DATA PROTECTION
The Data Protection Act 1998
The Data Protection Act 1998 implements the Data Protection Directive, the purpose of which is to harmonise data protection legislation throughout the European Union in order to protect the fundamental rights and freedoms of the individual, in particular the right to privacy with respect to the processing of personal data, and to facilitate the free flow of personal data within the European Union.
The Data Protection Act 1998 establishes a system of data protection controls for manual data as well as computerised data; ensures that personal data is used in accordance with the data protection principles; attaches certain conditions to the processing of personal data and adds extra safeguards where the personal data is considered sensitive; establishes certain rights of the data subject; and establishes a framework of notification and enforcement.
Separate provision is made: (1) for the processing of personal data and the protection of privacy in the electronic communications sector; and (2) with regard to the control of patient information.
The Data Protection Directive is also applicable to an internet operation whereby a person identifies other persons by name or other details on an internet page.
Extent of the Provisions
Except as otherwise provided, the Data Protection Act 1998 applies to a data controller in respect of any data only if: (1) the data controller is established in the United Kingdom and the data is processed in the context of that establishment; or (2) the data controller is established neither in the United Kingdom nor in any other EEA state but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
The Data Protection Act 1998 also binds the Crown. Each government department must be treated as a person separate from any other government department.
Since 30 November 2005, and subject to the exemption for personal data covered by Parliamentary privilege, the Data Protection Act 1998 has applied to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.
Relevant Definitions
In the Data Protection Act 1998, unless the context otherwise requires, 'data' means information which:
(1) is being processed by means of equipment operating automatically in response to instructions given for that purpose; or
(2) is recorded with the intention that it should be processed by means of such equipment; or
(3) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
(4) does not fall within head (1), (2) or (3) above but forms part of an accessible record.
Since 30 November 2005, this definition has been extended to include recorded information which is held by a public authority and which does not fall within any of heads (1) to (4) above.
'Personal data' means data which relates to a living individual who can be identified:
(a) from the data; or
(b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
'Data processor', in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
'Data subject' means an individual who is the subject of personal data.
In the Data Protection Act 1998, unless the context otherwise requires: (i) 'obtaining' or 'recording', in relation to personal data, includes obtaining or recording the information to be contained in the data; and (ii) 'using' or 'disclosing', in relation to personal data, includes using or disclosing the information contained in the data.
In the Data Protection Act 1998, 'sensitive personal data' means personal data consisting of information as to:
(A) the racial or ethnic origin of the data subject;
(B) his political opinions;
(C) his religious beliefs or other beliefs of a similar nature;
(D) whether he is a member of a trade union;
(E) his physical or mental health or condition;
(F) his sexual life;
(G) the commission or alleged commission by him of any offence; or
(H) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings, or the sentence of any court in such proceedings.
'Processing', in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
(1) organisation, adaptation or alteration of the information or data;
(2) retrieval, consultation or use of the information or data;
(3) disclosure of the information or data by transmission, dissemination or otherwise making it available; or
(4) alignment, combination, blocking, erasure or destruction of the information or data: Data Protection Act 1998 s 1(1).
'Relevant filing system' means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible: Data Protection Act 1998 s 1(1).
'Accessible record' means: (1) a health record; (2) an educational record; or (3) an accessible public record: s 68(1).
'Health record' means any record which: (a) consists of information relating to the physical or mental health or condition of an individual; and (b) has been made by or on behalf of a health professional in connection with the care of that individual: s 68(2).
For the meaning of 'educational record' see Sch 11; and as to the meaning of 'accessible public record' see Sch 12.
'Public authority' has the same meaning as in the Freedom of Information Act 2000 (see the Data Protection Act 1998 s 1(1) (definition added by the Freedom of Information Act 2000 s 68(1), (2)(b) from 30 November 2005: see s 87(3))).
For these purposes, information is held by a public authority if it is held by the authority otherwise than on behalf of another person, or it is held by another person on behalf of the authority: Freedom of Information Act 2000 s 3(2); applied by the Data Protection Act 1998 s 1(5) (added by the Freedom of Information Act 2000 s 68(1), (3) from 1 January 2005: see s 87(3)). Where the Freedom of Information Act 2000 s 7 prevents Pts I-V (ss 1-61) from applying to certain information held by a public authority, that information is not to be treated for these purposes as 'held' by a public authority: Data Protection Act 1998 s 1(6) (added by the Freedom of Information Act 2000 s 68(1), (2)(b) since 30 November 2005: see s 87(3)).
'Data controller' means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed: ibid s 1(1). Where personal data is processed only for purposes for which it is required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of the Data Protection Act 1998 the data controller: s 1(4). 'Enactment' includes an enactment passed after the Data Protection Act 1998 (ie passed after 16 July 1998): s 70(1).
The 8 Principles by which all Personal Data must be Processed
The Data Protection Act 1998 sets out eight principles by which all personal data must be processed. Special conditions apply for the purposes of the first data protection principle. The eighth data protection principle does not apply in certain cases.
It is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
1. The first data protection principle.
The first data protection principle is that personal data must be processed fairly and lawfully and, in particular, must not be processed unless: (1) at least one of the specified conditions which apply to all personal data is met; and (2) in the case of sensitive personal data, at least one of the specified conditions which apply only to sensitive personal data is also met.
Processed Fairly
In determining for the purposes of the first data protection principle whether personal data is processed fairly, regard is to be had to the method by which the data is obtained, including in particular whether any person from whom it is obtained is deceived or misled as to the purpose or purposes for which it is to be processed. Data is to be treated as obtained fairly if it consists of information obtained from a person who is authorised by or under any enactment to supply it, or is required to supply it by or under any enactment or by any Convention or other instrument imposing an international obligation on the United Kingdom.
Personal data is not to be treated as processed fairly unless: (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him: (i) the identity of the data controller; (ii) if he has nominated a representative for the purposes of the Data Protection Act 1998, the identity of that representative; (iii) the purpose or purposes for which the data is intended to be processed; and (iv) any further information which is necessary, having regard to the specific circumstances in which the data is or is to be processed, to enable processing in respect of the data subject to be fair; and (b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in heads (i) to (iv) above.
Personal data which contains a general identifier falling within a description prescribed by the Lord Chancellor by order is not to be treated as processed fairly and lawfully unless it is processed in compliance with any conditions so prescribed in relation to general identifiers of that description: Data Protection Act 1998 Sch 1 Pt II para 4(1) (amended by the Transfer of Functions (Miscellaneous) Order 2001, SI 2001/3500, Sch 2 Pt I para 6(1)(x)). 'A general identifier' means any identifier (eg a number or code used for identification purposes) which relates to an individual, and forms part of a set of similar identifiers which is of general application: Data Protection Act 1998 Sch 1 Pt II para 4(2). No such Order has yet been made.
For the purposes of the first data protection principle, the conditions which apply to the processing of all personal data are as follows: (1) the data subject must have given his consent to the processing; (2) the processing must be necessary either for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract; (3) the processing must be necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; (4) the processing must be necessary in order to protect the vital interests of the data subject; (5) the processing must be necessary: (a) for the administration of justice; or (b) for the exercise of any functions of either House of Parliament; or (c) for the exercise of any functions conferred on any person by or under any enactment; or (d) for the exercise of any functions of the Crown, a Minister of the Crown or a government department; or (e) for the exercise of any other functions of a public nature exercised in the public interest by any person; (6) the processing must be necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Conditions to be met in relation to sensitive personal data
For the purposes of the first data protection principle, the conditions which apply to the processing of sensitive personal data are as follows:
(1) the data subject must have given his explicit consent to the processing of the personal data;
(2) the processing must be necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
(3) the processing must be necessary: (a) in order to protect the vital interests of the data subject or another person, either in a case where consent cannot be given by or on behalf of the data subject or where the data controller cannot reasonably be expected to obtain the consent of the data subject; or (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
(4) the processing: (a) must be carried out in the course of its legitimate activities by any body or association which is not established or conducted for profit, and exists for political, philosophical, religious or trade-union purposes; (b) must be carried out with appropriate safeguards for the rights and freedoms of data subjects; (c) must relate only to individuals who are members of the body or association or who have regular contact with it in connection with its purposes; and (d) must not involve disclosure of the personal data to a third party without the consent of the data subject;
(5) the information contained in the personal data must have been made public as a result of steps deliberately taken by the data subject;
(6) the processing must be necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or must be otherwise necessary for the purposes of establishing, exercising or defending legal rights;
(7) the processing must be necessary: (a) for the administration of justice; (b) for the exercise of any functions of either House of Parliament; (c) for the exercise of any functions conferred on any person by or under an enactment; or (d) for the exercise of any functions of the Crown, a Minister of the Crown or a government department;
(8) the processing must be necessary for medical purposes and must be undertaken by a health professional, or by a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional;
(9) the processing must be: (a) of sensitive personal data consisting of information as to racial or ethnic origin; (b) necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and (c) carried out with appropriate safeguards for the rights and freedoms of data subjects; and
(10) the personal data must be processed in circumstances specified in an order made by the Lord Chancellor for these purposes.
As regards the tenth condition, the following circumstances have been specified by the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417 (as amended):
(1) where the processing: (a) is in the substantial public interest; (b) is necessary for the purposes of the prevention or detection of any unlawful act (or failure to act); and (c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes (Schedule para 1);
(2) where the processing: (a) is in the substantial public interest; (b) is necessary for the discharge of any function which is designed for protecting members of the public against (i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person; or (ii) mismanagement in the administration of, or failures in services provided by, any body or association; and (c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function (Schedule para 2);
(3) where the disclosure of personal data: (a) is in the substantial public interest; (b) is in connection with (i) the commission by any person of any unlawful act or failure to act (whether alleged or established); (ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established); or (iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established); (c) is for the special purposes as defined in the Data Protection Act 1998 s 3; and (d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest (Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, Schedule para 3);
(4) where the processing: (a) is in the substantial public interest; (b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and (c) is carried out without the explicit consent of the data subject because the processing (i) is necessary in a case where consent cannot be given by the data subject; (ii) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject; or (iii) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service (Schedule para 4);
(5) where the processing: (a) is necessary for the purpose of: (i) carrying on insurance business; or (ii) making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme as defined in the Pension Schemes Act 1993 s 1; (b) is of sensitive personal data consisting of information relating to a person's physical or mental health or condition (see the Data Protection Act 1998 s 2(e)); and relating to a data subject who is the parent, grandparent, great grandparent or sibling of, in the case of head (5)(a)(i) supra, the insured person, or, in the case of head (5)(a)(ii) supra, the member of the scheme; (c) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of that data subject and the data controller is not aware of the data subject withholding his consent; and (d) does not support measures or decisions with respect to that data subject (Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, Schedule para 5);
(6) where the processing: (a) is of sensitive personal data in relation to any particular data subject that is subject to processing which was already under way immediately before the coming into force of the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417 (ie 1 March 2000); (b) is necessary for the purpose of: (i) effecting or carrying out contracts of long term insurance to which head (5) supra also applies; or (ii) establishing or administering an occupational pension scheme as defined in the Pension Schemes Act 1993 s 1; and (c) either (i) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject and that data subject has not informed the data controller that he does not so consent; or (ii) must necessarily be carried out even without the explicit consent of the data subject so as not to prejudice those purposes (Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, Schedule para 6);
(7) where the processing: (a) is of sensitive personal data consisting of information falling within the Data Protection Act 1998 s 2(c), (e); (b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons holding different beliefs or of different states of physical or mental health or different physical or mental conditions as described in the Act, with a view to enabling such equality to be promoted or maintained; (c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and (d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.
Where any individual has given notice in writing to any data controller who is processing personal data under these provisions requiring that data controller to cease processing personal data in respect of which that individual is the data subject at the end of such period as is reasonable in the circumstances, that data controller must have ceased processing those personal data at the end of that period (Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, Schedule para 7);
(8) where the processing: (a) is of sensitive personal data consisting of information falling within the Data Protection Act 1998 s 2(b); (b) is carried out by any person or organisation included in the register maintained pursuant to the Registration of Political Parties Act 1998 s 1 in the course of his or its legitimate political activities; and (c) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person. Where any individual has given notice in writing to any data controller who is processing personal data under these provisions requiring that data controller to cease processing personal data in respect of which that individual is the data subject at the end of such period as is reasonable in the circumstances, that data controller must have ceased processing those personal data at the end of that period (Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, Schedule para 8);
(9) where the processing: (a) is in the substantial public interest; (b) is necessary for research purposes; (c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and (d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person (Schedule para 9); or
(10) where the processing is necessary for the exercise of any functions conferred on a constable by any rule of law (Schedule para 10).
2. The second data protection principle
The second data protection principle is that personal data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with that purpose or those purposes.
3. The third data protection principle
The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
4. The fourth data protection principle
The fourth data protection principle is that personal data must be accurate and, where necessary, kept up to date.
This principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately records information obtained by the data controller from the data subject or a third party in a case where: (1) having regard to the purpose or purposes for which the data was obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data; and (2) if the data subject has notified the data controller of the data subject's view that the data is inaccurate, the data indicates that fact.
5. The fifth data protection principle
The fifth data protection principle is that personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
6. The sixth data protection principle
The sixth data protection principle is that personal data must be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
7. The seventh data protection principle
The seventh data protection principle is that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (1) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (2) the nature of the data to be protected.
The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with this principle: (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and (b) take reasonable steps to ensure compliance with those measures. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh data protection principle unless: (i) the processing is carried out under a contract which is made or evidenced in writing, and under which the data processor is to act only on instructions from the data controller; and (ii) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh data protection principle.
8. The eighth data protection principle
The eighth data protection principle is that personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to: (1) the nature of the personal data; (2) the country or territory of origin of the information contained in the data; (3) the country or territory of final destination of that information; (4) the purposes for which and period during which the data is intended to be processed; (5) the law in force in the country or territory in question; (6) the international obligations of that country or territory; (7) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases); and (8) any security measures taken in respect of the data in that country or territory.
Where: (a) in any proceedings under the Data Protection Act 1998 any question arises as to whether the requirement of the eighth data protection principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area; and (b) a Community finding has been made in relation to transfers of the kind in question, that question is to be determined in accordance with that finding.
Except in such circumstances and to such extent as the Lord Chancellor may by order provide, the eighth data protection principle does not apply to a transfer falling within any of the following cases: (i) where the data subject has given his consent to the transfer; (ii) where the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller; (iii) where the transfer is necessary for the conclusion, or the performance, of a contract between the data controller and a person other than the data subject which is entered into at the request of the data subject, or is in the interests of the data subject; (iv) where the transfer is necessary for reasons of substantial public interest; (v) where the transfer is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights; (vi) where the transfer is necessary in order to protect the vital interests of the data subject; (vii) where the transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data is or may be disclosed after the transfer; (viii) where the transfer is made on terms which are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects; and (ix) where the transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
The Information Commissioner
For the purposes of the Data Protection Act 1998 and of the Freedom of Information Act 2000 there is an officer known as the Information Commissioner, who is appointed by Her Majesty by Letters Patent.
It is the duty of the Information Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under the Data Protection Act 1998 as to promote the observance of the requirements of the Act by data controllers. The Commissioner must arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of the Act, about good practice, and about other matters within the scope of his functions under the Act, and may give advice to any person as to any of those matters.
Where: (1) the Lord Chancellor so directs by order; or (2) the Commissioner considers it appropriate to do so, the Commissioner must, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice. Where he considers it appropriate to do so, the Commissioner must encourage trade associations to prepare, and to disseminate to their members, such codes of practice; and where any trade association submits a code of practice to him for his consideration, he must consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, he must notify the trade association whether in his opinion the code promotes the following of good practice.
In exercise of the power given under s 51(3) (as amended), the Commissioner has issued: (1) the CCTV code of practice (2000), which provides guidance as to good practice for users of CCTV (closed circuit television) and similar surveillance equipment; and (2) the Employment Practices Data Protection Code, of which Part 1: Recruitment and Selection (2002), Part 2: Employment Records (2002) and Part 3: Monitoring at Work (2003) had been issued at the date on which this volume states the law.
The Commissioner must arrange for the dissemination in such form and manner as he considers appropriate of: (a) any Community finding; (b) any decision of the European Commission; and (c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.
The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and must inform the data controller of the results of the assessment. The Commissioner may charge such sums as he may with the consent of the Lord Chancellor determine for any services provided by the Commissioner.
The Commissioner must lay annually before each House of Parliament a general report on the exercise of his functions under the Data Protection Act 1998. The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
An individual who is an actual or prospective party to any proceedings which relate to personal data processed for the special purposes may apply to the Information Commissioner for assistance in relation to those proceedings. The Commissioner must, as soon as reasonably practicable after receiving such an application, consider it and decide whether and to what extent to grant it, but he must not grant the application unless, in his opinion, the case involves a matter of substantial public importance. If the Commissioner decides to provide assistance, he must, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided. If the Commissioner decides not to provide assistance, he must, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.
The Information Commissioner is the designated authority in the United Kingdom for the purposes of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Lord Chancellor may by order make provision as to the functions to be discharged by the Commissioner.
The Commissioner must, at the request of a foreign designated authority, furnish to that authority such information referred to in the Convention, and in particular the data protection legislation in force in the United Kingdom at the time the request is made, as is the subject of the request. He must also, at the request of a foreign designated authority, take appropriate measures for furnishing to that authority information relating to the processing of personal data in the United Kingdom. Equally, the Commissioner may request a foreign designated authority to furnish to him or, as the case may be, to take appropriate measures for furnishing to him, information that is required under the Convention.
The Information Tribunal
For the purposes of the Data Protection Act 1998 and of the Freedom of Information Act 2000 there is a tribunal known as the Information Tribunal. The Tribunal consists of: (1) a chairman appointed by the Lord Chancellor after consultation with the Secretary of State; (2) such number of deputy chairmen so appointed as the Lord Chancellor may determine; and (3) such number of other members appointed by the Lord Chancellor as he may determine.
Disclosure of information
No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from furnishing the Information Commissioner or the Information Tribunal with any information necessary for the discharge of their functions under the Data Protection Act 1998 or the Freedom of Information Act 2000.
Rights of access to personal data
An individual is entitled: (1) to be informed by any data controller whether personal data of which that individual is the data subject is being processed by or on behalf of that data controller; and (2) if that is the case, to be given by the data controller a description of: (a) personal data of which that individual is the data subject; (b) the purposes for which it is being or is to be processed; and (c) the recipients or classes of recipients to whom it is or may be disclosed; and (3) to have communicated to him in an intelligible form: (a) the information constituting any personal data of which that individual is the data subject; and (b) any information available to the data controller as to the source of the data; and (4) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking. The Lord Chancellor may by regulations provide that, in such cases as may be prescribed, a request for information under any one of these provisions is to be treated as extending also to information under any of the other provisions.
The information to be supplied pursuant to a request must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
Where a data controller has previously complied with a request made by an individual, the data controller is not obliged to comply with a subsequent identical or similar request by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
Compliance with requests for information
A data controller is not obliged to supply any information unless he has received a request in writing and, except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require. As to the amount prescribed see the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000, SI 2000/191 (amended by SI 2001/3223): generally between £10 and £50 (where 500 pages or more). Where a data controller reasonably requires further information in order to satisfy himself as to the identity of the person making a request and to locate the information which that person seeks, and has informed him of that requirement, the data controller is not obliged to comply with the request unless he is supplied with that further information. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: (1) the other individual has consented to the disclosure of the information to the person making the request; or (2) it is reasonable in all the circumstances to comply with the request without the consent of the other individual. An individual making a request may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description. A data controller must comply with a request promptly and in any event before the end of the prescribed period beginning with the relevant day. If a court is satisfied on the application of any person who has made a request under these provisions that the data controller in question has failed to comply with the request in contravention of these provisions, the court may order him to comply with the request.
Where the data controller is a credit reference agency, the provisions described above have effect subject to the following provisions. An individual making a request may limit his request to personal data relevant to his financial standing, and is taken to have so limited his request unless the request shows a contrary intention. Where the data controller receives a request in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the Lord Chancellor by regulations, of the individual's rights (a) under the Consumer Credit Act 1974; and (b) to the extent required by the prescribed form, under the Data Protection Act 1998.
Data Subject’s other Rights
An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons: (1) the processing of the data or the processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another; and (2) that damage or distress is or would be unwarranted. The data controller must within 21 days of receiving a notice ('the data subject notice') give the individual who gave it a written notice: (a) stating that he has complied or intends to comply with the data subject notice; or (b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it. If a court is satisfied, on the application of any person who has given a notice which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject. If the court is satisfied, on the application of any person who has given a notice that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
These provisions do not apply in relation to the processing of telecommunications billing data for certain marketing purposes.
An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct. Where, in a case where no notice has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned above: (1) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis; and (2) the individual is entitled, within 21 days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis. The data controller must, within 21 days of receiving a notice under head (2) above ('the data subject notice') give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice. If a court is satisfied on the application of a data subject that a person taking a decision in respect of him ('the responsible person') has failed to comply with the provisions described above, the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned above.
The following provisions ceased to have effect from 23 October 2007 (The Data Protection Act 1998 s 12A is added with temporary effect for the period ending with 23 October 2007: see s 72, Sch 13 para 1):
A data subject is entitled at any time by notice in writing: (1) to require the data controller to rectify, block, erase or destroy exempt manual data which are inaccurate or incomplete; or (2) to require the data controller to cease holding exempt manual data in a way incompatible with the legitimate purposes pursued by the data controller. A notice under head (1) or head (2) above must state the data subject's reasons for believing that the data is inaccurate or incomplete or, as the case may be, his reasons for believing that it is held in a way incompatible with the legitimate purposes pursued by the data controller.
If the court is satisfied, on the application of any person who has given a notice which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
For these purposes, personal data is incomplete if, and only if, the data, although not inaccurate, is such that its incompleteness would constitute a contravention of the third or fourth data protection principles, if those principles applied to the data.
Compensation
An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Data Protection Act 1998 is entitled to compensation from the data controller for that damage. An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of the Data Protection Act 1998 is entitled to compensation from the data controller for that distress if: (1) the individual also suffers damage by reason of the contravention; or (2) the contravention relates to the processing of personal data for the special purposes. In proceedings brought against a person by virtue of these provisions, it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject is inaccurate, the court may order the data controller to rectify, block, erase or destroy the data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data. Where the court makes such an order, or is satisfied on the application of a data subject that personal data of which he was the data subject and which has been rectified, blocked, erased or destroyed was inaccurate, it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data has been disclosed of the rectification, blocking, erasure or destruction. If a court is satisfied on the application of a data subject: (1) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of the Data Protection Act 1998 in respect of any personal data, in circumstances entitling him to compensation; and (2) that there is a substantial risk of further contravention in respect of the data in such circumstances, the court may order the rectification, blocking, erasure or destruction of any of the data.
Special Duties for Public Authorities
From 30 November 2005, the Data Protection Act 1998 was amended to extend subject access to a potentially wide class of data held by public authorities but in a way which is delimited by exemptions and qualifications. The regime operates according to the following principles: (1) certain data that is otherwise exempt under the Data Protection Act 1998 is brought within the scope of the Act when it is held by public authorities but only in relation to subject access and accuracy; and (2) 'structured' information held by public authorities is treated as 'personal data' for the purposes of the Data Protection Act 1998, but access to the residual 'unstructured' information is qualified; and (3) a request for personal information about the applicant under the Freedom of Information Act 2000 is treated as a subject access request under the Data Protection Act 1998 instead.
The Data Protection Act 1998 was also amended on 30 November 2005 to provide that a public authority is not obliged to comply with a subject access request in relation to any unstructured personal data unless the request contains a description of the data.
Even if the data is described by the data subject in his request, a public authority is not obliged to comply with such a request in relation to unstructured personal data if the authority estimates that the cost of complying with the request so far as relating to the data would exceed the appropriate limit.
Any estimate for the purposes of these provisions must be made in accordance with regulations made under the Freedom of Information Act 2000. The appropriate limit for the purposes of the Data Protection Act 1998 s 9A(3), (4) is (1) £600 for public authorities listed in the Freedom of Information Act 2000 Sch 1 Pt 1 (paras 1-6); and (2) £450 for other public authorities: Freedom of Information (Appropriate Limit and Fees) Regulations 2004, SI 2004/3244, reg 3.
The Freedom of Information Act 2000 provides that, as from 30 November 2005, any information to which a request for information under the Act relates is exempt information if it constitutes personal data of which the applicant is the data subject. Information is also exempt information for these purposes if: (1) it constitutes personal data of which the applicant is not the data subject; and (2) either of the two conditions below is satisfied.
The first condition is: (a) in a case where the information falls within the relevant parts of the definition of 'data' given in the Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under the Freedom of Information Act 2000 would contravene: (i) any of the data protection principles; or (ii) the right to prevent processing likely to cause damage or distress; and (b) in any other case, that the disclosure of the information to a member of the public otherwise than under the Freedom of Information Act 2000 would contravene any of the data protection principles if the exemptions in the Data Protection Act 1998 which relate to manual data held by public authorities were disregarded.
The second condition is that by virtue of any provision of Part IV of the Data Protection Act 1998 the information is exempt from the data subject's right of access to personal data.
The exemptions in the Data Protection Act 1998 Sch 8 Pt III were available after 23 October 2001 but before 24 October 2007. During the period beginning with 24 October 2001 and ending with 23 October 2007, such data was exempt from: (1) the first data protection principle except to the extent to which it requires compliance with Sch 1 Pt II para 2; (2) the second, third, fourth and fifth data protection principles; and (3) the provisions of s 14(1)-(3): see Sch 8 paras 1(2), 14(2).
The Data Protection Act 1998 provides that, as from a day to be appointed (no date appointed yet), a person must not, in connection with: (1) the recruitment of another person as an employee; (2) the continued employment of another person; or (3) any contract for the provision of services to him by another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him (this relates to criminal and associated records). A person concerned with the provision (whether or not for payment) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him. These provisions do not apply to a person who shows: (a) that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court; or (b) that in the particular circumstances the imposition of the requirement was justified as being in the public interest.
Duty of ‘data controllers’ to register with the Information Commissioner
Personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner (or is treated by notification regulations as being so included).
If this provision is contravened, the data controller is guilty of an offence.
However (except where the processing is assessable processing), this provision does not apply in relation to personal data consisting of information which is neither being processed by means of equipment operating automatically in response to instructions given for that purpose, nor is recorded with the intention that it should be processed by means of such equipment.
'Assessable processing' means processing which is of a description specified in an order made by the Lord Chancellor as appearing to him to be particularly likely: (1) to cause substantial damage or substantial distress to data subjects; or (2) otherwise significantly to prejudice the rights and freedoms of data subjects: s 22(1) (amended by the Transfer of Functions (Miscellaneous) Order 2001, SI 2001/3500, Sch 2 Pt 1 para 6(1)(j)). In any case in which the Commissioner considers under the Data Protection Act 1998 s 22(2)(a) that any of the processing to which a notification relates is assessable processing within the meaning of that provision, he must, within 10 days of receipt of the notification, give a written notice to the data controller who has given the notification, acknowledging its receipt; and such a notice must indicate the date on which the Commissioner received the notification, and the processing which the Commissioner considers to be assessable processing: Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, reg 9.
Exceptions to this requirement
Nor (except where the processing is assessable processing) does the provision as to notification apply where the processing falls within one or more of the following descriptions of processing:
Necessary Personnel Records
(1) where the processing is for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller, and: (a) is of personal data in respect of which the data subject is a past, existing or prospective member of staff of the data controller, or any person the processing of whose personal data is necessary for the exempt purposes; (b) is of personal data consisting of the name, address and other identifiers of the data subject or information as to qualifications, work experience or pay, or other matters the processing of which is necessary for the exempt purposes; (c) does not involve disclosure of the personal data to any third party other than with the consent of the data subject, or where it is necessary to make such disclosure for the exempt purposes; and (d) does not involve keeping the personal data after the relationship between the data controller and staff member ends, unless and for so long as it is necessary to do so for the exempt purposes; or
Marketing Records
(2) where the processing is for the purposes of advertising or marketing the data controller's business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services, and: (a) is of personal data in respect of which the data subject is a past, existing or prospective customer or supplier, or any person the processing of whose personal data is necessary for the exempt purposes; (b) is of personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes; (c) does not involve disclosure of the personal data to any third party other than with the consent of the data subject, or where it is necessary to make such disclosure for the exempt purposes; and (d) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes; or
Accounts
(3) where the processing is for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity, and: (a) is of personal data in respect of which the data subject is a past, existing or prospective customer or supplier, or any person the processing of whose personal data is necessary for the exempt purposes; (b) is of personal data consisting of the name, address and other identifiers of the data subject or information as to financial standing, or other matters the processing of which is necessary for the exempt purposes; (c) does not involve disclosure of the personal data to any third party other than with the consent of the data subject, or where it is necessary to make such disclosure for the exempt purposes; and (d) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes; or
Not for profit associations
(4) where the processing is carried out by a data controller which is a body or association which is not established or conducted for profit, and is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it, and: (a) is of personal data in respect of which the data subject is a past, existing or prospective member of the body or organisation, any person who has regular contact with the body or organisation in connection with the exempt purposes, or any person the processing of whose personal data is necessary for the exempt purposes; (b) is of personal data consisting of the name, address and other identifiers of the data subject or information as to eligibility for membership of the body or association, or other matters the processing of which is necessary for the exempt purposes; (c) does not involve disclosure of the personal data to any third party other than with the consent of the data subject, or where it is necessary to make such disclosure for the exempt purposes; and (d) does not involve keeping the personal data after the relationship between the data controller and data subject ends, unless and for so long as it is necessary to do so for the exempt purposes; or (5) where the processing does not fall within one or more of the descriptions given in heads (1) to (4) above solely by virtue of the fact that disclosure of the personal data to a person other than those specified in the descriptions is required by or under any enactment, by any rule of law or by the order of a court, or may be made by virtue of an exemption from the non-disclosure provisions.
Required Notification
Any data controller who wishes to be included in the register must give a notification to the Information Commissioner. Such a notification must specify in accordance with notification regulations: (1) the registrable particulars; and (2) a general description of measures to be taken for the purpose of complying with the seventh data protection principle. (The seventh data protection principle is that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.) Notification regulations may also make provision as to the giving of notification: (a) by partnerships; or (b) in other cases where two or more persons are the data controllers in respect of any personal data. The notification must be accompanied by such fee as may be prescribed by fees regulations.
In the Data Protection Act 1998 Pt III (ss 16-26) (as amended), 'the registrable particulars', in relation to a data controller, means: (1) his name and address (s 16(1)(a)); (2) if he has nominated a representative for the purposes of the Data Protection Act 1998, the name and address of the representative (s 16(1)(b)); (3) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which it relates (s 16(1)(c)); (4) a description of the purpose or purposes for which the data is being or is to be processed (s 16(1)(d)); (5) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data (s 16(1)(e)); (6) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data (s 16(1)(f)); (7) where the data controller is a public authority, a statement of that fact (s 16(1)(ff) (added by the Freedom of Information Act 2000 s 71 as from 30 November 2005 unless an earlier date is appointed: see s 87(3) (amended by the Transfer of Functions (Miscellaneous) Order 2001, SI 2001/3500, art 8, Sch 2 Pt I para 8(1)(o))); and (8) in any case where: (a) personal data is being, or is intended to be, processed in circumstances in which the prohibition in the Data Protection Act 1998 s 17(1) is excluded by s 17(2) or s 17(3); and (b) the notification does not extend to the data, a statement of that fact: s 16(1)(g).
The Information Commissioner must: (1) maintain a register of persons who have given notification; and (2) make an entry in the register in pursuance of each notification received by him from a person in respect of whom no entry as data controller was for the time being included in the register. Each entry in the register must consist of: (a) the registrable particulars or, as the case requires, those particulars as amended; and (b) such other information as the Commissioner may be authorised or required by notification regulations to include in the register.
Under the notification regulations, in addition to the matters mentioned in head (a) above, the Commissioner may include in a register entry: (i) a registration number issued by the Commissioner in respect of that entry; (ii) the date on which the entry is treated as having been included in pursuance of a notification; (iii) the date on which the entry falls or may fall to be removed; and (iv) information additional to the registrable particulars for the purpose of assisting persons consulting the register to communicate with any data controller to whom the entry relates concerning matters relating to the processing of personal data.
Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated as having been made in the register. Under the notification regulations, the time from which an entry in respect of a data controller who has given a notification in accordance with the regulations is to be treated for the purposes of the Data Protection Act 1998 as having been made in the register is as follows: (A) in the case of a data controller who has given the notification by sending it by registered post or the recorded delivery service, the day after the day on which it is received for dispatch by the postal operator concerned; and (B) in the case of a data controller who has given a notification by some other means, the day on which it is received by the Commissioner.
No entry may be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations. The Commissioner must provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and may also provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.
The Commissioner must, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.
For the purpose of ensuring, so far as practicable, that at any time: (1) the entries in the register contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data; and (2) the Information Commissioner is provided with a general description of measures currently being taken, notification regulations must include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as may be prescribed.
Under the regulations, every person in respect of whom an entry is for the time being included in the register is under a duty to give the Commissioner a notification specifying any respect in which: (a) that entry becomes inaccurate or incomplete as a statement of his current registrable particulars; or (b) the general description of measures notified or, as the case may be, that description as amended in pursuance of a notification under the regulations, becomes inaccurate or incomplete, and setting out the changes which need to be made to that entry or general description in order to make it accurate and complete.
On receiving any notification under notification regulations, the Commissioner must make such amendments of the relevant entry in the register as are necessary to take account of the notification.
On receiving notification from any data controller or under notification regulations, the Information Commissioner must consider: (1) whether any of the processing to which the notification relates is assessable processing; and (2) if so, whether the assessable processing is likely to comply with the provisions of the Data Protection Act 1998. The Commissioner must, within the period of 28 days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of the Data Protection Act 1998.
Where certain personal data is processed, the data controller must, within 21 days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge. These provisions have effect subject to any exemption conferred for these purposes by notification regulations. Any data controller who fails to comply with the duty mentioned above is guilty of an offence.
The Information Commissioner must keep under review the working of notification regulations and may from time to time submit to the Lord Chancellor proposals as to amendments to be made to the regulations. The Lord Chancellor may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter. Before making any notification regulations, the Lord Chancellor must: (1) consider any proposals made to him by the Commissioner under the provisions described above; and (2) consult the Commissioner.
National Security
Personal data is exempt from certain provisions of the Data Protection Act 1998 if the exemption from that provision is required for the purpose of safeguarding national security. A certificate signed by a Minister of the Crown certifying that exemption from all or any of those provisions is or at any time was required for the purpose there mentioned in respect of any personal data is conclusive evidence of that fact. Such a certificate may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect. Any person directly affected by the issuing of a certificate may appeal to the Information Tribunal against the certificate. Where in any proceedings under or by virtue of the Data Protection Act 1998 it is claimed by a data controller that a certificate which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination, the certificate is conclusively presumed so to apply. A document purporting to be a certificate must be received in evidence and deemed to be such a certificate unless the contrary is proved. A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that minister is in any legal proceedings evidence of that certificate. The power conferred on a Minister of the Crown is not exercisable except by a minister who is a member of the Cabinet or by the Attorney General.
No power conferred by any provision of Part V of the Data Protection Act 1998 may be exercised in relation to personal data which by virtue of the provisions described above is exempt from that provision.
Crime and Taxation
Personal data processed for any of the following purposes: (1) the prevention or detection of crime; (2) the apprehension or prosecution of offenders; or (3) the assessment or collection of any tax or duty or of any imposition of a similar nature, is exempt from certain provisions of the Data Protection Act 1998 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned above. Personal data which: (a) is processed for the purpose of discharging statutory functions; and (b) consists of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in heads (1) to (3) above, is exempt from the subject information provisions to the same extent as personal data processed for any of those purposes.
Personal data is exempt from the non-disclosure provisions in any case in which the disclosure is for any of the purposes mentioned in heads (1) to (3) above and the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned there.
Personal data in respect of which the data controller is a relevant authority and which: (i) consists of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes: (A) the assessment or collection of any tax or duty or any imposition of a similar nature; or (B) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds; and (ii) is processed for either of those purposes, is exempt from provisions relating to the right of access to personal data to the extent to which the exemption is required in the interests of the operation of the system.
Health, Education and Social Work
The Lord Chancellor may by order exempt from the subject information provisions or modify those provisions in relation to: (1) personal data consisting of information as to the physical or mental health or condition of the data subject; (2) personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consists of information relating to persons who are or have been pupils at the school; (3) personal data of such other descriptions as may be specified in the order, being information: (a) processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order; and (b) appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals, but the Lord Chancellor must not confer any exemption or make any modification under head (3) except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work. An order made under these provisions may make different provision in relation to data consisting of information of different descriptions.
Regulatory Activity
Personal data processed for the purposes of discharging regulatory functions is exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
A regulatory function is any relevant function which is designed: (1) for protecting members of the public against: (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; (b) financial loss due to the conduct of discharged or undischarged bankrupts; or (c) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity; or (2) for protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration; or (3) for protecting the property of charities from loss or misapplication; or (4) for the recovery of the property of charities; or (5) for securing the health, safety and welfare of persons at work; or (6) for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.
Personal data processed for the purpose of discharging any function which: (i) is conferred by or under any enactment on the Parliamentary Commissioner for Administration, the Commission for Local Administration in England or the Commission for Local Administration in Wales, the Health Service Commissioner for England or the Health Service Commissioner for Wales, or the Welsh Administration Ombudsman; and (ii) is designed for protecting members of the public against maladministration by public bodies, failures in services provided by public bodies, or a failure of a public body to provide a service which it was a function of the body to provide, is exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
Personal data processed for the purpose of discharging any function which is conferred on the operator of the ombudsman scheme by or under Part XVI of the Financial Services and Markets Act 2000 is exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of the function.
Personal data processed for the purpose of discharging any function which is conferred by or under any enactment on the Office of Fair Trading and which is designed: (A) for protecting members of the public against conduct which may adversely affect their interests by persons carrying on a business; or (B) for regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity; or (C) for regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market, is exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
Journalistic, Literary or Artistic Material
Personal data which is processed only for the special purposes is exempt from certain provisions of the Data Protection Act 1998 if: (1) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material; (2) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and (3) the data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.
In considering for the purposes of head (2) above whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which is relevant to the publication in question, and is designated by the Lord Chancellor by order for these purposes. Where at any time ('the relevant time') in any proceedings against a data controller the data controller claims, or it appears to the court, that any personal data to which the proceedings relate is being processed: (a) only for the special purposes; and (b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time 24 hours immediately before the relevant time, had not previously been published by the data controller, the court must stay the proceedings until either of the conditions mentioned below is met. Those conditions are: (i) that a determination of the Information Commissioner with respect to the data in question takes effect; or (ii) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.
Research, History and Statistics
For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which it was obtained. Personal data which is processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely. Personal data which is processed only for research purposes is exempt from provisions relating to the right of access to personal data if: (1) it is processed in compliance with the relevant conditions; and (2) the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them. For these purposes, personal data is not to be treated as processed otherwise than for research purposes merely because the data is disclosed: (a) to any person, for research purposes only; (b) to the data subject or a person acting on his behalf; (c) at the request, or with the consent, of the data subject or a person acting on his behalf; or (d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within head (a), (b) or (c) above.
Other Exemptions
From 1 January 2005, the Data Protection Act 1998 has provided that personal data which constitutes recorded information held by a public authority and falls within the scope of the Data Protection Act 1998 is exempt from: (1) the first, second, third, fifth, seventh and eighth data protection principles; and (2) the sixth data protection principle except so far as it relates to the rights conferred on data subjects; and (3) the provisions of the Data Protection Act 1998 relating to the right to prevent processing likely to cause damage or distress, the right to prevent processing for purposes of direct marketing, and rights in relation to automated decision-taking; and (4) the right to compensation, except so far as it relates to damage caused by a contravention of the rights conferred on data subjects, or of the fourth data protection principle and to any distress which is also suffered by reason of that contravention; and (5) Part III of the Data Protection Act 1998; and (6) the provisions relating to the unlawful obtaining of personal data.
Personal data is also exempt from the remaining data protection principles and the remaining provisions of Part II of the Data Protection Act 1998 if it relates to appointments or removals, pay, discipline, superannuation or other personnel matters, in relation to: (a) service in any of the armed forces of the Crown; (b) service in any office or employment under the Crown or under any public authority; or (c) service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in Her Majesty, any Minister of the Crown, the National Assembly for Wales or any public authority.
Legal Proceedings
Personal data is exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
Personal data is exempt from the non-disclosure provisions where the disclosure is necessary: (1) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); or (2) for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
Parliamentary Privilege
From 1 January 2005, the Data Protection Act 1998 has provided that personal data is exempt, if exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament, from the following provisions of the Data Protection Act 1998: (1) the first data protection principle, except to the extent to which it requires compliance with the relevant conditions; and (2) the second, third, fourth and fifth data protection principles; and (3) the provisions conferring rights on data subjects; and (4) the provisions conferring the right to prevent processing likely to cause damage or distress and the right to rectification, blocking, erasure and destruction.
Personal, Family or Household Affairs
Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) is exempt from the data protection principles, provisions concerning the rights of data subjects and others, and provisions concerning notification by data controllers.
Powers to Make Further Exemptions by Order
The Lord Chancellor may by order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if and to the extent that he considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions. The Lord Chancellor may by order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if he considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.
Provision is made relating to further miscellaneous exemptions and transitional relief.
Enforcement Notices
If the Information Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (an 'enforcement notice') requiring him, for complying with the principle or principles in question, to do either or both of the following: (1) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified; or (2) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing it for a purpose so specified or in a manner so specified, after such time as may be so specified.
In deciding whether to serve an enforcement notice, the Commissioner must consider whether the contravention has caused or is likely to cause any person damage or distress. An enforcement notice in respect of a contravention of the fourth data protection principle, which requires the data controller to rectify, block, erase or destroy any inaccurate data, may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.
An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately records information received or obtained by the data controller from the data subject or a third party, may require the data controller either: (a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion; or (b) to take such steps as are specified in the notice for securing compliance with requirements and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.
Where: (i) an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data; or (ii) the Commissioner is satisfied that personal data which has been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles, an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data has been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard must be had, in particular, to the number of persons who would have to be notified.
An enforcement notice must contain: (A) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion; and (B) particulars of the rights of appeal.
An enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal. Notification regulations may make provision as to the effect of the service of an enforcement notice on any entry in the register which relates to the person on whom the notice is served.
Request for Assessment
A request may be made to the Information Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Data Protection Act 1998. On receiving such a request, the Commissioner must make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request, and to enable him to identify the processing in question.
Where the Commissioner has received a request he must notify the person who made the request: (1) whether he has made an assessment as a result of the request; and (2) to the extent that he considers appropriate, having regard in particular to any exemption applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.
Information Notices
If the Information Commissioner: (1) has received a request in respect of any processing of personal data; or (2) reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles, he may serve the data controller with a notice (an 'information notice') requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified. An information notice must contain: (a) in a case falling within head (1) above, a statement that the Commissioner has received a request in relation to the specified processing; or (b) in a case falling within head (2) above, a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose. An information notice must also contain particulars of the rights of appeal. The time specified in an information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal. A person is not required to furnish the Commissioner with any information in respect of: (i) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under the Data Protection Act 1998; or (ii) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of the Data Protection Act 1998 (including proceedings before the Information Tribunal) and for the purposes of such proceedings. A person is not required to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under the Data Protection Act 1998, expose him to proceedings for that offence. The Commissioner may cancel an information notice by written notice to the person on whom it was served.
Special Information Notices
If the Information Commissioner: (1) has received a request in respect of any processing of personal data; or (2) has reasonable grounds for suspecting that, in a case in which proceedings have been stayed, the personal data to which the proceedings relate is not being processed only for the special purposes or is not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller, he may serve the data controller with a notice (a 'special information notice') requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose described below.
That purpose is the purpose of ascertaining: (a) whether the personal data is being processed only for the special purposes; or (b) whether it is being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller. A special information notice must contain: (i) in a case falling within head (1) above, a statement that the Commissioner has received a request in relation to the specified processing; or (ii) in a case falling within head (2) above, a statement of the Commissioner's grounds for suspecting that the personal data is not being processed as mentioned in that provision.
A special information notice must also contain particulars of the rights of appeal. The time specified in a special information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
A person is not required to furnish the Commissioner with any information in respect of: (A) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under the Data Protection Act 1998; or (B) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of the Data Protection Act 1998 (including proceedings before the Information Tribunal) and for the purposes of such proceedings. A person is not required to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under the Data Protection Act 1998, expose him to proceedings for that offence. The Commissioner may cancel a special information notice by written notice to the person on whom it was served.
Determination by the Information Commissioner as to the Special Purposes
Where at any time it appears to the Information Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data is not being processed only for the special purposes, or is not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller, he may make a determination in writing to that effect. Notice of the determination must be given to the data controller; and the notice must contain particulars of the right of appeal. A determination does not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, does not take effect pending the determination or withdrawal of the appeal.
Restriction on Enforcement in case of Processing for the Special Purposes
The Information Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless: (1) a determination with respect to the data has taken effect; and (2) the court has granted permission for the notice to be served.
The court must not grant permission for the purposes of head (2) above unless it is satisfied: (a) that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance; and (b) except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for permission.
The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination with respect to the data has taken effect.
Offences
The following offences are created by the Data Protection Act 1998:
(1) a data controller is guilty of an offence if personal data is processed and he does not have an entry in respect of him included (or treated by notification regulations as being so included) in the register maintained by the Information Commissioner;
(2) a person who fails to comply with the duty imposed by notification regulations is guilty of an offence;
(3) a data controller is guilty of an offence if assessable processing in respect of which a notification has been given to the Commissioner is carried on before the statutory time limit has expired or (otherwise) before the data controller has received the required notice from the Commissioner in respect of the processing;
(4) a data controller is guilty of an offence if he has not given the required notification and he fails to comply with the duty to make relevant particulars available to a person where personal data of a particular description is processed;
(5) a person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence;
(6) a person who, in purported compliance with an information notice or a special information notice, knowingly or recklessly makes a statement which is false in a material respect is guilty of an offence;
(7) a person who knowingly or recklessly, and without the consent of the data controller, obtains or discloses personal data or the information contained in personal data is guilty of an offence;
(8) a person who knowingly or recklessly, and without the consent of the data controller procures the disclosure to another person of the information contained in personal data is guilty of an offence;
(9) a person who sells personal data which he has obtained in contravention of head (7) or head (8) above is guilty of an offence;
(10) a person who offers to sell personal data which has been obtained or is subsequently obtained as mentioned in head (9) above is guilty of an offence;
(11) a person who requires another person or a third party to supply him with or to produce to him a relevant record in connection with the other person's recruitment or continued employment or with any contract for the other person's provision of services to him is guilty of an offence;
(12) a person who, as a condition of providing or offering to provide any goods, facilities or services to another person, requires that other person or a third party to supply him with a relevant record or to produce a relevant record to him is guilty of an offence;
(13) a person who is or has been the Commissioner or an agent of the Commissioner or a member of his staff who knowingly or recklessly discloses information without lawful authority is guilty of an offence;
(14) a person is guilty of an offence if he either intentionally obstructs a person in the execution of a warrant issued under the Data Protection Act 1998 or fails without reasonable excuse to give any person executing such a warrant such assistance as he may reasonably require.
No proceedings for an offence under the Data Protection Act 1998 may be instituted in England or Wales, except by the Information Commissioner or by or with the consent of the Director of Public Prosecutions.
A person guilty of an offence under any provision of the Act other than head (14) above is liable: (a) on summary conviction, to a fine not exceeding the statutory maximum; or (b) on conviction on indictment, to a fine. A person guilty of an offence under head (14) above is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
Where an offence under the Data Protection Act 1998 has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate, or any person who was purporting to act in any such capacity, he as well as the body corporate is guilty of that offence and liable to be proceeded against and punished accordingly.
The court by or before which a person is convicted of an offence under heads (1) to (3), (5) and (7) to (12) above may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.
Unlawful Obtaining etc of Personal Data
A person must not knowingly or recklessly, without the consent of the data controller: (1) obtain or disclose personal data or the information contained in personal data; or (2) procure the disclosure to another person of the information contained in personal data.
This does not apply to a person who shows: (a) that the obtaining, disclosing or procuring: (i) was necessary for the purpose of preventing or detecting crime; or (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court; or (b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person; or (c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it; or (d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
Appeals to the Information Tribunal
A person may appeal to the Information Tribunal against: (1) an enforcement notice, an information notice or a special information notice which has been served on him; or (2) the refusal of an application for cancellation or variation of an enforcement notice which has been served upon him.
Where an enforcement notice, an information notice or a special information notice contains a statement by the Information Commissioner that the notice should be complied with as a matter of urgency then, whether or not the person appeals against the notice, he may appeal against: (a) the Commissioner's decision to include the statement in the notice; or (b) the effect of the inclusion of the statement as respects any part of the notice.
A data controller in respect of whom a determination has been made may appeal to the Tribunal against the determination.
Provision has been made for rules of procedure in relation to such appeals and the proceedings of the Tribunal in respect of any such appeal.
An appeal is brought by a written notice of appeal served on the Tribunal within 28 days of the date on which the notice relating to the disputed decision was served on or given to the appellant.
Upon receipt of a notice of appeal, the proper officer must send an acknowledgement of the service of a notice of appeal to the appellant, and a copy of the notice of appeal to the Commissioner, unless the appeal is under head (a) or head (b) above, in which case the proper officer must send a copy of the notice of appeal to the Commissioner only if the Tribunal is of the opinion that the interests of justice require the Commissioner to assist it by giving evidence or being heard on any matter relating to the appeal.
In reply, the Commissioner must send to the Tribunal a copy of the notice relating to the disputed decision, and he must send to the Tribunal and the appellant a written reply acknowledging service upon him of the notice of appeal, and stating whether or not he intends to oppose the appeal and, if so, the grounds upon which he relies in opposing the appeal. This must be done, where the Commissioner receives a copy of a notice of appeal other than under head (a) or head (b) above, within 21 days of the date of that receipt; and, where the Commissioner receives a copy of a notice of appeal under head (a) or head (b) above, within such time (not exceeding 21 days from the date of that receipt) as the Tribunal may allow. Where the appellant's notice of appeal has stated that he is not likely to wish a hearing to be held, the Commissioner must in his reply inform the Tribunal and the appellant whether he considers that a hearing is likely to be desirable. Where the appeal is under head (1) above in relation to an information notice, the Commissioner may include in his reply a statement of representations as to why it might be necessary in the interests of justice for the appeal to be heard and determined otherwise than by the chairman sitting alone.
With the permission of the Tribunal, the appellant may amend his notice of appeal or deliver supplementary grounds of appeal. Upon receipt of a copy of an amended notice of appeal or amended grounds of appeal, the Commissioner may amend his reply to the notice of appeal, and must send the amended reply to the Tribunal and the appellant within such time constraints as operate in the case of an unamended notice of appeal. The Commissioner may in any case, with the permission of the Tribunal, amend his reply to the notice of appeal, and must send the amended reply to the Tribunal and the appellant.
Other than where the appeal is made under head (a) or head (b) above, the Commissioner may include in his reply, where he is of the opinion that an appeal does not lie to, or cannot be entertained by, the Tribunal, or that the notice of appeal discloses no reasonable grounds of appeal, a notice to that effect stating the grounds for such contention and applying for the appeal to be struck out. Such an application may be heard as a preliminary issue or at the beginning of the hearing of the substantive appeal.
The appellant may at any time withdraw his appeal by sending to the Tribunal a notice of withdrawal signed by him or on his behalf, and the proper officer must send a copy of that notice to the Commissioner. Such a notice, if sent by post in a registered letter or by the recorded delivery service to the proper officer of the Tribunal, has effect on the date on which it is received for dispatch by the postal operator concerned.
Where an appeal is withdrawn in this way a fresh appeal may not be brought by the appellant in relation to the same disputed decision except with the permission of the Tribunal.
For the purpose of determining an appeal, the Tribunal may make an order requiring the occupier of any premises to permit the Tribunal to enter at a specified time and inspect, examine, operate or test any equipment on those premises used or intended to be used in connection with the processing of personal data, and to inspect, examine or test any documents or other material on those premises connected with the processing of personal data, although documents or other material which the appellant could not be compelled to produce on the trial of an action in that part of the United Kingdom where the appeal is to be determined are immune from such inspection, examination or testing.
Right of appeal to the High Court
Any party to an appeal to the Tribunal may appeal from the decision of the Tribunal on a point of law to the High Court of Justice if the address of the person who was the appellant before the Tribunal is in England or Wales.
Appeals in relation to a National Security Certificate
Any person directly affected by the issuing of a national security certificate may appeal to the Information Tribunal against the certificate. Such an appeal to the Tribunal may also be made by any person who is party to proceedings under or by virtue of the Data Protection Act 1998 on the ground that a national security certificate does not have the scope claimed for it by the data controller; and on any such appeal, the Tribunal may determine that the certificate does not apply.
Provision has been made for rules of procedure in relation to such appeals and the proceedings of the Tribunal in respect of any such appeal. When exercising its functions under these provisions, the Tribunal must secure that information is not disclosed contrary to the interests of national security.
An appeal must be brought by a written notice of appeal served on the Tribunal. In the case of an appeal against the certificate itself, a notice of appeal may be served on the Tribunal at any time during the currency of the disputed certification to which it relates. Where the appeal is against the scope of the certificate, a notice of appeal must be served on the Tribunal within 28 days of the date on which the claim constituting the disputed certification was made.
Upon receipt of such a notice of appeal, the proper officer must send an acknowledgment of the service of a notice of appeal to the appellant, and a copy of the notice of appeal both to the relevant minister and to the Information Commissioner. In the case of an appeal against the scope of the certificate, the proper officer must send a copy of the notice of appeal also to the respondent data controller.
No later than 42 days after receipt of such a copy of a notice of appeal, the relevant minister must send to the Tribunal a copy of the certificate to which the appeal relates, and a written notice stating: (1) in relation to an appeal against the certificate itself: (a) whether or not he intends to oppose the appeal and, if so, a summary of the circumstances relating to the issue of the certificate, and the reasons for the issue of the certificate; (b) the grounds upon which he relies in opposing the appeal; and (c) a statement of the evidence upon which he relies in support of those grounds; and (2) in relation to an appeal against the scope of the certificate: (a) whether or not he wishes to make representations in relation to the appeal and, if so, the extent to which he intends to support or oppose the appeal; (b) the grounds upon which he relies in supporting or opposing the appeal; and (c) a statement of the evidence upon which he relies in support of those grounds.
Except where the Tribunal proposes a summary disposal of the appeal, the proper officer must send a copy of the notice to the appellant, to the Commissioner and (in the case of an appeal against the scope of the certificate) to the respondent data controller.
Within 42 days of the date on which a respondent data controller receives a copy of a notice of appeal, he must send to the Tribunal a written reply acknowledging service upon him of the notice of appeal, and stating whether or not he intends to oppose the appeal and, if so, the grounds upon which he relies in opposing the appeal. Except where the Tribunal proposes a summary disposal of the appeal, the proper officer must send a copy of the reply to the relevant minister, to the appellant and to the Commissioner.
With the permission of the Tribunal, the appellant may amend his notice of appeal or deliver supplementary grounds of appeal. Upon receipt of a copy of such an amended notice of appeal or amended grounds of appeal (or in any case, with the permission of the Tribunal), the relevant minister may amend his notice in reply and (in the case of an appeal against the scope of the certificate) the respondent data controller may amend his reply to the notice of appeal.
Where the relevant minister or (in the case of an appeal against the scope of the certificate) the respondent data controller is of the opinion that an appeal does not lie to, or cannot be entertained by, the Tribunal, or that the notice of appeal discloses no reasonable grounds of appeal, he may include in his notice or, as the case may be, his reply a notice to that effect stating the grounds for such contention and applying for the appeal to be struck out. An application for striking out may be heard as a preliminary issue or at the beginning of the hearing of the substantive appeal.
The relevant minister may send a notice of objection to the Tribunal where he objects, on grounds of the need to secure that information is not disclosed contrary to the interests of national security, to the disclosure of: (i) his notice in reply to the appellant, the Commissioner or (in the case of an appeal against the scope of the certificate) the respondent data controller; or (ii) the reply of a respondent data controller to the appellant or the Commissioner. Such a notice of objection must state the reasons for the objection; and in the case of a notice in reply to the appellant, if and to the extent it is possible to do so without disclosing information contrary to the interests of national security, it must be accompanied by a version of the relevant minister's notice in a form which can be shown to the appellant, the Commissioner or, as the case may be, the respondent data controller. Where the relevant minister sends a notice of objection, the Tribunal must not disclose the material in question otherwise than in accordance with the procedure for determinations on relevant minister's objections and applications.
The appellant may at any time withdraw his appeal by sending to the Tribunal a notice of withdrawal signed by him or on his behalf, and the proper officer must send a copy of that notice to the relevant minister, the Commissioner, and (in the case of an appeal against the scope of the certificate) the respondent data controller. Such a notice, if sent by post in a registered letter or by the recorded delivery service to the proper officer of the Tribunal, has effect on the date on which it is received for dispatch by the postal operator concerned. Where an appeal is withdrawn in this way a fresh appeal may not be brought by the appellant in relation to the same disputed certification except with the permission of the Tribunal.
Issue and Execution of Warrants
If a circuit judge is satisfied by information on oath supplied by the Information Commissioner that there are reasonable grounds for suspecting that a data controller has contravened or is contravening any of the data protection principles, or that an offence under the Data Protection Act 1998 has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises, he may grant a warrant to the Commissioner. A warrant so issued authorises the Commissioner or any of his officers or staff at any time within seven days of the date of the warrant to enter the premises, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data and to inspect and seize any documents or other material found there which may be such evidence.
Unless the judge is satisfied that the case is one of urgency or that compliance with the following provisions would defeat the object of the entry, he must not issue such a warrant unless he is satisfied: (1) that the Commissioner has given seven days' notice in writing to the occupier of the premises in question demanding access to them; (2) that: (a) access was demanded at a reasonable hour and was unreasonably refused; or (b) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner's officers or staff to permit the Commissioner or the officer or member of staff to do any of the things authorised by the warrant; and (3) that the occupier has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued.
A warrant so issued must be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed. A person executing