Data Protection Act 2018 - Part 4 Intelligence Services Processing Chapter 1 Scope and Definitions


Processing to which this Part applies

  1. This Part applies to—
    1. the processing by an intelligence service of personal data wholly or partly by automated means, and
    2. the processing by an intelligence service otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
  2. In this Part, “intelligence service” means—
    1. the Security Service;
    2. the Secret Intelligence Service;
    3. the Government Communications Headquarters.
  3. A reference in this Part to the processing of personal data is to processing to which this Part applies.


Meaning of “controller” and “processor”

  1. In this Part, “controller” means the intelligence service which, alone or jointly with others—
    1. determines the purposes and means of the processing of personal data, or
    2. is the controller by virtue of subsection (2).
  2. Where personal data is processed only—
    1. for purposes for which it is required by an enactment to be processed, and
    2. by means by which it is required by an enactment to be processed,

     the intelligence service on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
  3. In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

Other definitions

  1. This section defines other expressions used in this Part.
  2. “Consent”, in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data.
  3. “Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
  4. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  5. “Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a person to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
  6. “Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.
  7. Sections 3 and 205 include definitions of other expressions used in this Part.