PART IPreliminary
1Definition of " data " and related expressions
(1)The following provisions shall have effect for the interpretation of this Act.
(2)" Data " means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.
(3)" Personal data " means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual.
(4)" Data subject" means an individual who is the subject of personal data.
(5)" Data user " means a person who holds data, and a person " holds " data if—
(a)the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (2) above ; and
(b)that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection ; and
(c)the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion.
(6)A person carries on a " computer bureau " if he provides other persons with services in respect of data, and a person provides such services if—
(a)as agent for other persons he causes data held by them to be processed as mentioned in subsection (2) above; or
(b)he allows other persons the use of equipment in his possession for the processing as mentioned in that subsection of data held by them.
(7)" Processing ", in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject.
(8)Subsection (7) above shall not be construed as applying to any operation performed only for the purpose of preparing the text of documents.
(9)"Disclosing", in relation to data, includes disclosing information extracted from the data ; and where the identification of the individual who is the subject of personal data depends partly on the information constituting the data and partly on other information in the possession of the data user, the data shall not be regarded as disclosed or transferred unless the other information is also disclosed or transferred.
2The data protection principles
(1)Subject to subsection (3) below, references in this Act to the data protection principles are to the principles set out in Part I of Schedule 1 to this Act; and those principles shall be interpreted in accordance with Part II of that Schedule.
(2)The first seven principles apply to personal data held by data users and the eighth applies both to such data and to personal data in respect of which services are provided by persons carrying on computer bureaux.
(3)The Secretary of State may by order modify or supplement those principles for the purpose of providing additional safeguards in relation to personal data consisting of information as to—
(a)the racial origin of the data subject;
(b)his political opinions or religious or other beliefs;
(c)his physical or mental health or his sexual life; or
(d)his criminal convictions;
and references in this Act to the data protection principles include, except where the context otherwise requires, references to any modified or additional principle having effect by virtue of an order under this subsection.
(4)An order under subsection (3) above may modify a principle either by modifying the principle itself or by modifying its interpretation; and where an order under that subsection modifies a principle or provides for an additional principle it may contain provisions for the interpretation of the modified or additional principle.
(5)An order under subsection (3) above modifying the third data protection principle may, to such extent as the Secretary of State thinks appropriate, exclude or modify in relation to that principle any exemption from the non-disclosure provisions which is contained in Part IV of this Act; and the exemptions from those provisions contained in that Part shall accordingly have effect subject to any order made by virtue of this subsection.
(6)An order under subsection (3) above may make different provision in relation to data consisting of information of different descriptions.
3The Registrar and the Tribunal
(1)For the purposes of this Act there shall be—
(a)an officer known as the Data Protection Registrar (in this Act referred to as " the Registrar "); and
(b)a tribunal known as the Data Protection Tribunal (in this Act referred to as " the Tribunal").
(2)The Registrar shall be appointed by Her Majesty by Letters Patent.
(3)The Tribunal shall consist of—
(a)a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate;
(b)such number of deputy chairmen appointed as aforesaid as the Lord Chancellor may determine; and
(c)such number of other members appointed by the Secretary of State as he may determine.
(4)The members of the Tribunal appointed under subsection (3)(a) and (b) above shall be barristers, advocates or solicitors, in each case of not less than seven years' standing.
(5)The members of the Tribunal appointed under subsection (3)(c) above shall be—
(a)persons to represent the interests of data users ; and
(b)persons to represent the interests of data subjects.
(6)Schedule 2 to this Act shall have effect in relation to the Registrar and the Tribunal.
PART IIRegistration and Supervision of Data Users and Computer Bureaux
Registration
4Registration of data users and computer bureaux
(1)The Registrar shall maintain a register of data users who hold, and of persons carrying on computer bureaux who provide services in respect of, personal data and shall make an entry in the register in pursuance of each application for registration accepted by him under this Part of this Act.
(2)Each entry shall state whether it is in respect of a data user, of a person carrying on a computer bureau or of a data user who also carries on such a bureau.
(3)Subject to the provisions of this section, an entry in respect of a data user shall consist of the following particulars—
(a)the name and address of the data user ;
(b)a description of the personal data to be held by him and of the purpose or purposes for which the data are to be held or used ;
(c)a description of the source or sources from which he intends or may wish to obtain the data or the information to be contained in the data ;
(d)a description of any person or persons to whom he intends or may wish to disclose the data ;
(e)the names or a description of any countries or territories outside the United Kingdom to which he intends or may wish directly or indirectly to transfer the data ; and
(f)one or more addresses for the receipt of requests from data subjects for access to the data.
(4)Subject to the provisions of this section, an entry in respect of a person carrying on a computer bureau shall consist of that person's name and address.
(5)Subject to the provisions of this section, an entry in respect of a data user who also carries on a computer bureau shall consist of his name and address and, as respects the personal data to be held by him, the particulars specified in subsection (3)(b) to (f) above.
(6)In the case of a registered company the address referred to in subsections (3)(a), (4) and (5) above is that of its registered office, and the particulars to be included in the entry shall include the company's number in the register of companies.
(7)In the case of a person (other than a registered company) carrying on a business the address referred to in subsections (3)(a), (4) and (5) above is that of his principal place of business.
(8)The Secretary of State may by order vary the particulars to be included in entries made in the register.
5Prohibition of unregistered holding etc. of personal data
(1)A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries on a computer bureau, is for the time being contained in the register.
(2)A person in respect of whom such an entry is contained in the register shall not—
(a)hold personal data of any description other than that specified in the entry :
(b)hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry ;
(c)obtain such data, or information to be contained in such data, to be held by him from any source which is not described in the entry ;
(d)disclose such data held by him to any person who is not described in the entry ; or
(e)directly or indirectly transfer such data held by him to any country or territory outside the United Kingdom other than one named or described in the entry.
(3)A servant or agent of a person to whom subsection (2) above applies shall, as respects personal data held by that person, be subject to the same restrictions on the use, disclosure or transfer of the data as those to which that person is subject under paragraphs (b), (d) and (e) of that subsection and, as respects personal data to be held by that person, to the same restrictions as those to which he is subject under paragraph (c) of that subsection.
(4)A person shall not, in carrying on a computer bureau, provide services in respect of personal data unless an entry in respect of that person as a person carrying on such a bureau, or as a data user who also carries on such a bureau, is for the time being contained in the register.
(5)Any person who contravenes subsection (1) above or knowingly or recklessly contravenes any of the other provisions of this section shall be guilty of an offence.
6Applications for registration and for amendment of registered particulars
(1)A person applying for registration shall state whether he wishes to be registered as a data user, as a person carrying on a computer bureau or as a data user who also carries on such a bureau, and shall furnish the Registrar, in such form as he may require, with the particulars required to be included in the entry to be made in pursuance of the application.
(2)Where a person intends to hold personal data for two or more purposes he may make separate applications for registration in respect of any of those purposes.
(3)A registered person may at any time apply to the Registrar for the alteration of any particulars included in the entry or entries relating to that person.
(4)Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may, instead of making an application under subsection (3) above, make a fresh application for registration in respect of the additional purpose.
(5)A registered person shall make an application under subsection (3) above whenever necessary for ensuring that the entry or entries relating to that person contain his current address; and any person who fails to comply with this subsection shall be guilty of an offence.
(6)Any person who, in connection with an application for registration or for the alteration of registered particulars, knowingly or recklessly furnishes the Registrar with information which is false or misleading in a material respect shall be guilty of an offence.
(7)Every application for registration shall be accompanied by the prescribed fee, and every application for the alteration of registered particulars shall be accompanied by such fee, if any, as may be prescribed.
(8)Any application for registration or for the alteration of registered particulars may be withdrawn by notice in writing to the Registrar at any time before the applicant receives a notification in respect of the application under section 7(1) below.
7Acceptance and refusal of applications
(1)Subject to the provisions of this section, the Registrar shall as soon as practicable and in any case within the period of six months after receiving an application for registration or for the alteration of registered particulars notify the applicant in writing whether his application has been accepted or refused; and where the Registrar notifies an applicant that his application has been accepted the notification shall contain a statement of—
(a)the particulars entered in the register, or the alteration made, in pursuance of the application ; and
(b)the date on which the particulars were entered or the alteration was made.
(2)The Registrar shall not refuse an application made in accordance with section 6 above unless—
(a)he considers that the particulars proposed for registration or, as the case may be, the particulars that would result from the proposed alteration, will not give sufficient information as to the matters to which they relate ; or
(b)he is satisfied that the applicant is likely to contravene any of the data protection principles ; or
(c)he considers that the information available to him is insufficient to satisfy him that the applicant is unlikely to contravene any of those principles.
(3)Subsection (2)(a) above shall not be construed as precluding the acceptance by the Registrar of particulars expressed in general terms in cases where that is appropriate, and the Registrar shall accept particulars expressed in such terms in any case in which he is satisfied that more specific particulars would be likely to prejudice the purpose or purposes for which the data are to be held.
(4)Where the Registrar refuses an application under this section he shall give his reasons and inform the applicant of the rights of appeal conferred by section 13 below.
(5)If in any case it appears to the Registrar that an application needs more consideration than can be given to it in the period mentioned in subsection (1) above he shall as soon as practicable and in any case before the end of that period notify the applicant in writing to that effect; and in that event no notification need be given under that subsection until after the end of that period.
(6)Subject to subsection (8) below, a person who has made an application in accordance with section 6 above shall—
(a)until he receives a notification in respect of it under subsection (1) above or the application is withdrawn; and
(b)if he receives a notification under that subsection of the refusal of his application, until the end of the period within which an appeal can be brought against the refusal and, if an appeal is brought, until the determination or withdrawal of the appeal,
be treated for the purposes of section 5 above as if his application had been accepted and the particulars contained in it had been entered in the register or, as the case may be, the alteration requested in the application had been made on the date on which the application was made.
(7)If by reason of special circumstances the Registrar considers that a refusal notified by him to an applicant under subsection (1) above should take effect as a matter of urgency he may include a statement to that effect in the notification of the refusal; and in that event subsection (6)(b) above shall have effect as if for the words from " the period " onwards there were substituted the words " the period of seven days beginning with the date on which that notification is received ".
(8)Subsection (6) above shall not apply to an application made by any person if in the previous two years—
(a)an application by that person has been refused under this section; or
(b)all or any of the particulars constituting an entry contained in the register in respect of that person have been removed in pursuance of a de-registration notice;
but in the case of any such application subsection (1) above shall apply as if for the reference to six months there were substituted a reference to two months and, where the Registrar gives a notification under subsection (5) above in respect of any such application, subsection (6) above shall apply to it as if for the reference to the date on which the application was made there were substituted a reference to the date on which that notification is received.
(9)For the purposes of subsection (6) above an application shall be treated as made or withdrawn—
(a)if the application or notice of withdrawal is sent by registered post or the recorded delivery service, on the date on which it is received for dispatch by the Post Office;
(b)in any other case, on the date on which it is received by the Registrar;
and for the purposes of subsection (8)(a) above an application shall not be treated as having been refused so long as an appeal against the refusal can be brought, while such an appeal is pending or if such an appeal has been allowed.
8Duration and renewal of registration
(1)No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal application made to the Registrar in accordance with this section.
(2)Subject to subsection (3) below, the initial period of registration and the period for which an entry is to be retained in pursuance of a renewal application (" the renewal period ") shall be such period (not being less than three years) as may be prescribed beginning with the date on which the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the renewal application had not been made.
(3)The person making an application for registration or a renewal application may in his application specify as the initial period of registration or, as the case may be, as the renewal period, a period shorter than that prescribed, being a period consisting of one or more complete years.
(4)Where the Registrar notifies an applicant for registration that his application has been accepted the notification shall include a statement of the date when the initial period of registration will expire.
(5)Every renewal application shall be accompanied by the prescribed fee, and no such application shall be made except in the period of six months ending with the expiration of—
(a)the initial period of registration; or
(b)if there have been one or more previous renewal applications, the current renewal period.
(6)Any renewal application may be sent by post, and the Registrar shall acknowledge its receipt and notify the applicant in writing of the date until which the entry in question will be retained in the register in pursuance of the application.
(7)Without prejudice to the foregoing provisions of this section, the Registrar may at any time remove an entry from the register at the request of the person to whom the entry relates.
9Inspection etc. of registered particulars
(1)The Registrar shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge.
(2)The Registrar shall, on payment of such fee, if any, as may be prescribed, supply any member of the public with a duly certified copy in writing of the particulars contained in the entry made in the register in pursuance of any application for registration.
Supervision
10Enforcement notices
(1)If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may serve him with a notice (" an enforcement notice ") requiring him to take, within such time as is specified in the notice, such steps as are so specified for complying with the principle or principles in question.
(2)In deciding whether to serve an enforcement notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress.
(3)An enforcement notice in respect of a contravention of the fifth data protection principle may require the data user—
(a)to rectify or erase the data and any other data held by him and containing an expression of opinion which appears to the Registrar to be based on the inaccurate data; or
(b)in the case of such data as are mentioned in subsection (2) of section 22 below, either to take the steps mentioned in paragraph (a) above or to take such steps as are specified in the notice for securing compliance with the requirements specified in that subsection and, if the Registrar thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Registrar may approve.
(4)The Registrar shall not serve an enforcement notice requiring the person served with the notice to take steps for complying with paragraph (a) of the seventh data protection principle in respect of any data subject unless satisfied that the person has contravened section 21 below by failing to supply information to which the data subject is entitled and which has been duly requested in accordance with that section.
(5)An enforcement notice shall contain—
(a)a statement of the principle or principles which the Registrar is satisfied have been or are being contravened and his reasons for reaching that conclusion; and
(b)particulars of the rights of appeal conferred by section 13 below.
(6)Subject to subsection (7) below, the time specified in an enforcement notice for taking the steps which it requires shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, those steps need not be taken pending the determination or withdrawal of the appeal.
(7)If by reason of special circumstances the Registrar considers that the steps required by an enforcement notice should be taken as a matter of urgency he may include a statement to that effect in the notice; and in that event subsection (6) above shall not apply but the notice shall not require the steps to be taken before the end of the period of seven days beginning with the date on which the notice is served.
(8)The Registrar may cancel an enforcement notice by written notification to the person on whom it was served.
(9)Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.
11De-registration notices
(1)If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may—
(a)serve him with a notice (" a de-registration notice ") stating that he proposes, at the expiration of such period as is specified in the notice, to remove from the register all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person ; and
(b)subject to the provisions of this section, remove those particulars from the register at the expiration of that period.
(2)In deciding whether to serve a de-registration notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the Registrar shall not serve such a notice unless he is satisfied that compliance with the principle or principles in question cannot be adequately secured by the service of an enforcement notice.
(3)A de-registration notice shall contain—
(a)a statement of the principle or principles which the Registrar is satisfied have been or are being contravened and his reasons for reaching that conclusion and deciding that compliance cannot be adequately secured by the service of an enforcement notice; and
(b)particulars of the rights of appeal conferred by section 13 below.
(4)Subject to subsection (5) below, the period specified hi a de-registration notice pursuant to subsection (1)(a) above shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the particulars shall not be removed pending the determination or withdrawal of the appeal.
(5)If by reason of special circumstances the Registrar considers that any particulars should be removed from the register as a matter of urgency he may include a statement to that effect in the de-registration notice; and in that event subsection (4) above shall not apply but the particulars shall not be removed before the end of the period of seven days beginning with the date on which the notice is served.
(6)The Registrar may cancel a de-registration notice by written notification to the person on whom it was served.
(7)References in this section to removing any particulars include references to restricting any description which forms part of any particulars.
12Transfer prohibition notices
(1)If it appears to the Registrar that—
(a)a person registered as a data user or as a data user who also carries on a computer bureau ; or
(b)a person treated as so registered by virtue of section 7(6) above,
proposes to transfer personal data held by him to a place outside the United Kingdom, the Registrar may, if satisfied as to the matters mentioned in subsection (2) or (3) below, serve that person with a notice (" a transfer prohibition notice ") prohibiting him from transferring the data either absolutely or until he has taken such steps as are specified in the notice for protecting the interests of the data subjects in question.
(2)Where the place to which the data are to be transferred is not in a State bound by the European Convention the Registrar must be satisfied that the transfer is likely to contravene, or lead to a contravention of, any of the data protection principles.
(3)Where the place to which the data are to be transferred is in a State bound by the European Convention the Registrar must be satisfied either—
(a)that—
(i)the person in question intends to give instructions for the further transfer of the data to a place which is not in such a State ; and
(ii)that the further transfer is likely to contravene, or lead to a contravention of, any of the data protection principles; or
(b)in the case of data to which an order under section 2(3) above applies, that the transfer is likely to contravene or lead to a contravention of, any of the data protection principles as they have effect in relation to such data.
(4)In deciding whether to serve a transfer prohibition notice the Registrar shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between the United Kingdom and other states and territories.
(5)A transfer prohibition notice shall specify the time when it is to take effect and contain—
(a)a statement of the principle or principles which the Registrar is satisfied are likely to be contravened and his reasons for reaching that conclusion ; and
(b)particulars of the rights of appeal conferred by section 13 below.
(6)Subject to subsection (7) below, the time specified in a transfer prohibition notice pursuant to subsection (5) above shall not be before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice shall not take effect pending the determination or withdrawal of the appeal.
(7)If by reason of special circumstances the Registrar considers that the prohibition should take effect as a matter of urgency he may include a statement to that effect in the transfer prohibition notice; and in that event subsection (6) above shall not apply but the notice shall not take effect before the end of the period of seven days beginning with the date on which the notice is served.
(8)The Registrar may cancel a transfer prohibition notice by written notification to the person on whom it was served.
(9)No transfer prohibition notice shall prohibit the transfer of any data where the transfer of the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the United Kingdom.
(10)Any person who contravenes a transfer prohibition notice shall be guilty of an offence; but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to avoid a contravention of the notice in question.
(11)For the purposes of this section a place shall be treated as in a State bound by the European Convention if it is in any territory in respect of which the State is bound.
Appeals
13Rights of appeal
(1)A person may appeal to the Tribunal against—
(a)any refusal by the Registrar of an application by that person for registration or for the alteration of registered particulars;
(b)any enforcement notice, de-registration notice or transfer prohibition notice with which that person has been served.
(2)Where a notification that an application has been refused contains a statement by the Registrar in accordance with section 7(7) above, then, whether or not the applicant appeals under paragraph (a) of subsection (1) above, he may appeal against the Registrar's decision to include that statement in the notification.
(3)Where any such notice as is mentioned in paragraph (b) of subsection (1) above contains a statement by the Registrar in accordance with section 10(7), 11(5) or 12(7) above, then, whether or not the person served with the notice appeals under that paragraph, he may appeal against the Registrar's decision to include that statement in the notice or against the effect of the inclusion of the statement as respects any part of the notice.
(4)Schedule 3 to this Act shall have effect in relation to appeals under this section and to the proceedings of the Tribunal in respect of any such appeal.
14Determination of appeals
(1)If on an appeal under section 13(1) above the Tribunal considers—
(a)that the refusal or notice against which the appeal is brought is not in accordance with the law ; or
(b)to the extent that the refusal or notice involved an exercise of discretion by the Registrar, that he ought to have exercised his discretion differently,
the Tribunal shall allow the appeal or substitute such other decision or notice as could have been made or served by the Registrar ; and in any other case the Tribunal shall dismiss the appeal.
(2)The Tribunal may review any determination of fact on which the refusal or notice in question was based.
(3)On an appeal under subsection (2) of section 13 above the Tribunal may direct that the notification of the refusal shall be treated as if it did not contain any such statement as is mentioned in that subsection.
(4)On an appeal under subsection (3) of section 13 above the Tribunal may direct that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection or that the inclusion of the statement shall not have effect in relation to any part of the notice and may make such modifications in the notice as may be required for giving effect to the direction.
(5)Any party to an appeal to the Tribunal may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be—
(a)the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales ;
(b)the Court of Session if that address is in Scotland; and
(c)the High Court of Justice in Northern Ireland if that address is in Northern Ireland.
(6)In subsection (5) above references to the address of the appellant before the Tribunal are to his address as included or proposed for inclusion in the register.
Miscellaneous and supplementary
15Unauthorised disclosure by computer bureau
(1)Personal data in respect of which services are provided by a person carrying on a computer bureau shall not be disclosed by him without the prior authority of the person for whom those services are provided.
(2)Subsection (1) above applies also to any servant or agent of a person carrying on a computer bureau.
(3)Any person who knowingly or recklessly contravenes this section shall be guilty of an offence.
16Powers of entry and inspection
Schedule 4 to this Act shall have effect for the detection of offences under this Act and contraventions of the data protection principles.
17Disclosure of information
(1)No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Registrar or the Tribunal with any information necessary for the discharge of their functions under this Act.
(2)For the purposes of section 2 of the [1911 c. 28.] Official Secrets Act 1911 (wrongful communication of information)—
(a)the Registrar and his officers and servants ;
(b)the members of the Tribunal; and
(c)any officers or servants of the Tribunal who are not in the service of the Crown,
shall be deemed to hold office under Her Majesty.
(3)The said section 2 shall not be construed as precluding the disclosure of information by any person mentioned in subsection (2)(a) or (b) above or by any officer or servant of the Tribunal where the disclosure is made for the purpose of discharging his duties under this Act or for the purpose of proceedings under or arising out of this Act, including proceedings before the Tribunal.
18Service of notices
(1)Any notice or notification authorised or required by this Act to be served on or given to any person by the Registrar may—
(a)if that person is an individual, be served on him—
(i)by delivering it to him; or
(ii)by sending it to him by post addressed to him at his usual or last-known place of residence or business; or
(iii)by leaving it for him at that place;
(b)if that person is a body corporate or unincorporate, be served on that body—
(i)by sending it by post to the proper officer of the body at its principal office; or
(ii)by addressing it to the proper officer of the body and leaving it at that office.
(2)In subsection (1)(b) above " principal office ", in relation to a registered company, means its registered office and " proper officer ", in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.
(3)This section is without prejudice to any other lawful method of serving or giving a notice or notification.
19Prosecutions and penalties
(1)No proceedings for an offence under this Act shall be instituted—
(a)in England or Wales except by the Registrar or by or with the consent of the Director of Public Prosecutions ;
(b)in Northern Ireland except by the Registrar or by or with the consent of the Director of Public Prosecutions for Northern Ireland.
(2)A person guilty of an offence under any provision of this Act other than section 6 or paragraph 12 of Schedule 4 shall be liable—
(a)on conviction on indictment, to a fine; or
(b)on summary conviction, to a fine not exceeding the statutory maximum (as defined in section 74 of the [1982 c. 48.] Criminal Justice Act 1982).
(3)A person guilty of an offence under section 6 above or the said paragraph 12 shall be liable on summary conviction to a fine not exceeding the fifth level on the standard scale (as defined in section 75 of the said Act of 1982).
(4)Subject to subsection (5) below, the court by or before which a person is convicted of an offence under section 5, 10, 12 or 15 above may order any data material appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.
(5)The court shall not make an order under subsection (4) above in relation to any material where a person (other than the offender) claiming to be the owner or otherwise interested in it applies to be heard by the court unless an opportunity is given to him to show cause why the order should not be made.
20Liability of directors etc.
(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
(2)Where the affairs of a body corporate are managed by its members subsection (1) above shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
PART IIIRights of Data Subjects
21Right of access to personal data
(1)Subject to the provisions of this section, an individual shall be entitled—
(a)to be informed by any data user whether the data held by him include personal data of which that individual is the data subject; and
(b)to be supplied by any data user with a copy of the information constituting any such personal data held by him;
and where any of the information referred to in paragraph (b) above is expressed in terms which are not intelligible without explanation the information shall be accompanied by an explanation of those terms.
(2)A data user shall not be obliged to supply any information under subsection (1) above except in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require ; but a request for information under both paragraphs of that subsection shall be treated as a single request and a request for information under paragraph (a) shall, in the absence of any indication to the contrary, be treated as extending also to information under paragraph (b).
(3)In the case of a data user having separate entries in the register in respect of data held for different purposes a separate request must be made and a separate fee paid under this section in respect of the data to which each entry relates.
(4)A data user shall not be obliged to comply with a request under this section—
(a)unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which he seeks ; and
(b)if he cannot comply with the request without disclosing information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.
(5)In paragraph (b) of subsection (4) above the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that paragraph shall not be construed as excusing a data user from supplying so much of the information sought by the request as can be supplied without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6)A data user shall comply with a request under this section within forty days of receiving the request or, if later, receiving the information referred to in paragraph (a) of subsection (4) above and, in a case where it is required, the consent referred to in paragraph (b) of that subsection.
(7)The information to be supplied pursuant to a request under this section shall be supplied by reference to the data in question at the time when the request is received except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
(8)If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data user in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request; but a court shall not make an order under this subsection if it considers that it would in all the circumstances be unreasonable to do so, whether because of the frequency with which the applicant has made requests to the data user under those provisions or for any other reason.
(9)The Secretary of State may by order provide for enabling a request under this section to be made on behalf of any individual who is incapable by reason of mental disorder of managing his own affairs.
22Compensation for inaccuracy
(1)An individual who is the subject of personal data held by a data user and who suffers damage by reason of the inaccuracy of the data shall be entitled to compensation from the data user for that damage and for any distress which the individual has suffered by reason of the inaccuracy.
(2)In the case of data which accurately record information received or obtained by the data user from the data subject or a third party, subsection (1) above does not apply if the following requirements have been complied with—
(a)the data indicate that the information was received or obtained as aforesaid or the information has not been extracted from the data except in a form which includes an indication to that effect; and
(b)if the data subject has notified the data user that he regards the information as incorrect or misleading, an indication to that effect has been included in the data or the information has not been extracted from the data except in a form which includes an indication to that effect.
(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to ensure the accuracy of the data at the material time.
(4)Data are inaccurate for the purposes of this section if incorrect or misleading as to any matter of fact.
23Compensation for loss or unauthorised disclosure
(1)An individual who is the subject of personal data held by a data user or in respect of which services are provided by a person carrying on a computer bureau and who suffers damage by reason of—
(a)the loss of the data ;
(b)the destruction of the data without the authority of the data user or, as the case may be, of the person carrying on the bureau; or
(c)subject to subsection (2) below, the disclosure of the data, or access having been obtained to the data, without such authority as aforesaid,
shall be entitled to compensation from the data user or, as the case may be, the person carrying on the bureau for that damage and for any distress which the individual has suffered by reason of the loss, destruction, disclosure or access.
(2)In the case of a registered data user, subsection (1)(c) above does not apply to disclosure to, or access by, any person falling within a description specified pursuant to section 4(3)(d) above in an entry in the register relating to that data user.
(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to prevent the loss, destruction, disclosure or access in question.
24Rectification and erasure
(1)If a court is satisfied on the application of a data subject that personal data held by a data user of which the applicant is the subject are inaccurate within the meaning of section 22 above, the court may order the rectification or erasure of the data and of any data held by the data user and containing an expression of opinion which appears to the court to be based on the inaccurate data.
(2)Subsection (1) above applies whether or not the data accurately record information received or obtained by the data user from the data subject or a third party but where the data accurately record such information, then—
(a)if the requirements mentioned in section 22(2) above have been complied with, the court may, instead of making an order under subsection (1) above, make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve ; and
(b)if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a) above.
(3)If a court is satisfied on the application of a data subject—
(a)that he has suffered damage by reason of the disclosure of personal data, or of access having been obtained to personal data, in circumstances entitling him to compensation under section 23 above ; and
(b)that there is a substantial risk of further disclosure of or access to the data without such authority as is mentioned in that section,
the court may order the erasure of the data; but, in the case of data in respect of which services were being provided by a person carrying on a computer bureau, the court shall not make such an order unless such steps as are reasonably practicable have been taken for notifying the person for whom those services were provided and giving him an opportunity to be heard.
25Jurisdiction and procedure
(1)The jurisdiction conferred by sections 21 and 24 above shall be exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.
(2)For the purpose of determining any question whether an applicant under subsection (8) of section 21 above is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV of this Act) a court may require the information constituting any data held by the data user to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.
PART IVExemptions
26Preliminary
(1)References in any provision of Part II or III of this Act to personal data do not include references to data which by virtue of this Part of this Act are exempt from that provision.
(2)In this Part of this Act " the subject access provisions " means—
(a)section 21 above; and
(b)any provision of Part II of this Act conferring a power on the Registrar to the extent to which it is exercisable by reference to paragraph (a) of the seventh data protection principle.
(3)In this Part of this Act " the non-disclosure provisions " means—
(a)sections 5(2)(d) and 15 above; and
(b)any provision of Part II of this Act conferring a power on the Registrar to the extent to which it is exercisable by reference to any data protection principle inconsistent with the disclosure in question.
(4)Except as provided by this Part of this Act the subject access provisions shall apply notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.
27National security
(1)Personal data are exempt from the provisions of Part II of this Act and of sections 21 to 24 above if the exemption is required for the purpose of safeguarding national security.
(2)Any question whether the exemption mentioned in subsection (1) above is or at any time was required for the purpose there mentioned in respect of any personal data shall be determined by a Minister of the Crown ; and a certificate signed by a Minister of the Crown certifying that the exemption is or at any time was so required shall be conclusive evidence of that fact.
(3)Personal data which are not exempt under subsection (1) above are exempt from the non-disclosure provisions in any case in which the disclosure of the data is for the purpose of safeguarding national security.
(4)For the purposes of subsection (3) above a certificate signed by a Minister of the Crown certifying that personal data are or have been disclosed for the purpose mentioned in that subsection shall be conclusive evidence of that fact.
(5)A document purporting to be such a certificate as is mentioned in this section shall be received in evidence and deemed to be such a certificate unless the contrary is proved.
(6)The powers conferred by this section on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.
28Crime and taxation
(1)Personal data held for any of the following purposes—
(a)the prevention or detection of crime ;
(b)the apprehension or prosecution of offenders ; or
(c)the assessment or collection of any tax or duty,
are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2)Personal data which—
(a)are held for the purpose of discharging statutory functions ; and
(b)consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1) above,
are exempt from the subject access provisions to the same extent as personal data held for any of the purposes mentioned in that subsection.
(3)Personal data are exempt from the non-disclosure provisions in any case in which—
(a)the disclosure is for any of the purposes mentioned in subsection (1) above ; and
(b)the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection ;
and in proceedings against any person for contravening a provision mentioned in section 26(3)(a) above it shall be a defence to prove that he had reasonable grounds for believing that failure to make the disclosure in question would have been likely to prejudice any of those matters.
(4)Personal data are exempt from the provisions of Part II of this Act conferring powers on the Registrar, to the extent to which they are exercisable by reference to the first data protection principle, in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in subsection (1) above.
29Health and social work
(1)The Secretary of State may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health of the data subject.
(2)The Secretary of State may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information—
(a)held by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order ; and
(b)appearing to him to be held for, or acquired in the course of, carrying out social work in relation to the data subject or other individuals ;
but the Secretary of State shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
(3)An order under this section may make different provision in relation to data consisting of information of different descriptions.
30Regulation of financial services etc.
(1)Personal data held for the purpose of discharging statutory functions to which this section applies are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
(2)This section applies to any functions designated for the purposes of this section by an order made by the Secretary of State, being functions conferred by or under any enactment appearing to him to be designed for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of banking,' insurance, investment or other financial services or in the management of companies or to the conduct of discharged or undischarged bankrupts.
31Judicial appointments and legal professional privilege
(1)Personal data held by a government department are exempt from the subject access provisions if the data consist of information which has been received from a third party and is held as information relevant to the making of judicial appointments.
(2)Personal data are exempt from the subject access provisions if the data consist of information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality as between client and professional legal adviser) could be maintained in legal proceedings.
32Payrolls and accounts
(1)Subject to subsection (2) below, personal data held by a data user only for one or more of the following purposes—
(a)calculating amounts payable by way of remuneration or pensions in respect of service in any employment or office or making payments of, or of sums deducted from, such remuneration or pensions ; or
(b)keeping accounts relating to any business or other activity carried on by the data user or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments are made by or to him in respect of those transactions or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity,
are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.
(2)It shall be a condition of the exemption of any data under this section that the data are not used for any purpose other than the purpose or purposes for which they are held and are not disclosed except as permitted by subsections (3) and (4) below; but the exemption shall not be lost by any use or disclosure in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances was reasonably required.
(3)Data held only for one or more of the purposes mentioned in subsection (1)(a) above may be disclosed—
(a)to any person, other than the data user, by whom the remuneration or pensions in question are payable ;
(b)for the purpose of obtaining actuarial advice;
(c)for the purpose of giving information as to the persons in any employment or office for use in medical research into the health of, or injuries suffered by, persons engaged in particular occupations or working in particular places or areas;
(d)if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made ; or
(e)if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (d) above.
(4)Data held for any of the purposes mentioned in subsection (1) above may be disclosed—
(a)for the purpose of audit or where the disclosure is for the purpose only of giving information about the data user's financial affairs ; or
(b)in any case in which disclosure would be permitted by any other provision of this Part of this Act if subsection (2) above were included among the nondisclosure provisions.
(5)In this section " remuneration " includes remuneration in kind and " pensions " includes gratuities or similar benefits.
33Domestic or other limited purposes
(1)Personal data held by an individual and concerned only with the management of his personal, family or household affairs or held by him only for recreational purposes are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.
(2)Subject to subsections (3) and (4) below—
(a)personal data held by an unincorporated members' club and relating only to the members of the club ; and
(b)personal data held by a data user only for the purpose of distributing, or recording the distribution of, articles or information to the data subjects and consisting only of their names, addresses or other particulars necessary for effecting the distribution,
are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.
(3)Neither paragraph (a) nor paragraph (b) of subsection (2) above applies to personal data relating to any data subject unless he has been asked by the club or data user whether he objects to the data relating to him being held as mentioned in that paragraph and has not objected.
(4)It shall be a condition of the exemption of any data under paragraph (b) of subsection (2) above that the data are not used for any purpose other than that for which they are held and of the exemption of any data under either paragraph of that subsection that the data are not disclosed except as permitted by subsection (5) below ; but the first exemption shall not be lost by any use, and neither exemption shall be lost by any disclosure, in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances "was reasonably required.
(5)Data to which subsection (4) above applies may be disclosed—
(a)if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made ;
(b)if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a) above ; or
(c)in any case in which disclosure would be permitted by any other provision of this Part of this Act if subsection (4) above were included among the non-disclosure provisions.
(6)Personal data held only for—
(a)preparing statistics ; or
(b)carrying out research,
are exempt from the subject access provisions ; but it shall be a condition of that exemption that the data are not used or disclosed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subjects or any of them.
34Other exemptions
(1)Personal data held by any person are exempt from the provisions of Part II of this Act and of sections 21 to 24 above if the data consist of information which that person is required by or under any enactment to make available to the public, whether by publishing it, making it available for inspection or otherwise and whether gratuitously or on payment of a fee.
(2)The Secretary of State may by order exempt from the subject access provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if he considers that the prohibition or restriction ought to prevail over those provisions in the interests of the data subject or of any other individual.
(3)Where all the personal data relating to a data subject held by a data user (or all such data in respect of which a data user has a separate entry in the register) consist of information in respect of which the data subject is entitled to make a request to the data user under section 158 of the [1974 c. 39.] Consumer Credit Act 1974 (files of credit reference agencies)—
(a)the data are exempt from the subject access provisions ; and
(b)any request in respect of the data under section 21 above shall be treated for all purposes as if it were a request under the said section 158.
(4)Personal data are exempt from; the subject access provisions if the data are kept only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired.
(5)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is—
(a)required by or under any enactment, by any rule of law or by the order of a court; or
(b)made for the purpose of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.
(6)Personal data are exempt from the non-disclosure provisions in any case in which—
(a)the disclosure is to the data subject or a person acting on his behalf ; or
(b)the data subject or any such person has requested or consented to the particular disclosure in question ; or
(c)the disclosure is by a data user or a person carrying on a computer bureau to his servant or agent for the purpose of enabling the servant or agent to perform his functions as such ; or
(d)the person making the disclosure has reasonable grounds for believing that the disclosure falls within any of the foregoing paragraphs of this subsection.
(7)Section 4(3)(d) above does not apply to any disclosure falling within paragraph (a), (b) or (c) of subsection (6) above; and that subsection shall apply to the restriction on disclosure in section 33(6) above as it applies to the non-disclosure provisions.
(8)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is urgently required for preventing injury or other damage to the health of any person or persons; and in proceedings against any person for contravening a provision mentioned in section 26(3)(a) above it shall be a defence to prove that he had reasonable grounds for believing that the disclosure in question was urgently required for that purpose.
(9)A person need not comply with a notice, request or order under the subject access provisions if compliance would expose him to proceedings for any offence other than an offence under this Act; and information disclosed by any person in compliance with such a notice, request or order shall not be admissible against him in proceedings for an offence under this Act.
35Examination marks
(1)Section 21 above shall have effect subject to the provisions of this section in the case of personal data consisting of marks or other information held by a data user—
(a)for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined ; or
(b)in consequence of the determination of any such results.
(2)Where the period mentioned in subsection (6) of section 21 begins before the results of the examination are announced that period shall be extended until—
(a)the end of five months from the beginning of that period; or
(b)the end of forty days after the date of the announcement,
whichever is the earlier.
(3)Where by virtue of subsection (2) above a request is complied with more than forty days after the beginning of the period mentioned in subsection (6) of section 21, the information to be supplied pursuant to the request shall be supplied both by reference to the data in question at the time when the request is received and (if different) by reference to the data as from time to time held in the period beginning when the request is received and ending when it is complied with.
(4)For the purposes of this section the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question.
(5)In this section " examination " includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity.
PART VGeneral
36General duties of Registrar
(1)It shall be the duty of the Registrar so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux.
(2)The Registrar may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected; and where the Registrar considers any such complaint he shall notify the complainant of the result of his consideration and of any action which he proposes to take.
(3)The Registrar shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act and other matters within the scope of his functions under this Act and may give advice to any person as to any of those matters.
(4)It shall be the duty of the Registrar, where he considers it appropriate to do so, to encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles.
(5)The Registrar shall annually lay before each House of Parliament a general report on the performance of his functions under this Act and may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
37Co-operation between parties to Convention
The Registrar shall be the designated authority in the United Kingdom for the purposes of Article 13 of the European Convention; and the Secretary of State may by order make provision as to the functions to be discharged by the Registrar in that capacity.
38Application to government departments and police
(1)Except as provided in subsection (2) below, a government department shall be subject to the same obligations and liabilities under this Act as a private person; and for the purposes of this Act each government department shall be treated as a person separate from any other government department and a person in the public service of the Crown shall be treated as a servant of the government department to which his responsibilities or duties relate.
(2)A government department shall not be liable to prosecution under this Act but—
(a)sections 5(3) and 15(2) above (and, so far as relating to those provisions, sections 5(5) and 15(3) above) shall apply to any person who by virtue of this section falls to be treated as a servant of the government department in question; and
(b)section 6(6) above and paragraph 12 of Schedule 4 to this Act shall apply to a person in the public service of the Crown as they apply to any other person.
(3)For the purposes of this Act—
(a)the constables under the direction and control of a chief officer of police shall be treated as his servants ; and
(b)the members of any body of constables maintained otherwise than by a police authority shall be treated as the servants—
(i)of the authority or person by whom that body is maintained, and
(ii)in the case of any members of such a body who are under the direction and control of a chief officer, of that officer.
(4)In the application of subsection (3) above to Scotland, for the reference to a chief officer of police there shall be substituted a reference to a chief constable.
(5)In the application of subsection (3) above to Northern Ireland, for the reference to a chief officer of police there shall be substituted a reference to the Chief Constable of the Royal Ulster Constabulary and for the reference to a police authority there shall be substituted a reference to the Police Authority for Northern Ireland.
39Data held, and services provided, outside the United Kingdom
(1)Subject to the following provisions of this section, this Act does not apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided, outside the United Kingdom.
(2)For the purposes of subsection (1) above—
(a)data shall be treated as held where the data user exercises the control referred to in subsection (5)(b) of section 1 above in relation to the data; and
(b)services shall be treated as provided where the person carrying on the computer bureau does any of the things referred to in subsection (6)(a) or (b) of that section.
(3)Where a person who is not resident in the United Kingdom—
(a)exercises the control mentioned in paragraph (a) of subsection (2) above ; or
(b)does any of the things mentioned in paragraph (b) of that subsection,
through a servant or agent in the United Kingdom, this Act shall apply as if that control were exercised or, as the case may be, those things were done in the United Kingdom by the servant or agent acting on his own account and not on behalf of the person whose servant or agent he is.
(4)Where by virtue of subsection (3) above a servant or agent is treated as a data user or as a person carrying on a computer bureau he may be described for the purposes of registration by the position or office which he holds; and any such description in an entry in the register shall be treated as applying to the person for the time being holding the position or office in question.
(5)This Act does not apply to data processed wholly outside the United Kingdom unless the data are used or intended to be used in the United Kingdom.
(6)Sections 4(3)(e) and 5(2)(e) and subsection (1) of section 12 above do not apply to the transfer of data which are already outside the United Kingdom; but references in the said section 12 to a contravention of the data protection principles include references to anything that would constitute such contravention if it occurred in relation to the data when held in the United Kingdom.
40Regulations, rules and orders
(1)Any power conferred by this Act to make regulations, rules or orders shall be exercisable by statutory instrument.
(2)Without prejudice to sections 2(6) and 29(3) above, regulations, rules or orders under this Act may make different provision for different cases or circumstances.
(3)Before making an order under any of the foregoing provisions of this Act the Secretary of State shall consult the Registrar.
(4)No order shall be made under section 2(3), 4(8), 29, 30 or 34(2) above unless a draft of the order has been laid before and approved by a resolution of each House of Parliament.
(5)A statutory instrument containing an order under section 21(9) or 37 above or rules under paragraph 4 of Schedule 3 to this Act shall be subject to annulment in pursuance of a resolution of either House of Parliament.
(6)Regulations prescribing fees for the purposes of any provision of this Act or the period mentioned in section 8(2) above shall be laid before Parliament after being made.
(7)Regulations prescribing fees payable to the Registrar under this Act or the period mentioned in section 8(2) above shall be made after consultation with the Registrar and with the approval of the Treasury; and in making any such regulations the Secretary of State shall have regard to the desirability of securing that those fees are sufficient to offset the expenses incurred by the Registrar and the Tribunal in discharging their functions under this Act and any expenses of the Secretary of State in respect of the Tribunal.
41General interpretation
In addition to the provisions of sections 1 and 2 above, the following provisions shall have effect for the interpretation of this Act—
" business " includes any trade or profession ;
"data equipment" means equipment for the automatic processing of data or for recording information so that it can be automatically processed;
" data material" means any document or other material used in connection with data equipment;
" a de-registration notice " means a notice under section 11 above;
" enactment " includes an enactment passed after this Act;
" an enforcement notice " means a notice under section 10 above;
"the European Convention" means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981 ;
"government department" includes a Northern Ireland department and any body or authority exercising statutory functions on behalf of the Crown ;
" prescribed " means prescribed by regulations made by the Secretary of State;
" the Registrar " means the Data Protection Registrar ;
" the register ", except where the reference is to the register of companies, means the register maintained under section 4 above and (except where the reference is to a registered company, to the registered office of a company or to registered post) references to registration shall be construed accordingly ;
" registered company " means a company registered under the enactments relating to companies for the time being in force in any part of the United Kingdom;
" a transfer prohibition notice " means a notice under section 12 above;
" the Tribunal " means the Data Protection Tribunal.
42Commencement and transitional provisions
(1)No application for registration shall be made until such day as the Secretary of State may by order appoint, and sections 5 and 15 above shall not apply until the end of the period of six months beginning with that day.
(2)Until the end of the period of two years beginning with the day appointed under subsection (1) above the Registrar shall not have power—
(a)to refuse an application made in accordance with section 6 above except on the ground mentioned in section 7(2)(a) above; or
(b)to serve an enforcement notice imposing requirements to be complied with, a de-registration notice expiring, or a transfer prohibition notice imposing a prohibition taking effect, before the end of that period.
(3)Where the Registrar proposes to serve any person with an enforcement notice before the end of the period mentioned in subsection (2) above he shall, in determining the time by which the requirements of the notice are to be complied with, have regard to the probable cost to that person of complying with those requirements.
(4)Section 21 above and paragraph 1(b) of Schedule 4 to this Act shall not apply until the end of the period mentioned in subsection (2) above.
(5)Section 22 above shall not apply to damage suffered before the end of the period mentioned in subsection (1) above and in deciding whether to refuse an application or serve a notice under Part II of this Act the Registrar shall treat the provision about accuracy in the fifth data protection principle as inapplicable until the end of that period and as inapplicable thereafter to data shown to have been held by the data user in question since before the end of that period.
(6)Sections 23 and 24(3) above shall not apply to damage suffered before the end of the period of two months beginning with the date on which this Act is passed.
(7)Section 24(1) and (2) above shall not apply before the end of the period mentioned in subsection (1) above.
43Short title and extent
(1)This Act may be cited as the Data Protection Act 1984.
(2)This Act extends to Northern Ireland.
(3)Her Majesty may by Order in Council direct that this Act shall extend to any of the Channel Islands with such exceptions and modifications as may be specified in the Order.