(1)Information is exempt information if it constitutes—
(a)personal data of which the applicant is the data subject;
[F1(b)personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));]
(c)personal census information; or
(d)a deceased person’s health record.
[F2(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)would contravene any of the data protection principles, or
(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the [F3UK GDPR] (general processing: right to object to processing).]
[F4(3A)The third condition is that—
(a)on a request under Article 15(1) of the [F5UK GDPR] (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.]
F6(4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(5)In this section—
[F7“the data protection principles” means the principles set out in—
Article 5(1) of the [F8UK GDPR], and
section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);]
F9...
“health record” has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23); and
“personal census information” means any census information—
as defined in section 8(7) of the Census Act 1920 (c.41); or
acquired or derived by virtue of sections 1 to 9 of the Census (Great Britain) Act 1910 (c.27),
which relates to an identifiable person or household.
[F10“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);]
[F10“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).]
[F11(5A)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the [F12UK GDPR] would be contravened by the disclosure of information, Article 6(1) of the [F12UK GDPR] (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.]
(6)In section 8(7) of the Census Act 1920 (penalties), in the definition of “personal census information”, at the end there is added “ but does not include information which, by virtue of section 58(2)(b) of the Freedom of Information (Scotland) Act 2002 (asp 13) (falling away of exemptions with time), is not exempt information within the meaning of that Act ”.
Textual Amendments
F1S. 38(1)(b) substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(2) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F2S. 38(2A)(2B) substituted for s. 38(2) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(3) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F3Words in s. 38(2B) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(2) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)
F4S. 38(3A) substituted for s. 38(3) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(4) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F5Words in s. 38(3A)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(2) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)
F6S. 38(4) omitted (25.5.2018) by virtue of Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(5) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F7Words in s. 38(5) substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(6) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F8Words in s. 38(5) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(3)(a) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)
F9Words in s. 38(5) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(3)(b) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)
F10Words in s. 38(5) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(3)(c) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)
F11S. 38(5A) inserted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 90(7) (with ss. 117, 209, 210, Sch. 20 para. 36); S.I. 2018/625, reg. 2(1)(g)
F12Words in s. 38(5A) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 3 para. 22(4) (with Sch. 3 para. 112); 2020 c. 1, Sch. 5 para. 1(1)