Guidance

Guidance on the application of Article 36(4) of the UK General Data Protection Regulation (UK GDPR)

Guidance for public authorities on their obligation to consult with the Information Commissioner's Office (ICO) on any proposals for legislative or statutory measures they are developing which involve the processing of personal data.

From:
Department for Science, Innovation and Technology
Published
26 February 2019
Last updated
29 November 2023 鈥� See all updates

Documents

Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR)

HTML

ODT, 14.5 KB

This file is in an OpenDocument format

Details

Article 36(4) of the UK GDPR states that 鈥渢he relevant authority must consult the Information Commissioner during the preparation of a proposal for a legislative measure to be adopted by Parliament, the National Assembly for Wales, the Scottish Parliament or the Northern Ireland Assembly or of a regulatory measure based on such a legislative measure, which relates to processing鈥�.

This is a legally binding requirement on all relevant public sector organisations, and failure to adequately consult with the ICO on such proposals would constitute a breach of the UK GDPR.

This guidance sets out a process by which all relevant public bodies should consult with the ICO to fulfil their obligations in respect of this requirement. The consultation process is consistent with established Cabinet Office consultation principles.

Updates to this page

Published 26 February 2019
Last updated 29 November 2023

  1. Updated page ownership from the Department for Digital, Culture, Media and Sport to the Department for Science, Innovation and Technology.

  2. Added translation

Sign up for emails or print this page