A guide to the data protection exemptions
28 November 2023 - We have made updates to the section ‘Functions designed to protect the public’. The guidance now makes clear that this exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions. It also makes clear that if you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.
19 May 2023 - We have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- The UK GDPR and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in some circumstances.
- Whether or not you can rely on an exemption often depends on why you process personal data.
- You should not routinely rely on exemptions; you should consider them on a case-by-case basis.
- You should justify and document your reasons for relying on an exemption.
- If no exemption covers what you do with personal data, you need to comply with the UK GDPR as normal.
Checklists
Exemptions
☐ We consider whether we can rely on an exemption on a case-by-case basis.
☐ Where appropriate, we carefully consider the extent to which the relevant UK GDPR requirements would be likely to prevent, seriously impair, or prejudice the achievement of our processing purposes.
☐ We justify and document our reasons for relying on an exemption.
☐ When an exemption does not apply (or no longer applies) to our processing of personal data, we comply with the UK GDPR’s requirements as normal.
In brief
- What are exemptions?
- How do exemptions work?
- What exemptions are available?
What are exemptions?
In some circumstances, the DPA 2018 provides an exemption from particular UK GDPR provisions. If an exemption applies, you may not have to comply with all the usual rights and obligations.
There are several different exemptions; these are detailed in Schedules 2-4 of the DPA 2018. They add to and complement a number of exceptions already built in to certain UK GDPR provisions.
This part of the Guide focuses on the exemptions in Schedules 2-4 of the DPA 2018. We give guidance on the exceptions built in to the UK GDPR in the parts of the Guide that relate to the relevant provisions.
The exemptions in the DPA 2018 can relieve you of some of your obligations for things such as:
- the right to be informed;
- the right of access;
- dealing with other individual rights;
- reporting personal data breaches; and
- complying with the principles.
Some exemptions apply to only one of the above, but others can exempt you from several things.
Some things are not listed here as exemptions, although in practice they work a bit like an exemption. This is simply because they are not covered by the UK GDPR. Here are some examples:
- Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the UK GDPR.
- Law enforcement – the processing of personal data by competent authorities for law enforcement purposes is outside the UK GDPR’s scope (e.g. the Police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing for further information.
- Intelligence services processing – personal data processed by the intelligence services (e.g. MI5) and their processors is outside the UK GDPR’s scope. Instead, this type of processing is subject to the rules in Part 4 of the DPA 2018. See our Guide to Intelligence Services Processing for further information.
How do exemptions work?
Whether or not you can rely on an exemption generally depends on your purposes for processing personal data.
Some exemptions apply simply because you have a particular purpose. But others only apply to the extent that complying with the UK GDPR would:
- be likely to prejudice your purpose (e.g. have a damaging or detrimental effect on what you are doing); or
- prevent or seriously impair you from processing personal data in a way that is required or necessary for your purpose.
Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis.
If an exemption does apply, sometimes you will be obliged to rely on it (for instance, if complying with UK GDPR would break another law), but sometimes you can choose whether or not to rely on it.
In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.
If you cannot identify an exemption that covers what you are doing with personal data, you must comply with the UK GDPR as normal.
What exemptions are available?
Crime, law and public protection
- Crime and taxation: general
- Crime and taxation: risk assessment
- Information required to be disclosed by law or in connection with legal proceedings
- Legal professional privilege
- Self incrimination
- Disclosure prohibited or restricted by an enactment
- Immigration
- Functions designed to protect the public
- Audit functions
- Bank of England functions
Regulation, parliament and the judiciary
- Regulatory functions relating to legal services, the health service and children’s services
- Other regulatory functions
- Parliamentary privilege
- Judicial appointments, independence and proceedings
- Crown honours, dignities and appointments
Journalism, research and archiving
- Journalism, academia, art and literature
- Research and statistics
- Archiving in the public interest
Health, social work, education and child abuse
- Health data – processed by a court
- Health data – an individual’s expectations and wishes
- Health data – serious harm
- Health data – restriction of the right of access
- Social work data – processed by a court
- Social work data – an individual’s expectations and wishes
- Social work data – serious harm
- Social work data – restriction of the right of access
- Education data – processed by a court
- Education data – serious harm
- Education data – restriction of the right of access
- Child abuse data
Finance, management and negotiations
- Corporate finance
- Management forecasts
- Negotiations
References and exams
- Confidential references
- Exam scripts and exam marks
Subject access requests – information about other people
National security and defence
Crime and taxation: general
There are two parts to this exemption. The first part can apply if you process personal data for the purposes of:
- the prevention and detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of a tax or duty or an imposition of a similar nature.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling;
- notifying individuals of personal data breaches;
- the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
- the purpose limitation principle; and
- all the other principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice your purposes of processing. If this is not so, you must comply with the UK GDPR as normal.
Example
A bank conducts an investigation into suspected financial fraud. The bank wants to pass its investigation file, including the personal data of several customers, to the National Crime Agency (NCA) for further investigation. The bank’s investigation and proposed disclosure to the NCA are for the purposes of the prevention and detection of crime. The bank decides that, were it to inform the individuals in question about this processing of their personal data, this would be likely to prejudice the investigation because they might abscond or destroy evidence. So the bank relies on the crime and taxation exemption and, in this case, does not comply with the right to be informed.
The second part of this exemption applies when another controller obtains personal data processed for any of the purposes mentioned above for the purposes of discharging statutory functions. The controller that obtains the personal data is exempt from the UK GDPR provisions below to the same extent that the original controller was exempt:
- The right to be informed.
- The right of access.
- All the principles, but only so far as they relate to the right to be informed and the right of access.
Note that if you are a competent authority processing personal data for law enforcement purposes (e.g. the Police conducting a criminal investigation), your processing is subject to the rules of Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing for information on how individual rights may be restricted when personal data is processed for law enforcement purposes by competent authorities.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 2
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1) and (2), 18(1), 19, 20(1) and (2), 21(1), and 34(1) and (4)
Crime and taxation: risk assessment
This exemption can apply to personal data in a classification applied to an individual as part of a risk assessment system.
The risk assessment system must be operated by a government department, local authority, or another authority administering housing benefit, for the purposes of:
- the assessment or collection of a tax or duty; or
- the prevention or detection of crime or the apprehension or prosecution of offenders, where the offence involves the unlawful use of public money or an unlawful claim for payment out of public money.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- the right of access;
- all the principles, but only so far as they relate to the right to be informed and the right of access.
But the exemption only applies to the extent that complying with these provisions would prevent the risk assessment system from operating effectively. If this is not so, you must comply with these provisions as normal.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 3
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)
Information required to be disclosed by law or in connection with legal proceedings
This exemption has three parts. The first part can apply if you are required by law to make personal data available to the public.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling;
- the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
- the purpose limitation principle; and
- all the other principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would prevent you meeting your legal obligation to make personal data publicly available.
Example
The Registrar of Companies is legally obliged to maintain a public register of certain information about companies, including the names and (subject to certain restrictions) addresses of company directors. A director asks to exercise his right to erasure by having his name and address removed from the register. The request does not need to be complied with as it would prevent the Registrar meeting his legal obligation to make that information publicly available.
The second part of this exemption can apply if you are required by law, or court order, to disclose personal data to a third party. It exempts you from the same provisions as above, but only to the extent that complying with those provisions would prevent you disclosing the personal data.
Example
An employer receives a court order to hand over the personnel file of one of its employees to an insurance company for the assessment of a claim. Normally, the employer would not be able to disclose this information because doing so would be incompatible with the original purposes for collecting the data (contravening the purpose limitation principle). However, on this occasion the employer is exempt from the purpose limitation principle’s requirements because it would prevent the employer disclosing personal data that it must do by court order.
The third part of this exemption can apply if it is necessary for you to disclose personal data for the purposes of, or in connection with:
- legal proceedings, including prospective legal proceedings;
- obtaining legal advice; or
- establishing, exercising or defending legal rights.
It exempts you from the same provisions as above, but only to the extent that complying with them would prevent you disclosing the personal data. If complying with these provisions would not prevent the disclosure, you cannot rely on the exemption.
Example
A primary school collects information about the parents of the children who attend the school. The school has informed the parents that they will only use their personal data for specified purposes related to the care, welfare and education of their children.
However, a dispute has arisen between a teacher and one of the parents of a 7-year-old child. The matter escalates, and the parent makes a number of allegations against the teacher. The school is concerned that the parent’s behaviour is threatening and abusive, and decides to take legal action against them. The parent writes to the school and asks it not to share their information with any other organisation or individual.
The school relies on the exemption to the extent that complying with the request, and complying with the purpose limitation principle, would prevent it from disclosing the information to its solicitor.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 5
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Legal professional privilege
This exemption applies if you process personal data:
- to which a claim to legal professional privilege (or confidentiality of communications in Scotland) could be maintained in legal proceedings; or
- in respect of which a duty of confidentiality is owed by a professional legal adviser to their client.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- the right of access; and
- all the principles, but only so far as they relate to the right to be informed and the right of access.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 4, Paragraph 19
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)
Self incrimination
This exemption can apply if complying with the UK GDPR provisions below would reveal evidence that you have committed an offence.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- the right of access; and
- all the principles, but only so far as they relate to the right to be informed and the right of access.
But the exemption only applies to the extent that complying with these provisions would expose you to proceedings for the offence.
This exemption does not apply to an offence under the DPA 2018 or an offence regarding false statements made otherwise than on oath.
But any information you do provide to an individual in response to a subject access request is not admissible against you in proceedings for an offence under the DPA 2018.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 4, Paragraph 20
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)
Disclosure prohibited or restricted by an enactment
Five separate exemptions apply to personal data that is prohibited or restricted from disclosure by an enactment.
Each of them exempts you from the UK GDPR’s provisions on:
- the right of access; and
- all the principles, but only so far as they relate to the right of access.
But the exemptions only apply to personal data restricted or prohibited from disclosure by certain specific provisions of enactments covering:
- human fertilisation and embryology;
- adoption;
- special educational needs;
- parental orders; and
- children’s hearings.
If you think any of these exemptions might apply to your processing of personal data, see Schedule 4 of the DPA 2018 for full details of the enactments that are covered.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemptions) - Schedule 4
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5 and 15(1)-(3)
Immigration
This exemption can apply to certain rights if complying with those rights would be likely to prejudice effective immigration control.
The exemption can only be applied by the Secretary of State (including the Home Office and its agencies) when processing data for the purposes of maintaining effective immigration control, including investigatory/detection work (the immigration purposes).
The exemption is not available to other controllers who liaise with the Home Office on immigration matters.
It can exempt the Secretary of State from the UK GDPR’s provisions on:
- the right to be informed;
- the right of access;
- the right to erasure;
- the right to restrict processing;
- the right to object;
- all the principles, but only so far as they relate to the rights to be informed, of access, to erasure, to restrict processing and to object.
But the exemption only applies to the extent that applying these provisions would be likely to prejudice processing for the immigration purposes. If not, the exemption does not apply.
The Secretary of State must apply the exemption on a case-by-case basis, and balance the risk to immigration control against the risks to the person’s rights and freedoms (taking into account their potential vulnerabilities). They must only apply the exemption if it is necessary and proportionate in that particular case.
The Secretary of State is required to keep records of the use of the exemption and to inform individuals that the exemption has been applied unless it would be prejudicial to immigration purposes to inform them.
There is no longer any requirement for the Secretary of State to have an immigration exemption policy document in place.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 4
As amended by - The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022
Relevant provisions in the UK GDPR (the exempt provisions) – Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1) and 21(1)
Functions designed to protect the public
This exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions.
The first four functions must: be conferred on a person by enactment; be a function of the Crown, a Minister of the Crown or a government department; or be of a public nature and exercised in the public interest. These functions are:
- to protect the public against financial loss due to the seriously improper conduct (or unfitness, or incompetence) of financial services providers, or in the management of bodies corporate, or due to the conduct of bankrupts;
- to protect the public against seriously improper conduct (or unfitness, or incompetence);
- to protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication, or to recover the property of charities or community interest companies; or
- to secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work.
The fifth function must be conferred by enactment on: the Parliamentary Commissioner for Administration; the Commissioner for Local Administration in England; the Health Service Commissioner for England; the Public Services Ombudsman for Wales; the Northern Ireland Public Services Ombudsman; the Prison Ombudsman for Northern Ireland; or the Scottish Public Services Ombudsman. This function is:
- to protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide.
The sixth function must be conferred by enactment on the Competition and Markets Authority. This function is:
- to protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.
If you process personal data for any of the above functions, you are exempt from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of those functions. If you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 7
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Audit functions
This exemption can apply if you process personal data for the purposes of discharging a function conferred by enactment on:
- the Comptroller and Auditor General;
- the Auditor General for Scotland;
- the Auditor General for Wales; or
- the Comptroller and Auditor General for Northern Ireland.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If it does not, you must comply with the UK GDPR as normal.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 8
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Bank of England functions
This exemption can apply if you process personal data for the purposes of discharging a function of the Bank of England:
- in its capacity as a monetary authority;
- that is a public function (within the meaning of Section 349 of the Financial Services and Markets Act 2000); or
- that is conferred on the Prudential Regulation Authority by enactment.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If this is not so, the exemption does not apply.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 9
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Regulatory functions relating to legal services, the health service and children’s services
This exemption can apply if you process personal data for the purposes of discharging a function of:
- the Legal Services Board;
- considering a complaint under:
  - Part 6 of the Legal Services Act 2007,
  - Section 14 of the NHS Redress Act 2006,
  - Section 113(1) or (2), or Section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
  - Section 24D or 26 of the Children’s Act 1989, or
  - Part 2A of the Public Services Ombudsman (Wales) Act 2005; or
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If you can comply with these provisions and discharge your functions as normal, you cannot rely on the exemption.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 2, Paragraph 10
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Other regulatory functions
This exemption can apply if you process personal data for the purpose of discharging a regulatory function conferred under specific, listed legislation on any one of 14 bodies and persons. These are:
- the Information Commissioner;
- the Scottish Information Commissioner;
- the Pensions Ombudsman;
- the Board of the Pension Protection Fund;
- the Ombudsman for the Board of the Pension Protection Fund;
- the Pensions Regulator;
- the Financial Conduct Authority;
- the Financial Ombudsman;
- the investigator of complaints against the financial regulators;
- a consumer protection enforcer (other than the Competition and Markets Authority);
- the monitoring officer of a relevant authority;
- the monitoring officer of a relevant Welsh authority;
- the Public Services Ombudsman for Wales; or
- the Charity Commission.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your function. If this is not so, you must comply with these provisions as you normally would.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 2, Paragraphs 11-12
Relevant provisions in the UK GDPR (the exempt provisions) – Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), 21(1) and 34(1) and (4)
Parliamentary privilege
This exemption can apply if it is required to avoid the privileges of either House of Parliament being infringed.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling;
- the communication of personal data breaches to individuals; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
But if you can comply with these provisions without infringing parliamentary privilege, you must do so.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 2, Paragraph 13
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), 21(1), and 34(1) and (4)
Judicial appointments, independence and proceedings
This exemption applies if you process personal data:
- for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel;
- as an individual acting in a judicial capacity; or
- as a court or tribunal acting in its judicial capacity.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
Additionally, even if you do not process personal data for the reasons above, you are also exempt from the same provisions of the UK GDPR to the extent that complying with them would be likely to prejudice judicial independence or judicial proceedings.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 2, Paragraph 14
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Crown honours, dignities and appointments
This exemption applies if you process personal data for the purposes of:
- conferring any honour or dignity by the Crown; or
- assessing a person’s suitability for any of the following offices:
  - archbishops and diocesan and suffragan bishops in the Church of England,
  - deans of cathedrals of the Church of England,
  - deans and canons of the two Royal Peculiars,
  - the First and Second Church Estates Commissioners,
  - lord-lieutenants,
  - Masters of Trinity College and Churchill College, Cambridge,
  - the Provost of Eton,
  - the Poet Laureate, or
  - the Astronomer Royal.
It exempts you from the UK GDPR’s provisions on:
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling; and
- all the principles, but only so far as they relate to the right to be informed and the other individual rights.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 2, Paragraph 15
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)
Journalism, academia, art and literature
This exemption can apply if you process personal data for:
- journalistic purposes;
- academic purposes;
- artistic purposes; or
- literary purposes.
Together, these are known as the ‘special purposes’.
The exemption relieves you from your obligations regarding the UK GDPR’s provisions on:
- all the principles, except the security and accountability principles;
- the lawful bases;
- the conditions for consent;
- children’s consent;
- the conditions for processing special categories of personal data and data about criminal convictions and offences;
- processing not requiring identification;
- the right to be informed;
- all the other individual rights, except rights related to automated individual decision-making including profiling;
- the communication of personal data breaches to individuals;
- consultation with the ICO for high risk processing;
- international transfers of personal data; and
- cooperation and consistency between supervisory authorities.
But the exemption only applies to the extent that:
- as controller for the processing of personal data, you reasonably believe that compliance with these provisions would be incompatible with the special purposes (this must be more than just an inconvenience);
- the processing is being carried out with a view to the publication of some journalistic, academic, artistic or literary material; and
- you reasonably believe that the publication of the material would be in the public interest, taking into account the special importance of the general public interest in freedom of expression, any specific public interest in the particular subject, and the potential to harm individuals.
When deciding whether it is reasonable to believe that publication would be in the public interest, you must (if relevant) have regard to:
- the BBC Editorial Guidelines;
- the Ofcom Broadcasting Code; and
- the Editors’ Code of Practice.
We expect you to be able to explain why the exemption is required in each case, and how and by whom this was considered at the time. The ICO does not have to agree with your view – but we must be satisfied that you had a reasonable belief.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 5, Paragraph 26
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5(1)(a)-(e), 6, 7, 8(1)-(2), 9, 10, 11(2), 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1)(a)-(b) and (d), 19, 20(1)-(2), 21(1), 34(1) and (4), 36, 44, and 60-67
Research and statistics
This exemption can apply if you process personal data for:
- scientific or historical research purposes; or
- statistical purposes.
It is unlikely to apply to the processing of personal data for commercial research purposes such as market research or customer satisfaction surveys, unless you can demonstrate that this research uses rigorous scientific methods and furthers a general public interest.
It exempts you from the UK GDPR’s provisions on:
- the right of access;
- the right to rectification;
- the right to restrict processing; and
- the right to object.
The UK GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.
But the exemption and the exceptions only apply:
- to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
- if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR – among other things, you must implement data minimisation measures);
- if the processing is not likely to cause substantial damage or substantial distress to an individual;
- if the processing is not used for measures or decisions about particular individuals, except for approved medical research; and
- as regards the right of access, the research results are not made available in a way that identifies individuals.
Additionally, the UK GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for scientific or historical research purposes, or statistical purposes. See the Guide pages on these principles for more detail.
Further Reading
Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 6, Paragraph 27
Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5(1)(b) and (e), 14(1)-(4), 15(1)-(3), 16, 18(1) and 21(1)
Archiving in the public interest
This exemption can apply if you process personal data for archiving purposes in the public interest.
It exempts you from the UK GDPR’s provisions on:
- the right of access;
- the right to rectification;
- the right to restrict processing;
- the obligation to notify others regarding rectification, erasure or restriction;
- the right to data portability; and
- the right to object.
The UK GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.
But the exemption and the exceptions only apply:
- to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
- if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR – among other things, you must implement data minimisation measures);
- if the processing is not likely to cause substantial damage or substantial distress to an individual; and
- if the processing is not used for measures or decisions about particular individuals, except for approved medical research.
Additionally, the UK GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for archiving purposes in the public interest. See the Guide pages on these principles for more detail.