Monday 1 November 2010

Data Protection Act 1998
"An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. [16th July 1998]"

Part II - Rights of data subjects and others

Section 7 - Right of access to personal data.

(1)Subject to the following provisions of this section and to [F1 sections 8, 9 and 9A], an individual is entitled—
(a)to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b)if that is the case, to be given by the data controller a description of—

(i)the personal data of which that individual is the data subject,

(ii)the purposes for which they are being or are to be processed, and

(iii)the recipients or classes of recipients to whom they are or may be disclosed,

(c)to have communicated to him in an intelligible form—

(i)the information constituting any personal data of which that individual is the data subject, and

(ii)any information available to the data controller as to the source of those data, and

(d)where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2)A data controller is not obliged to supply any information under subsection (1) unless he has received—

(a)a request in writing, and

(b)except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

[F2 (3)Where a data controller—

(a)reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and

(b)has informed him of that requirement,
the data controller is not obliged to comply with the request unless he is supplied with that further information.]

(4)Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a)the other individual has consented to the disclosure of the information to the person making the request, or

(b)it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5)In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6)In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a)any duty of confidentiality owed to the other individual,

(b)any steps taken by the data controller with a view to seeking the consent of the other individual,

(c)whether the other individual is capable of giving consent, and

(d)any express refusal of consent by the other individual.

(7)An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8)Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9)If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10)In this section—
“prescribed” means prescribed by the [F3 Secretary of State] by regulations;
“the prescribed maximum” means such amount as may be prescribed;
“the prescribed period” means forty days or such other period as may be prescribed;
“the relevant day”, in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11)Different amounts or periods may be prescribed under this section in relation to different cases.

[F4 (12)A person is a relevant person for the purposes of subsection (4)(c) if he—

(a)is a person referred to in paragraph 4(a) or (b) or paragraph 8(a) or (b) of Schedule 11;

(b)is employed by an education authority (within the meaning of paragraph 6 of Schedule 11) in pursuance of its functions relating to education and the information relates to him, or he supplied the information in his capacity as such an employee; or

(c)is the person making the request.]

[F5 (12)A person is a relevant person for the purposes of subsection (4)(c) if he—

(a)is a person referred to in paragraph 1(p) or (q) of the Schedule to the Data Protection (Subject Access Modification) (Social Work) Order 2000; or

(b)is or has been employed by any person or body referred to in paragraph 1 of that Schedule in connection with functions which are or have been exercised in relation to the data consisting of the information; or

(c)has provided for reward a service similar to a service provided in the exercise of any functions specified in paragraph 1(a)(i), (b), (c) or (d) of that Schedule,

and the information relates to him or he supplied the information in his official capacity or, as the case may be, in connection with the provision of that service.]

Annotations:
Amendments (Textual)
F1 Words in s. 7(1) substituted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(1), 87(1)(3) (with ss. 7(1)(7), 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2
F2 S. 7(3) substituted (14.5.2001) by 2000 c. 36, s. 73, Sch. 6 para. 1 (with ss. 56, 78); S.I. 2001/1637, art. 2(d)
F3 Words in s. 7 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)
F4 S. 7(12) inserted after s. 7(11) (1.3.2000) by virtue of S.I. 2000/414, art. 7(2)
F5 S. 7(12) inserted (1.3.2000) by S.I. 2000/415, art. 7(2)
Modifications etc. (not altering text)
C1 S. 7 excluded (1.3.2000) by S.I. 2000/414, art. 5(1)
S. 7 modified (1.3.2000) by S.I. 2000/414, art. 6
S. 7 modified (1.3.2000) by S.I. 2000/191, reg. 4(1)
S. 7 excluded (1.3.2000) by S.I. 2000/413, art. 5(1)
S. 7 modified (1.3.2000) by S.I. 2000/413, arts. 6(1), 7(3)
S. 7 modified (1.3.2000) by S.I. 2000/415, art. 6
C2 S. 7 excluded (1.3.2000) by The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419), art. 2 Sch. (as amended (1.10.2009) by S.I. 2009/1892, art. 3, Sch. 3 para. 1)
C3 S. 7(1) extended (1.3.2000) by S.I. 2000/191, reg. 2(2)
C4 S. 7(1)(a)(b)(c) extended (1.3.2000) by S.I. 2000/191, reg. 2(1)
C5 S. 7(1)(b)-(d) excluded (1.3.2000) by S.I. 2000/415, art. 5(1)
C6 S. 7(4)(9) modified (1.3.2000) by S.I. 2000/413, art. 8(a)(b)
S. 7(4)(9) modified (1.3.2000) by S.I. 2000/414, art. 7(1)(a)(b)
S. 7(4)(9) modified (1.3.2000) by S.I. 2000/415, art. 7(1)(a)(b)
Commencement Information
I1 S. 7 wholly in force at 1.3.2000; s. 7 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Section 8 - Provisions supplementary to section 7.

(1)The [F6 Secretary of State] may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.

(2)The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless—

(a)the supply of such a copy is not possible or would involve disproportionate effort, or

(b)the data subject agrees otherwise;
and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(3)Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(4)In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(5)Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

(6)The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(7)For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

Annotations:

Amendments (Textual)
F6 Words in s. 8 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)
Commencement Information
I2 S. 8 wholly in force at 1.3.2000; s. 8 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 8 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Section 9 - Application of section 7 where data controller is credit reference agency.

(1)Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.

(2)An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.

(3)Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the [F7 Secretary of State] by regulations, of the individual’s rights—

(a)under section 159 of the M1 Consumer Credit Act 1974, and

(b)to the extent required by the prescribed form, under this Act.

Annotations:

Amendments (Textual)
F7 Words in s. 9 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)
Commencement Information
I3 S. 9 wholly in force at 1.3.2000; s. 9 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 9 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)
Marginal Citations
M1 1974 c. 39.

[F8 Section 9A - Unstructured personal data held by public authorities.

(1)In this section “unstructured personal data” means any personal data falling within paragraph (e) of the definition of “data” in section 1(1), other than information which is recorded as part of, or with the intention that it should form part of, any set of information relating to individuals to the extent that the set is structured by reference to individuals or by reference to criteria relating to individuals.

(2)A public authority is not obliged to comply with subsection (1) of section 7 in relation to any unstructured personal data unless the request under that section contains a description of the data.

(3)Even if the data are described by the data subject in his request, a public authority is not obliged to comply with subsection (1) of section 7 in relation to unstructured personal data if the authority estimates that the cost of complying with the request so far as relating to those data would exceed the appropriate limit.

(4)Subsection (3) does not exempt the public authority from its obligation to comply with paragraph (a) of section 7(1) in relation to the unstructured personal data unless the estimated cost of complying with that paragraph alone in relation to those data would exceed the appropriate limit.

(5)In subsections (3) and (4) “the appropriate limit” means such amount as may be prescribed by the [F9 Secretary of State] by regulations, and different amounts may be prescribed in relation to different cases.

(6)Any estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.]

Annotations:
Amendments (Textual)
F8 S. 9A inserted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(2), 87(1)(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2 (s. 69(2) of the amending Act was itself amended (19.8.2003) by S.I. 2003/1887, art. 9, Sch. 2 para. 12(1)(b))
F9 Words in s. 9A substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 paras. 9(1)(a), 12(1)(b)

Section 10 - Right to prevent processing likely to cause damage or distress.

(1)Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)that damage or distress is or would be unwarranted.

(2)Subsection (1) does not apply—

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b)in such other cases as may be prescribed by the [F10 Secretary of State] by order.

(3)The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—

(a)stating that he has complied or intends to comply with the data subject notice, or

(b)stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4)If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5)The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

Annotations:
Amendments (Textual)
F10 Words in s. 10 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)
Commencement Information
I4 S. 10 wholly in force at 1.3.2000; s. 10 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 10 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Section 11 - Right to prevent processing for purposes of direct marketing.

(1)An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2)If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

[F11 (2A)This section shall not apply in relation to the processing of such data as are mentioned in paragraph (1) of regulation 8 of the Telecommunications (Data Protection and Privacy) Regulations 1999 (processing of telecommunications billing data for certain marketing purposes) for the purposes mentioned in paragraph (2) of that regulation.]

(3)In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Annotations:
Amendments (Textual)
F11 S. 11(2A) inserted (1.3.2000) by S.I. 1999/2093, reg. 3(3), Sch. 1 Pt. II para. 3

Section 12 - Rights in relation to automated decision-taking.

(1)An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2)Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)—

(a)the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b)the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3)The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) (“the data subject notice”) give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4)A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5)In subsection (4) “exempt decision” means any decision—

(a)in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or

(b)which is made in such other circumstances as may be prescribed by the [F12 Secretary of State] by order.

(6)The condition in this subsection is that the decision—

(a)is taken in the course of steps taken—

(i)for the purpose of considering whether to enter into a contract with the data subject,

(ii)with a view to entering into such a contract, or

(iii)in the course of performing such a contract, or

(b)is authorised or required by or under any enactment.

(7) The condition in this subsection is that either—

(a) the effect of the decision is to grant a request of the data subject, or

(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“the responsible person”) has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

Annotations:

Amendments (Textual)
F12 Words in s. 12 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)
Commencement Information
I5 S. 12 wholly in force at 1.3.2000; s. 12 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 12 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

[F13 Section 12A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Annotations:
Amendments (Textual)
F13 S. 12A inserted (temp. from 1.3.2000 to 23.10.2007) by 1998 c. 29, s. 72, Sch. 13 para. 1; S.I. 2000/183, art. 2(1)

Section 13 - Compensation for failure to comply with certain requirements.

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a) the individual also suffers damage by reason of the contravention, or

(b)the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

Section 14 - Rectification, blocking, erasure and destruction.

(1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then—

(a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3) Where the court—

(a)makes an order under subsection (1), or

(b)is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,
it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4)If a court is satisfied on the application of a data subject—

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and
(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,
the court may order the rectification, blocking, erasure or destruction of any of those data.

(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.

Section 15 - Jurisdiction and procedure.

(1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

SCHEDULE 1 - The data protection principles

Part I - The principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Part II - Interpretation of the principles in Part I

The first principle

Section 1

(1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(2)Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—

(a)is authorised by or under any enactment to supply it, or

(b)is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.

Section 2

(1)Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—

(a)in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b)in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2)In sub-paragraph (1)(b) “the relevant time” means—

(a)the time when the data controller first processes the data, or

(b)in a case where at that time disclosure to a third party within a reasonable period is envisaged—

(i)if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,

(ii)if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or

(iii)in any other case, the end of that period.

(3)The information referred to in sub-paragraph (1) is as follows, namely—

(a)the identity of the data controller,

(b)if he has nominated a representative for the purposes of this Act, the identity of that representative,

(c)the purpose or purposes for which the data are intended to be processed, and

(d)any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

Section 3

(1)Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the [F1 Secretary of State] by order, are met.

(2)The primary conditions referred to in sub-paragraph (1) are—

(a)that the provision of that information would involve a disproportionate effort, or

(b)that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

Annotations:
Amendments (Textual)
F1 Words in Sch. 1 Pt. 2 para. 3 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)
Commencement Information
I1 Sch. 1 Pt. II para. 3 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 3 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 3 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Section 4

(1) Personal data which contain a general identifier falling within a description prescribed by the [F2 Secretary of State] by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.

(2)In sub-paragraph (1) “a general identifier” means any identifier (such as, for example, a number or code used for identification purposes) which—

(a)relates to an individual, and

(b)forms part of a set of similar identifiers which is of general application.

Annotations:
Amendments (Textual)
F2Words in Sch. 1 Pt. 2 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9,Sch. 2 para. 9(1)(b)
Commencement Information
I2Sch. 1 Pt. II para. 4 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 4 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 4 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

The second principle

Section 5

The purpose or purposes for which personal data are obtained may in particular be specified—

(a)in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or

(b)in a notification given to the Commissioner under Part III of this Act.

Section 6

In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

The fourth principle

Section 7

The fourth principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where—

(a)having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data, and

(b)if the data subject has notified the data controller of the data subject’s view that the data are inaccurate, the data indicate that fact.

The sixth principle

Section 8

A person is to be regarded as contravening the sixth principle if, but only if—

(a)he contravenes section 7 by failing to supply information in accordance with that section,

(b)he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section,

(c)he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or

(d)he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section.

The seventh principle

Section 9

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a)the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b)the nature of the data to be protected.

Section 10

The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

Section 11

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a)choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b)take reasonable steps to ensure compliance with those measures.

Section 12

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a)the processing is carried out under a contract—

(i)which is made or evidenced in writing, and

(ii)under which the data processor is to act only on instructions from the data controller, and

(b)the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

The eighth principle

Section 13

An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to—

(a)the nature of the personal data,

(b)the country or territory of origin of the information contained in the data,

(c)the country or territory of final destination of that information,

(d)the purposes for which and period during which the data are intended to be processed,

(e)the law in force in the country or territory in question,

(f)the international obligations of that country or territory,

(g)any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h)any security measures taken in respect of the data in that country or territory.

Section 14

The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the [F3 Secretary of State] may by order provide.

Annotations:
Amendments (Textual)
F3Words in Sch. 1 Pt. 2 para. 14 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9,Sch. 2 para. 9(1)(b)
Commencement Information
I3Sch. 1 Pt. II para. 14 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 14 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 14 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)
Section 15

(1)Where—

(a)in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

(b)a Community finding has been made in relation to transfers of the kind in question,
that question is to be determined in accordance with that finding.

(2)In sub-paragraph (1) “Community finding” means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive.
