Who is Exempt from Data Protection Act?

Who is Exempt from Data Protection Act?

The Data Protection Act 2018 (DPA) updated the 1998 act to aid in securing UK citizens data and works alongside the EU’s General Data Protection Regulation (GDPR) law.

The new Data Protection Act modernises data protection laws using seven key principles. These principles of the Data Protection Act are also used in the EU’s GDPR rules. These include:

  1. Fair, lawful and transparent processing
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Data retention periods
  6. Data Security
  7. Accountability

The Data Protection Act 2018 includes four separate clauses that are no included in GDPR. As a result, these are laws relating to law enforcement and individual state national security that the European Union cannot make, which therefore countries must make themselves. Chapters 2 to 4 of the DPA cover these regulations and include regimes for specialised UK enforcement agencies like the Information Commissioner’s Office[1] (ICO), and chapters that supplement the enforcement of GDPR in the country.[2]

Exemptions in the Data Protection Act

Complete Exemptions

Complete exemptions are those organisations that can store certain data types that are so important, they cannot be provided to other parties.

Articles 6 and 23 of the EU’s GDPR allows member-states to grant exemptions in order to secure individual rights and national security.[3] For example, organisations that are involved in preserving the national safety of the UK and health of its citizens.


Intelligence companies like GCHQ or MI5, who collect data to prevent terror attacks or cybercrimes, are exempt from the Data Protection Act. This is because they hold information that is vital to defend the UK and its citizens. Therefore, providing data to any party that asks for it is not allowed.

Also, the Home Office is exempt from the DPA on matters relating to immigration, as they process data that maintains effective controls. Meaning, that subjects who have personal data in the Home Office cannot access it, neither can other third parties.

Partial Exemptions

Organisations that work in whole range of sectors can be granted partial exemptions from the Data Protection Act 2018, including crime and taxation, certain regulatory functions, health and safety and archiving in the public interest. These help to secure data protection rights for individuals.


If an institution harvests data for the purpose of detecting and preventing crime, they are also exempt from the new Data Protection Act. Examples may include police branches, intelligence agencies.

Furthermore, taxation departments may be partially exempt as investigators do not have to show their files to third parties.[4] In addition, information is protected if it is collected to prevent tax crime or fraud.

As well as this, those that regulate legal, health or children’s services are not accountable under the DPA. An example of a regulatory body that may be partially exempt is the Health and Safety Executive.

In addition to this, organisations that process and handle archival data relating to science or history are exempt, as they are carrying out work that is valuable in the public interest. These can be any museums or organisations that track personal family trees who send the data to an individual. Also, academics or researchers may also be partially exempt if their work is “in the public interest or does not identify individuals”.[5]

Though, if organisations fail to comply with the Data Protection Act 2018 or GDPR 2018 there are serious implications. Mishandling people’s data is a crime, punishable under both laws of compliance. Consequently, organisations are liable to a maximum fine of £500,000 under the DPA. However, GDPR can fine any company a maximum of 4% of their global turnover and imprison guilty individuals.[6]

You can view our GDPR online training courses here.

[1] https://ico.org.uk/

[2] https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-data-protection/about-the-dpa-2018/

[3] https://actnowtraining.wordpress.com/2018/05/30/the-data-protection-act-2018-a-summary/

[4] https://www.bbc.com/bitesize/guides/z6kj6sg/revision/7

[5] https://www.bbc.com/bitesize/guides/z6kj6sg/revision/7

[6] https://www.bpe.co.uk/services/need/data-protection-the-gdpr/brilliantly-simple-guide-to-the-gdpr/fines-and-penalties/