Data meaning

The Investigatory Powers Act 2016 (IPA 2016) revamped the legal regime regulating covert surveillance by public authorities. IPA 2016 superseded large parts of the framework previously, though not solely, contained in the Regulation of Investigatory Powers Act 2000 (RIPA 2000). See Practice Note: The regulation of intelligence gathering—an introductory guide. This note outlines the offences introduced by IPA 2016. For details of general sentencing limits in a magistrates’ court, see Practice Note: Sentences imposed following conviction—General limits on magistrates’ courts powers to impose custodial sentences following conviction... Section Offence Statutory defence Maximum sentence IPA 2016, s 3 — Unlawful interception: a person, by conduct in the UK, deliberately intercepts a communication during its transmission without lawful authority. Defence: where the individual has the right to control the operation or use of the system, or had that person’s express or implied consent to carry out the interception. Maximum sentence: on summary conviction, a fine; on indictment, up to two years’ imprisonment and/or a...

In this Checklist, the following defined terms are relevant: application programming interface (API) refers to an application programming interface API Data means any data or other content on the Platform reached by the Application or the API Licensee, and/or sent from the Platform to the Application via an API API Licensee means a provider of an Application that connects to the Platform/API API Licensor means the provider of a Platform/API Application means an application of an API Licensee that uses an API Platform means a platform of an API Licensor that is accessed through an API An API is a source code-level interface that enables applications (specifically, software components) to communicate with one another. It is the outward-facing element of an application that sets the rules for how that application will interact with other software. A developer does not need to grasp the entire codebase of an application to build something compatible with it. So long as the software...

This timeline charts activity from 1 January 2024 onwards concerning the EU-facing legal and supervisory frameworks for anti-money laundering (AML), counter-terrorist financing (CTF) and counter‑proliferation financing (CPF) within the financial services sector. It traces both milestones and roll-out of the European AML, CTF and CPF rulebook. It also tracks cross-border initiatives in AML/CTF/CPF from the Financial Action Task Force (FATF), Basel Committee on Banking Supervision (BCBS), International Association of Insurance Supervisors (IAIS), IOSCO, the Egmont Group of Financial Intelligence Units (FIUs) and the Wolfsberg Group. For added detail on the EU AML/CTF regime, consult the Financial crime and sanctions (EU Law)—overview, including Practice Notes on AMLA—direct oversight of qualifying financial services firms, the EU Sixth Money Laundering Directive (MLD6) and the EU Recast Second Wire Transfer Regulation (Recast WTR2) on cryptoasset transfers... 2026 16 March 2026 — AMLA — AMLA starts a data collection exercise to test risk assessment models. AMLA has issued the reporting package for this data collection and testing exercise...

STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data rectification erasure restriction of processing data portability a right of data subjects Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits and deadlines apply to responding to such requests promptly. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...

These Flowcharts These Flowcharts offer direction on the proper method for completing the parts of a stock transfer form that address consideration, stamp duty certification, and execution. They are included within an annotated stock transfer form, which clearly sets out instructions explaining how its sections should be properly filled in...

STOP PRESS: This document is being revised to take account of the Data (Use and Access) Act 2025 (DUAA 2025), which updates the UK GDPR and the Data Protection Act 2018. For more on the compliance impact of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications... This Flowchart steers you through the lawful mechanisms for sending personal data to a country outside the UK, for example: an adequacy decision or regulation appropriate safeguards such as standard contractual clauses (SCCs) or the International Data Transfer Agreement (IDTA), or binding corporate rules (BCRs) a derogation Such transfers are barred by the data protection regime unless one of these tools is in place. These mechanisms exist to ensure data subjects remain protected when their personal data leaves the UK... The mechanisms follow a hierarchy, and this Flowchart helps you select the route most suitable for your organisation and processing operations... This Flowchart reflects the UK General Data...

In this issue: Air emissions and climate change Energy for environmental lawyers Environmental disputes and proceedings Environmental permits and consents Environmental taxes, reliefs and incentives ESG and sustainability Hazardous substances and chemicals Marine Nature, biodiversity and habitat conservation Waste Waste producer responsibility regimes Water, flooding and drainage Daily and weekly news alerts New and updated content Air emissions and climate change DESNZ releases quarterly waste data reporting template for the UK ETS. The Department for Energy Security and Net Zero (DESNZ) has issued a template for quarterly waste data submissions under the UK Emissions Trading Scheme (UK ETS). It is designed for waste operators to use when sending quarterly data reports to their regulator during the voluntary monitoring, reporting and verification (MRV) period. See: LNB News 19/02/2026 50. AFME responds to European Commission consultation on climate resilience legislative framework. The Association for Financial Markets in Europe (AFME) has provided...

In this issue: Energy efficiency and buildings Energy for environmental lawyers Environmental enforcement and prosecutions ESG and sustainability Hazardous substances and chemicals Nature, biodiversity and habitat conservation Waste Waste producer responsibility regimes Water, flooding and drainage Daily and weekly news alerts New and updated content Latest Q&A Energy efficiency and buildings The Department for Energy Security and Net Zero (DESNZ) has issued its 2025 post‑implementation review (PIR) of the Energy Savings Opportunity Scheme (ESOS) Regulations 2014 (SI 2014/1643). Using Phase 3 compliance notifications from the Environment Agency, together with unpublished interim data from Phase 3 action plans, and building on the 2020 PIR, it recommends holding off any major amendments to the ESOS Regulations until a full evaluation ends in May 2026, after which a comprehensive PIR will be completed. The research evaluates how energy audits and reporting identify and deliver energy efficiency savings across organisations. See: LNB News 14/08/2025 6...

In this issue: Key developments and materials Electricity and gas market regulation, licensing and taxation Networks and network connections Capacity Market, balancing services and energy system flexibility Nuclear energy Oil and gas International energy New and updated content Dates for your diary Trackers Energy resources on Lexis+® Daily and weekly news alerts Key developments and materials DESNZ announces 100 schools now have Great British Energy solar panels DESNZ confirmed that Great British Energy solar arrays are now fitted at 100 schools and colleges nationwide. By summer 2026, roughly 250 institutions will benefit through a focused deployment that gives precedence to deprived communities in the North East, West Midlands and North West, and guarantees a minimum of ten schools in each English region. Across their lifespan, these installations are expected to deliver around £220m in cumulative savings for the 250 schools and colleges, allowing funds to be redirected into teaching spaces. See:...

Scope of this Practice Note This Practice Note addresses matters linked to technology used to help firms comply with their regulatory duties—often referred to as ‘regtech’. It reviews how the Financial Conduct Authority (FCA) and the Bank of England (BoE) (including the Prudential Regulation Authority (PRA)) engage with regtech, highlights industry activity, and records both the proposal and subsequent withdrawal of an FCA ‘Robo Handbook’. It examines these facets of what has come to be known as ‘regtech’: what is regtech? the FCA’s approach FCA TechSprints digital sandbox other regulator-side developments towards a Robo Handbook industry-side developments other initiatives What is regtech? Regtech is a broad label for the use of technology to help firms discharge regulatory requirements more efficiently and effectively than legacy systems allow—and, at times, for the use of technology by regulators to support their own supervisory responsibilities. The expression is used either in contrast to, or as a subset of, fintech....

This Practice Note sets out the essentials of Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA): its background, timeline, aims, and how it aligns with other EU laws. For details on the CRA’s scope or core duties for economic operators, see the following Practice Notes: The EU Cyber Resilience Act—scope and classification of products The EU Cyber Resilience Act—obligations, compliance and enforcement Regulation (EU) 2024/2847, known as the CRA, is the first EU measure to set mandatory cybersecurity requirements for ‘products with digital elements’ across the EU. From December 2027, products that do not satisfy these requirements cannot be placed on the EU market. Accordingly, compliance will be crucial for market entry for both hardware and software. Manufacturers, importers and distributors will have extensive cybersecurity responsibilities and risk significant fines for non-compliance. The CRA was published in the Official Journal of the EU on 20 November 2024, entered into force on 10 December 2024, and applies in full from 11...

The extended producer responsibility (EPR) regime for packaging and packaging waste The extended producer responsibility (EPR) regime for packaging and packaging waste shifts the entire cost of managing household packaging waste from households to packaging producers, placing on them accountability for their packaging costs throughout its lifecycle. Lower charges apply to sustainable packaging, incentivising designs that use fewer materials and are easier to recycle. Under EPR, Local Authorities (LAs) receive producer-funded payments covering the net costs of collecting, managing, recycling and disposing of this household packaging waste. EPR is governed by the Producer Responsibility Obligations (Packaging and Packaging Waste) Regulations 2024, SI 2024/1332 (as amended). These regulations define a range of persons and bodies with specific functions within the regime. These are: producers—these are the principal duty holders compliance schemes the Scheme Administrator (SA) (PackUK) ‘relevant authorities’ which are LAs as household waste collection and disposal authorities responsible for household waste services reprocessors and exporters the ‘appropriate agency’—in England, the Environment...

Use this in conjunction with our Decision-making guide, which outlines our organisation’s approach to decision-making and explains why we have such a process in place. We recognise that colleagues make decisions at work every day. We do not expect you to follow the Decision-making guide and this framework for minor or operational business decisions, though some of the principles in this framework may prove helpful in day-to-day practice. The Decision-making guide and framework should be applied whenever a significant business decision is required, so that such choices are grounded in evidence and logic. A significant business decision is one that [ insert your criteria, eg may have a significant effect on our business, operations, staff, customers or external stakeholders ], eg [ insert examples eg a decision to proceed with a key project or business initiative, a decision relating to a complex situation or that is likely to have a commercial impact ]. The full criteria for a significant business decision is set out in the Decision-making guide. This framework...

Danish SCCs A set of Standard Contractual Clauses (SCCs) designed to meet Article 28(3) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), specifically addresses contractual arrangements between controllers and processors and was formally issued by the Danish data protection supervisory authority (the Danish SCCs). Their release followed an opinion from the European Data Protection Board (EDPB). The Danish SCCs are distinct from SCCs that concern cross-border international personal data transfers under Chapter V of the EU GDPR...

1 General information Date complaint received [ Enter date ] How was the complaint received? ☐ Email ☐ Letter ☐ In person ☐ Telephone ☐ Other—[ please specify ] When replying to the complainant, choose the most appropriate communication method. Date complaint acknowledged [ Enter a date that should be 30 days from the date you received the complaint. ] Proposed deadline for responding to complaint [ Enter a date that meets the expectation that you will handle the complaint without any delay. ] Person investigating complaint and completing this record [ Provide details of the individual who investigated the complaint and completed this report. This could be your data protection officer. ] Date of report [ Enter date ] 2 Complainant Name of data subject ...

In any specific context, a controller handling personal data or information must assess if the processing activity complies with what is now the applicable Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (DPA 2018)...

The Freedom of Information Act 2000 (FIA 2000) and the Data Protection Act 1998 (DPA 1998) are distinct regimes, save for the overlap raised here. They otherwise operate separately from one another as a rule. FIA 2000 contains various exemptions. Those exemptions mean the kind, character or even the presence of the information need not be revealed under FIA 2000. For this scenario, the pertinent carve-out is in FIA 2000, s 40, in particular FIA 2000, ss 40(1) and 40(5)(a). Where the material amounts to personal data and the data subject seeks disclosure via FIA 2000, the exemption applies in absolute terms...

We have concentrated specifically on sections 108–110 of the Digital Economy Act 2017 (DEA 2017) and sections 132–133 of the draft Data Protection Bill 2017 (DPB 2017) for the purposes of this Q&A. Part III of the Data Protection Act 1998 (DPA 1998) obliges data controllers who handle personal data to notify the Information Commissioner of their processing for inclusion in the register maintained by the Information Commissioner’s Office (ICO). Controllers seeking to register must pay an applicable fee. For further details, consult the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, and official guidance from the Information Commissioner...