Data Protection Act 1998 (c. 29) (The document as of February, 2008) Page 3

(b) to the data subject or a person acting on his behalf, (c) at the request, or with the consent, of the data subject or a person acting on his behalf, or (d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

34 Information available to the public by or under enactment
Personal data are exempt from-- (a) the subject information provisions, (b) the fourth data protection principle and section 14(1) to (3), and (c) the non-disclosure provisions, if the data consist of information which the data controller is obliged by or under any enactment to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.

35 Disclosures required by law or made in connection with legal proceedings etc
(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary-- (a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or (b) for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

36 Domestic purposes
Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

37 Miscellaneous exemptions
Schedule 7 (which confers further miscellaneous exemptions) has effect.
38 Powers to make further exemptions by order
(1) The Secretary of State may by order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if and to the extent that he considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions.
(2) The Secretary of State may by order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if he considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.

39 Transitional relief
Schedule 8 (which confers transitional exemptions) has effect.

Part V Enforcement

40 Enforcement notices
(1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as "an enforcement notice") requiring him, for complying with the principle or principles in question, to do either or both of the following-- (a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or (b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.
(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
(3) An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.
(4) An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either-- (a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or (b) to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.
(5) Where-- (a) an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or (b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles, an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.
(6) An enforcement notice must contain-- (a) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and (b) particulars of the rights of appeal conferred by section 48.
(7) Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
(8) If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.
(9) Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.
(10) This section has effect subject to section 46(1).

41 Cancellation of enforcement notice
(1) If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served.
(2) A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates.

42 Request for assessment
(1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.
(2) On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to-- (a) satisfy himself as to the identity of the person making the request, and (b) enable him to identify the processing in question.
(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include-- (a) the extent to which the request appears to him to raise a matter of substance, (b) any undue delay in making the request, and (c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
(4) Where the Commissioner has received a request under this section he shall notify the person who made the request-- (a) whether he has made an assessment as a result of the request, and (b) to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.

43 Information notices
(1) If the Commissioner-- (a) has received a request under section 42 in respect of any processing of personal data, or (b) reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles, he may serve the data controller with a notice (in this Act referred to as "an information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified.
(2) An information notice must contain-- (a) in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or (b) in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose.
(3) An information notice must also contain particulars of the rights of appeal conferred by section 48.
(4) Subject to subsection (5), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
(5) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
(6) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of-- (a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or (b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
(7) In subsection (6) references to the client of a professional legal adviser include references to any person representing such a client.
(8) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.
(9) The Commissioner may cancel an information notice by written notice to the person on whom it was served.
(10) This section has effect subject to section 46(3).

44 Special information notices
(1) If the Commissioner-- (a) has received a request under section 42 in respect of any processing of personal data, or (b) has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 32, the personal data to which the proceedings relate-- (i) are not being processed only for the special purposes, or (ii) are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller, he may serve the data controller with a notice (in this Act referred to as a "special information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2).
(2) That purpose is the purpose of ascertaining-- (a) whether the personal data are being processed only for the special purposes, or (b) whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller.
(3) A special information notice must contain-- (a) in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or (b) in a case falling within paragraph (b) of that subsection, a statement of the Commissioner's grounds for suspecting that the personal data are not being processed as mentioned in that paragraph.
(4) A special information notice must also contain particulars of the rights of appeal conferred by section 48.
(5) Subject to subsection (6), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
(6) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
(7) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of-- (a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or (b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
(8) In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client.
(9) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.
(10) The Commissioner may cancel a special information notice by written notice to the person on whom it was served.
45 Determination by Commissioner as to the special purposes
(1) Where at any time it appears to the Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data-- (a) are not being processed only for the special purposes, or (b) are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller, he may make a determination in writing to that effect.
(2) Notice of the determination shall be given to the data controller; and the notice must contain particulars of the right of appeal conferred by section 48.
(3) A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.

46 Restriction on enforcement in case of processing for the special purposes
(1) The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless-- (a) a determination under section 45(1) with respect to those data has taken effect, and (b) the court has granted leave for the notice to be served.
(2) The court shall not grant leave for the purposes of subsection (1)(b) unless it is satisfied-- (a) that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance, and (b) except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for leave.
(3) The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 45(1) with respect to those data has taken effect.
47 Failure to comply with notice
(1) A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.
(2) A person who, in purported compliance with an information notice or a special information notice-- (a) makes a statement which he knows to be false in a material respect, or (b) recklessly makes a statement which is false in a material respect, is guilty of an offence.
(3) It is a defence for a person charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the notice in question.

48 Rights of appeal
(1) A person on whom an enforcement notice, an information notice or a special information notice has been served may appeal to the Tribunal against the notice.
(2) A person on whom an enforcement notice has been served may appeal to the Tribunal against the refusal of an application under section 41(2) for cancellation or variation of the notice.
(3) Where an enforcement notice, an information notice or a special information notice contains a statement by the Commissioner in accordance with section 40(8), 43(5) or 44(6) then, whether or not the person appeals against the notice, he may appeal against-- (a) the Commissioner's decision to include the statement in the notice, or (b) the effect of the inclusion of the statement as respects any part of the notice.
(4) A data controller in respect of whom a determination has been made under section 45 may appeal to the Tribunal against the determination.
(5) Schedule 6 has effect in relation to appeals under this section and the proceedings of the Tribunal in respect of any such appeal.
49 Determination of appeals
(1) If on an appeal under section 48(1) the Tribunal considers-- (a) that the notice against which the appeal is brought is not in accordance with the law, or (b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.
(2) On such an appeal, the Tribunal may review any determination of fact on which the notice in question was based.
(3) If on an appeal under section 48(2) the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal shall cancel or vary the notice.
(4) On an appeal under subsection (3) of section 48 the Tribunal may direct-- (a) that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection, or (b) that the inclusion of the statement shall not have effect in relation to any part of the notice, and may make such modifications in the notice as may be required for giving effect to the direction.
(5) On an appeal under section 48(4), the Tribunal may cancel the determination of the Commissioner.
(6) Any party to an appeal to the Tribunal under section 48 may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be-- (a) the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales, (b) the Court of Session if that address is in Scotland, and (c) the High Court of Justice in Northern Ireland if that address is in Northern Ireland.
(7) For the purposes of subsection (6)-- (a) the address of a registered company is that of its registered office, and (b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

50 Powers of entry and inspection
Schedule 9 (powers of entry and inspection) has effect.

Part VI Miscellaneous and General

Functions of Commissioner

51 General duties of Commissioner
(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.
(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.
(3) Where-- (a) the Secretary of State so directs by order, or (b) the Commissioner considers it appropriate to do so, the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.
(4) The Commissioner shall also-- (a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and (b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.
(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.
(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of-- (a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1, (b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and (c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.
(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.
(8) The Commissioner may charge such sums as he may with the consent of the Secretary of State determine for any services provided by the Commissioner by virtue of this Part.
(9) In this section--
52 Reports and codes of practice to be laid before Parliament
(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.
(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the Secretary of State, unless the code is included in any report laid under subsection (1) or (2).

53 Assistance by Commissioner in cases involving processing for the special purposes
(1) An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.
(2) The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.
(3) If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.
(4) If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.
(5) In this section-- (a) references to "proceedings" include references to prospective proceedings, and (b) "applicant", in relation to assistance under this section, means an individual who applies for assistance.
(6) Schedule 10 has effect for supplementing this section.
54 International co-operation
(1) The Commissioner-- (a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and (b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive.
(2) The Secretary of State may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.
(3) The Secretary of State may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to-- (a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, and (b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order.
(4) The Commissioner shall also carry out any data protection functions which the Secretary of State may by order direct him to carry out for the purpose of enabling Her Majesty's Government in the United Kingdom to give effect to any international obligations of the United Kingdom.
(5) The Commissioner shall, if so directed by the Secretary of State, provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the Secretary of State may direct or approve, on such terms (including terms as to payment) as the Secretary of State may direct or approve.
(6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
(7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States-- (a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and (b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.
(8) In this section--
Unlawful obtaining etc. of personal data

55 Unlawful obtaining etc. of personal data
(1) A person must not knowingly or recklessly, without the consent of the data controller-- (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.
(2) Subsection (1) does not apply to a person who shows-- (a) that the obtaining, disclosing or procuring-- (i) was necessary for the purpose of preventing or detecting crime, or (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court, (b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person, (c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or (d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
(3) A person who contravenes subsection (1) is guilty of an offence.
(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).
(5) A person who offers to sell personal data is guilty of an offence if-- (a) he has obtained the data in contravention of subsection (1), or (b) he subsequently obtains the data in contravention of that subsection.
(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), "personal data" includes information extracted from personal data.
(8) References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.

Records obtained under data subject's right of access

56 Prohibition of requirement as to production of certain records
(1) A person must not, in connection with-- (a) the recruitment of another person as an employee, (b) the continued employment of another person, or (c) any contract for the provision of services to him by another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
(2) A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
(3) Subsections (1) and (2) do not apply to a person who shows-- (a) that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court, or (b) that in the particular circumstances the imposition of the requirement was justified as being in the public interest.
(4) Having regard to the provisions of Part V of the [1997 c. 50.] Police Act 1997 (certificates of criminal records etc.), the imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as being justified as being in the public interest on the ground that it would assist in the prevention or detection of crime.
(5) A person who contravenes subsection (1) or (2) is guilty of an offence.
(6) In this section "a relevant record" means any record which-- (a) has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7, and (b) contains information relating to any matter specified in relation to that data controller in the second column, and includes a copy of such a record or a part of such a record.

TABLE