Processing to which this Part applies
- This Part applies to—
- the processing by a competent authority of personal data wholly or partly by automated means, and
- the processing by a competent authority otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
- Any reference in this Part to the processing of personal data is to processing to which this Part applies.
- For the meaning of “competent authority”, see section 30.
Meaning of “competent authority”
- In this Part, “competent authority” means—
- a person specified or described in Schedule 7, and
- any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes.
- But an intelligence service is not a competent authority within the meaning of this Part.
- The Secretary of State may by regulations amend Schedule 7—
- so as to add or remove a person or description of the person;
- so as to reflect any change in the name of a person specified in the Schedule.
- Regulations under subsection (3) which make provision of the kind described in subsection (3)(a) may also make consequential amendments of section 73(4)(b).
- Regulations under subsection (3) which make provision of the kind described in subsection (3)(a), or which make provision of that kind and of the kind described in subsection (3)(b), are subject to the affirmative resolution procedure.
- Regulations under subsection (3) which make provision only of the kind described in subsection (3)(b) are subject to the negative resolution procedure.
- In this section—
“intelligence service” means—
- the Security Service;
- the Secret Intelligence Service;
- the Government Communications Headquarters;
“statutory function” means a function under or by virtue of an enactment.
“The law enforcement purposes”
For the purposes of this Part, “the law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Meaning of “controller” and “processor”
- In this Part, “controller” means the competent authority which, alone or jointly with others—
- determines the purposes and means of the processing of personal data, or
- is the controller by virtue of subsection (2).
- Where personal data is processed only—
- for purposes for which it is required by an enactment to be processed, and
- by means by which it is required by an enactment to be processed,
the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
- In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).
- This section defines certain other expressions used in this Part.
- “Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
- “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- “Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
- “Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.
- “Third country” means a country or territory other than a Member State.
- Sections 3 and 205 include definitions of other expressions used in this Part.