Data Protection Act 1998 (c. 29) (The document as of February, 2008)
Page 5

(h) Schedule 12, and (i) so much of any other provision of this Act as confers any power to make subordinate legislation, shall come into force on the day on which this Act is passed.
(3) The remaining provisions of this Act shall come into force on such day as the Secretary of State may by order appoint; and different days may be appointed for different purposes.
(4) The day appointed under subsection (3) for the coming into force of section 56 must not be earlier than the first day on which sections 112, 113 and 115 of the [1997 c. 50.] Police Act 1997 (which provide for the issue by the Secretary of State of criminal conviction certificates, criminal record certificates and enhanced criminal record certificates) are all in force.
(5) Subject to subsection (6), this Act extends to Northern Ireland.
(6) Any amendment, repeal or revocation made by Schedule 15 or 16 has the same extent as that of the enactment or instrument to which it relates.

SCHEDULES

Section 4(1) and (2).
SCHEDULE 1
The data protection principles

Part I
The principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-- (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Part II
Interpretation of the principles in Part I

The first principle
1 (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who-- (a) is authorised by or under any enactment to supply it, or (b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
2 (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless-- (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and (b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1)(b) "the relevant time" means-- (a) the time when the data controller first processes the data, or (b) in a case where at that time disclosure to a third party within a reasonable period is envisaged-- (i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed, (ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or (iii) in any other case, the end of that period.
(3) The information referred to in sub-paragraph (1) is as follows, namely-- (a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
3 (1) Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Secretary of State by order, are met.
(2) The primary conditions referred to in sub-paragraph (1) are-- (a) that the provision of that information would involve a disproportionate effort, or (b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 (1) Personal data which contain a general identifier falling within a description prescribed by the Secretary of State by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.
(2) In sub-paragraph (1) "a general identifier" means any identifier (such as, for example, a number or code used for identification purposes) which-- (a) relates to an individual, and (b) forms part of a set of similar identifiers which is of general application.

The second principle
5 The purpose or purposes for which personal data are obtained may in particular be specified-- (a) in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or (b) in a notification given to the Commissioner under Part III of this Act.
6 In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.
The fourth principle
7 The fourth principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where-- (a) having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data, and (b) if the data subject has notified the data controller of the data subject's view that the data are inaccurate, the data indicate that fact.

The sixth principle
8 A person is to be regarded as contravening the sixth principle if, but only if-- (a) he contravenes section 7 by failing to supply information in accordance with that section, (b) he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section, (c) he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or (d) he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section.

The seventh principle
9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to-- (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.
10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle-- (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures.
12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless-- (a) the processing is carried out under a contract-- (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

The eighth principle
13 An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to-- (a) the nature of the personal data, (b) the country or territory of origin of the information contained in the data, (c) the country or territory of final destination of that information, (d) the purposes for which and period during which the data are intended to be processed, (e) the law in force in the country or territory in question, (f) the international obligations of that country or territory, (g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and (h) any security measures taken in respect of the data in that country or territory.
14 The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the Secretary of State may by order provide.
15 (1) Where-- (a) in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and (b) a Community finding has been made in relation to transfers of the kind in question, that question is to be determined in accordance with that finding.
(2) In sub-paragraph (1) "Community finding" means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive.

Section 4(3).
SCHEDULE 2
Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.
2 The processing is necessary-- (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject.
5 The processing is necessary-- (a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Section 4(3).
SCHEDULE 3
Conditions relevant for purposes of the first principle: processing of sensitive personal data

1 The data subject has given his explicit consent to the processing of the personal data.
2 (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) The Secretary of State may by order-- (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
3 The processing is necessary-- (a) in order to protect the vital interests of the data subject or another person, in a case where-- (i) consent cannot be given by or on behalf of the data subject, or (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4 The processing-- (a) is carried out in the course of its legitimate activities by any body or association which-- (i) is not established or conducted for profit, and (ii) exists for political, philosophical, religious or trade-union purposes, (b) is carried out with appropriate safeguards for the rights and freedoms of data subjects, (c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and (d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
5 The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6 The processing-- (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7 (1) The processing is necessary-- (a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under an enactment, or (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
(2) The Secretary of State may by order-- (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
8 (1) The processing is necessary for medical purposes and is undertaken by-- (a) a health professional, or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2) In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
9 (1) The processing-- (a) is of sensitive personal data consisting of information as to racial or ethnic origin, (b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and (c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
(2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.
10 The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.

Section 4(3).
SCHEDULE 4
Cases where the eighth principle does not apply

1 The data subject has given his consent to the transfer.
2 The transfer is necessary-- (a) for the performance of a contract between the data subject and the data controller, or (b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.
3 The transfer is necessary-- (a) for the conclusion of a contract between the data controller and a person other than the data subject which-- (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.
4 (1) The transfer is necessary for reasons of substantial public interest.
(2) The Secretary of State may by order specify-- (a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and (b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
5 The transfer-- (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
6 The transfer is necessary in order to protect the vital interests of the data subject.
7 The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.
8 The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
9 The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

Section 6(7).
SCHEDULE 5
The Data Protection Commissioner and the Data Protection Tribunal

Part I
The Commissioner

Status and capacity
1 (1) The corporation sole by the name of the Data Protection Registrar established by the [1984 c. 35.] Data Protection Act 1984 shall continue in existence by the name of the Data Protection Commissioner.
(2) The Commissioner and his officers and staff are not to be regarded as servants or agents of the Crown.

Tenure of office
2 (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding five years as may be determined at the time of his appointment.
(2) The Commissioner may be relieved of his office by Her Majesty at his own request.
(3) The Commissioner may be removed from office by Her Majesty in pursuance of an Address from both Houses of Parliament.
(4) The Commissioner shall in any case vacate his office-- (a) on completing the year of service in which he attains the age of sixty-five years, or (b) if earlier, on completing his fifteenth year of service.
(5) Subject to sub-paragraph (4), a person who ceases to be Commissioner on the expiration of his term of office shall be eligible for re-appointment, but a person may not be re-appointed for a third or subsequent term as Commissioner unless, by reason of special circumstances, the person's re-appointment for such a term is desirable in the public interest.

Salary etc.
3 (1) There shall be paid-- (a) to the Commissioner such salary, and (b) to or in respect of the Commissioner such pension, as may be specified by a resolution of the House of Commons.
(2) A resolution for the purposes of this paragraph may-- (a) specify the salary or pension, (b) provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or to or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown, or (c) specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution.
(3) A resolution for the purposes of this paragraph may take effect from the date on which it is passed or from any earlier or later date specified in the resolution.
(4) A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to or in respect of different holders of the office of Commissioner.
(5) Any salary or pension payable under this paragraph shall be charged on and issued out of the Consolidated Fund.
(6) In this paragraph "pension" includes an allowance or gratuity and any reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.

Officers and staff
4 (1) The Commissioner-- (a) shall appoint a deputy commissioner, and (b) may appoint such number of other officers and staff as he may determine.
(2) The remuneration and other conditions of service of the persons appointed under this paragraph shall be determined by the Commissioner.
(3) The Commissioner may pay such pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph, or make such payments towards the provision of such pensions, allowances or gratuities, as he may determine.
(4) The references in sub-paragraph (3) to pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph include references to pensions, allowances or gratuities by way of compensation to or in respect of any of those persons who suffer loss of office or employment.
(5) Any determination under sub-paragraph (1)(b), (2) or (3) shall require the approval of the Secretary of State.
(6) The [1969 c. 57.] Employers' Liability (Compulsory Insurance) Act 1969 shall not require insurance to be effected by the Commissioner.
5 (1) The deputy commissioner shall perform the functions conferred by this Act on the Commissioner during any vacancy in that office or at any time when the Commissioner is for any reason unable to act.
(2) Without prejudice to sub-paragraph (1), any functions of the Commissioner under this Act may, to the extent authorised by him, be performed by any of his officers or staff.

Authentication of seal of the Commissioner
6 The application of the seal of the Commissioner shall be authenticated by his signature or by the signature of some other person authorised for the purpose.
Presumption of authenticity of documents issued by the Commissioner
7 Any document purporting to be an instrument issued by the Commissioner and to be duly executed under the Commissioner's seal or to be signed by or on behalf of the Commissioner shall be received in evidence and shall be deemed to be such an instrument unless the contrary is shown.

Money
8 The Secretary of State may make payments to the Commissioner out of money provided by Parliament.
9 (1) All fees and other sums received by the Commissioner in the exercise of his functions under this Act or section 159 of the [1974 c. 39.] Consumer Credit Act 1974 shall be paid by him to the Secretary of State.
(2) Sub-paragraph (1) shall not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
(3) Any sums received by the Secretary of State under sub-paragraph (1) shall be paid into the Consolidated Fund.

Accounts
10 (1) It shall be the duty of the Commissioner-- (a) to keep proper accounts and other records in relation to the accounts, (b) to prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct, and (c) to send copies of that statement to the Comptroller and Auditor General on or before 31st August next following the end of the year to which the statement relates or on or before such earlier date after the end of that year as the Treasury may direct.
(2) The Comptroller and Auditor General shall examine and certify any statement sent to him under this paragraph and lay copies of it together with his report thereon before each House of Parliament.
(3) In this paragraph "financial year" means a period of twelve months beginning with 1st April.

Application of Part I in Scotland
11 Paragraphs 1(1), 6 and 7 do not extend to Scotland.

Part II
The Tribunal

Tenure of office