A guide to the data protection exemptions

28 November 2023 - We have made updates to the section ‘Functions designed to protect the public’. The guidance now makes clear that this exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions. It also makes clear that if you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.

19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

At a glance

Checklists

Exemptions

☐ We consider whether we can rely on an exemption on a case-by-case basis.

☐ Where appropriate, we carefully consider the extent to which the relevant UK GDPR requirements would be likely to prevent, seriously impair, or prejudice the achievement of our processing purposes.

☐ We justify and document our reasons for relying on an exemption.

☐ When an exemption does not apply (or no longer applies) to our processing of personal data, we comply with the UK GDPR’s requirements as normal.

In brief

What are exemptions?

In some circumstances, the DPA 2018 provides an exemption from particular UK GDPR provisions. If an exemption applies, you may not have to comply with all the usual rights and obligations.

There are several different exemptions; these are detailed in Schedules 2-4 of the DPA 2018. They add to and complement a number of exceptions already built into certain UK GDPR provisions.

This part of the Guide focuses on the exemptions in Schedules 2-4 of the DPA 2018. We give guidance on the exceptions built into the UK GDPR in the parts of the Guide that relate to the relevant provisions.

The exemptions in the DPA 2018 can relieve you of some of your obligations for things such as:

Some exemptions apply to only one of the above, but others can exempt you from several things.

Some things are not listed here as exemptions, although in practice they work a bit like an exemption. This is simply because they are not covered by the UK GDPR. Here are some examples:

How do exemptions work?

Whether or not you can rely on an exemption generally depends on your purposes for processing personal data.

Some exemptions apply simply because you have a particular purpose. But others only apply to the extent that complying with the UK GDPR would:

Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis.

If an exemption does apply, sometimes you will be obliged to rely on it (for instance, if complying with UK GDPR would break another law), but sometimes you can choose whether or not to rely on it.

In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.

If you cannot identify an exemption that covers what you are doing with personal data, you must comply with the UK GDPR as normal.

What exemptions are available?

Crime, law and public protection

Regulation, parliament and the judiciary

Journalism, research and archiving

Health, social work, education and child abuse

Finance, management and negotiations

References and exams

Subject access requests – information about other people

National security and defence

Crime and taxation: general

There are two parts to this exemption. The first part can apply if you process personal data for the purposes of:

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice your purposes of processing. If this is not so, you must comply with the UK GDPR as normal.

Example

A bank conducts an investigation into suspected financial fraud. The bank wants to pass its investigation file, including the personal data of several customers, to the National Crime Agency (NCA) for further investigation. The bank’s investigation and proposed disclosure to the NCA are for the purposes of the prevention and detection of crime. The bank decides that, were it to inform the individuals in question about this processing of their personal data, this would be likely to prejudice the investigation because they might abscond or destroy evidence. So the bank relies on the crime and taxation exemption and, in this case, does not comply with the right to be informed.

The second part of this exemption applies when another controller obtains personal data processed for any of the purposes mentioned above for the purposes of discharging statutory functions. The controller that obtains the personal data is exempt from the UK GDPR provisions below to the same extent that the original controller was exempt:

Note that if you are a competent authority processing personal data for law enforcement purposes (e.g. the police conducting a criminal investigation), your processing is subject to the rules of Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing for information on how individual rights may be restricted when personal data is processed for law enforcement purposes by competent authorities.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 2

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1) and (2), 18(1), 19, 20(1) and (2), 21(1), and 34(1) and (4)

Crime and taxation: risk assessment

This exemption can apply to personal data in a classification applied to an individual as part of a risk assessment system.

The risk assessment system must be operated by a government department, local authority, or another authority administering housing benefit, for the purposes of:

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would prevent the risk assessment system from operating effectively. If this is not so, you must comply with these provisions as normal.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 3

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)

Information required to be disclosed by law or in connection with legal proceedings

This exemption has three parts. The first part can apply if you are required by law to make personal data available to the public.

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would prevent you meeting your legal obligation to make personal data publicly available.

Example

The Registrar of Companies is legally obliged to maintain a public register of certain information about companies, including the names and (subject to certain restrictions) addresses of company directors. A director asks to exercise his right to erasure by having his name and address removed from the register. The Registrar does not need to comply with the request, because doing so would prevent him from meeting his legal obligation to make that information publicly available.

The second part of this exemption can apply if you are required by law, or court order, to disclose personal data to a third party. It exempts you from the same provisions as above, but only to the extent that complying with those provisions would prevent you disclosing the personal data.

Example

An employer receives a court order to hand over the personnel file of one of its employees to an insurance company for the assessment of a claim. Normally, the employer would not be able to disclose this information because doing so would be incompatible with the original purposes for collecting the data (contravening the purpose limitation principle). However, on this occasion the employer is exempt from the purpose limitation principle’s requirements, because complying with them would prevent the employer from making a disclosure of personal data that it is required to make by court order.

The third part of this exemption can apply if it is necessary for you to disclose personal data for the purposes of, or in connection with:

It exempts you from the same provisions as above, but only to the extent that complying with them would prevent you disclosing the personal data. If complying with these provisions would not prevent the disclosure, you cannot rely on the exemption.

Example

A primary school collects information about the parents of the children who attend the school. The school has informed the parents that they will only use their personal data for specified purposes related to the care, welfare and education of their children.

However, a dispute has arisen between a teacher and one of the parents of a 7-year-old child. The matter escalates, and the parent makes a number of allegations against the teacher. The school is concerned that the parent’s behaviour is threatening and abusive, and decides to take legal action against them. The parent writes to the school and asks it not to share their information with any other organisation or individual.

The school relies on the exemption to the extent that complying with the request, and complying with the purpose limitation principle, would prevent it from disclosing the information to its solicitor.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 5

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)

Legal professional privilege

This exemption applies if you process personal data:

It exempts you from the UK GDPR’s provisions on:

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 4, Paragraph 19

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)

Self incrimination

This exemption can apply if complying with the UK GDPR provisions below would reveal evidence that you have committed an offence.

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would expose you to proceedings for the offence.

This exemption does not apply to an offence under the DPA 2018 or an offence regarding false statements made otherwise than on oath.

But any information you do provide to an individual in response to a subject access request is not admissible against you in proceedings for an offence under the DPA 2018.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 4, Paragraph 20

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), and 15(1)-(3)

Disclosure prohibited or restricted by an enactment

Five separate exemptions apply to personal data that is prohibited or restricted from disclosure by an enactment.

Each of them exempts you from the UK GDPR’s provisions on:

But the exemptions only apply to personal data restricted or prohibited from disclosure by certain specific provisions of enactments covering:

If you think any of these exemptions might apply to your processing of personal data, see Schedule 4 of the DPA 2018 for full details of the enactments that are covered.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemptions) - Schedule 4

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5 and 15(1)-(3)

Immigration

This exemption can apply to certain rights if complying with those rights would be likely to prejudice effective immigration control.

The exemption can only be applied by the Secretary of State (including the Home Office and its agencies) when processing data for the purposes of maintaining effective immigration control, including investigatory and detection work (the immigration purposes).

The exemption is not available to other controllers who liaise with the Home Office on immigration matters.

It can exempt the Secretary of State from the UK GDPR’s provisions on:

But the exemption only applies to the extent that applying these provisions would be likely to prejudice processing for the immigration purposes. If not, the exemption does not apply.

The Secretary of State must apply the exemption on a case-by-case basis, and balance the risk to immigration control against the risks to the person’s rights and freedoms (taking into account their potential vulnerabilities). They must only apply the exemption if it is necessary and proportionate in that particular case.

The Secretary of State is required to keep records of the use of the exemption and to inform individuals that the exemption has been applied unless it would be prejudicial to immigration purposes to inform them.

There is no longer any requirement for the Secretary of State to have an immigration exemption policy document in place.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 4

As amended by - The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022

Relevant provisions in the UK GDPR (the exempt provisions) – Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1) and 21(1)

Functions designed to protect the public

This exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions.

The first four functions must: be conferred on a person by enactment; be a function of the Crown, a Minister of the Crown or a government department; or be of a public nature and exercised in the public interest. These functions are:

  1. to protect the public against financial loss due to the seriously improper conduct (or unfitness, or incompetence) of financial services providers, or in the management of bodies corporate, or due to the conduct of bankrupts;
  2. to protect the public against seriously improper conduct (or unfitness, or incompetence);
  3. to protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication, or to recover the property of charities or community interest companies; or
  4. to secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work.

The fifth function must be conferred by enactment on: the Parliamentary Commissioner for Administration; the Commissioner for Local Administration in England; the Health Service Commissioner for England; the Public Services Ombudsman for Wales; the Northern Ireland Public Services Ombudsman; the Prison Ombudsman for Northern Ireland; or the Scottish Public Services Ombudsman. This function is:

  1. to protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide.

The sixth function must be conferred by enactment on the Competition and Markets Authority. This function is:

  1. to protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.

If you process personal data for any of the above functions, you are exempt from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of those functions. If you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 7

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)

Audit functions

This exemption can apply if you process personal data for the purposes of discharging a function conferred by enactment on:

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If it does not, you must comply with the UK GDPR as normal.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 8

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)

Bank of England functions

This exemption can apply if you process personal data for the purposes of discharging a function of the Bank of England:

It exempts you from the UK GDPR’s provisions on:

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If this is not so, the exemption does not apply.

Further Reading

Relevant provisions in the Data Protection Act 2018 (the exemption) - Schedule 2, Part 1, Paragraph 9

Relevant provisions in the UK GDPR (the exempt provisions) - Articles 5, 13(1)-(3), 14(1)-(4), 15(1)-(3), 16, 17(1)-(2), 18(1), 19, 20(1)-(2), and 21(1)

Regulatory functions relating to legal services, the health service and children’s services

This exemption can apply if you process personal data for the purposes of discharging a function of: