Data Protection Act 1984

Status: This is the original version (as it was originally enacted).

1984 CHAPTER 35

An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.

[12th July 1984]

Be it enacted by the authority of the same, as follows:—

Part I Preliminary

1 Definition of "data" and related expressions

(1)The following provisions shall have effect for the interpretation of this Act.

(2)" Data " means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.

(3)" Personal data " means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual.

(4)" Data subject" means an individual who is the subject of personal data.

(5)" Data user " means a person who holds data, and a person " holds " data if—

(a)the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (2) above ; and

(b)that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection ; and

(c)the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion.

(6)A person carries on a " computer bureau " if he provides other persons with services in respect of data, and a person provides such services if—

(a)as agent for other persons he causes data held by them to be processed as mentioned in subsection (2) above; or

(b)he allows other persons the use of equipment in his possession for the processing as mentioned in that subsection of data held by them.

(7)" Processing ", in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject.

(8)Subsection (7) above shall not be construed as applying to any operation performed only for the purpose of preparing the text of documents.

(9)"Disclosing", in relation to data, includes disclosing information extracted from the data ; and where the identification of the individual who is the subject of personal data depends partly on the information constituting the data and partly on other information in the possession of the data user, the data shall not be regarded as disclosed or transferred unless the other information is also disclosed or transferred.

2 The data protection principles

(1)Subject to subsection (3) below, references in this Act to the data protection principles are to the principles set out in Part I of Schedule 1 to this Act; and those principles shall be interpreted in accordance with Part II of that Schedule.

(2)The first seven principles apply to personal data held by data users and the eighth applies both to such data and to personal data in respect of which services are provided by persons carrying on computer bureaux.

(3)The Secretary of State may by order modify or supplement those principles for the purpose of providing additional safeguards in relation to personal data consisting of information as to—

(a)the racial origin of the data subject;

(b)his political opinions or religious or other beliefs;

(c)his physical or mental health or his sexual life; or

(d)his criminal convictions;

and references in this Act to the data protection principles include, except where the context otherwise requires, references to any modified or additional principle having effect by virtue of an order under this subsection.

(4)An order under subsection (3) above may modify a principle either by modifying the principle itself or by modifying its interpretation; and where an order under that subsection modifies a principle or provides for an additional principle it may contain provisions for the interpretation of the modified or additional principle.

(5)An order under subsection (3) above modifying the third data protection principle may, to such extent as the Secretary of State thinks appropriate, exclude or modify in relation to that principle any exemption from the non-disclosure provisions which is contained in Part IV of this Act; and the exemptions from those provisions contained in that Part shall accordingly have effect subject to any order made by virtue of this subsection.

(6)An order under subsection (3) above may make different provision in relation to data consisting of information of different descriptions.

3 The Registrar and the Tribunal

(1)For the purposes of this Act there shall be—

(a)an officer known as the Data Protection Registrar (in this Act referred to as " the Registrar "); and

(b)a tribunal known as the Data Protection Tribunal (in this Act referred to as " the Tribunal").

(2)The Registrar shall be appointed by Her Majesty by Letters Patent.

(3)The Tribunal shall consist of—

(a)a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate;

(b)such number of deputy chairmen appointed as aforesaid as the Lord Chancellor may determine; and

(c)such number of other members appointed by the Secretary of State as he may determine.

(4)The members of the Tribunal appointed under subsection (3)(a) and (b) above shall be barristers, advocates or solicitors, in each case of not less than seven years' standing.

(5)The members of the Tribunal appointed under subsection (3)(c) above shall be—

(a)persons to represent the interests of data users ; and

(b)persons to represent the interests of data subjects.

(6)Schedule 2 to this Act shall have effect in relation to the Registrar and the Tribunal.

Part II Registration and Supervision of Data Users and Computer Bureaux

Registration

4 Registration of data users and computer bureaux

(1)The Registrar shall maintain a register of data users who hold, and of persons carrying on computer bureaux who provide services in respect of, personal data and shall make an entry in the register in pursuance of each application for registration accepted by him under this Part of this Act.

(2)Each entry shall state whether it is in respect of a data user, of a person carrying on a computer bureau or of a data user who also carries on such a bureau.

(3)Subject to the provisions of this section, an entry in respect of a data user shall consist of the following particulars—

(a)the name and address of the data user ;

(b)a description of the personal data to be held by him and of the purpose or purposes for which the data are to be held or used ;

(c)a description of the source or sources from which he intends or may wish to obtain the data or the information to be contained in the data ;

(d)a description of any person or persons to whom he intends or may wish to disclose the data ;

(e)the names or a description of any countries or territories outside the United Kingdom to which he intends or may wish directly or indirectly to transfer the data ; and

(f)one or more addresses for the receipt of requests from data subjects for access to the data.

(4)Subject to the provisions of this section, an entry in respect of a person carrying on a computer bureau shall consist of that person's name and address.

(5)Subject to the provisions of this section, an entry in respect of a data user who also carries on a computer bureau shall consist of his name and address and, as respects the personal data to be held by him, the particulars specified in subsection (3)(b) to (f) above.

(6)In the case of a registered company the address referred to in subsections (3)(a), (4) and (5) above is that of its registered office, and the particulars to be included in the entry shall include the company's number in the register of companies.

(7)In the case of a person (other than a registered company) carrying on a business the address referred to in subsections (3)(a), (4) and (5) above is that of his principal place of business.

(8)The Secretary of State may by order vary the particulars to be included in entries made in the register.

5 Prohibition of unregistered holding etc. of personal data

(1)A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries on a computer bureau, is for the time being contained in the register.

(2)A person in respect of whom such an entry is contained in the register shall not—

(a)hold personal data of any description other than that specified in the entry :

(b)hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry ;

(c)obtain such data, or information to be contained in such data, to be held by him from any source which is not described in the entry ;

(d)disclose such data held by him to any person who is not described in the entry ; or

(e)directly or indirectly transfer such data held by him to any country or territory outside the United Kingdom other than one named or described in the entry.

(3)A servant or agent of a person to whom subsection (2) above applies shall, as respects personal data held by that person, be subject to the same restrictions on the use, disclosure or transfer of the data as those to which that person is subject under paragraphs (b), (d) and (e) of that subsection and, as respects personal data to be held by that person, to the same restrictions as those to which he is subject under paragraph (c) of that subsection.

(4)A person shall not, in carrying on a computer bureau, provide services in respect of personal data unless an entry in respect of that person as a person carrying on such a bureau, or as a data user who also carries on such a bureau, is for the time being contained in the register.

(5)Any person who contravenes subsection (1) above or knowingly or recklessly contravenes any of the other provisions of this section shall be guilty of an offence.

6 Applications for registration and for amendment of registered particulars

(1)A person applying for registration shall state whether he wishes to be registered as a data user, as a person carrying on a computer bureau or as a data user who also carries on such a bureau, and shall furnish the Registrar, in such form as he may require, with the particulars required to be included in the entry to be made in pursuance of the application.

(2)Where a person intends to hold personal data for two or more purposes he may make separate applications for registration in respect of any of those purposes.

(3)A registered person may at any time apply to the Registrar for the alteration of any particulars included in the entry or entries relating to that person.

(4)Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may, instead of making an application under subsection (3) above, make a fresh application for registration in respect of the additional purpose.

(5)A registered person shall make an application under subsection (3) above whenever necessary for ensuring that the entry or entries relating to that person contain his current address; and any person who fails to comply with this subsection shall be guilty of an offence.

(6)Any person who, in connection with an application for registration or for the alteration of registered particulars, knowingly or recklessly furnishes the Registrar with information which is false or misleading in a material respect shall be guilty of an offence.

(7)Every application for registration shall be accompanied by the prescribed fee, and every application for the alteration of registered particulars shall be accompanied by such fee, if any, as may be prescribed.

(8)Any application for registration or for the alteration of registered particulars may be withdrawn by notice in writing to the Registrar at any time before the applicant receives a notification in respect of the application under section 7(1) below.

7 Acceptance and refusal of applications

(1)Subject to the provisions of this section, the Registrar shall as soon as practicable and in any case within the period of six months after receiving an application for registration or for the alteration of registered particulars notify the applicant in writing whether his application has been accepted or refused; and where the Registrar notifies an applicant that his application has been accepted the notification shall contain a statement of—

(a)the particulars entered in the register, or the alteration made, in pursuance of the application ; and

(b)the date on which the particulars were entered or the alteration was made.

(2)The Registrar shall not refuse an application made in accordance with section 6 above unless—

(a)he considers that the particulars proposed for registration or, as the case may be, the particulars that would result from the proposed alteration, will not give sufficient information as to the matters to which they relate ; or

(b)he is satisfied that the applicant is likely to contravene any of the data protection principles ; or

(c)he considers that the information available to him is insufficient to satisfy him that the applicant is unlikely to contravene any of those principles.

(3)Subsection (2)(a) above shall not be construed as precluding the acceptance by the Registrar of particulars expressed in general terms in cases where that is appropriate, and the Registrar shall accept particulars expressed in such terms in any case in which he is satisfied that more specific particulars would be likely to prejudice the purpose or purposes for which the data are to be held.

(4)Where the Registrar refuses an application under this section he shall give his reasons and inform the applicant of the rights of appeal conferred by section 13 below.

(5)If in any case it appears to the Registrar that an application needs more consideration than can be given to it in the period mentioned in subsection (1) above he shall as soon as practicable and in any case before the end of that period notify the applicant in writing to that effect; and in that event no notification need be given under that subsection until after the end of that period.

(6)Subject to subsection (8) below, a person who has made an application in accordance with section 6 above shall—

(a)until he receives a notification in respect of it under subsection (1) above or the application is withdrawn; and

(b)if he receives a notification under that subsection of the refusal of his application, until the end of the period within which an appeal can be brought against the refusal and, if an appeal is brought, until the determination or withdrawal of the appeal,

be treated for the purposes of section 5 above as if his application had been accepted and the particulars contained in it had been entered in the register or, as the case may be, the alteration requested in the application had been made on the date on which the application was made.

(7)If by reason of special circumstances the Registrar considers that a refusal notified by him to an applicant under subsection (1) above should take effect as a matter of urgency he may include a statement to that effect in the notification of the refusal; and in that event subsection (6)(b) above shall have effect as if for the words from "the period" onwards there were substituted the words "the period of seven days beginning with the date on which that notification is received".

(8)Subsection (6) above shall not apply to an application made by any person if in the previous two years—

(a)an application by that person has been refused under this section; or

(b)all or any of the particulars constituting an entry contained in the register in respect of that person have been removed in pursuance of a de-registration notice;

but in the case of any such application subsection (1) above shall apply as if for the reference to six months there were substituted a reference to two months and, where the Registrar gives a notification under subsection (5) above in respect of any such application, subsection (6) above shall apply to it as if for the reference to the date on which the application was made there were substituted a reference to the date on which that notification is received.

(9)For the purposes of subsection (6) above an application shall be treated as made or withdrawn—

(a)if the application or notice of withdrawal is sent by registered post or the recorded delivery service, on the date on which it is received for dispatch by the Post Office;

(b)in any other case, on the date on which it is received by the Registrar;

and for the purposes of subsection (8)(a) above an application shall not be treated as having been refused so long as an appeal against the refusal can be brought, while such an appeal is pending or if such an appeal has been allowed.

8 Duration and renewal of registration

(1)No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal application made to the Registrar in accordance with this section.

(2)Subject to subsection (3) below, the initial period of registration and the period for which an entry is to be retained in pursuance of a renewal application (" the renewal period ") shall be such period (not being less than three years) as may be prescribed beginning with the date on which the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the renewal application had not been made.

(3)The person making an application for registration or a renewal application may in his application specify as the initial period of registration or, as the case may be, as the renewal period, a period shorter than that prescribed, being a period consisting of one or more complete years.

(4)Where the Registrar notifies an applicant for registration that his application has been accepted the notification shall include a statement of the date when the initial period of registration will expire.

(5)Every renewal application shall be accompanied by the prescribed fee, and no such application shall be made except in the period of six months ending with the expiration of—

(a)the initial period of registration; or

(b)if there have been one or more previous renewal applications, the current renewal period.

(6)Any renewal application may be sent by post, and the Registrar shall acknowledge its receipt and notify the applicant in writing of the date until which the entry in question will be retained in the register in pursuance of the application.

(7)Without prejudice to the foregoing provisions of this section, the Registrar may at any time remove an entry from the register at the request of the person to whom the entry relates.

9 Inspection etc. of registered particulars

(1)The Registrar shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge.

(2)The Registrar shall, on payment of such fee, if any, as may be prescribed, supply any member of the public with a duly certified copy in writing of the particulars contained in the entry made in the register in pursuance of any application for registration.

Supervision

10 Enforcement notices

(1)If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may serve him with a notice (" an enforcement notice ") requiring him to take, within such time as is specified in the notice, such steps as are so specified for complying with the principle or principles in question.

(2)In deciding whether to serve an enforcement notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress.

(3)An enforcement notice in respect of a contravention of the fifth data protection principle may require the data user—

(a)to rectify or erase the data and any other data held by him and containing an expression of opinion which appears to the Registrar to be based on the inaccurate data; or

(b)in the case of such data as are mentioned in subsection (2) of section 22 below, either to take the steps mentioned in paragraph (a) above or to take such steps as are specified in the notice for securing compliance with the requirements specified in that subsection and, if the Registrar thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Registrar may approve.

(4)The Registrar shall not serve an enforcement notice requiring the person served with the notice to take steps for complying with paragraph (a) of the seventh data protection principle in respect of any data subject unless satisfied that the person has contravened section 21 below by failing to supply information to which the data subject is entitled and which has been duly requested in accordance with that section.

(5)An enforcement notice shall contain—

(a)a statement of the principle or principles which the Registrar is satisfied have been or are being contravened and his reasons for reaching that conclusion; and

(b)particulars of the rights of appeal conferred by section 13 below.

(6)Subject to subsection (7) below, the time specified in an enforcement notice for taking the steps which it requires shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, those steps need not be taken pending the determination or withdrawal of the appeal.

(7)If by reason of special circumstances the Registrar considers that the steps required by an enforcement notice should be taken as a matter of urgency he may include a statement to that effect in the notice; and in that event subsection (6) above shall not apply but the notice shall not require the steps to be taken before the end of the period of seven days beginning with the date on which the notice is served.

(8)The Registrar may cancel an enforcement notice by written notification to the person on whom it was served.

(9)Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.

11 De-registration notices

(1)If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may—

(a)serve him with a notice (" a de-registration notice ") stating that he proposes, at the expiration of such period as is specified in the notice, to remove from the register all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person ; and

(b)subject to the provisions of this section, remove those particulars from the register at the expiration of that period.

(2)In deciding whether to serve a de-registration notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the Registrar shall not serve such a notice unless he is satisfied that compliance with the principle or principles in question cannot be adequately secured by the service of an enforcement notice.

(3)A de-registration notice shall contain—

(a)a statement of the principle or principles which the Registrar is satisfied have been or are being contravened and his reasons for reaching that conclusion and deciding that compliance cannot be adequately secured by the service of an enforcement notice; and

(b)particulars of the rights of appeal conferred by section 13 below.

(4)Subject to subsection (5) below, the period specified in a de-registration notice pursuant to subsection (1)(a) above shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the particulars shall not be removed pending the determination or withdrawal of the appeal.

(5)If by reason of special circumstances the Registrar considers that any particulars should be removed from the register as a matter of urgency he may include a statement to that effect in the de-registration notice; and in that event subsection (4) above shall not apply but the particulars shall not be removed before the end of the period of seven days beginning with the date on which the notice is served.

(6)The Registrar may cancel a de-registration notice by written notification to the person on whom it was served.

(7)References in this section to removing any particulars include references to restricting any description which forms part of any particulars.

12 Transfer prohibition notices

(1)If it appears to the Registrar that—

(a)a person registered as a data user or as a data user who also carries on a computer bureau ; or

(b)a person treated as so registered by virtue of section 7(6) above,

proposes to transfer personal data held by him to a place outside the United Kingdom, the Registrar may, if satisfied as to the matters mentioned in subsection (2) or (3) below, serve that person with a notice (" a transfer prohibition notice ") prohibiting him from transferring the data either absolutely or until he has taken such steps as are specified in the notice for protecting the interests of the data subjects in question.

(2)Where the place to which the data are to be transferred is not in a State bound by the European Convention the Registrar must be satisfied that the transfer is likely to contravene, or lead to a contravention of, any of the data protection principles.

(3)Where the place to which the data are to be transferred is in a State bound by the European Convention the Registrar must be satisfied either—

(a)that—

(i)the person in question intends to give instructions for the further transfer of the data to a place which is not in such a State ; and

(ii)that the further transfer is likely to contravene, or lead to a contravention of, any of the data protection principles; or

(b)in the case of data to which an order under section 2(3) above applies, that the transfer is likely to contravene or lead to a contravention of, any of the data protection principles as they have effect in relation to such data.

(4)In deciding whether to serve a transfer prohibition notice the Registrar shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between the United Kingdom and other states and territories.

(5)A transfer prohibition notice shall specify the time when it is to take effect and contain—

(a)a statement of the principle or principles which the Registrar is satisfied are likely to be contravened and his reasons for reaching that conclusion ; and

(b)particulars of the rights of appeal conferred by section 13 below.

(6)Subject to subsection (7) below, the time specified in a transfer prohibition notice pursuant to subsection (5) above shall not be before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice shall not take effect pending the determination or withdrawal of the appeal.

(7)If by reason of special circumstances the Registrar considers that the prohibition should take effect as a matter of urgency he may include a statement to that effect in the transfer prohibition notice; and in that event subsection (6) above shall not apply but the notice shall not take effect before the end of the period of seven days beginning with the date on which the notice is served.

(8)The Registrar may cancel a transfer prohibition notice by written notification to the person on whom it was served.

(9)No transfer prohibition notice shall prohibit the transfer of any data where the transfer of the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the United Kingdom.

(10)Any person who contravenes a transfer prohibition notice shall be guilty of an offence; but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to avoid a contravention of the notice in question.

(11)For the purposes of this section a place shall be treated as in a State bound by the European Convention if it is in any territory in respect of which the State is bound.

Appeals

13 Rights of appeal

(1)A person may appeal to the Tribunal against—

(a)any refusal by the Registrar of an application by that person for registration or for the alteration of registered particulars;

(b)any enforcement notice, de-registration notice or transfer prohibition notice with which that person has been served.

(2)Where a notification that an application has been refused contains a statement by the Registrar in accordance with section 7(7) above, then, whether or not the applicant appeals under paragraph (a) of subsection (1) above, he may appeal against the Registrar's decision to include that statement in the notification.

(3)Where any such notice as is mentioned in paragraph (b) of subsection (1) above contains a statement by the Registrar in accordance with section 10(7), 11(5) or 12(7) above, then, whether or not the person served with the notice appeals under that paragraph, he may appeal against the Registrar's decision to include that statement in the notice or against the effect of the inclusion of the statement as respects any part of the notice.

(4)Schedule 3 to this Act shall have effect in relation to appeals under this section and to the proceedings of the Tribunal in respect of any such appeal.

14 Determination of appeals

(1)If on an appeal under section 13(1) above the Tribunal considers—

(a)that the refusal or notice against which the appeal is brought is not in accordance with the law ; or

(b)to the extent that the refusal or notice involved an exercise of discretion by the Registrar, that he ought to have exercised his discretion differently,

the Tribunal shall allow the appeal or substitute such other decision or notice as could have been made or served by the Registrar ; and in any other case the Tribunal shall dismiss the appeal.

(2)The Tribunal may review any determination of fact on which the refusal or notice in question was based.

(3)On an appeal under subsection (2) of section 13 above the Tribunal may direct that the notification of the refusal shall be treated as if it did not contain any such statement as is mentioned in that subsection.

(4)On an appeal under subsection (3) of section 13 above the Tribunal may direct that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection or that the inclusion of the statement shall not have effect in relation to any part of the notice and may make such modifications in the notice as may be required for giving effect to the direction.

(5)Any party to an appeal to the Tribunal may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be—

(a)the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales ;

(b)the Court of Session if that address is in Scotland; and

(c)the High Court of Justice in Northern Ireland if that address is in Northern Ireland.

(6)In subsection (5) above references to the address of the appellant before the Tribunal are to his address as included or proposed for inclusion in the register.

Miscellaneous and supplementary

15 Unauthorised disclosure by computer bureau

(1)Personal data in respect of which services are provided by a person carrying on a computer bureau shall not be disclosed by him without the prior authority of the person for whom those services are provided.

(2)Subsection (1) above applies also to any servant or agent of a person carrying on a computer bureau.

(3)Any person who knowingly or recklessly contravenes this section shall be guilty of an offence.

16 Powers of entry and inspection

Schedule 4 to this Act shall have effect for the detection of offences under this Act and contraventions of the data protection principles.

17 Disclosure of information

(1)No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Registrar or the Tribunal with any information necessary for the discharge of their functions under this Act.

(2)For the purposes of section 2 of the Official Secrets Act 1911 (wrongful communication of information)—

(a)the Registrar and his officers and servants ;

(b)the members of the Tribunal; and

(c)any officers or servants of the Tribunal who are not in the service of the Crown,

shall be deemed to hold office under Her Majesty.

(3)The said section 2 shall not be construed as precluding the disclosure of information by any person mentioned in subsection (2)(a) or (b) above or by any officer or servant of the Tribunal where the disclosure is made for the purpose of discharging his duties under this Act or for the purpose of proceedings under or arising out of this Act, including proceedings before the Tribunal.

18 Service of notices

(1)Any notice or notification authorised or required by this Act to be served on or given to any person by the Registrar may—

(a)if that person is an individual, be served on him—

(i)by delivering it to him; or

(ii)by sending it to him by post addressed to him at his usual or last-known place of residence or business; or

(iii)by leaving it for him at that place;

(b)if that person is a body corporate or unincorporate, be served on that body—

(i)by sending it by post to the proper officer of the body at its principal office; or

(ii)by addressing it to the proper officer of the body and leaving it at that office.

(2)In subsection (1)(b) above " principal office ", in relation to a registered company, means its registered office and " proper officer ", in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.

(3)This section is without prejudice to any other lawful method of serving or giving a notice or notification.

19 Prosecutions and penalties

(1)No proceedings for an offence under this Act shall be instituted—

(a)in England or Wales except by the Registrar or by or with the consent of the Director of Public Prosecutions ;

(b)in Northern Ireland except by the Registrar or by or with the consent of the Director of Public Prosecutions for Northern Ireland.

(2)A person guilty of an offence under any provision of this Act other than section 6 or paragraph 12 of Schedule 4 shall be liable—

(a)on conviction on indictment, to a fine; or

(b)on summary conviction, to a fine not exceeding the statutory maximum (as defined in section 74 of the Criminal Justice Act 1982).

(3)A person guilty of an offence under section 6 above or the said paragraph 12 shall be liable on summary conviction to a fine not exceeding the fifth level on the standard scale (as defined in section 75 of the said Act of 1982).

(4)Subject to subsection (5) below, the court by or before which a person is convicted of an offence under section 5, 10, 12 or 15 above may order any data material appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

(5)The court shall not make an order under subsection (4) above in relation to any material where a person (other than the offender) claiming to be the owner or otherwise interested in it applies to be heard by the court unless an opportunity is given to him to show cause why the order should not be made.

20 Liability of directors etc.

(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

(2)Where the affairs of a body corporate are managed by its members subsection (1) above shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.

Part III Rights of Data Subjects

21 Right of access to personal data

(1)Subject to the provisions of this section, an individual shall be entitled—

(a)to be informed by any data user whether the data held by him include personal data of which that individual is the data subject; and

(b)to be supplied by any data user with a copy of the information constituting any such personal data held by him;

and where any of the information referred to in paragraph (b) above is expressed in terms which are not intelligible without explanation the information shall be accompanied by an explanation of those terms.

(2)A data user shall not be obliged to supply any information under subsection (1) above except in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require ; but a request for information under both paragraphs of that subsection shall be treated as a single request and a request for information under paragraph (a) shall, in the absence of any indication to the contrary, be treated as extending also to information under paragraph (b).

(3)In the case of a data user having separate entries in the register in respect of data held for different purposes a separate request must be made and a separate fee paid under this section in respect of the data to which each entry relates.

(4)A data user shall not be obliged to comply with a request under this section—

(a)unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which he seeks ; and

(b)if he cannot comply with the request without disclosing information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.

(5)In paragraph (b) of subsection (4) above the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that paragraph shall not be construed as excusing a data user from supplying so much of the information sought by the request as can be supplied without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6)A data user shall comply with a request under this section within forty days of receiving the request or, if later, receiving the information referred to in paragraph (a) of subsection (4) above and, in a case where it is required, the consent referred to in paragraph (b) of that subsection.

(7)The information to be supplied pursuant to a request under this section shall be supplied by reference to the data in question at the time when the request is received except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(8)If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data user in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request; but a court shall not make an order under this subsection if it considers that it would in all the circumstances be unreasonable to do so, whether because of the frequency with which the applicant has made requests to the data user under those provisions or for any other reason.

(9)The Secretary of State may by order provide for enabling a request under this section to be made on behalf of any individual who is incapable by reason of mental disorder of managing his own affairs.

22 Compensation for inaccuracy

(1)An individual who is the subject of personal data held by a data user and who suffers damage by reason of the inaccuracy of the data shall be entitled to compensation from the data user for that damage and for any distress which the individual has suffered by reason of the inaccuracy.

(2)In the case of data which accurately record information received or obtained by the data user from the data subject or a third party, subsection (1) above does not apply if the following requirements have been complied with—

(a)the data indicate that the information was received or obtained as aforesaid or the information has not been extracted from the data except in a form which includes an indication to that effect; and

(b)if the data subject has notified the data user that he regards the information as incorrect or misleading, an indication to that effect has been included in the data or the information has not been extracted from the data except in a form which includes an indication to that effect.

(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to ensure the accuracy of the data at the material time.

(4)Data are inaccurate for the purposes of this section if incorrect or misleading as to any matter of fact.

23 Compensation for loss or unauthorised disclosure

(1)An individual who is the subject of personal data held by a data user or in respect of which services are provided by a person carrying on a computer bureau and who suffers damage by reason of—

(a)the loss of the data ;

(b)the destruction of the data without the authority of the data user or, as the case may be, of the person carrying on the bureau; or

(c)subject to subsection (2) below, the disclosure of the data, or access having been obtained to the data, without such authority as aforesaid,

shall be entitled to compensation from the data user or, as the case may be, the person carrying on the bureau for that damage and for any distress which the individual has suffered by reason of the loss, destruction, disclosure or access.

(2)In the case of a registered data user, subsection (1)(c) above does not apply to disclosure to, or access by, any person falling within a description specified pursuant to section 4(3)(d) above in an entry in the register relating to that data user.

(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to prevent the loss, destruction, disclosure or access in question.

24 Rectification and erasure

(1)If a court is satisfied on the application of a data subject that personal data held by a data user of which the applicant is the subject are inaccurate within the meaning of section 22 above, the court may order the rectification or erasure of the data and of any data held by the data user and containing an expression of opinion which appears to the court to be based on the inaccurate data.

(2)Subsection (1) above applies whether or not the data accurately record information received or obtained by the data user from the data subject or a third party but where the data accurately record such information, then—

(a)if the requirements mentioned in section 22(2) above have been complied with, the court may, instead of making an order under subsection (1) above, make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve ; and

(b)if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a) above.

(3)If a court is satisfied on the application of a data subject—

(a)that he has suffered damage by reason of the disclosure of personal data, or of access having been obtained to personal data, in circumstances entitling him to compensation under section 23 above ; and

(b)that there is a substantial risk of further disclosure of or access to the data without such authority as is mentioned in that section,

the court may order the erasure of the data; but, in the case of data in respect of which services were being provided by a person carrying on a computer bureau, the court shall not make such an order unless such steps as are reasonably practicable have been taken for notifying the person for whom those services were provided and giving him an opportunity to be heard.

25 Jurisdiction and procedure

(1)The jurisdiction conferred by sections 21 and 24 above shall be exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2)For the purpose of determining any question whether an applicant under subsection (8) of section 21 above is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV of this Act) a court may require the information constituting any data held by the data user to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

Part IV Exemptions

26 Preliminary

(1)References in any provision of Part II or III of this Act to personal data do not include references to data which by virtue of this Part of this Act are exempt from that provision.

(2)In this Part of this Act " the subject access provisions " means—

(a)section 21 above; and

(b)any provision of Part II of this Act conferring a power on the Registrar to the extent to which it is exercisable by reference to paragraph (a) of the seventh data protection principle.

(3)In this Part of this Act " the non-disclosure provisions " means—

(a)sections 5(2)(d) and 15 above; and

(b)any provision of Part II of this Act conferring a power on the Registrar to the extent to which it is exercisable by reference to any data protection principle inconsistent with the disclosure in question.

(4)Except as provided by this Part of this Act the subject access provisions shall apply notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

27 National security

(1)Personal data are exempt from the provisions of Part II of this Act and of sections 21 to 24 above if the exemption is required for the purpose of safeguarding national security.

(2)Any question whether the exemption mentioned in subsection (1) above is or at any time was required for the purpose there mentioned in respect of any personal data shall be determined by a Minister of the Crown ; and a certificate signed by a Minister of the Crown certifying that the exemption is or at any time was so required shall be conclusive evidence of that fact.

(3)Personal data which are not exempt under subsection (1) above are exempt from the non-disclosure provisions in any case in which the disclosure of the data is for the purpose of safeguarding national security.

(4)For the purposes of subsection (3) above a certificate signed by a Minister of the Crown certifying that personal data are or have been disclosed for the purpose mentioned in that subsection shall be conclusive evidence of that fact.

(5)A document purporting to be such a certificate as is mentioned in this section shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(6)The powers conferred by this section on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.

28 Crime and taxation

(1)Personal data held for any of the following purposes—

(a)the prevention or detection of crime ;

(b)the apprehension or prosecution of offenders ; or

(c)the assessment or collection of any tax or duty,

are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2)Personal data which—

(a)are held for the purpose of discharging statutory functions ; and

(b)consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1) above,

are exempt from the subject access provisions to the same extent as personal data held for any of the purposes mentioned in that subsection.

(3)Personal data are exempt from the non-disclosure provisions in any case in which—

(a)the disclosure is for any of the purposes mentioned in subsection (1) above ; and

(b)the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection ;

and in proceedings against any person for contravening a provision mentioned in section 26(3)(a) above it shall be a defence to prove that he had reasonable grounds for believing that failure to make the disclosure in question would have been likely to prejudice any of those matters.

(4)Personal data are exempt from the provisions of Part II of this Act conferring powers on the Registrar, to the extent to which they are exercisable by reference to the first data protection principle, in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in subsection (1) above.

29 Health and social work

(1)The Secretary of State may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health of the data subject.

(2)The Secretary of State may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information—

(a)held by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order ; and

(b)appearing to him to be held for, or acquired in the course of, carrying out social work in relation to the data subject or other individuals ;

but the Secretary of State shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.

(3)An order under this section may make different provision in relation to data consisting of information of different descriptions.

30 Regulation of financial services etc.

(1)Personal data held for the purpose of discharging statutory functions to which this section applies are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.

(2)This section applies to any functions designated for the purposes of this section by an order made by the Secretary of State, being functions conferred by or under any enactment appearing to him to be designed for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or to the conduct of discharged or undischarged bankrupts.

31 Judicial appointments and legal professional privilege

(1)Personal data held by a government department are exempt from the subject access provisions if the data consist of information which has been received from a third party and is held as information relevant to the making of judicial appointments.

(2)Personal data are exempt from the subject access provisions if the data consist of information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality as between client and professional legal adviser) could be maintained in legal proceedings.

32 Payrolls and accounts

(1)Subject to subsection (2) below, personal data held by a data user only for one or more of the following purposes—

(a)calculating amounts payable by way of remuneration or pensions in respect of service in any employment or office or making payments of, or of sums deducted from, such remuneration or pensions ; or

(b)keeping accounts relating to any business or other activity carried on by the data user or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments are made by or to him in respect of those transactions or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity,

are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.

(2)It shall be a condition of the exemption of any data under this section that the data are not used for any purpose other than the purpose or purposes for which they are held and are not disclosed except as permitted by subsections (3) and (4) below; but the exemption shall not be lost by any use or disclosure in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances was reasonably required.

(3)Data held only for one or more of the purposes mentioned in subsection (1)(a) above may be disclosed—

(a)to any person, other than the data user, by whom the remuneration or pensions in question are payable ;

(b)for the purpose of obtaining actuarial advice;

(c)for the purpose of giving information as to the persons in any employment or office for use in medical research into the health of, or injuries suffered by, persons engaged in particular occupations or working in particular places or areas;

(d)if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made ; or

(e)if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (d) above.

(4)Data held for any of the purposes mentioned in subsection (1) above may be disclosed—

(a)for the purpose of audit or where the disclosure is for the purpose only of giving information about the data user's financial affairs ; or

(b)in any case in which disclosure would be permitted by any other provision of this Part of this Act if subsection (2) above were included among the non-disclosure provisions.

(5)In this section " remuneration " includes remuneration in kind and " pensions " includes gratuities or similar benefits.

33 Domestic or other limited purposes

(1)Personal data held by an individual and concerned only with the management of his personal, family or household affairs or held by him only for recreational purposes are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.

(2)Subject to subsections (3) and (4) below—

(a)personal data held by an unincorporated members' club and relating only to the members of the club ; and

(b)personal data held by a data user only for the purpose of distributing, or recording the distribution of, articles or information to the data subjects and consisting only of their names, addresses or other particulars necessary for effecting the distribution,

are exempt from the provisions of Part II of this Act and of sections 21 to 24 above.

(3)Neither paragraph (a) nor paragraph (b) of subsection (2) above applies to personal data relating to any data subject unless he has been asked by the club or data user whether he objects to the data relating to him being held as mentioned in that paragraph and has not objected.

(4)It shall be a condition of the exemption of any data under paragraph (b) of subsection (2) above that the data are not used for any purpose other than that for which they are held and of the exemption of any data under either paragraph of that subsection that the data are not disclosed except as permitted by subsection (5) below ; but the first exemption shall not be lost by any use, and neither exemption shall be lost by any disclosure, in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances was reasonably required.

(5)Data to which subsection (4) above applies may be disclosed—

(a)if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made ;

(b)if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a) above ; or

(c)in any case in which disclosure would be permitted by any other provision of this Part of this Act if subsection (4) above were included among the non-disclosure provisions.

(6)Personal data held only for—

(a)preparing statistics ; or

(b)carrying out research,

are exempt from the subject access provisions ; but it shall be a condition of that exemption that the data are not used or disclosed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subjects or any of them.

34 Other exemptions

(1)Personal data held by any person are exempt from the provisions of Part II of this Act and of sections 21 to 24 above if the data consist of information which that person is required by or under any enactment to make available to the public, whether by publishing it, making it available for inspection or otherwise and whether gratuitously or on payment of a fee.

(2)The Secretary of State may by order exempt from the subject access provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if he considers that the prohibition or restriction ought to prevail over those provisions in the interests of the data subject or of any other individual.

(3)Where all the personal data relating to a data subject held by a data user (or all such data in respect of which a data user has a separate entry in the register) consist of information in respect of which the data subject is entitled to make a request to the data user under section 158 of the Consumer Credit Act 1974 (files of credit reference agencies)—

(a)the data are exempt from the subject access provisions ; and

(b)any request in respect of the data under section 21 above shall be treated for all purposes as if it were a request under the said section 158.

(4)Personal data are exempt from the subject access provisions if the data are kept only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired.

(5)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is—

(a)required by or under any enactment, by any rule of law or by the order of a court; or

(b)made for the purpose of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.

(6)Personal data are exempt from the non-disclosure provisions in any case in which—

(a)the disclosure is to the data subject or a person acting on his behalf ; or

(b)the data subject or any such person has requested or consented to the particular disclosure in question ; or

(c)the disclosure is by a data user or a person carrying on a computer bureau to his servant or agent for the purpose of enabling the servant or agent to perform his functions as such ; or

(d)the person making the disclosure has reasonable grounds for believing that the disclosure falls within any of the foregoing paragraphs of this subsection.

(7)Section 4(3)(d) above does not apply to any disclosure falling within paragraph (a), (b) or (c) of subsection (6) above; and that subsection shall apply to the restriction on disclosure in section 33(6) above as it applies to the non-disclosure provisions.

(8)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is urgently required for preventing injury or other damage to the health of any person or persons; and in proceedings against any person for contravening a provision mentioned in section 26(3)(a) above it shall be a defence to prove that he had reasonable grounds for believing that the disclosure in question was urgently required for that purpose.

(9)A person need not comply with a notice, request or order under the subject access provisions if compliance would expose him to proceedings for any offence other than an offence under this Act; and information disclosed by any person in compliance with such a notice, request or order shall not be admissible against him in proceedings for an offence under this Act.

35 Examination marks

(1)Section 21 above shall have effect subject to the provisions of this section in the case of personal data consisting of marks or other information held by a data user—

(a)for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined ; or

(b)in consequence of the determination of any such results.

(2)Where the period mentioned in subsection (6) of section 21 begins before the results of the examination are announced that period shall be extended until—

(a)the end of five months from the beginning of that period; or

(b)the end of forty days after the date of the announcement,

whichever is the earlier.

(3)Where by virtue of subsection (2) above a request is complied with more than forty days after the beginning of the period mentioned in subsection (6) of section 21, the information to be supplied pursuant to the request shall be supplied both by reference to the data in question at the time when the request is received and (if different) by reference to the data as from time to time held in the period beginning when the request is received and ending when it is complied with.

(4)For the purposes of this section the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question.

(5)In this section " examination " includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity.

Part V General

36 General duties of Registrar

(1)It shall be the duty of the Registrar so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux.

(2)The Registrar may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected; and where the Registrar considers any such complaint he shall notify the complainant of the result of his consideration and of any action which he proposes to take.

(3)The Registrar shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act and other matters within the scope of his functions under this Act and may give advice to any person as to any of those matters.

(4)It shall be the duty of the Registrar, where he considers it appropriate to do so, to encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles.

(5)The Registrar shall annually lay before each House of Parliament a general report on the performance of his functions under this Act and may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

37 Co-operation between parties to Convention

The Registrar shall be the designated authority in the United Kingdom for the purposes of Article 13 of the European Convention; and the Secretary of State may by order make provision as to the functions to be discharged by the Registrar in that capacity.

38 Application to government departments and police

(1)Except as provided in subsection (2) below, a government department shall be subject to the same obligations and liabilities under this Act as a private person; and for the purposes of this Act each government department shall be treated as a person separate from any other government department and a person in the public service of the Crown shall be treated as a servant of the government department to which his responsibilities or duties relate.

(2)A government department shall not be liable to prosecution under this Act but—

(a)sections 5(3) and 15(2) above (and, so far as relating to those provisions, sections 5(5) and 15(3) above) shall apply to any person who by virtue of this section falls to be treated as a servant of the government department in question; and

(b)section 6(6) above and paragraph 12 of Schedule 4 to this Act shall apply to a person in the public service of the Crown as they apply to any other person.

(3)For the purposes of this Act—

(a)the constables under the direction and control of a chief officer of police shall be treated as his servants ; and

(b)the members of any body of constables maintained otherwise than by a police authority shall be treated as the servants—

(i)of the authority or person by whom that body is maintained, and

(ii)in the case of any members of such a body who are under the direction and control of a chief officer, of that officer.

(4)In the application of subsection (3) above to Scotland, for the reference to a chief officer of police there shall be substituted a reference to a chief constable.

(5)In the application of subsection (3) above to Northern Ireland, for the reference to a chief officer of police there shall be substituted a reference to the Chief Constable of the Royal Ulster Constabulary and for the reference to a police authority there shall be substituted a reference to the Police Authority for Northern Ireland.

39 Data held, and services provided, outside the United Kingdom

(1)Subject to the following provisions of this section, this Act does not apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided, outside the United Kingdom.

(2)For the purposes of subsection (1) above—

(a)data shall be treated as held where the data user exercises the control referred to in subsection (5)(b) of section 1 above in relation to the data; and

(b)services shall be treated as provided where the person carrying on the computer bureau does any of the things referred to in subsection (6)(a) or (b) of that section.

(3)Where a person who is not resident in the United Kingdom—

(a)exercises the control mentioned in paragraph (a) of subsection (2) above ; or

(b)does any of the things mentioned in paragraph (b) of that subsection,

through a servant or agent in the United Kingdom, this Act shall apply as if that control were exercised or, as the case may be, those things were done in the United Kingdom by the servant or agent acting on his own account and not on behalf of the person whose servant or agent he is.

(4)Where by virtue of subsection (3) above a servant or agent is treated as a data user or as a person carrying on a computer bureau he may be described for the purposes of registration by the position or office which he holds; and any such description in an entry in the register shall be treated as applying to the person for the time being holding the position or office in question.

(5)This Act does not apply to data processed wholly outside the United Kingdom unless the data are used or intended to be used in the United Kingdom.

(6)Sections 4(3)(e) and 5(2)(e) and subsection (1) of section 12 above do not apply to the transfer of data which are already outside the United Kingdom; but references in the said section 12 to a contravention of the data protection principles include references to anything that would constitute such contravention if it occurred in relation to the data when held in the United Kingdom.

40 Regulations, rules and orders

(1)Any power conferred by this Act to make regulations, rules or orders shall be exercisable by statutory instrument.

(2)Without prejudice to sections 2(6) and 29(3) above, regulations, rules or orders under this Act may make different provision for different cases or circumstances.

(3)Before making an order under any of the foregoing provisions of this Act the Secretary of State shall consult the Registrar.

(4)No order shall be made under section 2(3), 4(8), 29, 30 or 34(2) above unless a draft of the order has been laid before and approved by a resolution of each House of Parliament.

(5)A statutory instrument containing an order under section 21(9) or 37 above or rules under paragraph 4 of Schedule 3 to this Act shall be subject to annulment in pursuance of a resolution of either House of Parliament.

(6)Regulations prescribing fees for the purposes of any provision of this Act or the period mentioned in section 8(2) above shall be laid before Parliament after being made.

(7)Regulations prescribing fees payable to the Registrar under this Act or the period mentioned in section 8(2) above shall be made after consultation with the Registrar and with the approval of the Treasury; and in making any such regulations the Secretary of State shall have regard to the desirability of securing that those fees are sufficient to offset the expenses incurred by the Registrar and the Tribunal in discharging their functions under this Act and any expenses of the Secretary of State in respect of the Tribunal.

41 General interpretation

In addition to the provisions of sections 1 and 2 above, the following provisions shall have effect for the interpretation of this Act—

  • " business " includes any trade or profession ;

  • "data equipment" means equipment for the automatic processing of data or for recording information so that it can be automatically processed;

  • " data material" means any document or other material used in connection with data equipment;

  • " a de-registration notice " means a notice under section 11 above;

  • " enactment " includes an enactment passed after this Act;

  • " an enforcement notice " means a notice under section 10 above;

  • "the European Convention" means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981 ;

  • "government department" includes a Northern Ireland department and any body or authority exercising statutory functions on behalf of the Crown ;

  • " prescribed " means prescribed by regulations made by the Secretary of State;

  • " the Registrar " means the Data Protection Registrar ;

  • " the register ", except where the reference is to the register of companies, means the register maintained under section 4 above and (except where the reference is to a registered company, to the registered office of a company or to registered post) references to registration shall be construed accordingly ;

  • " registered company " means a company registered under the enactments relating to companies for the time being in force in any part of the United Kingdom;

  • " a transfer prohibition notice " means a notice under section 12 above;

  • " the Tribunal " means the Data Protection Tribunal.

42 Commencement and transitional provisions

(1)No application for registration shall be made until such day as the Secretary of State may by order appoint, and sections 5 and 15 above shall not apply until the end of the period of six months beginning with that day.

(2)Until the end of the period of two years beginning with the day appointed under subsection (1) above the Registrar shall not have power—

(a)to refuse an application made in accordance with section 6 above except on the ground mentioned in section 7(2)(a) above; or

(b)to serve an enforcement notice imposing requirements to be complied with, a de-registration notice expiring, or a transfer prohibition notice imposing a prohibition taking effect, before the end of that period.

(3)Where the Registrar proposes to serve any person with an enforcement notice before the end of the period mentioned in subsection (2) above he shall, in determining the time by which the requirements of the notice are to be complied with, have regard to the probable cost to that person of complying with those requirements.

(4)Section 21 above and paragraph 1(b) of Schedule 4 to this Act shall not apply until the end of the period mentioned in subsection (2) above.

(5)Section 22 above shall not apply to damage suffered before the end of the period mentioned in subsection (1) above and in deciding whether to refuse an application or serve a notice under Part II of this Act the Registrar shall treat the provision about accuracy in the fifth data protection principle as inapplicable until the end of that period and as inapplicable thereafter to data shown to have been held by the data user in question since before the end of that period.

(6)Sections 23 and 24(3) above shall not apply to damage suffered before the end of the period of two months beginning with the date on which this Act is passed.

(7)Section 24(1) and (2) above shall not apply before the end of the period mentioned in subsection (1) above.

43 Short title and extent

(1)This Act may be cited as the Data Protection Act 1984.

(2)This Act extends to Northern Ireland.

(3)Her Majesty may by Order in Council direct that this Act shall extend to any of the Channel Islands with such exceptions and modifications as may be specified in the Order.

Schedules

Schedule 1 The Data Protection Principles

Part I The Principles

Personal data held by data users

1The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

2Personal data shall be held only for one or more specified and lawful purposes.

3Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

4Personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes.

5Personal data shall be accurate and, where necessary, kept up to date.

6Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

7An individual shall be entitled—

(a)at reasonable intervals and without undue delay or expense—

(i)to be informed by any data user whether he holds personal data of which that individual is the subject; and

(ii)to access to any such data held by a data user ; and

(b)where appropriate, to have such data corrected or erased.

Personal data held by data users or in respect of which services are provided by persons carrying on computer bureaux

8Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

Part II Interpretation

The first principle

1(1)Subject to sub-paragraph (2) below, in determining whether information was obtained fairly regard shall be had to the method by which it was obtained, including in particular whether any person from whom it was obtained was deceived or misled as to the purpose or purposes for which it is to be held, used or disclosed.

(2)Information shall in any event be treated as obtained fairly if it is obtained from a person who—

(a)is authorised by or under any enactment to supply it; or

(b)is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom;

and in determining whether information was obtained fairly there shall be disregarded any disclosure of the information which is authorised or required by or under any enactment or required by any such convention or other instrument as aforesaid.

The second principle

2Personal data shall not be treated as held for a specified purpose unless that purpose is described in particulars registered under this Act in relation to the data.

The third principle

3Personal data shall not be treated as used or disclosed in contravention of this principle unless—

(a)used otherwise than for a purpose of a description registered under this Act in relation to the data ; or

(b)disclosed otherwise than to a person of a description so registered.

The fifth principle

4Any question whether or not personal data are accurate shall be determined as for the purposes of section 22 of this Act but, in the case of such data as are mentioned in subsection (2) of that section, this principle shall not be regarded as having been contravened by reason of any inaccuracy in the information there mentioned if the requirements specified in that subsection have been complied with.

The seventh principle

5(1)Paragraph (a) of this principle shall not be construed as conferring any rights inconsistent with section 21 of this Act.

(2)In determining whether access to personal data is sought at reasonable intervals regard shall be had to the nature of the data, the purpose for which the data are held and the frequency with which the data are altered.

(3)The correction or erasure of personal data is appropriate only where necessary for ensuring compliance with the other data protection principles.

The eighth principle

6Regard shall be had—

(a)to the nature of the personal data and the harm that would result from such access, alteration, disclosure, loss or destruction as are mentioned in this principle ; and

(b)to the place where the personal data are stored, to security measures programmed into the relevant equipment and to measures taken for ensuring the reliability of staff having access to the data.

Use for historical, statistical or research purposes

7Where personal data are held for historical, statistical or research purposes and not used in such a way that damage or distress is, or is likely to be, caused to any data subject—

(a)the information contained in the data shall not be regarded for the purposes of the first principle as obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained ; and

(b)the data may, notwithstanding the sixth principle, be kept indefinitely.

Schedule 2 The Data Protection Registrar and the Data Protection Tribunal

Part I The Registrar

Status

1(1)The Registrar shall be a corporation sole by the name of " The Data Protection Registrar ".

(2)Except as provided in section 17(2) of this Act, the Registrar and his officers and servants shall not be regarded as servants or agents of the Crown.

Tenure of office

2(1)Subject to the provisions of this paragraph, the Registrar shall hold office for five years.

(2)The Registrar may be relieved of his office by Her Majesty at his own request.

(3)The Registrar may be removed from office by Her Majesty in pursuance of an Address from both Houses of Parliament.

(4)The Registrar shall in any case vacate his office on completing the year of service in which he attains the age of sixty-five years.

(5)Subject to sub-paragraph (4) above, a person who ceases to be Registrar on the expiration of his term of office shall be eligible for re-appointment.

Salary etc.

3(1)There shall be paid—

(a)to the Registrar such salary, and

(b)to or in respect of the Registrar such pension,

as may be specified by a resolution of the House of Commons.

(2)A resolution for the purposes of this paragraph may either specify the salary or pension or provide that it shall be the same as that payable to, or to or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown.

(3)A resolution for the purposes of this paragraph may take effect from the date on which it is passed or from any earlier or later date specified in the resolution.

(4)Any salary or pension payable under this paragraph shall be charged on and issued out of the Consolidated Fund.

(5)In this paragraph "pension" includes an allowance or gratuity and any reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.

Officers and servants

4(1)The Registrar—

(a)shall appoint a deputy registrar ; and

(b)may appoint such number of other officers and servants as he may determine.

(2)The remuneration and other conditions of service of the persons appointed under this paragraph shall be determined by the Registrar.

(3)The Registrar may pay such pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph, or make such payments towards the provision of such pensions, allowances or gratuities, as he may determine.

(4)The references in sub-paragraph (3) above to pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph include references to pensions, allowances or gratuities by way of compensation to or in respect of any of those persons who suffer loss of office or employment.

(5)Any determination under sub-paragraph (1)(b), (2) or (3) above shall require the approval of the Secretary of State given with the consent of the Treasury.

5(1)The deputy registrar shall perform the functions conferred by this Act on the Registrar during any vacancy in that office or at any time when the Registrar is for any reason unable to act.

(2)Without prejudice to sub-paragraph (1) above, any functions of the Registrar under this Act may, to the extent authorised by him, be performed by any of his officers.

Receipts and expenses

6(1)All fees and other sums received by the Registrar in the exercise of his functions under this Act shall be paid by him into the Consolidated Fund.

(2)The Secretary of State shall out of moneys provided by Parliament pay to the Registrar such sums towards his expenses as the Secretary of State may with the approval of the Treasury determine.

Accounts

7(1)It shall be the duty of the Registrar—

(a)to keep proper accounts and other records in relation to the accounts;

(b)to prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct with the approval of the Treasury ; and

(c)to send copies of that statement to the Comptroller and Auditor General on or before 31st August next following the end of the year to which the statement relates or on or before such earlier date after the end of that year as the Treasury may direct.

(2)The Comptroller and Auditor General shall examine and certify any statement sent to him under this paragraph and lay copies of it together with his report thereon before each House of Parliament.

(3)In this paragraph "financial year" means a period of twelve months beginning with 1st April.

Part II The Tribunal

Tenure of office

8(1)A member of the Tribunal shall hold and vacate his office in accordance with the terms of his appointment and shall, on ceasing to hold office, be eligible for re-appointment.

(2)Any member of the Tribunal may at any time resign his office by notice in writing to the Lord Chancellor (in the case of the chairman or a deputy chairman) or to the Secretary of State (in the case of any other member).

Salary etc.

9The Secretary of State shall pay to the members of the Tribunal out of moneys provided by Parliament such remuneration and allowances as he may with the approval of the Treasury determine.

Officers and servants

10The Secretary of State may provide the Tribunal with such officers and servants as he thinks necessary for the proper discharge of its functions.

Expenses

11Such expenses of the Tribunal as the Secretary of State may with the approval of the Treasury determine shall be defrayed by the Secretary of State out of moneys provided by Parliament.

Part III General

Parliamentary disqualification

12(1)In Part II of Schedule 1 to the House of Commons Disqualification Act 1975 (bodies whose members are disqualified) there shall be inserted at the appropriate place

The Data Protection Tribunal.

(2)In Part III of that Schedule (disqualifying offices) there shall be inserted at the appropriate place

The Data Protection Registrar.

(3)Corresponding amendments shall be made in Parts II and III of Schedule 1 to the Northern Ireland Assembly Disqualification Act 1975.

Supervision by Council on Tribunals

13The Tribunals and Inquiries Act 1971 shall be amended as follows—

(a)in section 8(2) after " paragraph" there shall be inserted

5A;

(b)in section 19(4) after " 46 " there shall be inserted the words

or the Data Protection Registrar referred to in paragraph 5A;

(c)in Schedule 1, after paragraph 5 there shall be inserted—

"Data protection. 5A. (a) The Data Protection Registrar ; (b) The Data Protection Tribunal."

Public records

14In Part II of the Table in paragraph 3 of Schedule 1 to the Public Records Act 1958 there shall be inserted at the appropriate place

the Data Protection Registrar; and after paragraph 4(1)(n) of that Schedule there shall be inserted—

" (nn) records of the Data Protection Tribunal;

Schedule 3 Appeal Proceedings

Hearing of appeals

1For the purpose of hearing and determining appeals or any matter preliminary or incidental to an appeal the Tribunal shall sit at such times and in such places as the chairman or a deputy chairman may direct and may sit in two or more divisions.

2(1)Subject to any rules made under paragraph 4 below, the Tribunal shall be duly constituted for an appeal under section 13(1) of this Act if it consists of—

(a)the chairman or a deputy chairman (who shall preside) ; and

(b)an equal number of the members appointed respectively in accordance with paragraphs (a) and (b) of section 3(5) of this Act.

(2)The members who are to constitute the Tribunal in accordance with sub-paragraph (1) above shall be nominated by the chairman or, if he is for any reason unable to act, by a deputy chairman.

(3)The determination of any question before the Tribunal when constituted in accordance with this paragraph shall be according to the opinion of the majority of the members hearing the appeal.

3Subject to any rules made under paragraph 4 below, the jurisdiction of the Tribunal in respect of an appeal under section 13(2) or (3) of this Act shall be exercised ex parte by the chairman or a deputy chairman sitting alone.

Rules of procedure

4(1)The Secretary of State may make rules for regulating the exercise of the rights of appeal conferred by section 13 of this Act and the practice and procedure of the Tribunal.

(2)Without prejudice to the generality of sub-paragraph (1) above, rules under this paragraph may in particular make provision—

(a)with respect to the period within which an appeal can be brought and the burden of proof on an appeal;

(b)for the summoning of witnesses and the administration of oaths;

(c)for securing the production of documents and data material;

(d)for the inspection, examination, operation and testing of data equipment and the testing of data material;

(e)for the hearing of an appeal wholly or partly in camera ;

(f)for hearing an appeal in the absence of the appellant or for determining an appeal without a hearing ;

(g)for enabling any matter preliminary or incidental to an appeal to be dealt with by the chairman or a deputy chairman ;

(h)for the awarding of costs ;

(i)for the publication of reports of the Tribunal's decisions ; and

(j)for conferring on the Tribunal such ancillary powers as the Secretary of State thinks necessary for the proper discharge of its functions.

Obstruction etc.

5(1)If any person is guilty of any act or omission in relation to proceedings before the Tribunal which, if those proceedings were proceedings before a court having power to commit for contempt, would constitute contempt of court, the Tribunal may certify the offence to the High Court or, in Scotland, the Court of Session.

(2)Where an offence is so certified, the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the person charged with the offence, and after hearing any statement that may be offered in defence, deal with him in any manner in which it could deal with him if he had committed the like offence in relation to the court.

Schedule 4 Powers of Entry and Inspection

Issue of warrants

1If a circuit judge is satisfied by information on oath supplied by the Registrar that there are reasonable grounds for suspecting—

(a)that an offence under this Act has been or is being committed ; or

(b)that any of the data protection principles have been or are being contravened by a registered person,

and that evidence of the commission of the offence or of the contravention is to be found on any premises specified in the information, he may, subject to paragraph 2 below, grant a warrant authorising the Registrar or any of his officers or servants at any time within seven days of the date of the warrant to enter those premises, to search them, to inspect, examine, operate and test any data equipment found there and to inspect and seize any documents or other material found there which may be such evidence as aforesaid.

2A judge shall not issue a warrant under this Schedule unless he is satisfied—

(a)that the Registrar has given seven days' notice in writing to the occupier of the premises in question demanding access to the premises ;

(b)that access was demanded at a reasonable hour and was unreasonably refused ; and

(c)that the occupier has, after the refusal, been notified by the Registrar of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued ;

but the foregoing provisions of this paragraph shall not apply if the judge is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry.

3A judge who issues a warrant under this Schedule shall also issue two copies of it and certify them clearly as copies.

Execution of warrants

4A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.

5A warrant issued under this Schedule shall be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed.

6If the person who occupies the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, he shall be shown the warrant and supplied with a copy of it; and if that person is not present a copy of the warrant shall be left in a prominent place on the premises.

7(1)A person seizing anything in pursuance of a warrant under this Schedule shall give a receipt for it if asked to do so.

(2)Anything so seized may be retained for so long as is necessary in all the circumstances but the person in occupation of the premises in question shall be given a copy of anything that is seized if he so requests and the person executing the warrant considers that it can be done without undue delay.

Matters exempt from inspection and seizure

8The powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of personal data which are exempt from Part II of this Act.

9(1)Subject to the provisions of this paragraph, the powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of—

(a)any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act; or

(b)any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(2)Sub-paragraph (1) above applies also to—

(a)any copy or other record of any such communication as is there mentioned ; and

(b)any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are there mentioned.

(3)This paragraph does not apply to anything in the possession of any person other than the professional legal adviser or his client or to anything held with the intention of furthering a criminal purpose.

(4)In this paragraph references to the client of a professional legal adviser include references to any person representing such a client.

10If the person in occupation of any premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure under the warrant of any material on the grounds that it consists partly of matters in respect of which those powers are not exercisable, he shall, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants

11A warrant issued under this Schedule shall be returned to the court from which it was issued—

(a)after being executed ; or

(b)if not executed within the time authorised for its execution ;

and the person by whom any such warrant is executed shall make an endorsement on it stating what powers have been exercised by him under the warrant.

Offences

12 Any person who—

(a) intentionally obstructs a person in the execution of a warrant issued under this Schedule; or

(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant,

shall be guilty of an offence.

Vessels, vehicles etc.

13 In this Schedule "premises" includes any vessel, vehicle, aircraft or hovercraft, and references to the occupier of any premises include references to the person in charge of any vessel, vehicle, aircraft or hovercraft.

Scotland and Northern Ireland

14 In the application of this Schedule to Scotland, for any reference to a circuit judge there shall be substituted a reference to the sheriff, for any reference to information on oath there shall be substituted a reference to evidence on oath and for the reference to the court from which the warrant was issued there shall be substituted a reference to the sheriff clerk.

15 In the application of this Schedule to Northern Ireland, for any reference to a circuit judge there shall be substituted a reference to a county court judge and for any reference to information on oath there shall be substituted a reference to a complaint on oath.
