//

Data Protection Act 2018 - Schedule 20 Part 5 National Security Certificates

National security certificates: processing of personal data under the 1998 Act

  1. The repeal of section 28(2) to (12) of the 1998 Act does not affect the application of those provisions after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.
  2. A certificate issued under section 28(2) of the 1998 Act continues to have effect after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.
  3. Where a certificate continues to have effect under subparagraph (2) after the relevant time, it may be revoked or quashed in accordance with section 28 of the 1998 Act after the relevant time.
  4. In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.

National security certificates: processing of personal data under the 2018 Act

  1. This paragraph applies to a certificate issued under section 28(2) of the 1998 Act (an “old certificate”) which has effect immediately before the relevant time.
  2. If and to the extent that the old certificate provides protection with respect to personal data which corresponds to the protection that could be provided by a certificate issued under section 27, 79 or 111 of this Act, the old certificate also has the effect to that extent after the relevant time as if—
    1. it was a certificate issued under one or more of sections 27, 79 and 111 (as the case may be),
    2. it provided protection in respect of that personal data in relation to the corresponding provisions of this Act or the applied GDPR, and
    3. where it has effect as a certificate issued under section 79, it certified that each restriction in question is a necessary and proportionate measure to protect national security.
  3. Where an old certificate also has effect as if it were a certificate issued under one or more of sections 27, 79 and 111, that section has, or those sections have, effect accordingly in relation to the certificate.
  4. Where an old certificate has an extended effect because of sub-paragraph (2), section 130 of this Act does not apply in relation to it.
  5. An old certificate that has an extended effect because of sub-paragraph (2) provides protection only with respect to the processing of personal data that occurs during the period of 1 year beginning with the relevant time (and a Minister of the Crown may curtail that protection by wholly or partly revoking the old certificate).
  6. For the purposes of this paragraph—
    1. a reference to the protection provided by a certificate issued under—
      1. section 28(2) of the 1998 Act, or
      2. section 27, 79 or 111 of this Act,
        is a reference to the effect of the evidence that is provided by the certificate;
    2. protection provided by a certificate under section 28(2) of the 1998 Act is to be regarded as corresponding to protection that could be provided by a certificate under section 27, 79 or 111 of this Act where, in respect of provision in the 1998 Act to which the certificate under section 28(2) relates, there is corresponding provision in this Act or the applied GDPR to which a certificate under section 27, 79 or 111 could relate.
  7. In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.