Data Protection Act 1998 (c. 29)

(The document as of February, 2008)

-- Back --

Page 1

Pages: P.1 | P.2 | P.3 | P.4 | P.5 | P.6 | P.7 | P.8

Data Protection Act 1998

1998 CHAPTER 29

ARRANGEMENT OF SECTIONS

An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

[16th July 1998]

Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:--

Part I Preliminary

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires--

• "data" means information which--

  (a)

  is being processed by means of equipment operating automatically in response to instructions given for that purpose,

  (b)

  is recorded with the intention that it should be processed by means of such equipment,

  (c)

  is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or

  (d)

  does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;

• "data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

• "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

• "data subject" means an individual who is the subject of personal data;

• "personal data" means data which relate to a living individual who can be identified--

  (a)

  from those data, or

  (b)

  from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

  and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

• "processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including--

  (a)

  organisation, adaptation or alteration of the information or data,

  (b)

  retrieval, consultation or use of the information or data,

  (c)

  disclosure of the information or data by transmission, dissemination or otherwise making available, or

  (d)

  alignment, combination, blocking, erasure or destruction of the information or data;

• "relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

(2) In this Act, unless the context otherwise requires--

(a) "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b) "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.

(3) In determining for the purposes of this Act whether any information is recorded with the intention--

(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to--

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

3 The special purposes

In this Act "the special purposes" means any one or more of the following--

(a) the purposes of journalism,

(b) artistic purposes, and

(c) literary purposes.

4 The data protection principles

(1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.

(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.

(3) Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

5 Application of Act

(1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if--

(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom--

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or of any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom--

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice;

and the reference to establishment in any other EEA State has a corresponding meaning.

6 The Commissioner and the Tribunal

(1) The office originally established by section 3(1)(a) of the [1984 c. 35.] Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner; and in this Act the Data Protection Commissioner is referred to as "the Commissioner".

(2) The Commissioner shall be appointed by Her Majesty by Letters Patent.

(3) For the purposes of this Act there shall continue to be a Data Protection Tribunal (in this Act referred to as "the Tribunal").

(4) The Tribunal shall consist of--

(a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,

(b) such number of deputy chairmen so appointed as the Lord Chancellor may determine, and

(c) such number of other members appointed by the Secretary of State as he may determine.

(5) The members of the Tribunal appointed under subsection (4)(a) and (b) shall be--

(a) persons who have a 7 year general qualification, within the meaning of section 71 of the [1990 c. 41.] Courts and Legal Services Act 1990,

(b) advocates or solicitors in Scotland of at least 7 years' standing, or

(c) members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years' standing.

(6) The members of the Tribunal appointed under subsection (4)(c) shall be--

(a) persons to represent the interests of data subjects, and

(b) persons to represent the interests of data controllers.

(7) Schedule 5 has effect in relation to the Commissioner and the Tribunal.

Part II Rights of data subjects and others

7 Right of access to personal data

(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled--

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of--

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which they are being or are to be processed, and

(iii) the recipients or classes of recipients to whom they are or may be disclosed,

(c) to have communicated to him in an intelligible form--

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of those data, and

(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2) A data controller is not obliged to supply any information under subsection (1) unless he has received--

(a) a request in writing, and

(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

(3) A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.

(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless--

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to--

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the data controller with a view to seeking the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

(7) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10) In this section--

• "prescribed" means prescribed by the Secretary of State by regulations;

• "the prescribed maximum" means such amount as may be prescribed;

• "the prescribed period" means forty days or such other period as may be prescribed;

• "the relevant day", in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11) Different amounts or periods may be prescribed under this section in relation to different cases.

8 Provisions supplementary to section 7

(1) The Secretary of State may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.

(2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless--

(a) the supply of such a copy is not possible or would involve disproportionate effort, or

(b) the data subject agrees otherwise;

and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(3) Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(4) In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(5) Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

(6) The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(7) For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

9 Application of section 7 where data controller is credit reference agency

(1) Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.

(2) An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.

(3) Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the Secretary of State by regulations, of the individual's rights--

(a) under section 159 of the [1974 c. 39.] Consumer Credit Act 1974 , and

(b) to the extent required by the prescribed form, under this Act.

10 Right to prevent processing likely to cause damage or distress

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons--

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply--

(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the Secretary of State by order.

(3) The data controller must within twenty-one days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice--

(a) stating that he has complied or intends to comply with the data subject notice, or

(b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5) The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

11 Right to prevent processing for purposes of direct marketing

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

(3) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

12 Rights in relation to automated decision-taking

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)--

(a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b) the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3) The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) ("the data subject notice") give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5) In subsection (4) "exempt decision" means any decision--

(a) in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or

(b) which is made in such other circumstances as may be prescribed by the Secretary of State by order.

(6) The condition in this subsection is that the decision--

(a) is taken in the course of steps taken--

(i) for the purpose of considering whether to enter into a contract with the data subject,

(ii) with a view to entering into such a contract, or

(iii) in the course of performing such a contract, or

(b) is authorised or required by or under any enactment.

(7) The condition in this subsection is that either--

(a) the effect of the decision is to grant a request of the data subject, or

(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him ("the responsible person") has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

13 Compensation for failure to comply with certain requirements

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if--

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

14 Rectification, blocking, erasure and destruction

(1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then--

(a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3) Where the court--

(a) makes an order under subsection (1), or

(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4) If a court is satisfied on the application of a data subject--

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.

15 Jurisdiction and procedure

(1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

Part III Notification by data controllers

16 Preliminary

(1) In this Part "the registrable particulars", in relation to a data controller, means--

(a) his name and address,

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative,

(c) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,

(d) a description of the purpose or purposes for which the data are being or are to be processed,

(e) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,

(f) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data, and

Pages: P.1 | P.2 | P.3 | P.4 | P.5 | P.6 | P.7 | P.8

-- Back --