Data Protection Bill 2017-19

The Data Protection Bill replaces the Data Protection Act 1998 and incorporates the requirements of GDPR with certain conditions and exceptions.

Under the exceptions contained in the Bill, when responding to subject access requests you should not provide personal data of third parties unless it is reasonable to do so, nor should you provide records to patients where this is likely to cause serious harm to that person's physical or mental health. These exceptions replicate existing provisions of the DPA.

The Bill is also designed to create new criminal offences of:

  • intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
  • altering records with an intent to prevent disclosures to a data subject following a subject access request (but see exemptions above)
  • unlawfully obtaining or disclosing personal data without the data controller's consent.

This page was correct at publication on 20/06/2018. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
