GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

Item Reference       Article 10 Link
1 10. Article 10 GDPR 10
2 10. Processing of personal data relating to criminal convictions and offences GDPR 10
3 10. Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. GDPR 10
Item Reference Articles which affect Article 10 Link
Item Reference       Paragraphs in Schedules to Data Protection Act 2018 which affect Article 10 Link
10 1// Special categories of personal data and criminal convictions etc data DPA Sch 1
11 1/1/ Conditions relating to employment, health and research etc

"This condition is met if-
(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule)."
DPA Sch 1
12 1/1/1 Employment, social security and social protection DPA Sch 1
13 1/1/2 Health or social care purposes DPA Sch 1
14 1/1/3 Public health

"This condition is met if the processing-
(a) is necessary for reasons of public interest in the area of public health, and
(b) is carried out-
(i by or under the responsibility of a health professional, or
(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."
DPA Sch 1
15 1/1/4 Research etc

"This condition is met if the processing-
(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
(b) is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and
(c) is in the public interest."
DPA Sch 1
16 1/2/ Substantial public interest conditions DPA Sch 1
17 1/2/5 Requirement for an appropriate policy document when relying on conditions in this Part

"(1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2) See also the additional safeguards in Part 4 of this Schedule."
DPA Sch 1
18 1/2/6 Statutory etc and government purposes

"(1) This condition is met if the processing-
(a) is necessary for a purpose listed in sub-paragraph (2), and
(b)is necessary for reasons of substantial public interest.
(2) Those purposes are-
(a) the exercise of a function conferred on a person by an enactment or rule of law,
(b) the exercise of a function of the Crown, a Minister of the Crown or a government department."
DPA Sch 1
19 1/2/7 Administration of justice and parliamentary purposes

"This condition is met if the processing is necessary-
(a)for the administration of justice, or
(b)for the exercise of a function of either House of Parliament."
DPA Sch 1
20 1/2/8 Equality of opportunity or treatment
Category of personal data: Groups of people (in relation to a category of personal data):
Personal data revealing racial or ethnic origin People of different racial or ethnic origins
Personal data revealing religious or philosophical beliefs People holding different religious or philosophical beliefs
Data concerning health People with different states of physical or mental health
Personal data concerning an individual's sexual orientation People of different sexual orientation
DPA Sch 1
21 1/2/9 Racial and ethnic diversity at senior levels of organisations DPA Sch 1
22 1/2/10 Preventing or detecting unlawful acts DPA Sch 1
23 1/2/11 Protecting the public against dishonesty etc DPA Sch 1
24 1/2/12 Regulatory requirements relating to unlawful acts and dishonesty etc DPA Sch 1
25 1/2/13 Journalism etc in connection with unlawful acts and dishonesty etc DPA Sch 1
26 1/2/14 Preventing fraud

"(1) This condition is met if the processing-
(a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b) consists of-
(i) the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2) In this paragraph, "anti-fraud organisation" has the same meaning as in section 68 of the Serious Crime Act 2007. "
DPA Sch 1
27 1/2/15 Suspicion of terrorist financing or money laundering

"This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following-
(a) section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property),
(b) section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering)."
DPA Sch 1
28 1/2/16 Support for individuals with a particular disability or medical condition DPA Sch 1
29 1/2/17 Counselling etc DPA Sch 1
30 1/2/18 Safeguarding of children and of individuals at risk DPA Sch 1
31 1/2/19 Safeguarding of economic well-being of certain individuals DPA Sch 1
32 1/2/20 Insurance DPA Sch 1
33 1/2/21 Occupational pensions DPA Sch 1
34 1/2/22 Political parties DPA Sch 1
35 1/2/23 Elected representatives responding to requests DPA Sch 1
36 1/2/24 Disclosure to elected representatives DPA Sch 1
37 1/2/25 Informing elected representatives about prisoners DPA Sch 1
38 1/2/26 Publication of legal judgments

"This condition is met if the processing-
(a) consists of the publication of a judgment or other decision of a court or tribunal, or
(b) is necessary for the purposes of publishing such a judgment or decision."
DPA Sch 1
39 1/2/27 Anti-doping in sport DPA Sch 1
40 1/2/28 Standards of behaviour in sport DPA Sch 1
41 1/3/ Additional conditions relating to criminal convictions etc DPA Sch 1
42 1/3/29 Consent

"This condition is met if the data subject has given consent to the processing."
DPA Sch 1
43 1/3/30 Protecting individual's vital interests

"This condition is met if-
(a) the processing is necessary to protect the vital interests of an individual, and
(b) the data subject is physically or legally incapable of giving consent."
DPA Sch 1
44 1/3/31 Processing by not-for-profit bodies

"This condition is met if the processing is carried out-
(a) in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and
(b) on condition that-
(i) the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and
(ii) the personal data is not disclosed outside that body without the consent of the data subjects."
DPA Sch 1
45 1/3/32 Personal data in the public domain

"This condition is met if the processing relates to personal data which is manifestly made public by the data subject."
DPA Sch 1
46 1/3/33 Legal claims

"This condition is met if the processing-
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights."
DPA Sch 1
47 1/3/34 Judicial acts

"This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity."
DPA Sch 1
48 1/3/35 Administration of accounts used in commission of indecency offences involving children DPA Sch 1
49 1/3/36 Extension of conditions in Part 2 of this Schedule referring to substantial public interest

"This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest. "
DPA Sch 1
50 1/3/37 Extension of insurance conditions DPA Sch 1
51 1/4/ Appropriate policy document and additional safeguards DPA Sch 1
52 1/4/38 Application of this Part of this Schedule

"This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out."
DPA Sch 1
53 1/4/39 Requirement to have an appropriate policy document in place

"The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which-
(a) explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
(b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained."
DPA Sch 1
54 1/4/40 Additional safeguard: retention of appropriate policy document

"(1) Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period-
(a) retain the appropriate policy document,
(b) review and (if appropriate) update it from time to time, and
(c) make it available to the Commissioner, on request, without charge.
(2) "Relevant period", in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which-
(a) begins when the controller starts to carry out processing of personal data in reliance on that condition, and
(b) ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing."
DPA Sch 1
55 1/4/41 Additional safeguard: record of processing

"A record maintained by the controller, or the controller's representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information-
(a) which condition is relied on,
(b) how the processing satisfies Article 6 of the GDPR (lawfulness of processing), and
(c) whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies."
DPA Sch 1
56 2/5/ Exemptions etc based on Article 85(2) for reasons of freedom of expression and information DPA Sch 2
57 2/5/26 Journalistic, academic, artistic and literary purposes DPA Sch 2
ICO guidance
Item Reference Sections of the Data Protection Act 2018 which affect Article 10 Link
58 s. Special categories of personal data
59 s. 10 Special categories of personal data and criminal convictions etc data
(1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—
(a) point (b) (employment, social security and social protection);
(b) point (g) (substantial public interest);
(c) point (h) (health and social care);
(d) point (i) (public health);
(e) point (j) (archiving, research and statistics).
(2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.
(3) The processing meets the requirement in point (g) of Article 9(2) of the GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.
(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
(6) The Secretary of State may by regulations—
(a) amend Schedule 1—
(i) by adding or varying conditions or safeguards, and
(ii) by omitting conditions or safeguards added by regulations under this section, and
(b) consequentially amend this section.
(7) Regulations under this section are subject to the affirmative resolution procedure.
DPA s.10
60 s. 11 Special categories of personal data etc: supplementary
(1) For the purposes of Article 9(2)(h) of the GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of secrecy) include circumstances in which it is carried out—
(a) by or under the responsibility of a health professional or a social work professional, or
(b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
(2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—
(a) the alleged commission of offences by the data subject, or
(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
DPA s.11
61 s. 15 Restrictions on data subject's rights DPA s.15
62 s. 15 Exemptions etc
(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR.
(2) In Schedule 2—
(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR;
(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(c) Part 3 makes provision restricting the application of Article 15 of the GDPR where this is necessary to protect the rights of others, as allowed for by Article 23(1) of the GDPR;
(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the GDPR in specified circumstances, as allowed for by Article 23(1) of the GDPR;
(e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV, V and VII of the GDPR for reasons relating to freedom of expression, as allowed for by Article 85(2) of the GDPR;
(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical research purposes, statistical purposes and archiving purposes, as allowed for by Article 89(2) and (3) of the GDPR.
(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to health, social work, education and child abuse data, as allowed for by Article 23(1) of the GDPR.
(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the GDPR to information the disclosure of which is prohibited or restricted by an enactment, as allowed for by Article 23(1) of the GDPR.
(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part and the exemption in section 26.
DPA s.15
Item Reference       GDPR Recitals which affect Article 10
63 Recital 51 (51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
64 Recital 52 (52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Item Reference       Related Guidance which affects Article 10
65 ICO guidance on Lawfulness, fairness and transparency Guidance
66 ICO guidance on Purpose limitation Guidance
67 ICO guidance on Vital interests Guidance
68 ICO guidance on Public task Guidance
69 ICO guidance on Criminal offence data Guidance
Disclaimer - Copyright - Privacy policy