Chwilio Deddfwriaeth

Data Protection Act 1998

Status:

Point in time view as at 01/07/2005. This version of this Act contains provisions that are not valid for this point in time. Help about Status

Close

Status

Not valid for this point in time generally means that a provision was not in force for the point in time you have selected to view it on.

Changes to legislation:

Data Protection Act 1998 is up to date with all changes known to be in force on or before 19 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

Part IU.K. Preliminary

1 Basic interpretative provisions.U.K.

(1)In this Act, unless the context otherwise requires—

  • data” means information which—

    (a)

    is being processed by means of equipment operating automatically in response to instructions given for that purpose,

    (b)

    is recorded with the intention that it should be processed by means of such equipment,

    (c)

    is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, F1. . .

    (d)

    does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; [F2or

    (e)

    is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);]

  • data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

  • data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

  • data subject” means an individual who is the subject of personal data;

  • personal data” means data which relate to a living individual who can be identified—

    (a)

    from those data, or

    (b)

    from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

    and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

  • processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

    (a)

    organisation, adaptation or alteration of the information or data,

    (b)

    retrieval, consultation or use of the information or data,

    (c)

    disclosure of the information or data by transmission, dissemination or otherwise making available, or

    (d)

    alignment, combination, blocking, erasure or destruction of the information or data;

  • [F3public authority” means a public authority as defined by the Freedom of Information Act 2000 or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002;]

  • relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

(2)In this Act, unless the context otherwise requires—

(a)obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b)using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the data.

(3)In determining for the purposes of this Act whether any information is recorded with the intention—

(a)that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b)that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

(4)Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

[F4(5)In paragraph (e) of the definition of “data” in subsection (1), the reference to information “held” by a public authority shall be construed in accordance with section 3(2) of the Freedom of Information Act 2000 [F5or section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002.]

(6)Where

(a)]section 7 of the Freedom of Information Act 2000 prevents Parts I to V of that Act[F6 or]

[F6(b)section 7(1) of the Freedom of Information (Scotland) Act 2002 prevents that Act,]

from applying to certain information held by a public authority, that information is not to be treated for the purposes of paragraph (e) of the definition of “data” in subsection (1) as held by a public authority.

Textual Amendments

F1In s. 1(1) in definition of "data" word repealed (1.1.2005) by 2000 c. 36, ss. 68(2)(a), 86, 87(3), Sch. 8 Pt. III (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F2In s. 1(1) in definition of "data" paragraph (e) and preceding word inserted (1.1.2005) by 2000 c. 36, ss. 68(2)(a), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F3In s. 1(1) definition of "public authority" inserted (1.1.2005) by 2000 c. 36, ss. 68(2)(b), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2; and this same definition substituted (1.1.2005) by The Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (S.I. 2004/3089), art. 2(2)(a)

2 Sensitive personal data.U.K.

In this Act “sensitive personal data” means personal data consisting of information as to—

(a)the racial or ethnic origin of the data subject,

(b)his political opinions,

(c)his religious beliefs or other beliefs of a similar nature,

(d)whether he is a member of a trade union (within the meaning of the M1Trade Union and Labour Relations (Consolidation) Act 1992),

(e)his physical or mental health or condition,

(f)his sexual life,

(g)the commission or alleged commission by him of any offence, or

(h)any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Marginal Citations

3 The special purposes.U.K.

In this Act “the special purposes” means any one or more of the following—

(a)the purposes of journalism,

(b)artistic purposes, and

(c)literary purposes.

4 The data protection principles.U.K.

(1)References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.

(2)Those principles are to be interpreted in accordance with Part II of Schedule 1.

(3)Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.

(4)Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

5 Application of Act.U.K.

(1)Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if—

(a)the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b)the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2)A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3)For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom—

(a)an individual who is ordinarily resident in the United Kingdom,

(b)a body incorporated under the law of, or of any part of, the United Kingdom,

(c)a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d)any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom—

(i)an office, branch or agency through which he carries on any activity, or

(ii)a regular practice;

and the reference to establishment in any other EEA State has a corresponding meaning.

Modifications etc. (not altering text)

C1S. 5 modified by S.I. 1993/1813, art. 4(2) (as substituted (coming into force in accordance with art. 1(2) of the amending S.I.) by S.I. 2001/1544, art. 3(5)(6))

6 The Commissioner and the Tribunal.U.K.

[F7(1)For the purposes of this Act and of the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner (in this Act referred to as “the Commissioner”).]

(2)The Commissioner shall be appointed by Her Majesty by Letters Patent.

[F8(3)For the purposes of this Act and of the Freedom of Information Act 2000 there shall be a tribunal known as the Information Tribunal (in this Act referred to as “the Tribunal”).]

(4)The Tribunal shall consist of—

(a)a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,

(b)such number of deputy chairmen so appointed as the Lord Chancellor may determine, and

(c)such number of other members appointed by the [F9 Secretary of State] as he may determine.

(5)The members of the Tribunal appointed under subsection (4)(a) and (b) shall be—

(a)persons who have a 7 year general qualification, within the meaning of section 71 of the M2Courts and Legal Services Act 1990,

(b)advocates or solicitors in Scotland of at least 7 years’ standing, or

(c)members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years’ standing.

(6)The members of the Tribunal appointed under subsection (4)(c) shall be—

(a)persons to represent the interests of data subjects,

[F10(aa)persons to represent the interests of those who make requests for information under the Freedom of Information Act 2000,]

(b)persons to represent the interests of data controllers [F11and

(bb)persons to represent the interests of public authorities.]

(7)Schedule 5 has effect in relation to the Commissioner and the Tribunal.

Textual Amendments

F10S. 6(6)(aa) substituted for word in s. 6(6)(a) (14.5.2001) by 2000 c. 36, s. 18(4), Sch. 2 Pt. II para. 16(a) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

F11S. 6(6)(bb) and the preceding word inserted (14.5.2001) by 2000 c. 36, s. 18(4), Sch. 2 Pt. II para. 16(b) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

Modifications etc. (not altering text)

C2S. 6(4)(a)(b): transfer of certain functions (1.7.1999) by 1999/1750, arts. 1, 2, Sch. 1 (with art. 7); S.I. 1998/3178, art. 3

S. 6(4)(a)(b) modified (30.6.1999) by S.I. 1999/1748, art. 3, Sch. 1 para. 20

C3S. 6(4)(a): functions of the Lord Advocate transferred to the Secretary of State, and all property, rights and liabilities to which the Lord Advocate is entitled or subject in connection with any such function transferred to the Secretary of State for Scotland (19.5.1999) by S.I. 1999/678, arts. 2, 3, Sch. (with art. 7)

Marginal Citations

Part IIU.K. Rights of data subjects and others

7 Right of access to personal data.U.K.

(1)Subject to the following provisions of this section and to [F12sections 8, 9 and 9A], an individual is entitled—

(a)to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b)if that is the case, to be given by the data controller a description of—

(i)the personal data of which that individual is the data subject,

(ii)the purposes for which they are being or are to be processed, and

(iii)the recipients or classes of recipients to whom they are or may be disclosed,

(c)to have communicated to him in an intelligible form—

(i)the information constituting any personal data of which that individual is the data subject, and

(ii)any information available to the data controller as to the source of those data, and

(d)where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2)A data controller is not obliged to supply any information under subsection (1) unless he has received—

(a)a request in writing, and

(b)except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

[F13(3)Where a data controller—

(a)reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and

(b)has informed him of that requirement,

the data controller is not obliged to comply with the request unless he is supplied with that further information.]

(4)Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a)the other individual has consented to the disclosure of the information to the person making the request, or

(b)it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5)In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6)In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a)any duty of confidentiality owed to the other individual,

(b)any steps taken by the data controller with a view to seeking the consent of the other individual,

(c)whether the other individual is capable of giving consent, and

(d)any express refusal of consent by the other individual.

(7)An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8)Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9)If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10)In this section—

  • prescribed” means prescribed by the [F14 Secretary of State] by regulations;

  • the prescribed maximum” means such amount as may be prescribed;

  • the prescribed period” means forty days or such other period as may be prescribed;

  • the relevant day”, in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11)Different amounts or periods may be prescribed under this section in relation to different cases.

Textual Amendments

F12Words in s. 7(1) substituted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(1), 87(1)(3) (with ss. 7(1)(7), 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

Modifications etc. (not altering text)

C4S. 7 excluded (1.3.2000) by S.I. 2000/414, art. 5(1)

S. 7 modified (1.3.2000) by S.I. 2000/414, art. 6

S. 7 modified (1.3.2000) by S.I. 2000/191, reg. 4(1)

S. 7 excluded (1.3.2000) by S.I. 2000/413, art. 5(1)

S. 7 modified (1.3.2000) by S.I. 2000/413, arts. 6(1), 7(3)

S. 7 modified (1.3.2000) by S.I. 2000/415, art. 6

C8S. 7(1) extended (1.3.2000) by S.I. 2000/191, reg. 2(2)

C9S. 7(1)(a)(b)(c) extended (1.3.2000) by S.I. 2000/191, reg. 2(1)

C10S. 7(1)(b)-(d) excluded (1.3.2000) by S.I. 2000/415, art. 5(1)

C11S. 7(4)(9) modified (1.3.2000) by S.I. 2000/413, art. 8(a)(b)

S. 7(4)(9) modified (1.3.2000) by S.I. 2000/414, art. 7(1)(a)(b)

S. 7(4)(9) modified (1.3.2000) by S.I. 2000/415, art. 7(1)(a)(b)

Commencement Information

I1S. 7 wholly in force at 1.3.2000; s. 7 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

8 Provisions supplementary to section 7.U.K.

(1)The [F15 Secretary of State] may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.

(2)The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless—

(a)the supply of such a copy is not possible or would involve disproportionate effort, or

(b)the data subject agrees otherwise;

and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(3)Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(4)In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(5)Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

(6)The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(7)For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

Textual Amendments

Commencement Information

I2S. 8 wholly in force at 1.3.2000; s. 8 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 8 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

9 Application of section 7 where data controller is credit reference agency.U.K.

(1)Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.

(2)An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.

(3)Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the [F16 Secretary of State] by regulations, of the individual’s rights—

(a)under section 159 of the M3Consumer Credit Act 1974 , and

(b)to the extent required by the prescribed form, under this Act.

Textual Amendments

Commencement Information

I3S. 9 wholly in force at 1.3.2000; s. 9 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 9 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Marginal Citations

[F179A Unstructured personal data held by public authorities.U.K.

(1)In this section “unstructured personal data” means any personal data falling within paragraph (e) of the definition of “data” in section 1(1), other than information which is recorded as part of, or with the intention that it should form part of, any set of information relating to individuals to the extent that the set is structured by reference to individuals or by reference to criteria relating to individuals.

(2)A public authority is not obliged to comply with subsection (1) of section 7 in relation to any unstructured personal data unless the request under that section contains a description of the data.

(3)Even if the data are described by the data subject in his request, a public authority is not obliged to comply with subsection (1) of section 7 in relation to unstructured personal data if the authority estimates that the cost of complying with the request so far as relating to those data would exceed the appropriate limit.

(4)Subsection (3) does not exempt the public authority from its obligation to comply with paragraph (a) of section 7(1) in relation to the unstructured personal data unless the estimated cost of complying with that paragraph alone in relation to those data would exceed the appropriate limit.

(5)In subsections (3) and (4) “the appropriate limit” means such amount as may be prescribed by the [F18 Secretary of State] by regulations, and different amounts may be prescribed in relation to different cases.

(6)Any estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.]

Textual Amendments

F17S. 9A inserted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(2), 87(1)(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2 (s. 69(2) of the amending Act was itself amended (19.8.2003) by S.I. 2003/1887, art. 9, Sch. 2 para. 12(1)(b))

10 Right to prevent processing likely to cause damage or distress.U.K.

(1)Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)that damage or distress is or would be unwarranted.

(2)Subsection (1) does not apply—

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b)in such other cases as may be prescribed by the [F19 Secretary of State] by order.

(3)The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—

(a)stating that he has complied or intends to comply with the data subject notice, or

(b)stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4)If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5)The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

Textual Amendments

Commencement Information

I4S. 10 wholly in force at 1.3.2000; s. 10 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 10 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

11 Right to prevent processing for purposes of direct marketing.U.K.

(1)An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2)If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

[F20(2A)This section shall not apply in relation to the processing of such data as are mentioned in paragraph (1) of regulation 8 of the Telecommunications (Data Protection and Privacy) Regulations 1999 (processing of telecommunications billing data for certain marketing purposes) for the purposes mentioned in paragraph (2) of that regulation.]

(3)In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Textual Amendments

12 Rights in relation to automated decision-taking.U.K.

(1)An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2)Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)—

(a)the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b)the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3)The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) (“the data subject notice”) give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4)A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5)In subsection (4) “exempt decision” means any decision—

(a)in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or

(b)which is made in such other circumstances as may be prescribed by the [F21 Secretary of State] by order.

(6)The condition in this subsection is that the decision—

(a)is taken in the course of steps taken—

(i)for the purpose of considering whether to enter into a contract with the data subject,

(ii)with a view to entering into such a contract, or

(iii)in the course of performing such a contract, or

(b)is authorised or required by or under any enactment.

(7)The condition in this subsection is that either—

(a)the effect of the decision is to grant a request of the data subject, or

(b)steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8)If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“the responsible person”) has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9)An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

Textual Amendments

Commencement Information

I5S. 12 wholly in force at 1.3.2000; s. 12 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 12 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

[F2212A Rights of data subjects in relation to exempt manual data.U.K.

(1)A data subject is entitled at any time by notice in writing—

(a)to require the data controller to rectify, block, erase or destroy exempt manual data which are inaccurate or incomplete, or

(b)to require the data controller to cease holding exempt manual data in a way incompatible with the legitimate purposes pursued by the data controller.

(2)A notice under subsection (1)(a) or (b) must state the data subject’s reasons for believing that the data are inaccurate or incomplete or, as the case may be, his reasons for believing that they are held in a way incompatible with the legitimate purposes pursued by the data controller.

(3)If the court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent) that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(4)In this section “exempt manual data” means—

(a)in relation to the first transitional period, as defined by paragraph 1(2) of Schedule 8, data to which paragraph 3 or 4 of that Schedule applies, and

(b)in relation to the second transitional period, as so defined, data to which paragraph 14 [F23or 14A] of that Schedule applies.

(5)For the purposes of this section personal data are incomplete if, and only if, the data, although not inaccurate, are such that their incompleteness would constitute a contravention of the third or fourth data protection principles, if those principles applied to the data.]

Textual Amendments

F22S. 12A inserted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 72, Sch. 13 para. 1; S.I. 2000/183, art. 2(1)

F23Words in s. 12A(4)(b) inserted (1.1.2005) by virtue of 2000 c. 36, ss. 70(4), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

13 Compensation for failure to comply with certain requirements.U.K.

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention, or

(b)the contravention relates to the processing of personal data for the special purposes.

(3)In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

14 Rectification, blocking, erasure and destruction.U.K.

(1)If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2)Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then—

(a)if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b)if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3)Where the court—

(a)makes an order under subsection (1), or

(b)is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4)If a court is satisfied on the application of a data subject—

(a)that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b)that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5)Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6)In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.

15 Jurisdiction and procedure.U.K.

(1)The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2)For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

Part IIIU.K. Notification by data controllers

16 Preliminary.U.K.

(1)In this Part “the registrable particulars”, in relation to a data controller, means—

(a)his name and address,

(b)if he has nominated a representative for the purposes of this Act, the name and address of the representative,

(c)a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,

(d)a description of the purpose or purposes for which the data are being or are to be processed,

(e)a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,

(f)the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data,

[F24(ff)where the data controller is a public authority, a statement of that fact,] and

(g)in any case where—

(i)personal data are being, or are intended to be, processed in circumstances in which the prohibition in subsection (1) of section 17 is excluded by subsection (2) or (3) of that section, and

(ii)the notification does not extend to those data,

a statement of that fact.

(2)In this Part—

  • fees regulations” means regulations made by the [F25 Secretary of State] under section 18(5) or 19(4) or (7);

  • notification regulations” means regulations made by the [F25 Secretary of State] under the other provisions of this Part;

  • prescribed”, except where used in relation to fees regulations, means prescribed by notification regulations.

(3)For the purposes of this Part, so far as it relates to the addresses of data controllers—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

Textual Amendments

Commencement Information

I6S. 16 wholly in force at 1.3.2000; s. 16 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 16 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

17 Prohibition on processing without registration.U.K.

(1)Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).

(2)Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of “data” in section 1(1) nor within paragraph (b) of that definition.

(3)If it appears to the [F26 Secretary of State] that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.

(4)Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.

Textual Amendments

Modifications etc. (not altering text)

C12S. 17(1) excluded (1.3.2000) by S.I. 2000/188, reg. 3

18 Notification by data controllers.U.K.

(1)Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.

(2)A notification under this section must specify in accordance with notification regulations—

(a)the registrable particulars, and

(b)a general description of measures to be taken for the purpose of complying with the seventh data protection principle.

(3)Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).

(4)Notification regulations may make provision as to the giving of notification—

(a)by partnerships, or

(b)in other cases where two or more persons are the data controllers in respect of any personal data.

(5)The notification must be accompanied by such fee as may be prescribed by fees regulations.

(6)Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.

Commencement Information

I7S. 18 wholly in force at 1.3.2000; s. 18 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 18 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

19 Register of notifications.U.K.

(1)The Commissioner shall—

(a)maintain a register of persons who have given notification under section 18, and

(b)make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.

(2)Each entry in the register shall consist of—

(a)the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and

(b)such other information as the Commissioner may be authorised or required by notification regulations to include in the register.

(3)Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.

(4)No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(5)In subsection (4) “the relevant time” means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.

(6)The Commissioner—

(a)shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b)may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7)The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.

Modifications etc. (not altering text)

C13S. 19(4) applied (with modifications) (1.3.2000) by S.I. 2000/188, reg. 15(2)(3) (as amended by S.I. 2001/3214, reg. 2(2))

C14S. 19(5) applied (with modifications) (1.3.2000) by S.I. 2000/188, reg. 15(2)(3)

Commencement Information

I8S. 19 wholly in force at 1.3.2000; s. 19 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 19 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

20 Duty to notify changes.U.K.

(1)For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.

(2)The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time—

(a)the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and

(b)the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).

(3)Subsection (3) of section 18 has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of subsection (2) of that section.

(4)On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.

21 Offences.U.K.

(1)If section 17(1) is contravened, the data controller is guilty of an offence.

(2)Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.

(3)It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

22 Preliminary assessment by Commissioner.U.K.

(1)In this section “assessable processing” means processing which is of a description specified in an order made by the [F27 Secretary of State] as appearing to him to be particularly likely—

(a)to cause substantial damage or substantial distress to data subjects, or

(b)otherwise significantly to prejudice the rights and freedoms of data subjects.

(2)On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider—

(a)whether any of the processing to which the notification relates is assessable processing, and

(b)if so, whether the assessable processing is likely to comply with the provisions of this Act.

(3)Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.

(4)Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.

(5)No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either—

(a)the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or

(b)before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.

(6)Where subsection (5) is contravened, the data controller is guilty of an offence.

(7)The [F27 Secretary of State] may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.

Textual Amendments

Commencement Information

I9S. 22 wholly in force at 1.3.2000; s. 22 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 22 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

23 Power to make provision for appointment of data protection supervisors.U.K.

(1)The [F28 Secretary of State] may by order—

(a)make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller’s compliance with the provisions of this Act, and

(b)provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified in the order.

(2)An order under this section may—

(a)impose duties on data protection supervisors in relation to the Commissioner, and

(b)confer functions on the Commissioner in relation to data protection supervisors.

Textual Amendments

Commencement Information

I10S. 23 wholly in force at 1.3.2000; s. 23 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 23 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

24 Duty of certain data controllers to make certain information available.U.K.

(1)Subject to subsection (3), where personal data are processed in a case where—

(a)by virtue of subsection (2) or (3) of section 17, subsection (1) of that section does not apply to the processing, and

(b)the data controller has not notified the relevant particulars in respect of that processing under section 18,

the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.

(2)In this section “the relevant particulars” means the particulars referred to in paragraphs (a) to (f) of section 16(1).

(3)This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.

(4)Any data controller who fails to comply with the duty imposed by subsection (1) is guilty of an offence.

(5)It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.

25 Functions of Commissioner in relation to making of notification regulations.U.K.

(1)As soon as practicable after the passing of this Act, the Commissioner shall submit to the Secretary of State proposals as to the provisions to be included in the first notification regulations.

(2)The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the [F29 Secretary of State] proposals as to amendments to be made to the regulations.

(3)The [F29 Secretary of State] may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.

(4)Before making any notification regulations, the [F29 Secretary of State] shall—

(a)consider any proposals made to him by the Commissioner under [F30subsection (2) or (3)], and

(b)consult the Commissioner.

Textual Amendments

F30Words in s. 25(4)(a) substituted (26.11.2001) by S.I. 2001/3500, art. 8, Sch. 2 Pt. I para. 6(2)

Commencement Information

I11S. 25 wholly in force at 1.3.2000; s. 25(1)(4) in force at Royal Assent see s. 75(2)(i); s. 25 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

26 Fees regulations.U.K.

(1)Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.

(2)In making any fees regulations, the [F31 Secretary of State] shall have regard to the desirability of securing that the fees payable to the Commissioner are sufficient to offset—

(a)the expenses incurred by the Commissioner and the Tribunal in discharging their functions [F32under this Act]and any expenses of the Secretary of State in respect of the Commissioner or the Tribunal [F33so far as attributable to their functions under this Act], and

(b)to the extent that the Secretary of State considers appropriate—

(i)any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and

(ii)expenses incurred or to be incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the M4Superannuation Act 1972.

Part IVU.K. Exemptions

27 Preliminary.U.K.

(1)References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2)In this Part “the subject information provisions” means—

(a)the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b)section 7.

(3)In this Part “the non-disclosure provisions” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4)The provisions referred to in subsection (3) are—

(a)the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b)the second, third, fourth and fifth data protection principles, and

(c)sections 10 and 14(1) to (3).

(5)Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

28 National security.U.K.

(1)Personal data are exempt from any of the provisions of—

(a)the data protection principles,

(b)Parts II, III and V, and

(c)[F34sections 54A and] 55,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2)Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3)A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4)Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.

(5)If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6)Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.

(7)On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.

(8)A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.

(10)The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.

(11)No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

(12)Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.

Textual Amendments

Modifications etc. (not altering text)

C15S. 28(8)(9)(10)(12) applied (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 32(8)(a)

S. 28(8)(9)(10)(12) applied (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (2003/2426), {reg. 28(8)(b)} (with regs. 4, 15(3), 28, 29)

C16S. 28(10): functions of the Lord Advocate transferred to the Advocate General for Scotland, and all property, rights and liabilities to which the Lord Advocate is entitled or subject in connection with any such function transferred to the Advocate General for Scotland (20.5.1999) by S.I. 1999/679, arts. 2, 3, Sch; S.I. 1998/3178, art. 2(2), Sch. 4

29 Crime and taxation.U.K.

(1)Personal data processed for any of the following purposes—

(a)the prevention or detection of crime,

(b)the apprehension or prosecution of offenders, or

(c)the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2)Personal data which—

(a)are processed for the purpose of discharging statutory functions, and

(b)consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),

are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3)Personal data are exempt from the non-disclosure provisions in any case in which—

(a)the disclosure is for any of the purposes mentioned in subsection (1), and

(b)the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4)Personal data in respect of which the data controller is a relevant authority and which—

(a)consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes—

(i)the assessment or collection of any tax or duty or any imposition of a similar nature, or

(ii)the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and

(b)are processed for either of those purposes,

are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.

(5)In subsection (4)— “public funds” includes funds provided by any Community institution; “relevant authority” means—

(a)a government department,

(b)a local authority, or

(c)any other authority administering housing benefit or council tax benefit.

30 Health, education and social work.U.K.

(1)The [F35 Secretary of State] may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.

(2)The [F35 Secretary of State] may by order exempt from the subject information provisions, or modify those provisions in relation to—

(a)personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consist of information relating to persons who are or have been pupils at the school, or

(b)personal data in respect of which the data controller is an education authority in Scotland, and which consist of information relating to persons who are receiving, or have received, further education provided by the authority.

(3)The [F35 Secretary of State] may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information—

(a)processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order, and

(b)appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;

but the [F35 Secretary of State] shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.

(4)An order under this section may make different provision in relation to data consisting of information of different descriptions.

(5)In this section—

  • education authority” and “further education” have the same meaning as in the M5Education (Scotland) Act 1980 (“the 1980 Act”), and

  • proprietor”—

    (a)

    in relation to a school in England or Wales, has the same meaning as in the M6Education Act 1996,

    (b)

    in relation to a school in Scotland, means—

    (i)

    [F36in the case of a self-governing school, the board of management within the meaning of the M7Self-Governing Schools etc. (Scotland) Act 1989,]

    (ii)

    in the case of an independent school, the proprietor within the meaning of the 1980 Act,

    (iii)

    in the case of a grant-aided school, the managers within the meaning of the 1980 Act, and

    (iv)

    in the case of a public school, the education authority within the meaning of the 1980 Act, and

    (c)

    in relation to a school in Northern Ireland, has the same meaning as in the M8Education and Libraries (Northern Ireland) Order 1986 and includes, in the case of a controlled school, the Board of Governors of the school.

Textual Amendments

F35Words in s. 30 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9 {Sch. 2 para. 9(1)(a)}

Modifications etc. (not altering text)

C17S. 30: transfer of functions (1.7.1999) by S.I. 1999/672, arts. 2, 3, Sch. 1

Commencement Information

I12S. 30 wholly in force at 1.3.2000; s. 30 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 30 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Marginal Citations

31 Regulatory activity.U.K.

(1)Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.

(2)Subsection (1) applies to any relevant function which is designed—

(a)for protecting members of the public against—

(i)financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,

(ii)financial loss due to the conduct of discharged or undischarged bankrupts, or

(iii)dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity,

(b)for protecting charities [F37or community interest companies] against misconduct or mismanagement (whether by trustees [F38, directors] or other persons) in their administration,

(c)for protecting the property of charities [F37or community interest companies] from loss or misapplication,

(d)for the recovery of the property of charities [F37or community interest companies] ,

(e)for securing the health, safety and welfare of persons at work, or

(f)for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.

(3)In subsection (2) “relevant function” means—

(a)any function conferred on any person by or under any enactment,

(b)any function of the Crown, a Minister of the Crown or a government department, or

(c)any other function which is of a public nature and is exercised in the public interest.

(4)Personal data processed for the purpose of discharging any function which—

(a)is conferred by or under any enactment on—

(i)the Parliamentary Commissioner for Administration,

(ii)the Commission for Local Administration in England [F39or] , the Commission for Local Administration in Wales F40. . . ,

(iii)the Health Service Commissioner for England [F41or] , the Health Service Commissioner for Wales F42. . . ,

(iv)the Welsh Administration Ombudsman,

(v)the Assembly Ombudsman for Northern Ireland, F43. . .

(vi)the Northern Ireland Commissioner for Complaints, [F44or]

[F45(vii) the Scottish Public Services Ombudsman, and]

(b)is designed for protecting members of the public against—

(i)maladministration by public bodies,

(ii)failures in services provided by public bodies, or

(iii)a failure of a public body to provide a service which it was a function of the body to provide,

are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.

[F46(4A)Personal data processed for the purpose of discharging any function which is conferred by or under Part XVI of the Financial Services and Markets Act 2000 on the body established by the Financial Services Authority for the purposes of that Part are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of the function.]

(5)Personal data processed for the purpose of discharging any function which—

(a)is conferred by or under any enactment on the [F47the Office of Fair Trading] , and

(b)is designed—

(i)for protecting members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(ii)for regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(iii)for regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market,

are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.

[F48(6)Personal data processed for the purpose of the function of considering a complaint under section 113(1) or (2) or 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003, or section 24D, 26, 26ZA or 26ZB of the Children Act 1989, are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.]

Textual Amendments

F46S. 31(4A) inserted (1.12.2001) by 2000 c. 8, s. 233; S.I. 2001/3538, art. 2(1)

Modifications etc. (not altering text)

C19S. 31 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

32 Journalism, literature and art.U.K.

(1)Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

(2)Subsection (1) relates to the provisions of—

(a)the data protection principles except the seventh data protection principle,

(b)section 7,

(c)section 10,

(d)section 12, and

[F49(dd)section 12A,]

(e)section 14(1) to (3).

(3)In considering for the purposes of subsection (1)(b) whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which—

(a)is relevant to the publication in question, and

(b)is designated by the [F50 Secretary of State] by order for the purposes of this subsection.

(4)Where at any time (“the relevant time”) in any proceedings against a data controller under section 7(9), 10(4), 12(8) [F51, 12A(3)] or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed—

(a)only for the special purposes, and

(b)with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller,

the court shall stay the proceedings until either of the conditions in subsection (5) is met.

(5)Those conditions are—

(a)that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or

(b)in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

(6)For the purposes of this Act “publish”, in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

Textual Amendments

F49S. 32(2)(dd) inserted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 75(3), Sch. 13 para. 2(a); S.I. 2000/183, art. 2(1)

F51Words in s. 32(4) inserted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 72, Sch. 13 para. 2(b); S.I. 2000/183, art. 2(1)

Commencement Information

I13S. 32 wholly in force at 1.3.2000; s. 32 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 32 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

33 Research, history and statistics.U.K.

(1)In this section— “research purposes” includes statistical or historical purposes; “the relevant conditions”, in relation to any processing of personal data, means the conditions—

(a)that the data are not processed to support measures or decisions with respect to particular individuals, and

(b)that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

(2)For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.

(3)Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.

(4)Personal data which are processed only for research purposes are exempt from section 7 if—

(a)they are processed in compliance with the relevant conditions, and

(b)the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.

(5)For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed—

(a)to any person, for research purposes only,

(b)to the data subject or a person acting on his behalf,

(c)at the request, or with the consent, of the data subject or a person acting on his behalf, or

(d)in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

[F5233A Manual data held by public authorities.U.K.

(1)Personal data falling within paragraph (e) of the definition of “data” in section 1(1) are exempt from—

(a)the first, second, third, fifth, seventh and eighth data protection principles,

(b)the sixth data protection principle except so far as it relates to the rights conferred on data subjects by sections 7 and 14,

(c)sections 10 to 12,

(d)section 13, except so far as it relates to damage caused by a contravention of section 7 or of the fourth data protection principle and to any distress which is also suffered by reason of that contravention,

(e)Part III, and

(f)section 55.

(2)Personal data which fall within paragraph (e) of the definition of “data” in section 1(1) and relate to appointments or removals, pay, discipline, superannuation or other personnel matters, in relation to—

(a)service in any of the armed forces of the Crown,

(b)service in any office or employment under the Crown or under any public authority, or

(c)service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in Her Majesty, any Minister of the Crown, the National Assembly for Wales, any Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000) or any public authority,

are also exempt from the remaining data protection principles and the remaining provisions of Part II.]

Textual Amendments

34 Information available to the public by or under enactment.U.K.

Personal data are exempt from—

(a)the subject information provisions,

(b)the fourth data protection principle and [F53sections 12A and 14(1) to (3).], and

(c)the non-disclosure provisions,

if the data consist of information which the data controller is obliged by or under any enactment [F54other than an enactment contained in the Freedom of Information Act 2000] to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.

Textual Amendments

F53Words in s. 34(b) substituted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 72, Sch. 13 para. 3; S.I. 2000/183, art. 2(1)

F54Words in s. 34 inserted (30.11.2002) by 2000 c. 36, ss. 72, 87(3) (with ss. 56, 78); S.I. 2002/2812, art. 2

35 Disclosures required by law or made in connection with legal proceedings etc.U.K.

(1)Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

(2)Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—

(a)for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b)for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

[F5535A Parliamentary privilege.U.K.

Personal data are exempt from—

(a)the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b)the second, third, fourth and fifth data protection principles,

(c)section 7, and

(d)sections 10 and 14(1) to (3),

if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.]

Textual Amendments

36 Domestic purposes.U.K.

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

37 Miscellaneous exemptions.U.K.

Schedule 7 (which confers further miscellaneous exemptions) has effect.

38 Powers to make further exemptions by order.U.K.

(1)The [F56 Secretary of State] may by order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if and to the extent that he considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions.

(2)The [F56 Secretary of State] may by order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if he considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.

Textual Amendments

Commencement Information

I14S. 38 wholly in force at 1.3.2000; s. 38 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 38 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

39 Transitional relief.U.K.

Schedule 8 (which confers transitional exemptions) has effect.

Part VU.K. Enforcement

Modifications etc. (not altering text)

C20Pt. V applied (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 36(1), Sch. 4

Pt. V applied (with modifications) (1.3.2000) by S.I. 2000/190, art. 5(2)

40 Enforcement notices.U.K.

(1)If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following—

(a)to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or

(b)to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.

(2)In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.

(3)An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.

(4)An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either—

(a)to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or

(b)to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.

(5)Where—

(a)an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or

(b)the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles,

an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.

(6)An enforcement notice must contain—

(a)a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and

(b)particulars of the rights of appeal conferred by section 48.

(7)Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(8)If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.

(9)Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.

(10)This section has effect subject to section 46(1).

Modifications etc. (not altering text)

C22S. 40 applied (30.6.1999) by 1999 c. iv , s. 6(15) (with s.6(16)(4))

S. 40 extended (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 4

Ss. 40, 41, 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093, reg.34, Sch. 3 para. 5(2)

Commencement Information

I15S. 40 wholly in force at 1.3.2000; s. 40 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 40 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

41 Cancellation of enforcement notice.U.K.

(1)If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served.

(2)A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates.

Modifications etc. (not altering text)

C23Ss. 40, 41, 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 5(2)

Yn ddilys o 06/04/2010

[F5741AAssessment noticesU.K.

(1)The Commissioner may serve a data controller within subsection (2) with a notice (in this Act referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.

(2)A data controller is within this subsection if the data controller is—

(a)a government department,

(b)a public authority designated for the purposes of this section by an order made by the Secretary of State, or

(c)a person of a description designated for the purposes of this section by such an order.

(3)An assessment notice is a notice which requires the data controller to do all or any of the following—

(a)permit the Commissioner to enter any specified premises;

(b)direct the Commissioner to any documents on the premises that are of a specified description;

(c)assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;

(d)comply with any request from the Commissioner for—

(i)a copy of any of the documents to which the Commissioner is directed;

(ii)a copy (in such form as may be requested) of any of the information which the Commissioner is assisted to view;

(e)direct the Commissioner to any equipment or other material on the premises which is of a specified description;

(f)permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;

(g)permit the Commissioner to observe the processing of any personal data that takes place on the premises;

(h)make available for interview by the Commissioner a specified number of persons of a specified description who process personal data on behalf of the data controller (or such number as are willing to be interviewed).

(4)In subsection (3) references to the Commissioner include references to the Commissioner's officers and staff.

(5)An assessment notice must, in relation to each requirement imposed by the notice, specify—

(a)the time at which the requirement is to be complied with, or

(b)the period during which the requirement is to be complied with.

(6)An assessment notice must also contain particulars of the rights of appeal conferred by section 48.

(7)The Commissioner may cancel an assessment notice by written notice to the data controller on whom it was served.

(8)Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.

(9)The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless—

(a)the Commissioner has made a recommendation that the description be designated, and

(b)the Secretary of State has consulted—

(i)such persons as appear to the Secretary of State to represent the interests of those that meet the description;

(ii)such other persons as the Secretary of State considers appropriate.

(10)The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (9)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to—

(a)the nature and quantity of data under the control of such persons, and

(b)any damage or distress which may be caused by a contravention by such persons of the data protection principles.

(11)Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (10).

(12)In this section—

  • public authority” includes any body, office-holder or other person in respect of which—

    (a)

    an order may be made under section 4 or 5 of the Freedom of Information Act 2000, or

    (b)

    an order may be made under section 4 or 5 of the Freedom of Information (Scotland) Act 2002;

  • specified” means specified in an assessment notice.

Textual Amendments

F57Ss. 41A-41C inserted (1.2.2010 as regards s. 41C and 6.4.2010 as regards ss. 41A, 41B) by Coroners and Justice Act 2009 (c. 25), ss. 173, 182 (with s. 180); S.I. 2010/145, art. 2, Sch. para. 15; S.I. 2010/816, art. 2, Sch. para. 12

Yn ddilys o 06/04/2010

41BAssessment notices: limitationsU.K.

(1)A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.

(2)If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from “within” to the end there were substituted of 7 days beginning with the day on which the notice is served.

(3)A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of—

(a)any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or

(b)any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(4)In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.

(5)Nothing in section 41A authorises the Commissioner to serve an assessment notice on—

(a)a judge,

(b)a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or

(c)the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Eduction, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.

(6)In this section “judge” includes —

(a)a justice of the peace (or, in Northern Ireland, a lay magistrate),

(b)a member of a tribunal, and

(c)a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;

and in this subsection “tribunal” means any tribunal in which legal proceedings may be brought.

Textual Amendments

F57Ss. 41A-41C inserted (1.2.2010 as regards s. 41C and 6.4.2010 as regards ss. 41A, 41B) by Coroners and Justice Act 2009 (c. 25), ss. 173, 182 (with s. 180); S.I. 2010/145, art. 2, Sch. para. 15; S.I. 2010/816, art. 2, Sch. para. 12

Yn ddilys o 01/02/2010

41CCode of practice about assessment noticesU.K.

(1)The Commissioner must prepare and issue a code of practice as to the manner in which the Commissioner's functions under and in connection with section 41A are to be exercised.

(2)The code must in particular—

(a)specify factors to be considered in determining whether to serve an assessment notice on a data controller;

(b)specify descriptions of documents and information that—

(i)are not to be examined or inspected in pursuance of an assessment notice, or

(ii)are to be so examined or inspected only by persons of a description specified in the code;

(c)deal with the nature of inspections and examinations carried out in pursuance of an assessment notice;

(d)deal with the nature of interviews carried out in pursuance of an assessment notice;

(e)deal with the preparation, issuing and publication by the Commissioner of assessment reports in respect of data controllers that have been served with assessment notices.

(3)The provisions of the code made by virtue of subsection (2)(b) must, in particular, include provisions that relate to—

(a)documents and information concerning an individual's physical or mental health;

(b)documents and information concerning the provision of social care for an individual.

(4)An assessment report is a report which contains—

(a)a determination as to whether a data controller has complied or is complying with the data protection principles,

(b)recommendations as to any steps which the data controller ought to take, or refrain from taking, to ensure compliance with any of those principles, and

(c)such other matters as are specified in the code.

(5)The Commissioner may alter or replace the code.

(6)If the code is altered or replaced, the Commissioner must issue the altered or replacement code.

(7)The Commissioner may not issue the code (or an altered or replacement code) without the approval of the Secretary of State.

(8)The Commissioner must arrange for the publication of the code (and any altered or replacement code) issued under this section in such form and manner as the Commissioner considers appropriate.

(9)In this section “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).]

Textual Amendments

F57Ss. 41A-41C inserted (1.2.2010 as regards s. 41C and 6.4.2010 as regards ss. 41A, 41B) by Coroners and Justice Act 2009 (c. 25), ss. 173, 182 (with s. 180); S.I. 2010/145, art. 2, Sch. para. 15; S.I. 2010/816, art. 2, Sch. para. 12

42 Request for assessment.U.K.

(1)A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.

(2)On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—

(a)satisfy himself as to the identity of the person making the request, and

(b)enable him to identify the processing in question.

(3)The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—

(a)the extent to which the request appears to him to raise a matter of substance,

(b)any undue delay in making the request, and

(c)whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.

(4)Where the Commissioner has received a request under this section he shall notify the person who made the request—

(a)whether he has made an assessment as a result of the request, and

(b)to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.

43 Information notices.U.K.

(1)If the Commissioner—

(a)has received a request under section 42 in respect of any processing of personal data, or

(b)reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles,

he may serve the data controller with a notice (in this Act referred to as “an information notice”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified.

(2)An information notice must contain—

(a)in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or

(b)in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose.

(3)An information notice must also contain particulars of the rights of appeal conferred by section 48.

(4)Subject to subsection (5), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(5)If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.

(6)A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—

(a)any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or

(b)any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(7)In subsection (6) references to the client of a professional legal adviser include references to any person representing such a client.

(8)A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.

(9)The Commissioner may cancel an information notice by written notice to the person on whom it was served.

(10)This section has effect subject to section 46(3).

Modifications etc. (not altering text)

C24Ss. 40, 41, 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 5(2)

44 Special information notices.U.K.

(1)If the Commissioner—

(a)has received a request under section 42 in respect of any processing of personal data, or

(b)has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 32, the personal data to which the proceedings relate—

(i)are not being processed only for the special purposes, or

(ii)are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

he may serve the data controller with a notice (in this Act referred to as a “special information notice”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2).

(2)That purpose is the purpose of ascertaining—

(a)whether the personal data are being processed only for the special purposes, or

(b)whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller.

(3)A special information notice must contain—

(a)in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or

(b)in a case falling within paragraph (b) of that subsection, a statement of the Commissioner’s grounds for suspecting that the personal data are not being processed as mentioned in that paragraph.

(4)A special information notice must also contain particulars of the rights of appeal conferred by section 48.

(5)Subject to subsection (6), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(6)If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.

(7)A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—

(a)any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or

(b)any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(8)In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client.

(9)A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.

(10)The Commissioner may cancel a special information notice by written notice to the person on whom it was served.

45 Determination by Commissioner as to the special purposes.U.K.

(1)Where at any time it appears to the Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data—

(a)are not being processed only for the special purposes, or

(b)are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

he may make a determination in writing to that effect.

(2)Notice of the determination shall be given to the data controller; and the notice must contain particulars of the right of appeal conferred by section 48.

(3)A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.

46 Restriction on enforcement in case of processing for the special purposes.U.K.

(1)The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless—

(a)a determination under section 45(1) with respect to those data has taken effect, and

(b)the court has granted leave for the notice to be served.

(2)The court shall not grant leave for the purposes of subsection (1)(b) unless it is satisfied—

(a)that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance, and

(b)except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for leave.

(3)The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 45(1) with respect to those data has taken effect.

47 Failure to comply with notice.U.K.

(1)A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.

(2)A person who, in purported compliance with an information notice or a special information notice—

(a)makes a statement which he knows to be false in a material respect, or

(b)recklessly makes a statement which is false in a material respect,

is guilty of an offence.

(3)It is a defence for a person charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the notice in question.

48 Rights of appeal.U.K.

(1)A person on whom an enforcement notice, an information notice or a special information notice has been served may appeal to the Tribunal against the notice.

(2)A person on whom an enforcement notice has been served may appeal to the Tribunal against the refusal of an application under section 41(2) for cancellation or variation of the notice.

(3)Where an enforcement notice, an information notice or a special information notice contains a statement by the Commissioner in accordance with section 40(8), 43(5) or 44(6) then, whether or not the person appeals against the notice, he may appeal against—

(a)the Commissioner’s decision to include the statement in the notice, or

(b)the effect of the inclusion of the statement as respects any part of the notice.

(4)A data controller in respect of whom a determination has been made under section 45 may appeal to the Tribunal against the determination.

(5)Schedule 6 has effect in relation to appeals under this section and the proceedings of the Tribunal in respect of any such appeal.

49 Determination of appeals.U.K.

(1)If on an appeal under section 48(1) the Tribunal considers—

(a)that the notice against which the appeal is brought is not in accordance with the law, or

(b)to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,

the Tribunal shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.

(2)On such an appeal, the Tribunal may review any determination of fact on which the notice in question was based.

(3)If on an appeal under section 48(2) the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal shall cancel or vary the notice.

(4)On an appeal under subsection (3) of section 48 the Tribunal may direct—

(a)that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection, or

(b)that the inclusion of the statement shall not have effect in relation to any part of the notice,

and may make such modifications in the notice as may be required for giving effect to the direction.

(5)On an appeal under section 48(4), the Tribunal may cancel the determination of the Commissioner.

(6)Any party to an appeal to the Tribunal under section 48 may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be—

(a)the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales,

(b)the Court of Session if that address is in Scotland, and

(c)the High Court of Justice in Northern Ireland if that address is in Northern Ireland.

(7)For the purposes of subsection (6)—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

50 Powers of entry and inspection.U.K.

Schedule 9 (powers of entry and inspection) has effect.

Part VIU.K. Miscellaneous and General

Functions of CommissionerF58U.K.

51 General duties of Commissioner.U.K.

(1)It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.

(2)The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.

(3)Where—

(a)the [F59 Secretary of State] so directs by order, or

(b)the Commissioner considers it appropriate to do so,

the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.

(4)The Commissioner shall also—

(a)where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and

(b)where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.

(5)An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.

(6)The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—

(a)any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,

(b)any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and

(c)such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.

(7)The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.

(8)The Commissioner may charge such sums as he may with the consent of the [F59 Secretary of State] determine for any services provided by the Commissioner by virtue of this Part.

(9)In this section—

  • good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

  • trade association” includes any body representing data controllers.

Textual Amendments

Commencement Information

I16S. 51 wholly in force at 1.3.2000; s. 51 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 51 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

52 Reports and codes of practice to be laid before Parliament.U.K.

(1)The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.

(2)The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

(3)The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F60 Secretary of State] , unless the code is included in any report laid under subsection (1) or (2).

Yn ddilys o 01/02/2010

[F6152AData-sharing codeU.K.

(1)The Commissioner must prepare a code of practice which contains—

(a)practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and

(b)such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

(2)For this purpose “good practice” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.

(3)Before a code is prepared under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—

(a)trade associations (within the meaning of section 51);

(b)data subjects;

(c)persons who appear to the Commissioner to represent the interests of data subjects.

(4)In this section a reference to the sharing of personal data is to the disclosure of the data by transmission, dissemination or otherwise making it available.

Textual Amendments

Yn ddilys o 01/02/2010

[F6152BData-sharing code: procedureU.K.

(1)When a code is prepared under section 52A, it must be submitted to the Secretary of State for approval.

(2)Approval may be withheld only if it appears to the Secretary of State that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation.

(3)The Secretary of State must—

(a)if approval is withheld, publish details of the reasons for withholding it;

(b)if approval is granted, lay the code before Parliament.

(4)If, within the 40-day period, either House of Parliament resolves not to approve the code, the code is not to be issued by the Commissioner.

(5)If no such resolution is made within that period, the Commissioner must issue the code.

(6)Where—

(a)the Secretary of State withholds approval, or

(b)such a resolution is passed,

the Commissioner must prepare another code of practice under section 52A.

(7)Subsection (4) does not prevent a new code being laid before Parliament.

(8)A code comes into force at the end of the period of 21 days beginning with the day on which it is issued.

(9)A code may include transitional provision or savings.

(10)In this section “the 40-day period” means the period of 40 days beginning with the day on which the code is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).

(11)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.]

Textual Amendments

Yn ddilys o 01/02/2010

[F6152CAlteration or replacement of data-sharing codeU.K.

(1)The Commissioner—

(a)must keep the data-sharing code under review, and

(b)may prepare an alteration to that code or a replacement code.

(2)Where, by virtue of a review under subsection (1)(a) or otherwise, the Commissioner becomes aware that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation, the Commissioner must exercise the power under subsection (1)(b) with a view to remedying the situation.

(3)Before an alteration or replacement code is prepared under subsection (1), the Commissioner must consult such of the following as the Commissioner considers appropriate—

(a)trade associations (within the meaning of section 51);

(b)data subjects;

(c)persons who appear to the Commissioner to represent the interests of data subjects.

(4)Section 52B (other than subsection (6)) applies to an alteration or replacement code prepared under this section as it applies to the code as first prepared under section 52A.

(5)In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).]

Textual Amendments

Yn ddilys o 01/02/2010

52DPublication of data-sharing codeU.K.

(1)The Commissioner must publish the code (and any replacement code) issued under section 52B(5).

(2)Where an alteration is so issued, the Commissioner must publish either—

(a)the alteration, or

(b)the code or replacement code as altered by it.

Textual Amendments

Yn ddilys o 01/02/2010

52EEffect of data-sharing codeU.K.

(1)A failure on the part of any person to act in accordance with any provision of the data-sharing code does not of itself render that person liable to any legal proceedings in any court or tribunal.

(2)The data-sharing code is admissible in evidence in any legal proceedings.

(3)If any provision of the data-sharing code appears to—

(a)the Tribunal or a court conducting any proceedings under this Act,

(b)a court or tribunal conducting any other legal proceedings, or

(c)the Commissioner carrying out any function under this Act,

to be relevant to any question arising in the proceedings, or in connection with the exercise of that jurisdiction or the carrying out of those functions, in relation to any time when it was in force, that provision of the code must be taken into account in determining that question.

(4)In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).]

Textual Amendments

53 Assistance by Commissioner in cases involving processing for the special purposes.U.K.

(1)An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) [F62, 12A(3)] or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.

(2)The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.

(3)If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.

(4)If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.

(5)In this section—

(a)references to “proceedings” include references to prospective proceedings, and

(b)applicant”, in relation to assistance under this section, means an individual who applies for assistance.

(6)Schedule 10 has effect for supplementing this section.

Textual Amendments

F62Words in s. 53(1) inserted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 72, Sch. 13 para. 4; S.I. 2000/183, art. 2(1)

54 International co-operation.U.K.

(1)The Commissioner—

(a)shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and

(b)shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive.

(2)The [F63 Secretary of State] may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.

(3)The [F63 Secretary of State] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—

(a)the exchange of information with supervisory authorities in other EEA States or with the European Commission, and

(b)the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order.

(4)The Commissioner shall also carry out any data protection functions which the [F63 Secretary of State] may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.

(5)The Commissioner shall, if so directed by the [F63 Secretary of State] , provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the [F63 Secretary of State] may direct or approve, on such terms (including terms as to payment) as the [F63 Secretary of State] may direct or approve.

(6)Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.

(7)The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—

(a)of any approvals granted for the purposes of paragraph 8 of Schedule 4, and

(b)of any authorisations granted for the purposes of paragraph 9 of that Schedule.

(8)In this section—

  • the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;

  • data protection functions” means functions relating to the protection of individuals with respect to the processing of personal information.

Textual Amendments

Commencement Information

I17S. 54 wholly in force at 1.3.2000; s. 54 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 54 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

[F5854AInspection of overseas information systemsU.K.

(1)The Commissioner may inspect any personal data recorded in—

(a)the Schengen information system,

(b)the Europol information system,

(c)the Customs information system.

(2)The power conferred by subsection (1) is exercisable only for the purpose of assessing whether or not any processing of the data has been or is being carried out in compliance with this Act.

(3)The power includes power to inspect, operate and test equipment which is used for the processing of personal data.

(4)Before exercising the power, the Commissioner must give notice in writing of his intention to do so to the data controller.

(5)But subsection (4) does not apply if the Commissioner considers that the case is one of urgency.

(6)Any person who—

(a)intentionally obstructs a person exercising the power conferred by subsection (1), or

(b)fails without reasonable excuse to give any person exercising the power any assistance he may reasonably require,

is guilty of an offence.

(7)In this section—

  • the Customs information system” means the information system established under Chapter II of the Convention on the Use of Information Technology for Customs Purposes,

  • the Europol information system” means the information system established under Title II of the Convention on the Establishment of a European Police Office,

  • the Schengen information system” means the information system established under Title IV of the Convention implementing the Schengen Agreement of 14th June 1985, or any system established in its place in pursuance of any Community obligation.]

Unlawful obtaining etc. of personal dataU.K.

55 Unlawful obtaining etc. of personal data.U.K.

(1)A person must not knowingly or recklessly, without the consent of the data controller—

(a)obtain or disclose personal data or the information contained in personal data, or

(b)procure the disclosure to another person of the information contained in personal data.

(2)Subsection (1) does not apply to a person who shows—

(a)that the obtaining, disclosing or procuring—

(i)was necessary for the purpose of preventing or detecting crime, or

(ii)was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b)that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c)that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d)that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3)A person who contravenes subsection (1) is guilty of an offence.

(4)A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5)A person who offers to sell personal data is guilty of an offence if—

(a)he has obtained the data in contravention of subsection (1), or

(b)he subsequently obtains the data in contravention of that subsection.

(6)For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7)Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8)References in this section to personal data do not include references to personal data which by virtue of section 28 [F64or 33A] are exempt from this section.

Textual Amendments

Yn ddilys o 01/10/2009

[F65Monetary penaltiesF66F67F68]U.K.

Textual Amendments

F65Ss. 55A - 55E and cross-heading inserted (1.10.2009 for certain purposes and 1.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n); S.I. 2010/712, art. 4

F66S. 55B inserted (1.10.2009 for certain purposes and 6.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n); S.I. 2010/712, art. 4

[F6955APower of Commissioner to impose monetary penaltyU.K.

(1)The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

(a)there has been a serious contravention of section 4(4) by the data controller,

(b)the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c)subsection (2) or (3) applies.

(2)This subsection applies if the contravention was deliberate.

(3)This subsection applies if the data controller—

(a)knew or ought to have known —

(i)that there was a risk that the contravention would occur, and

(ii)that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b)failed to take reasonable steps to prevent the contravention.

(4)A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

(5)The amount determined by the Commissioner must not exceed the prescribed amount.

(6)The monetary penalty must be paid to the Commissioner within the period specified in the notice.

(7)The notice must contain such information as may be prescribed.

(8)Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.

(9)In this section—

  • data controller” does not include the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3);

  • prescribed” means prescribed by regulations made by the Secretary of State.]

Textual Amendments

F69S. 55A inserted (1.10.2009 for certain purposes and 6.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n); S.I. 2010/712, art. 4

[F6655BMonetary penalty notices: procedural rightsU.K.

(1)Before serving a monetary penalty notice, the Commissioner must serve the data controller with a notice of intent.

(2)A notice of intent is a notice that the Commissioner proposes to serve a monetary penalty notice.

(3)A notice of intent must—

(a)inform the data controller that he may make written representations in relation to the Commissioner's proposal within a period specified in the notice, and

(b)contain such other information as may be prescribed.

(4)The Commissioner may not serve a monetary penalty notice until the time within which the data controller may make representations has expired.

(5)A person on whom a monetary penalty notice is served may appeal to the Tribunal against—

(a)the issue of the monetary penalty notice;

(b)the amount of the penalty specified in the notice.

(6)In this section, “prescribed” means prescribed by regulations made by the Secretary of State.]

[F6755CGuidance about monetary penalty noticesU.K.

(1)The Commissioner must prepare and issue guidance on how he proposes to exercise his functions under sections 55A and 55B.

(2)The guidance must, in particular, deal with—

(a)the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and

(b)how he will determine the amount of the penalty.

(3)The Commissioner may alter or replace the guidance.

(4)If the guidance is altered or replaced, the Commissioner must issue the altered or replacement guidance.

(5)The Commissioner may not issue guidance under this section without the approval of the Secretary of State.

(6)The Commissioner must lay any guidance issued under this section before each House of Parliament.

(7)The Commissioner must arrange for the publication of any guidance issued under this section in such form and manner as he considers appropriate.

(8)In subsections (5) to (7), “guidance” includes altered or replacement guidance.]

Yn ddilys o 01/04/2010

[F7055DMonetary penalty notices: enforcementU.K.

(1)This section applies in relation to any penalty payable to the Commissioner by virtue of section 55A.

(2)In England and Wales, the penalty is recoverable—

(a)if a county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.

(3)In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(4)In Northern Ireland, the penalty is recoverable—

(a)if a county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.]

[F6855ENotices under sections 55A and 55B: supplementalU.K.

(1)The Secretary of State may by order make further provision in connection with monetary penalty notices and notices of intent.

(2)An order under this section may in particular—

(a)provide that a monetary penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;

(b)make provision for the cancellation or variation of monetary penalty notices;

(c)confer rights of appeal to the Tribunal against decisions of the Commissioner in relation to the cancellation or variation of such notices;

(d)make provision for the proceedings of the Tribunal in respect of appeals under section 55B(5) or appeals made by virtue of paragraph (c);

(e)make provision for the determination of such appeals;

(f)confer rights of appeal against any decision of the Tribunal in relation to monetary penalty notices or their cancellation or variation.

(3)An order under this section may apply any provision of this Act with such modifications as may be specified in the order.

(4)An order under this section may amend this Act.]

Records obtained under data subject’s right of accessU.K.

56 Prohibition of requirement as to production of certain records.U.K.

(1)A person must not, in connection with—

(a)the recruitment of another person as an employee,

(b)the continued employment of another person, or

(c)any contract for the provision of services to him by another person,

require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.

(2)A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.

(3)Subsections (1) and (2) do not apply to a person who shows—

(a)that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court, or

(b)that in the particular circumstances the imposition of the requirement was justified as being in the public interest.

(4)Having regard to the provisions of Part V of the M9Police Act 1997 (certificates of criminal records etc.), the imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as being justified as being in the public interest on the ground that it would assist in the prevention or detection of crime.

(5)A person who contravenes subsection (1) or (2) is guilty of an offence.

(6)In this section “a relevant record” means any record which—

(a)has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7, and

(b)contains information relating to any matter specified in relation to that data controller in the second column,

and includes a copy of such a record or a part of such a record.

TABLE

Data controllerSubject-matter

1. Any of the following persons—

(a) a chief officer of police of a police force in England and Wales.

(b) a chief constable of a police force in Scotland.

(c) the Chief Constable of the Royal Ulster Constabulary.

(d) the Director General of the National Criminal Intelligence Service.

(e) the Director General of the National Crime Squad.

(a) Convictions.

(b) Cautions.

2. The Secretary of State.

(a) Convictions.

(b) Cautions.

(c) His functions under [F71section 92 of the Powers of Criminal Courts (Sentencing) Act 2000], section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995 or section 73 of the Children and Young Persons Act (Northern Ireland) 1968 in relation to any person sentenced to detention.

(d) His functions under the Prison Act 1952, the Prisons (Scotland) Act 1989 or the Prison Act (Northern Ireland) 1953 in relation to any person imprisoned or detained.

(e) His functions under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992 or the Jobseekers Act 1995.

(f) His functions under Part V of the Police Act 1997.

3. The Department of Health and Social Services for Northern Ireland.Its functions under the Social Security Contributions and Benefits (Northern Ireland) Act 1992, the Social Security Administration (Northern Ireland) Act 1992 or the Jobseekers (Northern Ireland) Order 1995.

[F72(6A)A record is not a relevant record to the extent that it relates, or is to relate, only to personal data falling within paragraph (e) of the definition of “data” in section 1(1).]

(7)In the Table in subsection (6)—

  • caution” means a caution given to any person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;

  • conviction” has the same meaning as in the M10Rehabilitation of Offenders Act 1974 or the M11Rehabilitation of Offenders (Northern Ireland) Order 1978.

(8)The [F73 Secretary of State] may by order amend—

(a)the Table in subsection (6), and

(b)subsection (7).

(9)For the purposes of this section a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.

(10)In this section “employee” means an individual who—

(a)works under a contract of employment, as defined by section 230(2) of the M12Employment Rights Act 1996, or

(b)holds any office,

whether or not he is entitled to remuneration; and “employment” shall be construed accordingly.

Textual Amendments

F71S. 56(6) Table: words in entry 2 substituted (25.8.2000) by 2000 c. 6, ss. 165, 168, Sch. 9 para. 191

F72S. 56(6A) inserted (1.1.2005) by 2000 c. 36, ss. 68(4), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

Commencement Information

I18S. 56 partly in force; s. 56 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 56 in force for specified purposes at 3.3.2011by S.I. 2011/601, art. 2

Marginal Citations

57 Avoidance of certain contractual terms relating to health records.U.K.

(1)Any term or condition of a contract is void in so far as it purports to require an individual—

(a)to supply any other person with a record to which this section applies, or with a copy of such a record or a part of such a record, or

(b)to produce to any other person such a record, copy or part.

(2)This section applies to any record which—

(a)has been or is to be obtained by a data subject in the exercise of the right conferred by section 7, and

(b)consists of the information contained in any health record as defined by section 68(2).

Information provided to Commissioner or TribunalU.K.

58 Disclosure of information.U.K.

No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Commissioner or the Tribunal with any information necessary for the discharge of their functions under this Act [F74or the Freedom of Information Act 2000].

Textual Amendments

F74Words in s. 58 inserted (30.11.2000) by 2000 c. 36, ss. 18(4), 87(1)(i), Sch. 2 Pt. II para. 18 (with ss. 7(1)(7), 56, 78)

Modifications etc. (not altering text)

C25S. 58 applied (with modifications) (1.3.2000) by S.I. 1999/2093. reg. 32(8)(b)

S. 58 applied (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), reg. 28(8)(c) (with regs. 4, 15(3), 28, 29)

59 Confidentiality of information.U.K.

(1)No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a)has been obtained by, or furnished to, the Commissioner under or for the purposes of [F75the information Acts],

(b)relates to an identified or identifiable individual or business, and

(c)is not at the time of the disclosure, and has not previously been, available to the public from other sources,

unless the disclosure is made with lawful authority.

(2)For the purposes of subsection (1) a disclosure of information is made with lawful authority only if, and to the extent that—

(a)the disclosure is made with the consent of the individual or of the person for the time being carrying on the business,

(b)the information was provided for the purpose of its being made available to the public (in whatever manner) under any provision of [F75the information Acts],

(c)the disclosure is made for the purposes of, and is necessary for, the discharge of—

(i)any functions under [F75the information Acts], or

(ii)any Community obligation,

(d)the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, [F75the information Acts] or otherwise, or

(e)having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.

(3)Any person who knowingly or recklessly discloses information in contravention of subsection (1) is guilty of an offence.

[F76(4)In this section “the information Acts” means this Act and the Freedom of Information Act 2000.]

Textual Amendments

Modifications etc. (not altering text)

C26S. 59(1): disclosure powers extended (14.12.2001) by 2001 c. 24, ss. 17, 127(2)(a), Sch. 4 Pt. I para. 42

General provisions relating to offencesU.K.

60 Prosecutions and penalties.U.K.

(1)No proceedings for an offence under this Act shall be instituted—

(a)in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;

(b)in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.

(2)A person guilty of an offence under any provision of this Act other than [F77section 54A and] paragraph 12 of Schedule 9 is liable—

(a)on summary conviction, to a fine not exceeding the statutory maximum, or

(b)on conviction on indictment, to a fine.

(3)A person guilty of an offence under [F78section 54A and] paragraph 12 of Schedule 9 is liable on summary conviction to a fine not exceeding level 5 on the standard scale.

(4)Subject to subsection (5), the court by or before which a person is convicted of—

(a)an offence under section 21(1), 22(6), 55 or 56,

(b)an offence under section 21(2) relating to processing which is assessable processing for the purposes of section 22, or

(c)an offence under section 47(1) relating to an enforcement notice,

may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

(5)The court shall not make an order under subsection (4) in relation to any material where a person (other than the offender) claiming to be the owner of or otherwise interested in the material applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.

Textual Amendments

F77Words in s. 60(2)(3) inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32), ss. 91, 94, Sch. 5 para. 70, S.I. 2004/786, {art. 3}

F78Words in s. 60(2)(3) inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32), ss. 91, 94, Sch. 5 para. 70, S.I. 2004/786, {art. 3}

61 Liability of directors etc.U.K.

(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

(2)Where the affairs of a body corporate are managed by its members subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.

(3)Where an offence under this Act has been committed by a Scottish partnership and the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner, he as well as the partnership shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.

Amendments of Consumer Credit Act 1974U.K.

62 Amendments of Consumer Credit Act 1974.U.K.

(1)In section 158 of the M13Consumer Credit Act 1974 (duty of agency to disclose filed information)—

(a)in subsection (1)—

(i)in paragraph (a) for “individual” there is substituted “ partnership or other unincorporated body of persons not consisting entirely of bodies corporate ”, and

(ii)for “him” there is substituted “ it ”,

(b)in subsection (2), for “his” there is substituted “ the consumer’s ”, and

(c)in subsection (3), for “him” there is substituted “ the consumer ”.

(2)In section 159 of that Act (correction of wrong information) for subsection (1) there is substituted—

(1)Any individual (the “objector”) given—

(a)information under section 7 of the Data Protection Act 1998 by a credit reference agency, or

(b)information under section 158,

who considers that an entry in his file is incorrect, and that if it is not corrected he is likely to be prejudiced, may give notice to the agency requiring it either to remove the entry from the file or amend it.

(3)In subsections (2) to (6) of that section—

(a)for “consumer”, wherever occurring, there is substituted “ objector ”, and

(b)for “Director”, wherever occurring, there is substituted “ the relevant authority ”.

(4)After subsection (6) of that section there is inserted—

(7)The Data Protection Commissioner may vary or revoke any order made by him under this section.

(8)In this section “the relevant authority” means—

(a)where the objector is a partnership or other unincorporated body of persons, the Director, and

(b)in any other case, the Data Protection Commissioner.

(5)In section 160 of that Act (alternative procedure for business consumers)—

(a)in subsection (4)—

(i)for “him” there is substituted “ to the consumer ”, and

(ii)in paragraphs (a) and (b) for “he” there is substituted “ the consumer ” and for “his” there is substituted “ the consumer’s ”, and

(b)after subsection (6) there is inserted—

(7)In this section “consumer” has the same meaning as in section 158.

Marginal Citations

GeneralU.K.

63 Application to Crown.U.K.

(1)This Act binds the Crown.

(2)For the purposes of this Act each government department shall be treated as a person separate from any other government department.

(3)Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by any person acting on behalf of the Royal Household, the Duchy of Lancaster or the Duchy of Cornwall, the data controller in respect of those data for the purposes of this Act shall be—

(a)in relation to the Royal Household, the Keeper of the Privy Purse,

(b)in relation to the Duchy of Lancaster, such person as the Chancellor of the Duchy appoints, and

(c)in relation to the Duchy of Cornwall, such person as the Duke of Cornwall, or the possessor for the time being of the Duchy of Cornwall, appoints.

(4)Different persons may be appointed under subsection (3)(b) or (c) for different purposes.

(5)Neither a government department nor a person who is a data controller by virtue of subsection (3) shall be liable to prosecution under this Act, but [F79sections 54A and] 55 and paragraph 12 of Schedule 9 shall apply to a person in the service of the Crown as they apply to any other person.

Textual Amendments

Modifications etc. (not altering text)

C27S. 63 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(c); S.I. 1999/3208, art. 2

[F8063A Application to Parliament.U.K.

(1)Subject to the following provisions of this section and to section 35A, this Act applies to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.

(2)Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Commons, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.

(3)Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Lords, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.

(4)Nothing in subsection (2) or (3) is to be taken to render the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act, but section 55 and paragraph 12 of Schedule 9 shall apply to a person acting on behalf of either House as they apply to any other person.]

Textual Amendments

64 Transmission of notices etc. by electronic or other means.U.K.

(1)This section applies to—

(a)a notice or request under any provision of Part II,

(b)a notice under subsection (1) of section 24 or particulars made available under that subsection, or

(c)an application under section 41(2),

but does not apply to anything which is required to be served in accordance with rules of court.

(2)The requirement that any notice, request, particulars or application to which this section applies should be in writing is satisfied where the text of the notice, request, particulars or application—

(a)is transmitted by electronic means,

(b)is received in legible form, and

(c)is capable of being used for subsequent reference.

(3)The [F81 Secretary of State] may by regulations provide that any requirement that any notice, request, particulars or application to which this section applies should be in writing is not to apply in such circumstances as may be prescribed by the regulations.

Textual Amendments

Commencement Information

I19S. 64 wholly in force at 1.3.2000; s. 64 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 64 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

65 Service of notices by Commissioner.U.K.

(1)Any notice authorised or required by this Act to be served on or given to any person by the Commissioner may—

(a)if that person is an individual, be served on him—

(i)by delivering it to him, or

(ii)by sending it to him by post addressed to him at his usual or last-known place of residence or business, or

(iii)by leaving it for him at that place;

(b)if that person is a body corporate or unincorporate, be served on that body—

(i)by sending it by post to the proper officer of the body at its principal office, or

(ii)by addressing it to the proper officer of the body and leaving it at that office;

(c)if that person is a partnership in Scotland, be served on that partnership—

(i)by sending it by post to the principal office of the partnership, or

(ii)by addressing it to that partnership and leaving it at that office.

(2)In subsection (1)(b) “principal office”, in relation to a registered company, means its registered office and “proper officer”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.

(3)This section is without prejudice to any other lawful method of serving or giving a notice.

66 Exercise of rights in Scotland by children.U.K.

(1)Where a question falls to be determined in Scotland as to the legal capacity of a person under the age of sixteen years to exercise any right conferred by any provision of this Act, that person shall be taken to have that capacity where he has a general understanding of what it means to exercise that right.

(2)Without prejudice to the generality of subsection (1), a person of twelve years of age or more shall be presumed to be of sufficient age and maturity to have such understanding as is mentioned in that subsection.

67 Orders, regulations and rules.U.K.

(1)Any power conferred by this Act on the [F82 Secretary of State] to make an order, regulations or rules shall be exercisable by statutory instrument.

(2)Any order, regulations or rules made by the [F82 Secretary of State] under this Act may—

(a)make different provision for different cases, and

(b)make such supplemental, incidental, consequential or transitional provision or savings as the [F82 Secretary of State] considers appropriate;

and nothing in section 7(11), 19(5), 26(1) or 30(4) limits the generality of paragraph (a).

(3)Before making—

(a)an order under any provision of this Act other than section 75(3),

(b)any regulations under this Act other than notification regulations (as defined by section 16(2)),

the [F82 Secretary of State] shall consult the Commissioner.

(4)A statutory instrument containing (whether alone or with other provisions) an order under—

  • section 10(2)(b),

  • section 12(5)(b),

  • section 22(1),

  • section 30,

  • section 32(3),

  • section 38,

  • section 56(8),

  • paragraph 10 of Schedule 3, or

  • paragraph 4 of Schedule 7,

shall not be made unless a draft of the instrument has been laid before and approved by a resolution of each House of Parliament.

(5)A statutory instrument which contains (whether alone or with other provisions)—

(a)an order under—

  • section 22(7),

  • section 23,

  • section 51(3),

  • section 54(2), (3) or (4),

  • paragraph 3, 4 or 14 of Part II of Schedule 1,

  • paragraph 6 of Schedule 2,

  • paragraph 2, 7 or 9 of Schedule 3,

  • paragraph 4 of Schedule 4,

  • paragraph 6 of Schedule 7,

(b)regulations under section 7 which—

(i)prescribe cases for the purposes of subsection (2)(b),

(ii)are made by virtue of subsection (7), or

(iii)relate to the definition of “the prescribed period”,

(c)regulations under section 8(1) [F83, 9(3) or 9A(5)],

(d)regulations under section 64,

(e)notification regulations (as defined by section 16(2)), or

(f)rules under paragraph 7 of Schedule 6,

and which is not subject to the requirement in subsection (4) that a draft of the instrument be laid before and approved by a resolution of each House of Parliament, shall be subject to annulment in pursuance of a resolution of either House of Parliament.

(6)A statutory instrument which contains only—

(a)regulations prescribing fees for the purposes of any provision of this Act, or

(b)regulations under section 7 prescribing fees for the purposes of any other enactment,

shall be laid before Parliament after being made.

Textual Amendments

F83Words in s. 67(5)(c) substituted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(3), 87(1)(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

Modifications etc. (not altering text)

C28S. 67(1)(2)(5)(f) applied (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), reg. 28(8)(d) (with regs. 4, 15(3), 28, 29)

68 Meaning of “accessible record”.U.K.

(1)In this Act “accessible record” means—

(a)a health record as defined by subsection (2),

(b)an educational record as defined by Schedule 11, or

(c)an accessible public record as defined by Schedule 12.

(2)In subsection (1)(a) “health record” means any record which—

(a)consists of information relating to the physical or mental health or condition of an individual, and

(b)has been made by or on behalf of a health professional in connection with the care of that individual.

69 Meaning of “health professional”.U.K.

(1)In this Act “health professional” means any of the following—

(a)a registered medical practitioner,

(b)a registered dentist as defined by section 53(1) of the M14Dentists Act 1984,

[F84(c)a registered dispensing optician or a registered optometrist within the meaning of the Opticians Act 1989,]

(d)a registered pharmaceutical chemist as defined by section 24(1) of the M15Pharmacy Act 1954 or a registered person as defined by Article 2(2) of the M16Pharmacy (Northern Ireland) Order 1976,

[F85(e)a registered nurse or midwife]

(f)a registered osteopath as defined by section 41 of the M17Osteopaths Act 1993,

(g)a registered chiropractor as defined by section 43 of the M18Chiropractors Act 1994,

(h)any person who is registered as a member of a profession to which [F86the Health Professions Order 2001] for the time being extends,

(i)a clinical psychologist [F87or child psychotherapist] ,

(j)F88. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(k)a scientist employed by such a body as head of a department.

(2)In subsection (1)(a) “registered medical practitioner” includes any person who is provisionally registered under section 15 or 21 of the M19Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.

(3)In subsection (1) “health service body” means—

(a)a [F89Strategic Health Authority or a] Health Authority established under section 8 of the M20National Health Service Act 1977,

(b)a Special Health Authority established under section 11 of that Act,

[F90(bb)a Primary Care Trust established under section 16A of that Act,]

[F91(bbb)a Local Health Board established under section 16BA of that Act,]

(c)a Health Board within the meaning of the M21National Health Service (Scotland) Act 1978,

(d)a Special Health Board within the meaning of that Act,

(e)the managers of a State Hospital provided under section 102 of that Act,

(f)a National Health Service trust first established under section 5 of the M22National Health Service and Community Care Act 1990 or section 12A of the National Health Service (Scotland) Act 1978,

[F92(fa)an NHS foundation trust;]

(g)a Health and Social Services Board established under Article 16 of the M23Health and Personal Social Services (Northern Ireland) Order 1972,

(h)a special health and social services agency established under the M24Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990, or

(i)a Health and Social Services trust established under Article 10 of the M25Health and Personal Social Services (Northern Ireland) Order 1991.

Textual Amendments

F84S. 69(1)(c) substituted by The Opticians Act 1989 (Amendment) Order 2005 (S.I. 2005/848), art. 28, Sch. 1 para. 12 (with art. 29, Sch. 2) (the amendment coming into force in accordance with art. 1(2)-(6))

F85S. 69(1)(e) substituted by The Nursing and Midwifery Order 2001 (S.I. 2002/253), art. 54(3), Sch. 5 para. 14 (with art. 3(18)) (the amendment coming into force in accordance with art. 1(2)(3) of the amending S.I.)

F86Words in s. 69(1)(h) substituted by The Health Professions Order 2001 (S.I. 2002/254), art. 48(3), Sch. 4 para. 7 (with art. 3(19)) (the amendment coming into force in accordance with art. 1(2)(3) of the amending S.I.)

F90S. 69(3)(bb) inserted (8.2.2000) by S.I. 2000/90, art. 3(1), Sch. 1 para. 33

Marginal Citations

70 Supplementary definitions.U.K.

(1)In this Act, unless the context otherwise requires—

  • business” includes any trade or profession;

  • the Commissioner” means [F93 the Information Commissioner];

  • credit reference agency” has the same meaning as in the M26Consumer Credit Act 1974;

  • the Data Protection Directive” means Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

  • EEA State” means a State which is a contracting party to the Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels on 17th March 1993;

  • enactment” includes an enactment passed after this Act [F94and any enactment comprised in, or in any instrument made under, an Act of the Scottish Parliament];

  • government department” includes a Northern Ireland department and any body or authority exercising statutory functions on behalf of the Crown;

  • Minister of the Crown” has the same meaning as in the Ministers of the M27Crown Act 1975;

  • public register” means any register which pursuant to a requirement imposed—

    (a)

    by or under any enactment, or

    (b)

    in pursuance of any international agreement,

    is open to public inspection or open to inspection by any person having a legitimate interest;

  • pupil”—

    (a)

    in relation to a school in England and Wales, means a registered pupil within the meaning of the M28Education Act 1996,

    (b)

    in relation to a school in Scotland, means a pupil within the meaning of the M29Education (Scotland) Act 1980, and

    (c)

    in relation to a school in Northern Ireland, means a registered pupil within the meaning of the M30Education and Libraries (Northern Ireland) Order 1986;

  • recipient”, in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;

  • registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom;

  • school”—

    (a)

    in relation to England and Wales, has the same meaning as in the Education Act 1996,

    (b)

    in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and

    (c)

    in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;

  • teacher” includes—

    (a)

    in Great Britain, head teacher, and

    (b)

    in Northern Ireland, the principal of a school;

  • third party”, in relation to personal data, means any person other than—

    (a)

    the data subject,

    (b)

    the data controller, or

    (c)

    any data processor or other person authorised to process data for the data controller or processor;

  • the Tribunal” means [F95the Information Tribunal]..

(2)For the purposes of this Act data are inaccurate if they are incorrect or misleading as to any matter of fact.

Textual Amendments

F93Words in s. 70(1) substituted (30.1.2001) by 2000 c. 36, ss. 18(4), 87(2)(c), Sch. 2 Pt. I para. 14(a) (with ss. 7(1)(7), 56, 78)

F94Words inserted (1.7.1999) in definition of “enactment” in s. 70(1) by S.I. 1999/1820, arts. 1(2), 4, Sch. 2 Pt. I para. 133; S.I. 1999/3178, art. 3

Marginal Citations

71 Index of defined expressions.U.K.

The following Table shows provisions defining or otherwise explaining expressions used in this Act (other than provisions defining or explaining an expression only used in the same section or Schedule)—

accessible recordsection 68
address (in Part III)section 16(3)
businesssection 70(1)
the Commissionersection 70(1)
credit reference agencysection 70(1)
datasection 1(1)
data controllersections 1(1) and (4) and 63(3)
data processorsection 1(1)
the Data Protection Directivesection 70(1)
data protection principlessection 4 and Schedule 1
data subjectsection 1(1)
disclosing (of personal data)section 1(2)(b)
EEA Statesection 70(1)
enactmentsection 70(1)
enforcement noticesection 40(1)
fees regulations (in Part III)section 16(2)
government departmentsection 70(1)
health professionalsection 69
inaccurate (in relation to data)section 70(2)
information noticesection 43(1)
Minister of the Crownsection 70(1)
the non-disclosure provisions (in Part IV)section 27(3)
notification regulations (in Part III)section 16(2)
obtaining (of personal data)section 1(2)(a)
personal datasection 1(1)
prescribed (in Part III)section 16(2)
processing (of information or data)section 1(1) and paragraph 5 of Schedule 8
[F96public authority section 1(1)]
public registersection 70(1)
publish (in relation to journalistic, literary or artistic material)section 32(6)
pupil (in relation to a school)section 70(1)
recipient (in relation to personal data)section 70(1)
recording (of personal data)section 1(2)(a)
registered companysection 70(1)
registrable particulars (in Part III)section 16(1)
relevant filing systemsection 1(1)
schoolsection 70(1)
sensitive personal datasection 2
special information noticesection 44(1)
the special purposessection 3
the subject information provisions (in Part IV)section 27(2)
teachersection 70(1)
third party (in relation to processing of personal data)section 70(1)
the Tribunalsection 70(1)
using (of personal data)section 1(2)(b).

Textual Amendments

F96S. 71 Table: entry inserted (1.1.2005) by 2000 c. 36, ss. 68(5), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

72 Modifications of Act.U.K.

During the period beginning with the commencement of this section and ending with 23rd October 2007, the provisions of this Act shall have effect subject to the modifications set out in Schedule 13.

73 Transitional provisions and savings.U.K.

Schedule 14 (which contains transitional provisions and savings) has effect.

74 Minor and consequential amendments and repeals and revocations.U.K.

(1)Schedule 15 (which contains minor and consequential amendments) has effect.

(2)The enactments and instruments specified in Schedule 16 are repealed or revoked to the extent specified.

75 Short title, commencement and extent.U.K.

(1)This Act may be cited as the Data Protection Act 1998.

(2)The following provisions of this Act—

(a)sections 1 to 3,

(b)section 25(1) and (4),

(c)section 26,

(d)sections 67 to 71,

(e)this section,

(f)paragraph 17 of Schedule 5,

(g)Schedule 11,

(h)Schedule 12, and

(i)so much of any other provision of this Act as confers any power to make subordinate legislation,

shall come into force on the day on which this Act is passed.

(3)The remaining provisions of this Act shall come into force on such day as the [F97 Secretary of State] may by order appoint; and different days may be appointed for different purposes.

(4)The day appointed under subsection (3) for the coming into force of section 56 must not be earlier than the first day on which sections 112, 113 and 115 of the M31Police Act 1997 (which provide for the issue by the Secretary of State of criminal conviction certificates, criminal record certificates and enhanced criminal record certificates) are all in force.

(5)Subject to subsection (6), this Act extends to Northern Ireland.

(6)Any amendment, repeal or revocation made by Schedule 15 or 16 has the same extent as that of the enactment or instrument to which it relates.

Subordinate Legislation Made

P1S. 75(3) power partly exercised:

1.3.2000 appointed by S.I. 2000/183, art. 2(1) (with art. 2(2))

7.7.2008 appointed by S.I. 2008/1592, art. 2

3.3.2011 appointed by S.I. 2011/601, art. 2

Textual Amendments

Marginal Citations

Yn ôl i’r brig

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open y Ddeddf Gyfan

Y Ddeddf Gyfan you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Mae deddfwriaeth ar gael mewn fersiynau gwahanol:

Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.

Gwreiddiol (Fel y’i Deddfwyd neu y’i Gwnaed): Mae'r wreiddiol fersiwn y ddeddfwriaeth fel ag yr oedd pan gafodd ei deddfu neu eu gwneud. Ni wnaed unrhyw newidiadau i’r testun.

Pwynt Penodol mewn Amser: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.

Close

Gweler y wybodaeth ychwanegol ochr yn ochr â’r cynnwys

Rhychwant ddaearyddol: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Dangos Llinell Amser Newidiadau: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Dewisiadau Agor

Dewisiadau gwahanol i agor deddfwriaeth er mwyn gweld rhagor o gynnwys ar y sgrin ar yr un pryd

Close

Rhagor o Adnoddau

Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • slipiau cywiro
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Close

Llinell Amser Newidiadau

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

Rhagor o Adnoddau

Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:

  • y PDF print gwreiddiol y fel deddfwyd fersiwn a ddefnyddiwyd am y copi print
  • slipiau cywiro

liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys

  • rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
  • manylion rhoi grym a newid cyffredinol
  • pob fformat o’r holl ddogfennau cysylltiedig
  • dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill