Legal Guidance – Data Protection Act 1998

This Guidance Notice seeks to give information to healers in England on the legislation connected with the holding and processing of information about people. This legislation will be relevant for some healers.
Please note that I am not a qualified legal practitioner and healers affected by this legislation should seek professional legal advice as appropriate.
Please read the introductory guidance on the legislative process in the UK and Crown Dependencies before reading this Notice.
The Data Protection Act 1998 is reproduced below in full under the terms of Crown Copyright Policy Guidance issued by HMSO (Her Majesty’s Stationery Office). Copyright is owned by the Crown and information on reproduction rights may be found on the HMSO website at http://www.opsi.gov.uk/advice/crown-copyright/copyright-guidance/reproduction-of-legislation.htm.
The Data Protection Act was amended by certain provisions within the Criminal Justice and Immigration Act 2008, which became law in May 2008. The Criminal Justice and Immigration Act was essentially a piece of legislation to tidy up and to update previous legislation in a number of areas, and only a small part of the Act is relevant to Data Protection. The parts that are relevant to Data Protection are reproduced on a separate page on this website and should be read in conjunction with the reproduction on this page.
Background
The Data Protection Act 1998 Chapter 29 came into
effect on 1st March 2000 and replaced the earlier Data Protection
Act 1984.
Organisations and people working for themselves or
in partnerships hold information about individual people as part of their day
to day activity. The overall objective of the Data Protection legislation is
to provide a legal framework within which information about people may be
held securely when there is a reasonable need to do so but also to prevent
the unreasonable dissemination of such information. In the electronic age
where it is easy to hold a lot of information about people and to publish or
to transmit it, there is a clear need for information about people to be
managed in a responsible way.
The Data Protection legislation covers the holding
and use of records held in any format (electronic or hard copy) which contain
reference to individual people by which their identity can be recognised. The
legislation covers all records whether factual, expressions of opinion about
people or notes of intention to deal with people in a particular way.
In the context of people working as healers, situations where there is reasonable need to hold records about clients might include:
· Records of conditions being treated and the effect of successive treatments.
· Records of medical treatment and other alternative therapy treatments being received by clients.
· Records of visits and payments for accounting and tax calculation purposes.
· The writing up of case studies when working towards certification in various energies.
There might also be reasonable need for healers who teach others to hold training records such as:
· Who has been taught what and when.
· Details of practical work undertaken by students.
· Records of case study work undertaken by students.
· Details of charges made for accounts and tax calculation purposes.
Some of these situations can fall within the scope of the Data Protection Act requirement to register as a holder and processor of information – a Data Controller. I would recommend, therefore, that healers take the time to read through the reproduction of the legislation below so that they can familiarise themselves with it and ensure that they work in compliance with it where appropriate. It is an offence not to be registered as an information holder and processor if you should be registered. The current annual registration fee is £35. The people about whom healers hold information should have agreed to the information being held.
I would recommend also that healers refer back to
the legislation again when a regulatory environment is introduced for energy
healers. This is likely to result in
the need for a lot of detailed record keeping and all of this will have to be
undertaken within the rules set out in the legislation.
The simple overview of the legislation is as
follows.
Part 1 deals with
terminology.
Schedule 1 of Part 1 gives the eight basic principles or rules around which the legislation has been constructed. These require that information about people is:
· fairly and lawfully processed in the context of common law and other legislation;
· processed for limited purposes;
· adequate, relevant and not excessive;
· accurate;
· not kept longer than necessary;
· processed in accordance with the framework in law;
· kept secure;
· not transferred abroad without adequate protection.
Schedules 2, 3 and 4 of Part 1 outline the
situations in which it is lawful to process and to hold information relating
to individuals.
Part 2 deals with the rights of the individual about whom information is held to require the holder of the information to disclose to the individual what information is being held about him / her. It also deals with remedies in law if incorrect information is held about an individual.
Part 3 deals with
actions that holders of information need to undertake to register with what
was called the Office of the Data Protection
Commissioner. The Freedom of Information Act 2000 led to the renaming of the
Data Protection Commissioner as the Information Commissioner working from the
Information Commissioner’s Office. The Information Commissioner is
effectively the Regulator for Data Protection. Registration means that the
Office knows who is holding and processing information and knows who is
required to comply with the relevant legislation.
Part 4 deals with
certain situations which are exempt from the general provisions of the
legislation.
Part 5 deals with
offences under the legislation and sets out the basis in law under which the
Information Commissioner can enforce compliance with the legislation.
Part 6 deals with
the relationship between the Information Commissioner and
Parliament and with various other miscellaneous matters.
The website of the Information Commissioner’s Office is at http://www.ico.gov.uk/. The website gives guidance on data protection related issues. There is an online helpline service if you cannot find answers to your queries on the website, at http://www.ico.gov.uk/Global/online_enquiries.aspx.
Reproduction of the legislation
The legislation is reproduced below.
An Act to make new provision for the regulation of the
processing of information relating to individuals, including the obtaining,
holding, use or disclosure of such information.
[16th July 1998]
BE IT ENACTED by the Queen's most Excellent Majesty, by
and with the advice and consent of the Lords Spiritual and Temporal, and
Commons, in this present Parliament assembled, and by the authority of the
same, as follows:-
PART I
PRELIMINARY
Basic interpretative provisions.
1. - (1) In this Act,
unless the context otherwise requires-
"data" means
information which-
(a) is being processed
by means of equipment operating automatically in response to instructions
given for that purpose,
(b) is recorded with the
intention that it should be processed by means of such equipment,
(c) is recorded as part
of a relevant filing system or with the intention that it should form part
of a relevant filing system, or
(d) does not fall within
paragraph (a), (b) or (c) but forms part of an accessible record as defined
by section 68;
"data
controller" means, subject to subsection (4), a person who (either
alone or jointly or in common with other persons) determines the purposes
for which and the manner in which any personal data are, or are to be,
processed;
"data
processor", in relation to personal data, means any person (other than
an employee of the data controller) who processes the data on behalf of the
data controller;
"data subject"
means an individual who is the subject of personal data;
"personal
data" means data which relate to a living individual who can be
identified-
(a) from those data, or
(b) from those data and
other information which is in the possession of, or is likely to come into
the possession of, the data controller,
and includes any
expression of opinion about the individual and any indication of the
intentions of the data controller or any other person in respect of the
individual;
"processing",
in relation to information or data, means obtaining, recording or holding
the information or data or carrying out any operation or set of operations
on the information or data, including-
(a) organisation,
adaptation or alteration of the information or data,
(b) retrieval,
consultation or use of the information or data,
(c) disclosure of the
information or data by transmission, dissemination or otherwise making
available, or
(d) alignment,
combination, blocking, erasure or destruction of the information or data;
"relevant filing
system" means any set of information relating to individuals to the
extent that, although the information is not processed by means of
equipment operating automatically in response to instructions given for
that purpose, the set is structured, either by reference to individuals or
by reference to criteria relating to individuals, in such a way that
specific information relating to a particular individual is readily
accessible.
(2) In this Act, unless the context
otherwise requires-
(a)
"obtaining" or "recording", in relation to personal
data, includes obtaining or recording the information to be contained in
the data, and
(b) "using" or
"disclosing", in relation to personal data, includes using or
disclosing the information contained in the data.
(3) In determining for the purposes
of this Act whether any information is recorded with the intention-
(a) that it should be
processed by means of equipment operating automatically in response to
instructions given for that purpose, or
(b) that it should form
part of a relevant filing system,
it is immaterial that it
is intended to be so processed or to form part of such a system only after
being transferred to a country or territory outside the European Economic
Area (EEA).
(4) Where personal data are processed
only for purposes for which they are required by or under any enactment to
be processed, the person on whom the obligation to process the data is
imposed by or under that enactment is for the purposes of this Act the data
controller.
Sensitive personal data.
2. In this Act
"sensitive personal data" means personal data consisting of
information as to-
(a) the racial or ethnic
origin of the data subject,
(b) his political
opinions,
(c) his religious
beliefs or other beliefs of a similar nature,
(d) whether he is a
member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or
mental health or condition,
(f) his sexual life,
(g) the commission or
alleged commission by him of any offence, or
(h) any proceedings for
any offence committed or alleged to have been committed by him, the
disposal of such proceedings or the sentence of any court in such
proceedings.
The special purposes.
3. In this Act "the special
purposes" means any one or more of the following-
(a) the purposes of
journalism,
(b) artistic purposes,
and
(c) literary purposes.
The data
protection principles.
4. - (1) References in
this Act to the data protection principles are to the principles set out in
Part I of Schedule 1.
(2) Those principles are to be
interpreted in accordance with Part II of Schedule 1.
(3) Schedule 2 (which applies to all
personal data) and Schedule 3 (which applies only to sensitive personal
data) set out conditions applying for the purposes of the first principle;
and Schedule 4 sets out cases in which the eighth principle does not apply.
(4) Subject to section 27(1), it shall be the duty of a data controller to
comply with the data protection principles in relation to all personal data
with respect to which he is the data controller.
Application of Act.
5. - (1) Except as otherwise provided by
or under section 54, this Act applies to a data controller in respect of
any data only if-
(a) the data controller
is established in the United
Kingdom and the data are processed in
the context of that establishment, or
(b) the data controller
is established neither in the United Kingdom
nor in any other EEA State but uses equipment in the United Kingdom for processing the data
otherwise than for the purposes of transit through the United Kingdom.
(2)
A data controller falling within subsection (1)(b) must nominate for the
purposes of this Act a representative established in the United Kingdom.
(3)
For the purposes of subsections (1) and (2), each of the following is to be
treated as established in the United
Kingdom-
(a) an individual who is
ordinarily resident in the United
Kingdom,
(b) a body incorporated
under the law of, or of any part of, the United Kingdom,
(c) a partnership or
other unincorporated association formed under the law of any part of the United Kingdom,
and
(d) any person who does
not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-
(i)
an office, branch or agency through which he carries on any activity, or
(ii) a regular practice;
and the reference to establishment
in any other EEA
State has a
corresponding meaning.
The
Commissioner and the Tribunal.
6. - (1) The office
originally established by section 3(1)(a) of the Data Protection Act 1984
as the office of Data Protection Registrar shall continue to exist for the
purposes of this Act but shall be known as the Office of Data Protection
Commissioner; and in this Act the Data Protection Commissioner is referred
to as "the Commissioner".
(2)
The Commissioner shall be appointed by Her Majesty by Letters Patent.
(3)
For the purposes of this Act there shall continue to be a Data Protection
Tribunal (in this Act referred to as "the Tribunal").
(4)
The Tribunal shall consist of-
(a) a chairman appointed
by the Lord Chancellor after consultation with the Lord Advocate,
(b) such number of
deputy chairmen so appointed as the Lord Chancellor may determine, and
(c) such number of other
members appointed by the Secretary of State as he may determine.
(5)
The members of the Tribunal appointed under subsection (4)(a) and (b) shall
be-
(a) persons who have a 7
year general qualification, within the meaning of section 71 of the Courts
and Legal Services Act 1990,
(b) advocates or
solicitors in Scotland
of at least 7 years' standing, or
(c) members of the bar
of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7
years' standing.
(6)
The members of the Tribunal appointed under subsection (4)(c) shall be-
(a) persons to represent
the interests of data subjects, and
(b) persons to represent
the interests of data controllers.
(7)
Schedule 5 has effect in relation to the Commissioner and the Tribunal.
PART II
RIGHTS
OF DATA SUBJECTS AND OTHERS
Right of access
to personal data.
7. - (1) Subject to the following provisions of this section and to
sections 8 and 9, an individual is entitled-
(a) to be informed by
any data controller whether personal data of which that individual is the
data subject are being processed by or on behalf of that data controller,
(b) if that is the case,
to be given by the data controller a description of-
(i)
the personal data of which that individual is the data subject,
(ii) the purposes for
which they are being or are to be processed, and
(iii) the recipients or
classes of recipients to whom they are or may be disclosed,
(c) to have communicated
to him in an intelligible form-
(i)
the information constituting any personal data of which that individual is
the data subject, and
(ii) any information
available to the data controller as to the source of those data, and
(d) where the processing
by automatic means of personal data of which that individual is the data
subject for the purpose of evaluating matters relating to him such as, for
example, his performance at work, his creditworthiness, his reliability or
his conduct, has constituted or is likely to constitute the sole basis for
any decision significantly affecting him, to be informed by the data
controller of the logic involved in that decision-taking.
(2)
A data controller is not obliged to supply any information under subsection
(1) unless he has received-
(a) a request in
writing, and
(b) except in prescribed
cases, such fee (not exceeding the prescribed maximum) as he may require.
(3)
A data controller is not obliged to comply with a request under this
section unless he is supplied with such information as he may reasonably
require in order to satisfy himself as to the identity of the person making
the request and to locate the information which that person seeks.
(4)
Where a data controller cannot comply with the request without disclosing
information relating to another individual who can be identified from that
information, he is not obliged to comply with the request unless-
(a) the other individual
has consented to the disclosure of the information to the person making the
request, or
(b) it is reasonable in
all the circumstances to comply with the request without the consent of the
other individual.
(5)
In subsection (4) the reference to information relating to another
individual includes a reference to information identifying that individual
as the source of the information sought by the request; and that subsection
is not to be construed as excusing a data controller from communicating so
much of the information sought by the request as can be communicated
without disclosing the identity of the other individual concerned, whether
by the omission of names or other identifying particulars or otherwise.
(6)
In determining for the purposes of subsection (4)(b) whether it is
reasonable in all the circumstances to comply with the request without the
consent of the other individual concerned, regard shall be had, in
particular, to-
(a) any duty of
confidentiality owed to the other individual,
(b) any steps taken by
the data controller with a view to seeking the consent of the other
individual,
(c) whether the other
individual is capable of giving consent, and
(d) any express refusal
of consent by the other individual.
(7)
An individual making a request under this section may, in such cases as may
be prescribed, specify that his request is limited to personal data of any
prescribed description.
(8)
Subject to subsection (4), a data controller shall comply with a request
under this section promptly and in any event before the end of the
prescribed period beginning with the relevant day.
(9)
If a court is satisfied on the application of any person who has made a
request under the foregoing provisions of this section that the data
controller in question has failed to comply with the request in
contravention of those provisions, the court may order him to comply with
the request.
(10)
In this section-
"prescribed"
means prescribed by the Secretary of State by regulations;
"the prescribed
maximum" means such amount as may be prescribed;
"the prescribed
period" means forty days or such other period as may be prescribed;
"the relevant
day", in relation to a request under this section, means the day on
which the data controller receives the request or, if later, the first day
on which the data controller has both the required fee and the information
referred to in subsection (3).
(11)
Different amounts or periods may be prescribed under this section in
relation to different cases.
Provisions
supplementary to section 7.
8. - (1) The Secretary of State may by regulations provide that, in
such cases as may be prescribed, a request for information under any
provision of subsection (1) of section 7 is to be treated as extending also
to information under other provisions of that subsection.
(2)
The obligation imposed by section 7(1)(c)(i) must
be complied with by supplying the data subject with a copy of the
information in permanent form unless-
(a) the supply of such a
copy is not possible or would involve disproportionate effort, or
(b) the data subject
agrees otherwise;
and where any of the
information referred to in section 7(1)(c)(i) is
expressed in terms which are not intelligible without explanation the copy
must be accompanied by an explanation of those terms.
(3)
Where a data controller has previously complied with a request made under
section 7 by an individual, the data controller is not obliged to comply
with a subsequent identical or similar request under that section by that
individual unless a reasonable interval has elapsed between compliance with
the previous request and the making of the current request.
(4)
In determining for the purposes of subsection (3) whether requests under
section 7 are made at reasonable intervals, regard shall be had to the
nature of the data, the purpose for which the data are processed and the
frequency with which the data are altered.
(5)
Section 7(1)(d) is not to be regarded as requiring the provision of
information as to the logic involved in any decision-taking if, and to the
extent that, the information constitutes a trade secret.
(6)
The information to be supplied pursuant to a request under section 7 must
be supplied by reference to the data in question at the time when the
request is received, except that it may take account of any amendment or
deletion made between that time and the time when the information is
supplied, being an amendment or deletion that would have been made
regardless of the receipt of the request.
(7)
For the purposes of section 7(4) and (5) another individual can be
identified from the information being disclosed if he can be identified
from that information, or from that and any other information which, in the
reasonable belief of the data controller, is likely to be in, or to come
into, the possession of the data subject making the request.
Application
of section 7 where data controller is credit reference agency.
9. - (1) Where the data controller is a credit reference agency,
section 7 has effect subject to the provisions of this section.
(2)
An individual making a request under section 7 may limit his request to
personal data relevant to his financial standing, and shall be taken to
have so limited his request unless the request shows a contrary intention.
(3)
Where the data controller receives a request under section 7 in a case
where personal data of which the individual making the request is the data
subject are being processed by or on behalf of the data controller, the
obligation to supply information under that section includes an obligation
to give the individual making the request a statement, in such form as may
be prescribed by the Secretary of State by regulations, of the individual's
rights-
(a) under section 159 of
the Consumer Credit Act 1974 , and
(b) to the extent
required by the prescribed form, under this Act.
Right to
prevent processing likely to cause damage or distress.
10. - (1) Subject to
subsection (2), an individual is entitled at any time by notice in writing
to a data controller to require the data controller at the end of such
period as is reasonable in the circumstances to cease, or not to begin,
processing, or processing for a specified purpose or in a specified manner,
any personal data in respect of which he is the data subject, on the ground
that, for specified reasons-
(a) the processing of
those data or their processing for that purpose or in that manner is
causing or is likely to cause substantial damage or substantial distress to
him or to another, and
(b) that damage or
distress is or would be unwarranted.
(2)
Subsection (1) does not apply-
(a) in a case where any
of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or
(b) in such other cases
as may be prescribed by the Secretary of State by order.
(3)
The data controller must within twenty-one days of receiving a notice under
subsection (1) ("the data subject notice") give the individual
who gave it a written notice-
(a) stating that he has
complied or intends to comply with the data subject notice, or
(b) stating his reasons
for regarding the data subject notice as to any extent unjustified and the
extent (if any) to which he has complied or intends to comply with it.
(4)
If a court is satisfied, on the application of any person who has given a
notice under subsection (1) which appears to the court to be justified (or
to be justified to any extent), that the data controller in question has
failed to comply with the notice, the court may order him to take such
steps for complying with the notice (or for complying with it to that
extent) as the court thinks fit.
(5)
The failure by a data subject to exercise the right conferred by subsection
(1) or section 11(1) does not affect any other right conferred on him by
this Part.
Right to
prevent processing for purposes of direct marketing.
11. - (1) An individual is entitled at any time by notice in writing to
a data controller to require the data controller at the end of such period
as is reasonable in the circumstances to cease, or not to begin, processing
for the purposes of direct marketing personal data in respect of which he
is the data subject.
(2)
If the court is satisfied, on the application of any person who has given a
notice under subsection (1), that the data controller has failed to comply
with the notice, the court may order him to take such steps for complying
with the notice as the court thinks fit.
(3)
In this section "direct marketing" means the communication (by
whatever means) of any advertising or marketing material which is directed
to particular individuals.
Rights in
relation to automated decision-taking.
12. - (1) An individual is entitled at any time, by notice in writing
to any data controller, to require the data controller to ensure that no
decision taken by or on behalf of the data controller which significantly
affects that individual is based solely on the processing by automatic
means of personal data in respect of which that individual is the data
subject for the purpose of evaluating matters relating to him such as, for
example, his performance at work, his creditworthiness, his reliability or
his conduct.
(2)
Where, in a case where no notice under subsection (1) has effect, a
decision which significantly affects an individual is based solely on such
processing as is mentioned in subsection (1)-
(a) the data controller
must as soon as reasonably practicable notify the individual that the
decision was taken on that basis, and
(b) the individual is
entitled, within twenty-one days of receiving that notification from the
data controller, by notice in writing to require the data controller to
reconsider the decision or to take a new decision otherwise than on that
basis.
(3)
The data controller must, within twenty-one days of receiving a notice
under subsection (2)(b) ("the data subject notice") give the
individual a written notice specifying the steps that he intends to take to
comply with the data subject notice.
(4)
A notice under subsection (1) does not have effect in relation to an exempt
decision; and nothing in subsection (2) applies to an exempt decision.
(5)
In subsection (4) "exempt decision" means any decision-
(a) in respect of which
the condition in subsection (6) and the condition in subsection (7) are
met, or
(b) which is made in
such other circumstances as may be prescribed by the Secretary of State by
order.
(6)
The condition in this subsection is that the decision-
(a) is taken in the course
of steps taken-
(i)
for the purpose of considering whether to enter into a contract with the
data subject,
(ii) with a view to
entering into such a contract, or
(iii) in the course of
performing such a contract, or
(b) is authorised or required by or under any enactment.
(7)
The condition in this subsection is that either-
(a) the effect of the
decision is to grant a request of the data subject, or
(b) steps have been
taken to safeguard the legitimate interests of the data subject (for
example, by allowing him to make representations).
(8)
If a court is satisfied on the application of a data subject that a person
taking a decision in respect of him ("the responsible person")
has failed to comply with subsection (1) or (2)(b), the court may order the
responsible person to reconsider the decision, or to take a new decision
which is not based solely on such processing as is mentioned in subsection
(1).
(9)
An order under subsection (8) shall not affect the rights of any person
other than the data subject and the responsible person.
Compensation
for failure to comply with certain requirements.
13. - (1) An individual who suffers damage by reason of any
contravention by a data controller of any of the requirements of this Act
is entitled to compensation from the data controller for that damage.
(2)
An individual who suffers distress by reason of any contravention by a data
controller of any of the requirements of this Act is entitled to
compensation from the data controller for that distress if-
(a) the individual also
suffers damage by reason of the contravention, or
(b) the contravention
relates to the processing of personal data for the special purposes.
(3)
In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all
the circumstances was reasonably required to comply with the requirement
concerned.
Rectification,
blocking, erasure and destruction.
14. - (1) If a court is satisfied on the application of a data subject
that personal data of which the applicant is the subject are inaccurate,
the court may order the data controller to rectify, block, erase or destroy
those data and any other personal data in respect of which he is the data
controller and which contain an expression of opinion which appears to the
court to be based on the inaccurate data.
(2)
Subsection (1) applies whether or not the data accurately record
information received or obtained by the data controller from the data
subject or a third party but where the data accurately record such
information, then-
(a) if the requirements
mentioned in paragraph 7 of Part II of Schedule 1 have been complied with,
the court may, instead of making an order under subsection (1), make an
order requiring the data to be supplemented by such statement of the true
facts relating to the matters dealt with by the data as the court may
approve, and
(b) if all or any of
those requirements have not been complied with, the court may, instead of
making an order under that subsection, make such order as it thinks fit for
securing compliance with those requirements with or without a further order
requiring the data to be supplemented by such a statement as is mentioned
in paragraph (a).
|
|
|
(3)
Where the court-
|
|
|
(a) makes an order under
subsection (1), or
|
|
|
(b) is satisfied on the
application of a data subject that personal data of which he was the data
subject and which have been rectified, blocked, erased or destroyed were
inaccurate,
|
|
|
it may, where it
considers it reasonably practicable, order the data controller to notify
third parties to whom the data have been disclosed of the rectification,
blocking, erasure or destruction.
|
|
|
(4)
If a court is satisfied on the application of a data subject-
|
|
|
(a) that he has suffered
damage by reason of any contravention by a data controller of any of the
requirements of this Act in respect of any personal data, in circumstances
entitling him to compensation under section 13, and
|
|
|
(b) that there is a
substantial risk of further contravention in respect of those data in such
circumstances,
|
|
|
the court may order the
rectification, blocking, erasure or destruction of any of those data.
|
|
|
(5)
Where the court makes an order under subsection (4) it may, where it
considers it reasonably practicable, order the data controller to notify
third parties to whom the data have been disclosed of the rectification,
blocking, erasure or destruction.
|
|
|
(6)
In determining whether it is reasonably practicable to require such
notification as is mentioned in subsection (3) or (5) the court shall have
regard, in particular, to the number of persons who would have to be
notified.
|
Jurisdiction
and procedure.
|
15. - (1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

PART III

NOTIFICATION BY DATA CONTROLLERS

Preliminary.

16. - (1) In this Part "the registrable particulars", in relation to a data controller, means-

(a) his name and address,

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative,

(c) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,

(d) a description of the purpose or purposes for which the data are being or are to be processed,

(e) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,

(f) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data, and

(g) in any case where-

(i) personal data are being, or are intended to be, processed in circumstances in which the prohibition in subsection (1) of section 17 is excluded by subsection (2) or (3) of that section, and

(ii) the notification does not extend to those data,

a statement of that fact.

(2) In this Part-

"fees regulations" means regulations made by the Secretary of State under section 18(5) or 19(4) or (7);

"notification regulations" means regulations made by the Secretary of State under the other provisions of this Part;

"prescribed", except where used in relation to fees regulations, means prescribed by notification regulations.

(3) For the purposes of this Part, so far as it relates to the addresses of data controllers-

(a) the address of a registered company is that of its registered office, and

(b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

Prohibition on processing without registration.

17. - (1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).

(2) Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of "data" in section 1(1) nor within paragraph (b) of that definition.

(3) If it appears to the Secretary of State that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.

(4) Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.

Notification by data controllers.

18. - (1) Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.

(2) A notification under this section must specify in accordance with notification regulations-

(a) the registrable particulars, and

(b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle.

(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).

(4) Notification regulations may make provision as to the giving of notification-

(a) by partnerships, or

(b) in other cases where two or more persons are the data controllers in respect of any personal data.

(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.

(6) Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.

Register of notifications.

19. - (1) The Commissioner shall-

(a) maintain a register of persons who have given notification under section 18, and

(b) make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.

(2) Each entry in the register shall consist of-

(a) the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and

(b) such other information as the Commissioner may be authorised or required by notification regulations to include in the register.

(3) Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.

(4) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(5) In subsection (4) "the relevant time" means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.

(6) The Commissioner-

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.

Duty to notify changes.

20. - (1) For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.

(2) The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time-

(a) the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and

(b) the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).

(3) Subsection (3) of section 18 has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of subsection (2) of that section.

(4) On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.

Offences.

21. - (1) If section 17(1) is contravened, the data controller is guilty of an offence.

(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.

(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

Preliminary assessment by Commissioner.

22. - (1) In this section "assessable processing" means processing which is of a description specified in an order made by the Secretary of State as appearing to him to be particularly likely-

(a) to cause substantial damage or substantial distress to data subjects, or

(b) otherwise significantly to prejudice the rights and freedoms of data subjects.

(2) On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider-

(a) whether any of the processing to which the notification relates is assessable processing, and

(b) if so, whether the assessable processing is likely to comply with the provisions of this Act.

(3) Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.

(4) Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.

(5) No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either-

(a) the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or

(b) before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.

(6) Where subsection (5) is contravened, the data controller is guilty of an offence.

(7) The Secretary of State may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.

Power to make provision for appointment of data protection supervisors.

23. - (1) The Secretary of State may by order-

(a) make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller's compliance with the provisions of this Act, and

(b) provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified in the order.

(2) An order under this section may-

(a) impose duties on data protection supervisors in relation to the Commissioner, and

(b) confer functions on the Commissioner in relation to data protection supervisors.

Duty of certain data controllers to make certain information available.

24. - (1) Subject to subsection (3), where personal data are processed in a case where-

(a) by virtue of subsection (2) or (3) of section 17, subsection (1) of that section does not apply to the processing, and

(b) the data controller has not notified the relevant particulars in respect of that processing under section 18,

the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.

(2) In this section "the relevant particulars" means the particulars referred to in paragraphs (a) to (f) of section 16(1).

(3) This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.

(4) Any data controller who fails to comply with the duty imposed by subsection (1) is guilty of an offence.

(5) It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.

Functions of Commissioner in relation to making of notification regulations.

25. - (1) As soon as practicable after the passing of this Act, the Commissioner shall submit to the Secretary of State proposals as to the provisions to be included in the first notification regulations.

(2) The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the Secretary of State proposals as to amendments to be made to the regulations.

(3) The Secretary of State may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.

(4) Before making any notification regulations, the Secretary of State shall-

(a) consider any proposals made to him by the Commissioner under subsection (1), (2) or (3), and

(b) consult the Commissioner.

Fees regulations.

26. - (1) Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.

(2) In making any fees regulations, the Secretary of State shall have regard to the desirability of securing that the fees payable to the Commissioner are sufficient to offset-

(a) the expenses incurred by the Commissioner and the Tribunal in discharging their functions and any expenses of the Secretary of State in respect of the Commissioner or the Tribunal, and

(b) to the extent that the Secretary of State considers appropriate-

(i) any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and

(ii) expenses incurred or to be incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the Superannuation Act 1972.

PART IV

EXEMPTIONS

Preliminary.

27. - (1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part "the subject information provisions" means-

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part "the non-disclosure provisions" means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are-

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

National security.

28. - (1) Personal data are exempt from any of the provisions of-

(a) the data protection principles,

(b) Parts II, III and V, and

(c) section 55,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.

(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.

(7) On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.

(8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.

(10) The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.

(11) No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

(12) Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.

Crime and taxation.

29. - (1) Personal data processed for any of the following purposes-

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2) Personal data which-

(a) are processed for the purpose of discharging statutory functions, and

(b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),

are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3) Personal data are exempt from the non-disclosure provisions in any case in which-

(a) the disclosure is for any of the purposes mentioned in subsection (1), and

(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4) Personal data in respect of which the data controller is a relevant authority and which-

(a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes-

(i) the assessment or collection of any tax or duty or any imposition of a similar nature, or

(ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and

(b) are processed for either of those purposes,

are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4)-

"public funds" includes funds provided by any Community institution;

"relevant authority" means-

(a) a government department,

(b) a local authority, or

(c) any other authority administering housing benefit or council tax benefit.

Health, education and social work.

30. - (1) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.

(2) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to-

(a) personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consist of information relating to persons who are or have been pupils at the school, or

(b) personal data in respect of which the data controller is an education authority in Scotland, and which consist of information relating to persons who are receiving, or have received, further education provided by the authority.

(3) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information-

(a) processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order, and

(b) appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;

but the Secretary of State shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.

(4) An order under this section may make different provision in relation to data consisting of information of different descriptions.

(5) In this section-

"education authority" and "further education" have the same meaning as in the Education (Scotland) Act 1980 ("the 1980 Act"), and

"proprietor"-