Part VI Miscellaneous and General
Functions of Commissioner
I151 General duties of Commissioner.
1
It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.
2
The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.
3
Where—
a
the F18Lord Chancellor so directs by order, or
b
the Commissioner considers it appropriate to do so,
the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.
4
The Commissioner shall also—
a
where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and
b
where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.
5
An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.
6
The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—
a
any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,
b
any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and
c
such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.
7
The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.
8
The Commissioner may charge such sums as he may with the consent of the F18Lord Chancellor determine for any services provided by the Commissioner by virtue of this Part.
9
In this section—
“good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;
“trade association” includes any body representing data controllers.
52 Reports and codes of practice to be laid before Parliament.
1
The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.
2
The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
3
The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the F21Lord Chancellor, unless the code is included in any report laid under subsection (1) or (2).
52AF1Data-sharing code
1
The Commissioner must prepare a code of practice which contains—
a
practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and
b
such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.
2
For this purpose “good practice” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.
3
Before a code is prepared under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—
a
trade associations (within the meaning of section 51);
b
data subjects;
c
persons who appear to the Commissioner to represent the interests of data subjects.
4
In this section a reference to the sharing of personal data is to the disclosure of the data by transmission, dissemination or otherwise making it available.
F152BData-sharing code: procedure
1
When a code is prepared under section 52A, it must be submitted to the Secretary of State for approval.
2
Approval may be withheld only if it appears to the Secretary of State that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation.
3
The Secretary of State must—
a
if approval is withheld, publish details of the reasons for withholding it;
b
if approval is granted, lay the code before Parliament.
4
If, within the 40-day period, either House of Parliament resolves not to approve the code, the code is not to be issued by the Commissioner.
5
If no such resolution is made within that period, the Commissioner must issue the code.
6
Where—
a
the Secretary of State withholds approval, or
b
such a resolution is passed,
the Commissioner must prepare another code of practice under section 52A.
7
Subsection (4) does not prevent a new code being laid before Parliament.
8
A code comes into force at the end of the period of 21 days beginning with the day on which it is issued.
9
A code may include transitional provision or savings.
10
In this section “the 40-day period” means the period of 40 days beginning with the day on which the code is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).
11
In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
F152CAlteration or replacement of data-sharing code
1
The Commissioner—
a
must keep the data-sharing code under review, and
b
may prepare an alteration to that code or a replacement code.
2
Where, by virtue of a review under subsection (1)(a) or otherwise, the Commissioner becomes aware that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation, the Commissioner must exercise the power under subsection (1)(b) with a view to remedying the situation.
3
Before an alteration or replacement code is prepared under subsection (1), the Commissioner must consult such of the following as the Commissioner considers appropriate—
a
trade associations (within the meaning of section 51);
b
data subjects;
c
persons who appear to the Commissioner to represent the interests of data subjects.
4
Section 52B (other than subsection (6)) applies to an alteration or replacement code prepared under this section as it applies to the code as first prepared under section 52A.
5
In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).
52DPublication of data-sharing code
1
The Commissioner must publish the code (and any replacement code) issued under section 52B(5).
2
Where an alteration is so issued, the Commissioner must publish either—
a
the alteration, or
b
the code or replacement code as altered by it.
52EEffect of data-sharing code
1
A failure on the part of any person to act in accordance with any provision of the data-sharing code does not of itself render that person liable to any legal proceedings in any court or tribunal.
2
The data-sharing code is admissible in evidence in any legal proceedings.
3
If any provision of the data-sharing code appears to—
a
the Tribunal or a court conducting any proceedings under this Act,
b
a court or tribunal conducting any other legal proceedings, or
c
the Commissioner carrying out any function under this Act,
to be relevant to any question arising in the proceedings, or in connection with the exercise of that jurisdiction or the carrying out of those functions, in relation to any time when it was in force, that provision of the code must be taken into account in determining that question.
4
In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).
53 Assistance by Commissioner in cases involving processing for the special purposes.
1
An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) F19, 12A(3) or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.
2
The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.
3
If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.
4
If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.
5
In this section—
a
references to “proceedings” include references to prospective proceedings, and
b
“applicant”, in relation to assistance under this section, means an individual who applies for assistance.
6
Schedule 10 has effect for supplementing this section.
I254 International co-operation.
1
The Commissioner—
a
shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and
b
shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive.
2
The F20Lord Chancellor may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.
3
The F20Lord Chancellor may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—
a
the exchange of information with supervisory authorities in other EEA States or with the European Commission, and
b
the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order.
4
The Commissioner shall also carry out any data protection functions which the F20Lord Chancellor may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.
5
The Commissioner shall, if so directed by the F20Lord Chancellor, provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the F20Lord Chancellor may direct or approve, on such terms (including terms as to payment) as the F20Lord Chancellor may direct or approve.
6
Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
7
The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—
a
of any approvals granted for the purposes of paragraph 8 of Schedule 4, and
b
of any authorisations granted for the purposes of paragraph 9 of that Schedule.
8
In this section—
“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;
“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal information.
F254AInspection of overseas information systems
1
The Commissioner may inspect any personal data recorded in—
a
the Schengen information system,
b
the Europol information system,
c
the Customs information system.
2
The power conferred by subsection (1) is exercisable only for the purpose of assessing whether or not any processing of the data has been or is being carried out in compliance with this Act.
3
The power includes power to inspect, operate and test equipment which is used for the processing of personal data.
4
Before exercising the power, the Commissioner must give notice in writing of his intention to do so to the data controller.
5
But subsection (4) does not apply if the Commissioner considers that the case is one of urgency.
6
Any person who—
a
intentionally obstructs a person exercising the power conferred by subsection (1), or
b
fails without reasonable excuse to give any person exercising the power any assistance he may reasonably require,
is guilty of an offence.
7
In this section—
“the Customs information system” means the information system established under Chapter II of the Convention on the Use of Information Technology for Customs Purposes,
“the Europol information system” means the information system established under Title II of the Convention on the Establishment of a European Police Office,
“the Schengen information system” means the information system established under Title IV of the Convention implementing the Schengen Agreement of 14th June 1985, or any system established in its place in pursuance of any Community obligation.
Unlawful obtaining etc. of personal data
55 Unlawful obtaining etc. of personal data.
1
A person must not knowingly or recklessly, without the consent of the data controller—
a
obtain or disclose personal data or the information contained in personal data, or
b
procure the disclosure to another person of the information contained in personal data.
2
Subsection (1) does not apply to a person who shows—
a
that the obtaining, disclosing or procuring—
i
was necessary for the purpose of preventing or detecting crime, or
ii
was required or authorised by or under any enactment, by any rule of law or by the order of a court,
b
that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
c
that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
d
that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
3
A person who contravenes subsection (1) is guilty of an offence.
4
A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).
5
A person who offers to sell personal data is guilty of an offence if—
a
he has obtained the data in contravention of subsection (1), or
b
he subsequently obtains the data in contravention of that subsection.
6
For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
7
Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.
8
References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.
F3Monetary penaltiesF5F6F8
S. 55B inserted (1.10.2009 for certain purposes and 6.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n); S.I. 2010/712, art. 4
S. 55C inserted (1.10.2009) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n)
S. 55E inserted (1.10.2009) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n)
F455APower of Commissioner to impose monetary penalty
1
The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
a
there has been a serious contravention of section 4(4) by the data controller,
b
the contravention was of a kind likely to cause substantial damage or substantial distress, and
c
subsection (2) or (3) applies.
2
This subsection applies if the contravention was deliberate.
3
This subsection applies if the data controller—
a
knew or ought to have known —
i
that there was a risk that the contravention would occur, and
ii
that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
b
failed to take reasonable steps to prevent the contravention.
4
A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.
5
The amount determined by the Commissioner must not exceed the prescribed amount.
6
The monetary penalty must be paid to the Commissioner within the period specified in the notice.
7
The notice must contain such information as may be prescribed.
8
Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.
9
In this section—
“data controller” does not include the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3);
“prescribed” means prescribed by regulations made by the Secretary of State.
55BF5Monetary penalty notices: procedural rights
1
Before serving a monetary penalty notice, the Commissioner must serve the data controller with a notice of intent.
2
A notice of intent is a notice that the Commissioner proposes to serve a monetary penalty notice.
3
A notice of intent must—
a
inform the data controller that he may make written representations in relation to the Commissioner's proposal within a period specified in the notice, and
b
contain such other information as may be prescribed.
4
The Commissioner may not serve a monetary penalty notice until the time within which the data controller may make representations has expired.
5
A person on whom a monetary penalty notice is served may appeal to the Tribunal against—
a
the issue of the monetary penalty notice;
b
the amount of the penalty specified in the notice.
6
In this section, “prescribed” means prescribed by regulations made by the Secretary of State.
55CF6Guidance about monetary penalty notices
1
The Commissioner must prepare and issue guidance on how he proposes to exercise his functions under sections 55A and 55B.
2
The guidance must, in particular, deal with—
a
the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and
b
how he will determine the amount of the penalty.
3
The Commissioner may alter or replace the guidance.
4
If the guidance is altered or replaced, the Commissioner must issue the altered or replacement guidance.
5
The Commissioner may not issue guidance under this section without the approval of the Secretary of State.
6
The Commissioner must lay any guidance issued under this section before each House of Parliament.
7
The Commissioner must arrange for the publication of any guidance issued under this section in such form and manner as he considers appropriate.
8
In subsections (5) to (7), “guidance” includes altered or replacement guidance.
55DF7Monetary penalty notices: enforcement
1
This section applies in relation to any penalty payable to the Commissioner by virtue of section 55A.
2
In England and Wales, the penalty is recoverable—
a
if a county court so orders, as if it were payable under an order of that court;
b
if the High Court so orders, as if it were payable under an order of that court.
3
In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
4
In Northern Ireland, the penalty is recoverable—
a
if a county court so orders, as if it were payable under an order of that court;
b
if the High Court so orders, as if it were payable under an order of that court.
F855ENotices under sections 55A and 55B: supplemental
1
The Secretary of State may by order make further provision in connection with monetary penalty notices and notices of intent.
2
An order under this section may in particular—
a
provide that a monetary penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;
b
make provision for the cancellation or variation of monetary penalty notices;
c
confer rights of appeal to the Tribunal against decisions of the Commissioner in relation to the cancellation or variation of such notices;
d
make provision for the proceedings of the Tribunal in respect of appeals under section 55B(5) or appeals made by virtue of paragraph (c);
e
make provision for the determination of such appeals;
f
confer rights of appeal against any decision of the Tribunal in relation to monetary penalty notices or their cancellation or variation.
3
An order under this section may apply any provision of this Act with such modifications as may be specified in the order.
4
An order under this section may amend this Act.
Records obtained under data subject’s right of access
I456 Prohibition of requirement as to production of certain records.
1
A person must not, in connection with—
a
the recruitment of another person as an employee,
b
the continued employment of another person, or
c
any contract for the provision of services to him by another person,
require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
2
A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
3
Subsections (1) and (2) do not apply to a person who shows—
a
that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court, or
b
that in the particular circumstances the imposition of the requirement was justified as being in the public interest.
4
Having regard to the provisions of Part V of the M18Police Act 1997 (certificates of criminal records etc.), the imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as being justified as being in the public interest on the ground that it would assist in the prevention or detection of crime.
5
A person who contravenes subsection (1) or (2) is guilty of an offence.
6
In this section “a relevant record” means any record which—
a
has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7, and
b
contains information relating to any matter specified in relation to that data controller in the second column,
and includes a copy of such a record or a part of such a record.
TABLE
Data controller | Subject-matter |
---|---|
1. Any of the following persons— (a) a chief officer of police of a police force in England and Wales. (b) a chief constable of a police force in Scotland. (c) the Chief Constable of the Royal Ulster Constabulary. (d) the Director General of the National Criminal Intelligence Service. (e) the Director General of the National Crime Squad. | (a) Convictions. (b) Cautions. |
2. The Secretary of State. | (a) Convictions. (b) Cautions. (c) His functions under F22section 92 of the Powers of Criminal Courts (Sentencing) Act 2000, section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995 or section 73 of the Children and Young Persons Act (Northern Ireland) 1968 in relation to any person sentenced to detention. (d) His functions under the Prison Act 1952, the Prisons (Scotland) Act 1989 or the Prison Act (Northern Ireland) 1953 in relation to any person imprisoned or detained. (e) His functions under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992 or the Jobseekers Act 1995. (f) His functions under Part V of the Police Act 1997. |
3. The Department of Health and Social Services for Northern Ireland. | Its functions under the Social Security Contributions and Benefits (Northern Ireland) Act 1992, the Social Security Administration (Northern Ireland) Act 1992 or the Jobseekers (Northern Ireland) Order 1995. |
7
In the Table in subsection (6)—
“caution” means a caution given to any person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
“conviction” has the same meaning as in the M19Rehabilitation of Offenders Act 1974 or the M20Rehabilitation of Offenders (Northern Ireland) Order 1978.
8
The F23Lord Chancellor may by order amend—
a
the Table in subsection (6), and
b
subsection (7).
9
For the purposes of this section a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.
10
In this section “employee” means an individual who—
a
works under a contract of employment, as defined by section 230(2) of the M21Employment Rights Act 1996, or
b
holds any office,
whether or not he is entitled to remuneration; and “employment” shall be construed accordingly.
57 Avoidance of certain contractual terms relating to health records.
1
Any term or condition of a contract is void in so far as it purports to require an individual—
a
to supply any other person with a record to which this section applies, or with a copy of such a record or a part of such a record, or
b
to produce to any other person such a record, copy or part.
2
This section applies to any record which—
a
has been or is to be obtained by a data subject in the exercise of the right conferred by section 7, and
b
consists of the information contained in any health record as defined by section 68(2).
Information provided to Commissioner or Tribunal
C158 Disclosure of information.
No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Commissioner or the Tribunal with any information necessary for the discharge of their functions under this Act F9or the Freedom of Information Act 2000.
59 Confidentiality of information.
C21
No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—
a
has been obtained by, or furnished to, the Commissioner under or for the purposes of F10the information Acts,
b
relates to an identified or identifiable individual or business, and
c
is not at the time of the disclosure, and has not previously been, available to the public from other sources,
unless the disclosure is made with lawful authority.
2
For the purposes of subsection (1) a disclosure of information is made with lawful authority only if, and to the extent that—
a
the disclosure is made with the consent of the individual or of the person for the time being carrying on the business,
b
the information was provided for the purpose of its being made available to the public (in whatever manner) under any provision of F10the information Acts,
c
the disclosure is made for the purposes of, and is necessary for, the discharge of—
i
any functions under F10the information Acts, or
ii
any Community obligation,
d
the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, F10the information Acts or otherwise, or
e
having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.
3
Any person who knowingly or recklessly discloses information in contravention of subsection (1) is guilty of an offence.
F114
In this section “the information Acts” means this Act and the Freedom of Information Act 2000.
General provisions relating to offences
60 Prosecutions and penalties.
1
No proceedings for an offence under this Act shall be instituted—
a
in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;
b
in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.
2
A person guilty of an offence under any provision of this Act other than paragraph 12 of Schedule 9 is liable—
a
on summary conviction, to a fine not exceeding the statutory maximum, or
b
on conviction on indictment, to a fine.
3
A person guilty of an offence under paragraph 12 of Schedule 9 is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
4
Subject to subsection (5), the court by or before which a person is convicted of—
a
an offence under section 21(1), 22(6), 55 or 56,
b
an offence under section 21(2) relating to processing which is assessable processing for the purposes of section 22, or
c
an offence under section 47(1) relating to an enforcement notice,
may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.
5
The court shall not make an order under subsection (4) in relation to any material where a person (other than the offender) claiming to be the owner of or otherwise interested in the material applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.
61 Liability of directors etc.
1
Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
2
Where the affairs of a body corporate are managed by its members subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
3
Where an offence under this Act has been committed by a Scottish partnership and the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner, he as well as the partnership shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.
Amendments of Consumer Credit Act 1974
62 Amendments of Consumer Credit Act 1974.
1
In section 158 of the M1Consumer Credit Act 1974 (duty of agency to disclose filed information)—
a
in subsection (1)—
i
in paragraph (a) for “individual” there is substituted “
partnership or other unincorporated body of persons not consisting entirely of bodies corporate
”
, and
ii
for “him” there is substituted “
it
”
,
b
in subsection (2), for “his” there is substituted “
the consumer’s
”
, and
c
in subsection (3), for “him” there is substituted “
the consumer
”
.
2
In section 159 of that Act (correction of wrong information) for subsection (1) there is substituted—
1
Any individual (the “objector”) given—
a
information under section 7 of the Data Protection Act 1998 by a credit reference agency, or
b
information under section 158,
who considers that an entry in his file is incorrect, and that if it is not corrected he is likely to be prejudiced, may give notice to the agency requiring it either to remove the entry from the file or amend it.
3
In subsections (2) to (6) of that section—
a
for “consumer”, wherever occurring, there is substituted “
objector
”
, and
b
for “Director”, wherever occurring, there is substituted “
the relevant authority
”
.
4
After subsection (6) of that section there is inserted—
7
The Data Protection Commissioner may vary or revoke any order made by him under this section.
8
In this section “the relevant authority” means—
a
where the objector is a partnership or other unincorporated body of persons, the Director, and
b
in any other case, the Data Protection Commissioner.
5
In section 160 of that Act (alternative procedure for business consumers)—
a
in subsection (4)—
i
for “him” there is substituted “
to the consumer
”
, and
ii
in paragraphs (a) and (b) for “he” there is substituted “
the consumer
”
and for “his” there is substituted “
the consumer’s
”
, and
b
after subsection (6) there is inserted—
7
In this section “consumer” has the same meaning as in section 158.
General
C363 Application to Crown.
1
This Act binds the Crown.
2
For the purposes of this Act each government department shall be treated as a person separate from any other government department.
3
Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by any person acting on behalf of the Royal Household, the Duchy of Lancaster or the Duchy of Cornwall, the data controller in respect of those data for the purposes of this Act shall be—
a
in relation to the Royal Household, the Keeper of the Privy Purse,
b
in relation to the Duchy of Lancaster, such person as the Chancellor of the Duchy appoints, and
c
in relation to the Duchy of Cornwall, such person as the Duke of Cornwall, or the possessor for the time being of the Duchy of Cornwall, appoints.
4
Different persons may be appointed under subsection (3)(b) or (c) for different purposes.
5
Neither a government department nor a person who is a data controller by virtue of subsection (3) shall be liable to prosecution under this Act, but section 55 and paragraph 12 of Schedule 9 shall apply to a person in the service of the Crown as they apply to any other person.
63AF12 Application to Parliament.
1
Subject to the following provisions of this section and to section 35A, this Act applies to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.
2
Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Commons, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.
3
Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Lords, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.
4
Nothing in subsection (2) or (3) is to be taken to render the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act, but section 55 and paragraph 12 of Schedule 9 shall apply to a person acting on behalf of either House as they apply to any other person.
I364 Transmission of notices etc. by electronic or other means.
1
This section applies to—
a
a notice or request under any provision of Part II,
b
a notice under subsection (1) of section 24 or particulars made available under that subsection, or
c
an application under section 41(2),
but does not apply to anything which is required to be served in accordance with rules of court.
2
The requirement that any notice, request, particulars or application to which this section applies should be in writing is satisfied where the text of the notice, request, particulars or application—
a
is transmitted by electronic means,
b
is received in legible form, and
c
is capable of being used for subsequent reference.
3
The F24Lord Chancellor may by regulations provide that any requirement that any notice, request, particulars or application to which this section applies should be in writing is not to apply in such circumstances as may be prescribed by the regulations.
65 Service of notices by Commissioner.
1
Any notice authorised or required by this Act to be served on or given to any person by the Commissioner may—
a
if that person is an individual, be served on him—
i
by delivering it to him, or
ii
by sending it to him by post addressed to him at his usual or last-known place of residence or business, or
iii
by leaving it for him at that place;
b
if that person is a body corporate or unincorporate, be served on that body—
i
by sending it by post to the proper officer of the body at its principal office, or
ii
by addressing it to the proper officer of the body and leaving it at that office;
c
if that person is a partnership in Scotland, be served on that partnership—
i
by sending it by post to the principal office of the partnership, or
ii
by addressing it to that partnership and leaving it at that office.
2
In subsection (1)(b) “principal office”, in relation to a registered company, means its registered office and “proper officer”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.
3
This section is without prejudice to any other lawful method of serving or giving a notice.
66 Exercise of rights in Scotland by children.
1
Where a question falls to be determined in Scotland as to the legal capacity of a person under the age of sixteen years to exercise any right conferred by any provision of this Act, that person shall be taken to have that capacity where he has a general understanding of what it means to exercise that right.
2
Without prejudice to the generality of subsection (1), a person of twelve years of age or more shall be presumed to be of sufficient age and maturity to have such understanding as is mentioned in that subsection.
67 Orders, regulations and rules.
1
Any power conferred by this Act on the F25Lord Chancellor to make an order, regulations or rules shall be exercisable by statutory instrument.
2
Any order, regulations or rules made by the F25Lord Chancellor under this Act may—
a
make different provision for different cases, and
b
make such supplemental, incidental, consequential or transitional provision or savings as the F25Lord Chancellor considers appropriate;
and nothing in section 7(11), 19(5), 26(1) or 30(4) limits the generality of paragraph (a).
3
Before making—
a
an order under any provision of this Act other than section 75(3),
b
any regulations under this Act other than notification regulations (as defined by section 16(2)),
the F25Lord Chancellor shall consult the Commissioner.
4
A statutory instrument containing (whether alone or with other provisions) an order under—
section 10(2)(b),
section 12(5)(b),
section 22(1),
section 30,
section 32(3),
section 38,
section 56(8),
paragraph 10 of Schedule 3, or
paragraph 4 of Schedule 7,
shall not be made unless a draft of the instrument has been laid before and approved by a resolution of each House of Parliament.
5
A statutory instrument which contains (whether alone or with other provisions)—
a
an order under—
section 22(7),
section 23,
section 51(3),
section 54(2), (3) or (4),
paragraph 3, 4 or 14 of Part II of Schedule 1,
paragraph 6 of Schedule 2,
paragraph 2, 7 or 9 of Schedule 3,
paragraph 4 of Schedule 4,
paragraph 6 of Schedule 7,
b
regulations under section 7 which—
i
prescribe cases for the purposes of subsection (2)(b),
ii
are made by virtue of subsection (7), or
iii
relate to the definition of “the prescribed period”,
c
regulations under section 8(1) F26, 9(3) or 9A(5),
d
regulations under section 64,
e
notification regulations (as defined by section 16(2)), or
f
rules under paragraph 7 of Schedule 6,
and which is not subject to the requirement in subsection (4) that a draft of the instrument be laid before and approved by a resolution of each House of Parliament, shall be subject to annulment in pursuance of a resolution of either House of Parliament.
6
A statutory instrument which contains only—
a
regulations prescribing fees for the purposes of any provision of this Act, or
b
regulations under section 7 prescribing fees for the purposes of any other enactment,
shall be laid before Parliament after being made.
68 Meaning of “accessible record”.
1
In this Act “accessible record” means—
a
a health record as defined by subsection (2),
b
an educational record as defined by Schedule 11, or
c
an accessible public record as defined by Schedule 12.
2
In subsection (1)(a) “health record” means any record which—
a
consists of information relating to the physical or mental health or condition of an individual, and
b
has been made by or on behalf of a health professional in connection with the care of that individual.
69 Meaning of “health professional”.
1
In this Act “health professional” means any of the following—
a
a registered medical practitioner,
b
a registered dentist as defined by section 53(1) of the M2Dentists Act 1984,
c
a registered optician as defined by section 36(1) of the M22Opticians Act 1989,
d
F13e
a registered nurse or midwife
f
a registered osteopath as defined by section 41 of the M4Osteopaths Act 1993,
g
a registered chiropractor as defined by section 43 of the M5Chiropractors Act 1994,
h
any person who is registered as a member of a profession to which F14the Health Professions Order 2001 for the time being extends,
i
a clinical psychologist, child psychotherapist or speech therapist,
j
a music therapist employed by a health service body, and
k
a scientist employed by such a body as head of a department.
2
In subsection (1)(a) “registered medical practitioner” includes any person who is provisionally registered under section 15 or 21 of the M6Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.
3
In subsection (1) “health service body” means—
a
a Health Authority established under section 8 of the M24National Health Service Act 1977,
b
a Special Health Authority established under section 11 of that Act,
F15bb
a Primary Care Trust established under section 16A of that Act,
c
a Health Board within the meaning of the M7National Health Service (Scotland) Act 1978,
d
a Special Health Board within the meaning of that Act,
e
the managers of a State Hospital provided under section 102 of that Act,
f
a National Health Service trust first established under section 5 of the M8National Health Service and Community Care Act 1990 or section 12A of the National Health Service (Scotland) Act 1978,
g
a Health and Social Services Board established under Article 16 of the M9Health and Personal Social Services (Northern Ireland) Order 1972,
h
a special health and social services agency established under the M10Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990, or
i
a Health and Social Services trust established under Article 10 of the M11Health and Personal Social Services (Northern Ireland) Order 1991.
70 Supplementary definitions.
1
In this Act, unless the context otherwise requires—
“business” includes any trade or profession;
“the Commissioner” means F16 the Information Commissioner;
“credit reference agency” has the same meaning as in the M12Consumer Credit Act 1974;
“the Data Protection Directive” means Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“EEA State” means a State which is a contracting party to the Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels on 17th March 1993;
“enactment” includes an enactment passed after this Act F17and any enactment comprised in, or in any instrument made under, an Act of the Scottish Parliament;
“government department” includes a Northern Ireland department and any body or authority exercising statutory functions on behalf of the Crown;
“Minister of the Crown” has the same meaning as in the Ministers of the M13Crown Act 1975;
“public register” means any register which pursuant to a requirement imposed—
- a
by or under any enactment, or
- b
in pursuance of any international agreement,
is open to public inspection or open to inspection by any person having a legitimate interest;
- a
“pupil”—
- a
in relation to a school in England and Wales, means a registered pupil within the meaning of the M14Education Act 1996,
- b
in relation to a school in Scotland, means a pupil within the meaning of the M15Education (Scotland) Act 1980, and
- c
in relation to a school in Northern Ireland, means a registered pupil within the meaning of the M16Education and Libraries (Northern Ireland) Order 1986;
- a
“recipient”, in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;
“registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom;
“school”—
- a
in relation to England and Wales, has the same meaning as in the Education Act 1996,
- b
in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and
- c
in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;
- a
“teacher” includes—
- a
in Great Britain, head teacher, and
- b
in Northern Ireland, the principal of a school;
- a
“third party”, in relation to personal data, means any person other than—
- a
the data subject,
- b
the data controller, or
- c
any data processor or other person authorised to process data for the data controller or processor;
- a
“the Tribunal” means F27the Information Tribunal..
2
For the purposes of this Act data are inaccurate if they are incorrect or misleading as to any matter of fact.
71 Index of defined expressions.
The following Table shows provisions defining or otherwise explaining expressions used in this Act (other than provisions defining or explaining an expression only used in the same section or Schedule)—
accessible record | section 68 |
address (in Part III) | section 16(3) |
business | section 70(1) |
the Commissioner | section 70(1) |
credit reference agency | section 70(1) |
data | section 1(1) |
data controller | sections 1(1) and (4) and 63(3) |
data processor | section 1(1) |
the Data Protection Directive | section 70(1) |
data protection principles | section 4 and Schedule 1 |
data subject | section 1(1) |
disclosing (of personal data) | section 1(2)(b) |
EEA State | section 70(1) |
enactment | section 70(1) |
enforcement notice | section 40(1) |
fees regulations (in Part III) | section 16(2) |
government department | section 70(1) |
health professional | section 69 |
inaccurate (in relation to data) | section 70(2) |
information notice | section 43(1) |
Minister of the Crown | section 70(1) |
the non-disclosure provisions (in Part IV) | section 27(3) |
notification regulations (in Part III) | section 16(2) |
obtaining (of personal data) | section 1(2)(a) |
personal data | section 1(1) |
prescribed (in Part III) | section 16(2) |
processing (of information or data) | section 1(1) and paragraph 5 of Schedule 8 |
public register | section 70(1) |
publish (in relation to journalistic, literary or artistic material) | section 32(6) |
pupil (in relation to a school) | section 70(1) |
recipient (in relation to personal data) | section 70(1) |
recording (of personal data) | section 1(2)(a) |
registered company | section 70(1) |
registrable particulars (in Part III) | section 16(1) |
relevant filing system | section 1(1) |
school | section 70(1) |
sensitive personal data | section 2 |
special information notice | section 44(1) |
the special purposes | section 3 |
the subject information provisions (in Part IV) | section 27(2) |
teacher | section 70(1) |
third party (in relation to processing of personal data) | section 70(1) |
the Tribunal | section 70(1) |
using (of personal data) | section 1(2)(b). |
72 Modifications of Act.
During the period beginning with the commencement of this section and ending with 23rd October 2007, the provisions of this Act shall have effect subject to the modifications set out in Schedule 13.
73 Transitional provisions and savings.
Schedule 14 (which contains transitional provisions and savings) has effect.
74 Minor and consequential amendments and repeals and revocations.
1
Schedule 15 (which contains minor and consequential amendments) has effect.
2
The enactments and instruments specified in Schedule 16 are repealed or revoked to the extent specified.
75 Short title, commencement and extent.
1
This Act may be cited as the Data Protection Act 1998.
2
The following provisions of this Act—
a
sections 1 to 3,
b
section 25(1) and (4),
c
section 26,
d
sections 67 to 71,
e
this section,
f
paragraph 17 of Schedule 5,
g
Schedule 11,
h
Schedule 12, and
i
so much of any other provision of this Act as confers any power to make subordinate legislation,
shall come into force on the day on which this Act is passed.
P13
The remaining provisions of this Act shall come into force on such day as the F28Lord Chancellor may by order appoint; and different days may be appointed for different purposes.
4
The day appointed under subsection (3) for the coming into force of section 56 must not be earlier than the first day on which sections 112, 113 and 115 of the M17Police Act 1997 (which provide for the issue by the Secretary of State of criminal conviction certificates, criminal record certificates and enhanced criminal record certificates) are all in force.
5
Subject to subsection (6), this Act extends to Northern Ireland.
6
Any amendment, repeal or revocation made by Schedule 15 or 16 has the same extent as that of the enactment or instrument to which it relates.
Ss. 55A - 55E and cross-heading inserted (1.10.2009 for certain purposes and 1.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4), ss. 144(1), 153; S.I. 2009/2606, art. 2(n); S.I. 2010/712, art. 4