Data Protection Act 1998 (c. 29) (The document as of February, 2008) Page 2

(f) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data, and
(g) in any case where-- (i) personal data are being, or are intended to be, processed in circumstances in which the prohibition in subsection (1) of section 17 is excluded by subsection (2) or (3) of that section, and (ii) the notification does not extend to those data, a statement of that fact.
(2) In this Part--
(3) For the purposes of this Part, so far as it relates to the addresses of data controllers-- (a) the address of a registered company is that of its registered office, and (b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

17 Prohibition on processing without registration
(1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).
(2) Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of "data" in section 1(1) nor within paragraph (b) of that definition.
(3) If it appears to the Secretary of State that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.
(4) Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.

18 Notification by data controllers
(1) Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.
(2) A notification under this section must specify in accordance with notification regulations-- (a) the registrable particulars, and (b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle.
(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).
(4) Notification regulations may make provision as to the giving of notification-- (a) by partnerships, or (b) in other cases where two or more persons are the data controllers in respect of any personal data.
(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.
(6) Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.

19 Register of notifications
(1) The Commissioner shall-- (a) maintain a register of persons who have given notification under section 18, and (b) make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.
(2) Each entry in the register shall consist of-- (a) the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and (b) such other information as the Commissioner may be authorised or required by notification regulations to include in the register.
(3) Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.
(4) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.
(5) In subsection (4) "the relevant time" means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.
(6) The Commissioner-- (a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and (b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.
(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.

20 Duty to notify changes
(1) For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.
(2) The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time-- (a) the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and (b) the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).
(3) Subsection (3) of section 18 has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of subsection (2) of that section.
(4) On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.

21 Offences
(1) If section 17(1) is contravened, the data controller is guilty of an offence.
(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.
(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

22 Preliminary assessment by Commissioner
(1) In this section "assessable processing" means processing which is of a description specified in an order made by the Secretary of State as appearing to him to be particularly likely-- (a) to cause substantial damage or substantial distress to data subjects, or (b) otherwise significantly to prejudice the rights and freedoms of data subjects.
(2) On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider-- (a) whether any of the processing to which the notification relates is assessable processing, and (b) if so, whether the assessable processing is likely to comply with the provisions of this Act.
(3) Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.
(4) Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.
(5) No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either-- (a) the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or (b) before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.
(6) Where subsection (5) is contravened, the data controller is guilty of an offence.
(7) The Secretary of State may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.
23 Power to make provision for appointment of data protection supervisors
(1) The Secretary of State may by order-- (a) make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller's compliance with the provisions of this Act, and (b) provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified in the order.
(2) An order under this section may-- (a) impose duties on data protection supervisors in relation to the Commissioner, and (b) confer functions on the Commissioner in relation to data protection supervisors.

24 Duty of certain data controllers to make certain information available
(1) Subject to subsection (3), where personal data are processed in a case where-- (a) by virtue of subsection (2) or (3) of section 17, subsection (1) of that section does not apply to the processing, and (b) the data controller has not notified the relevant particulars in respect of that processing under section 18, the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.
(2) In this section "the relevant particulars" means the particulars referred to in paragraphs (a) to (f) of section 16(1).
(3) This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.
(4) Any data controller who fails to comply with the duty imposed by subsection (1) is guilty of an offence.
(5) It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.

25 Functions of Commissioner in relation to making of notification regulations
(1) As soon as practicable after the passing of this Act, the Commissioner shall submit to the Secretary of State proposals as to the provisions to be included in the first notification regulations.
(2) The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the Secretary of State proposals as to amendments to be made to the regulations.
(3) The Secretary of State may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.
(4) Before making any notification regulations, the Secretary of State shall-- (a) consider any proposals made to him by the Commissioner under subsection (1), (2) or (3), and (b) consult the Commissioner.

26 Fees regulations
(1) Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.
(2) In making any fees regulations, the Secretary of State shall have regard to the desirability of securing that the fees payable to the Commissioner are sufficient to offset-- (a) the expenses incurred by the Commissioner and the Tribunal in discharging their functions and any expenses of the Secretary of State in respect of the Commissioner or the Tribunal, and (b) to the extent that the Secretary of State considers appropriate-- (i) any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and (ii) expenses incurred or to be incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the [1972 c. 11.] Superannuation Act 1972.

Part IV Exemptions

27 Preliminary
(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.
(2) In this Part "the subject information provisions" means-- (a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and (b) section 7.
(3) In this Part "the non-disclosure provisions" means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.
(4) The provisions referred to in subsection (3) are-- (a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3, (b) the second, third, fourth and fifth data protection principles, and (c) sections 10 and 14(1) to (3).
(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

28 National security
(1) Personal data are exempt from any of the provisions of-- (a) the data protection principles, (b) Parts II, III and V, and (c) section 55, if the exemption from that provision is required for the purpose of safeguarding national security.
(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.
(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.
(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.
(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.
(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.
(7) On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.
(8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.
(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.
(10) The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.
(11) No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.
(12) Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.

29 Crime and taxation
(1) Personal data processed for any of the following purposes-- (a) the prevention or detection of crime, (b) the apprehension or prosecution of offenders, or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature, are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2) Personal data which-- (a) are processed for the purpose of discharging statutory functions, and (b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1), are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.
(3) Personal data are exempt from the non-disclosure provisions in any case in which-- (a) the disclosure is for any of the purposes mentioned in subsection (1), and (b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.
(4) Personal data in respect of which the data controller is a relevant authority and which-- (a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes-- (i) the assessment or collection of any tax or duty or any imposition of a similar nature, or (ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and (b) are processed for either of those purposes, are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.
(5) In subsection (4)--
30 Health, education and social work
(1) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.
(2) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to-- (a) personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consist of information relating to persons who are or have been pupils at the school, or (b) personal data in respect of which the data controller is an education authority in Scotland, and which consist of information relating to persons who are receiving, or have received, further education provided by the authority.
(3) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information-- (a) processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order, and (b) appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals; but the Secretary of State shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
(4) An order under this section may make different provision in relation to data consisting of information of different descriptions.
(5) In this section--
31 Regulatory activity
(1) Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
(2) Subsection (1) applies to any relevant function which is designed-- (a) for protecting members of the public against-- (i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, (ii) financial loss due to the conduct of discharged or undischarged bankrupts, or (iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity, (b) for protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration, (c) for protecting the property of charities from loss or misapplication, (d) for the recovery of the property of charities, (e) for securing the health, safety and welfare of persons at work, or (f) for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.
(3) In subsection (2) "relevant function" means-- (a) any function conferred on any person by or under any enactment, (b) any function of the Crown, a Minister of the Crown or a government department, or (c) any other function which is of a public nature and is exercised in the public interest.
(4) Personal data processed for the purpose of discharging any function which-- (a) is conferred by or under any enactment on-- (i) the Parliamentary Commissioner for Administration, (ii) the Commission for Local Administration in England, the Commission for Local Administration in Wales or the Commissioner for Local Administration in Scotland, (iii) the Health Service Commissioner for England, the Health Service Commissioner for Wales or the Health Service Commissioner for Scotland, (iv) the Welsh Administration Ombudsman, (v) the Assembly Ombudsman for Northern Ireland, or (vi) the Northern Ireland Commissioner for Complaints, and (b) is designed for protecting members of the public against-- (i) maladministration by public bodies, (ii) failures in services provided by public bodies, or (iii) a failure of a public body to provide a service which it was a function of the body to provide, are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
(5) Personal data processed for the purpose of discharging any function which-- (a) is conferred by or under any enactment on the Director General of Fair Trading, and (b) is designed-- (i) for protecting members of the public against conduct which may adversely affect their interests by persons carrying on a business, (ii) for regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or (iii) for regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market, are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
32 Journalism, literature and art
(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if-- (a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material, (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and (c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.
(2) Subsection (1) relates to the provisions of-- (a) the data protection principles except the seventh data protection principle, (b) section 7, (c) section 10, (d) section 12, and (e) section 14(1) to (3).
(3) In considering for the purposes of subsection (1)(b) whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which-- (a) is relevant to the publication in question, and (b) is designated by the Secretary of State by order for the purposes of this subsection.
(4) Where at any time ("the relevant time") in any proceedings against a data controller under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed-- (a) only for the special purposes, and (b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller, the court shall stay the proceedings until either of the conditions in subsection (5) is met.
(5) Those conditions are-- (a) that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or (b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.
(6) For the purposes of this Act "publish", in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

33 Research, history and statistics
(1) In this section--
(2) For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.
(3) Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.
(4) Personal data which are processed only for research purposes are exempt from section 7 if-- (a) they are processed in compliance with the relevant conditions, and (b) the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.
(5) For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed-- (a) to any person, for research purposes only, (b) to the data subject or a person acting on his behalf,