UK GDPR Implementation [Sections 6-20]

Rule: Part 2 Chapter 2 provides the UK-specific implementation of the UK GDPR, including definitions, lawfulness bases, special categories processing conditions, certification, exemptions, and safeguards.

Purpose of These Sections

While the UK GDPR is directly applicable law, sections 6-20 of the DPA 2018:

  • Define UK-specific terms and concepts
  • Specify conditions for processing special categories
  • Create additional lawful bases
  • Establish exemptions and restrictions
  • Provide safeguards for specific processing types

Definitions [Sections 6-7]

Section 6: Meaning of “Controller”

The UK GDPR definition of controller applies with this modification:

Situation | Condition | Who is controller
Processing required by law | An enactment requires the processing for specified purposes and by specified means | Person on whom the enactment imposes the obligation
Normal circumstances | UK GDPR Article 4(7) applies | Person determining the purposes and means

Example:

  • Companies House must collect company information in specified format
  • Controller: Companies House (not the company submitting data)
  • Rationale: Law prescribes purposes and essential means

Practical impact:

  • Statutory data collection schemes have clear controller designation
  • Organizations fulfilling legal obligations may not be controllers
  • Important for determining responsibilities

Section 7: Meaning of “Public Authority” and “Public Body”

For UK GDPR purposes, “public authority” means:

Category | Description | Citation
FOIA bodies | Public authorities under the Freedom of Information Act 2000 | s.7(1)(a)
Scottish equivalents | Bodies under the Scottish FOIA | s.7(1)(b)
ARIA | Advanced Research and Invention Agency | s.7(1)(c)
Secretary of State designation | Bodies specified by regulations | s.7(1)(d)

Important limitation (s.7(2)): Public authority designation applies only when:

  • Performing tasks in public interest, or
  • Exercising official authority

Practical significance:

  • Affects Article 6(1)(e) lawful basis availability
  • Determines when consent cannot be freely given (imbalance of power)
  • Influences DPO appointment requirements
  • Relevant for transparency obligations

Not public authorities for all purposes:

  • NHS Trust running commercial services (commercial activity only)
  • University conducting private research (research activity only)
  • Council-owned company (trading activities)

Lawfulness of Processing [Section 8]

Section 8: Public Interest Processing

Expands Article 6(1)(e) (processing necessary for public interest task or official authority exercise).

Additional public interest bases:

Basis | Description | Examples
Administration of justice | Supporting the judicial system | Court administration, tribunal processing
Parliamentary functions | Legislative and oversight activities | Hansard, committee inquiries
Statutory functions | Carrying out functions conferred by statute | Regulatory bodies, statutory inspectorates
Crown functions | Exercise of Crown functions | Government departments, Crown services
Democratic engagement | Supporting democratic processes | Electoral registration, petitions

Practical application:

  • Government agencies using this basis for statutory functions
  • Parliamentary processing of correspondence and investigations
  • Courts processing case management data
  • Electoral registration officers processing voter data

Requirements:

  • Must be necessary for the specific function
  • Must be proportionate
  • Alternative bases may be more appropriate in some cases
  • Document reliance on this basis

International Law Processing [Section 9A]

Section 9A: Processing Based on International Law

Processing meets UK GDPR requirements for international law bases only if the conditions in Schedule A1 are satisfied:

Condition Type | Description | Citation
Treaty obligations | Processing necessary for compliance with an international treaty | Sch A1
Safeguards | Appropriate safeguards for data subjects in place | Sch A1
Necessity | Processing strictly necessary, not merely convenient | Sch A1

Secretary of State power:

  • May amend Schedule A1 by regulations
  • Subject to Parliamentary approval
  • Ensures compliance with evolving international obligations

Practical examples:

  • NATO information sharing
  • UN sanctions compliance
  • Diplomatic communications
  • International law enforcement cooperation

Special Categories and Criminal Convictions [Sections 10-11]

Section 10: Conditions for Processing

To process special category data (UK GDPR Article 9) or criminal conviction data (Article 10), a controller must satisfy both of the following:

Dual requirement:

  1. Article 6 lawful basis (consent, contract, legal obligation, etc.)
  2. Article 9 or 10 condition (as specified in Schedule 1)

Schedule 1 structure:

Part | Covers | Application
Part 1 | Consent-based processing | Art 9(2)(a) explicit consent
Part 2 | Substantial public interest | Art 9(2)(g) - 23 specific conditions
Part 3 | Health and social care | Art 9(2)(h) health/social care processing

Key Schedule 1 Part 2 conditions include:

Condition | Purpose | Examples
Statutory/government purposes (para 6) | Exercising statutory functions | Regulatory oversight, public services
Equality monitoring (para 8) | Monitoring diversity | Employment equality data
Preventing fraud (para 11) | Detecting/preventing fraud | Financial crime prevention
Safeguarding vulnerable groups (para 18) | Protecting children/adults at risk | Safeguarding records
Insurance (para 12) | Actuarial/risk assessment | Insurance underwriting
Occupational pensions (para 13) | Pension scheme administration | Health data for pensions

Additional requirements for Schedule 1 Part 2:

Appropriate Policy Document (APD) required:

  • Must document compliance with data protection principles
  • Explain retention and deletion policies
  • Review and update regularly
  • Make available to Commissioner on request

Record-keeping:

  • Maintain records of processing under Schedule 1
  • Document legal basis and condition relied upon
  • Retention policy for such records

Section 11: Supplementary Provisions

Article 9(2)(h) health/social care processing may be carried out by:

Who Can Process | Capacity | Citation
Health professionals | Medical practitioners, nurses, etc. | s.11(2)
Social workers | Qualified social workers | s.11(2)
Others with confidentiality duty | Anyone owing an equivalent duty of confidentiality | s.11(2)

Article 10 criminal conviction data is broader than convictions alone and includes:

  • Allegations of offenses
  • Proceedings relating to offenses
  • Sentences and penalties
  • Security measures
  • Rehabilitation measures

Practical effect:

  • DBS checks cover allegations, not just convictions
  • Court proceedings data covered
  • Police intelligence about suspected offenses
  • Sentence management data

Controller Obligations [Sections 12-14]

Section 12: Limits on Fees

Secretary of State may make regulations specifying:

Fee limits for:

  • Article 12(5) - manifestly unfounded/excessive requests
  • Article 15(3) - additional copies of personal data

Regulations may:

  • Set maximum fees chargeable
  • Prescribe calculation methods
  • Require publication of fee policies
  • Exempt certain categories

Purpose: prevent excessive fees from deterring data subjects from exercising their rights

Section 13: Credit Reference Agencies

Special rules for credit reference agencies (CRAs):

Article 15 disclosure obligations:

Requirement | Details | Citation
Limited default scope | CRAs need only disclose financial standing data | s.13(2)
Full disclosure on request | If the data subject so specifies, disclose all personal data | s.13(3)
Correction rights notice | Must inform of Consumer Credit Act 1974 rights | s.13(4)

Practical application:

  • Standard credit report = financial standing data only
  • Data subject can request full file
  • CRA must explain how to correct errors
  • Balances transparency with practical operation

“Financial standing” information:

  • Credit history
  • Payment behavior
  • Outstanding debts
  • County Court Judgments
  • Insolvency records

Section 14: Automated Decision-Making Safeguards

Status: Omitted as of February 5, 2026 by Data (Use and Access) Act 2025

Historical purpose:

  • Provided safeguards for automated decisions authorized by law
  • Required appropriate measures to safeguard data subjects
  • Ensured right to human review where appropriate

Current position:

  • Automated decision-making governed directly by UK GDPR Article 22
  • Specific statutory safeguards may be in other legislation
  • Data (Use and Access) Act modernized framework

Exemptions [Sections 15-16]

Section 15: Main Exemptions

Schedule 2, 3, and 4 provide exemptions adapting UK GDPR application:

Schedule 2 exemptions:

Category | Articles Affected | Purpose
National security | Arts 13-21, 34 | Protect security interests
Crime/taxation | Arts 13-21, 34 | Enable investigations
Regulatory functions | Arts 13-21 | Support oversight
Journalism/academia/art | Arts 13-21, 34 | Protect expression
Research/statistics | Arts 15-20 | Enable valuable research
Archiving | Arts 15-20 | Preserve historical records

Schedule 3 - Health and Education:

  • Exemptions for medical/educational records
  • Balance individual rights with professional judgment
  • Enable effective healthcare/education delivery

Schedule 4 - Disclosure Prohibited/Restricted:

  • Legal professional privilege
  • Self-incrimination protection
  • Other statutory restrictions on disclosure

How exemptions work:

  • Proportionate restriction of data subject rights
  • Only to extent necessary for exemption purpose
  • Controller must demonstrate necessity
  • Cannot rely on exemption automatically

Example - Crime/taxation exemption:

  • Police investigation need not disclose surveillance methods (Art 13/14)
  • Tax authority can withhold risk assessment approach (Art 15)
  • Only to extent that disclosure would prejudice investigation

Section 16: Power to Create Additional Exemptions

Secretary of State may make regulations exercising UK GDPR powers:

Article 6(3) - additional lawful bases:

  • For specific processing types
  • Meeting UK GDPR requirements
  • Proportionate and necessary

Article 23(1) - restrictions on rights:

  • Legislative measures restricting obligations
  • For important objectives (security, justice, etc.)
  • Respecting essence of rights

Article 85(2) - reconciling rights:

  • Balance data protection with expression
  • Exemptions for journalism, academia, art
  • Case-by-case assessment

Parliamentary procedure:

  • Regulations subject to affirmative resolution
  • Both Houses must approve
  • Ensures democratic oversight

Certification [Section 17]

Section 17: Accreditation of Certification Providers

UK GDPR Article 42 allows certification mechanisms. Section 17 specifies:

Accreditation requirements:

Requirement | Details | Citation
Accreditation body | Commissioner or UK national accreditation body | s.17(1)
Public statement | Commissioner must publish authorization | s.17(2)
Before accreditation | Statement must precede actual accreditation | s.17(3)

Certification purpose:

  • Demonstrate compliance with UK GDPR
  • Build trust with data subjects
  • Competitive advantage
  • Simplify procurement
  • Facilitate international transfers (with supplementary measures)

Certification scope can cover:

  • Specific processing operations
  • Categories of processing
  • Entire organization
  • Products or services
  • Specific UK GDPR requirements

UK GDPR Articles 42-43:

  • Article 42: General provisions on certification
  • Article 43: Certification bodies

Process:

  1. Organization seeks certification
  2. Accredited certification body assesses compliance
  3. If compliant, certification issued
  4. Maximum 3-year validity
  5. Monitoring and renewal required

International Transfers [Sections 17A-18]

Section 17A: Transfers Based on Adequacy

Post-Brexit framework for international transfers:

Adequacy regulations:

  • Secretary of State may designate countries/territories as adequate
  • Transfer to adequate destination lawful
  • No further safeguards required

Adequacy determination considers:

  • Rule of law in destination
  • Data protection laws
  • Supervisory authority independence
  • International commitments
  • Onward transfer rules

Current UK adequacy decisions:

  • EEA countries
  • European Commission adequacy decisions (adopted by UK)
  • Additional countries designated by UK

Section 17B: Review of Adequacy

Ongoing monitoring:

  • Commissioner monitors adequacy decisions
  • Review at least every 4 years
  • Can be suspended or withdrawn if circumstances change

Factors triggering review:

  • Changes to destination laws
  • Practical application concerns
  • New risks identified
  • Data subject complaints

Section 17C: Standard Data Protection Clauses

The Commissioner may issue standard clauses for transfers to destinations lacking an adequacy decision.

Parliamentary procedure:

  • Draft clauses laid before Parliament
  • 40-day approval period
  • Either House can reject

Use of standard clauses:

  • Contractual safeguards for transfers
  • Ensure adequate protection
  • Alternative to individual assessment
  • Commissioner maintains approved list

Section 18: Transfers for Important Public Interest

Where transfer cannot be based on adequacy and is necessary for important reasons of public interest:

Secretary of State may:

  • Authorize specific transfers
  • Subject to appropriate safeguards
  • For urgent or exceptional circumstances

Examples:

  • International criminal investigations
  • Public health emergencies
  • Diplomatic communications
  • Treaty obligations

Research and Archives [Sections 19-20]

Section 19: Processing for Research/Statistics

Appropriate safeguards required where processing for:

  • Scientific or historical research
  • Statistical purposes
  • Archiving in public interest

And processing likely to cause:

  • Substantial damage, or
  • Substantial distress

Required safeguards include:

Safeguard | Purpose | Example
Pseudonymisation | Separate identifying data | Replace names with codes
Access controls | Limit who can access | Role-based permissions
Anonymisation where possible | Irreversibly remove identifiers | Statistical datasets
Transparency | Inform data subjects | Privacy notices
Purpose limitation | Only for the specified purpose | No repurposing

Schedule 2 Part 6 exemptions:

  • Articles 15-20 rights may be restricted
  • To extent that rights would prevent/seriously impair research
  • Must apply appropriate safeguards
  • Balance scientific value with individual rights

Data Protection Act 2018 approach:

  • Maximal use of Article 89 derogations
  • Greatest freedom for researchers consistent with GDPR
  • UK research-friendly regime
  • Archivists and researchers benefit

Section 20: Meaning of “Court”

“Court” includes:

  • All levels of court hierarchy
  • Tribunals
  • Bodies exercising judicial functions

Relevance:

  • Section 117 (Commissioner competence limits)
  • Exemptions for court proceedings
  • Legal proceedings data protection rights

Practical Compliance

For Controllers Processing Special Categories

Checklist:

  1. ✅ Identify Article 6 lawful basis
  2. ✅ Identify Schedule 1 condition
  3. ✅ Prepare Appropriate Policy Document (if Schedule 1 Part 2)
  4. ✅ Maintain records of processing
  5. ✅ Implement technical safeguards
  6. ✅ Train staff on special categories handling
  7. ✅ Review and update APD regularly

For Public Authorities

Considerations:

  1. Determine if acting in public interest capacity
  2. Document reliance on Article 6(1)(e)
  3. Specify statutory basis clearly
  4. Consider if consent can be freely given (power imbalance)
  5. Apply public authority-specific obligations
  6. Enhanced transparency expectations

For Researchers

Key points:

  1. Apply appropriate safeguards (s.19)
  2. Rely on Schedule 2 Part 6 exemptions where applicable
  3. Document necessity of processing identifiable data
  4. Implement pseudonymisation/anonymisation where possible
  5. Establish ethics review processes
  6. Balance research value against individual rights
  7. Prepare for Commissioner oversight

For International Transfers

Compliance steps:

  1. Check if destination has adequacy decision (s.17A)
  2. If not adequate, identify appropriate safeguard:
    • Commissioner’s standard clauses (s.17C)
    • Binding corporate rules
    • Approved codes/certifications
    • Article 49 derogations (exceptional circumstances)
  3. Implement supplementary measures if needed
  4. Document transfer basis
  5. Inform data subjects
  6. Monitor Commissioner guidance on adequacy

Common Pitfalls

Assuming all government processing is public interest:

  • Section 7 limits when public authority designation applies
  • Commercial activities not covered
  • Must genuinely be public interest task

Relying on Schedule 1 without APD:

  • Schedule 1 Part 2 conditions require Appropriate Policy Document
  • Failure to maintain APD = non-compliance
  • Must be available to Commissioner on request

Overlooking exemptions:

  • Schedule 2-4 provide valuable exemptions
  • Must apply proportionately
  • Document necessity

Inadequate safeguards for research:

  • Section 19 requires appropriate safeguards
  • Cannot assume research = automatic exemption
  • Balance research value with data protection

Citation

Data Protection Act 2018, Part 2 Chapter 2

Sources

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.