- Latest available (Revised)
- Original (As enacted)
There are outstanding changes not yet made by the legislation.gov.uk editorial team to Data Protection Act 1998. Any changes that have already been made by the team appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
This section lists the changes and effects yet to be applied to the whole Act, associated Parts and Chapters where applicable. This includes any insertions of whole new Parts, Chapters or provisions yet to be inserted into this Act. These effects are included in this view as they may be (but won’t necessarily be) relevant to the specific provision that you are viewing.
This section lists the commencement orders yet to be applied to the whole Act. These effects are included in this view as they may be (but won’t necessarily be) relevant to the specific provision that you are viewing. Where applicable the commencement orders are listed under two headings, firstly those that bring some part of the Act you are viewing into force and secondly, those that bring into force legislation that affects some part of the legislation you are viewing. If you are viewing a prospective version or there is a prospective version available there may be commencement orders listed here that are relevant to the provision you are viewing.
(1)In this Part “the registrable particulars”, in relation to a data controller, means—
(a)his name and address,
(b)if he has nominated a representative for the purposes of this Act, the name and address of the representative,
(c)a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,
(d)a description of the purpose or purposes for which the data are being or are to be processed,
(e)a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,
(f)the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data,
[F1(ff)where the data controller is a public authority, a statement of that fact,]. . .
(g)in any case where—
(i)personal data are being, or are intended to be, processed in circumstances in which the prohibition in subsection (1) of section 17 is excluded by subsection (2) or (3) of that section, and
(ii)the notification does not extend to those data,
a statement of that fact.[F2, and
(h)such information about the data controller as may be prescribed under section 18(5A).]
(2)In this Part—
“fees regulations” means regulations made by the [F3 Secretary of State] under section 18(5) or 19(4) or (7);
“notification regulations” means regulations made by the [F3 Secretary of State] under the other provisions of this Part;
“prescribed”, except where used in relation to fees regulations, means prescribed by notification regulations.
(3)For the purposes of this Part, so far as it relates to the addresses of data controllers—
(a)the address of a registered company is that of its registered office, and
(b)the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.
Annotations are used to give authority for changes and other effects on the legislation you are viewing and to convey editorial information. They appear at the foot of the relevant provision or under the associated heading. Annotations are categorised by annotation type, such as F-notes for textual amendments and I-notes for commencement information (a full list can be found in the Editorial Practice Guide). Each annotation is identified by a sequential reference number. For F-notes, M-notes and X-notes, the number also appears in bold superscript at the relevant location in the text. All annotations contain links to the affecting legislation.
(1)Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).
(2)Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of “data” in section 1(1) nor within paragraph (b) of that definition.
(3)If it appears to the [F4 Secretary of State] that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.
(4)Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.
Modifications etc. (not altering text)
(1)Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.
(2)A notification under this section must specify in accordance with notification regulations—
(a)the registrable particulars, and
(b)a general description of measures to be taken for the purpose of complying with the seventh data protection principle.
(3)Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).
(4)Notification regulations may make provision as to the giving of notification—
(a)by partnerships, or
(b)in other cases where two or more persons are the data controllers in respect of any personal data.
(5)The notification must be accompanied by such fee as may be prescribed by fees regulations.
[F5(5A)Notification regulations may prescribe the information about the data controller which is required for the purpose of verifying the fee payable under subsection (5).]
(6)Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.
(1)The Commissioner shall—
(a)maintain a register of persons who have given notification under section 18, and
(b)make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.
(2)Each entry in the register shall consist of—
(a)the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and
(b)such other information as the Commissioner may be authorised or required by notification regulations to include in the register.
(3)Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.
(4)No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.
(5)In subsection (4) “the relevant time” means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.
(a)shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and
(b)may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.
(7)The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.
[F6(8)Nothing in subsection (6) or (7) applies to information which is included in an entry in the register only by reason of it falling within section 16(1)(h).]
Modifications etc. (not altering text)
(1)For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.
(2)The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time—
(a)the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and
(b)the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).
(3)Subsection (3) of section 18 has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of subsection (2) of that section.
(4)On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.
(1)If section 17(1) is contravened, the data controller is guilty of an offence.
(2)Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.
(3)It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.
(1)In this section “assessable processing” means processing which is of a description specified in an order made by the [F7 Secretary of State] as appearing to him to be particularly likely—
(a)to cause substantial damage or substantial distress to data subjects, or
(b)otherwise significantly to prejudice the rights and freedoms of data subjects.
(2)On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider—
(a)whether any of the processing to which the notification relates is assessable processing, and
(b)if so, whether the assessable processing is likely to comply with the provisions of this Act.
(3)Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.
(4)Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.
(5)No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either—
(a)the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or
(b)before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.
(6)Where subsection (5) is contravened, the data controller is guilty of an offence.
(7)The [F7 Secretary of State] may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.
(1)The [F8 Secretary of State] may by order—
(a)make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller’s compliance with the provisions of this Act, and
(b)provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified in the order.
(2)An order under this section may—
(a)impose duties on data protection supervisors in relation to the Commissioner, and
(b)confer functions on the Commissioner in relation to data protection supervisors.
(1)Subject to subsection (3), where personal data are processed in a case where—
(a)by virtue of subsection (2) or (3) of section 17, subsection (1) of that section does not apply to the processing, and
(b)the data controller has not notified the relevant particulars in respect of that processing under section 18,
the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.
(2)In this section “the relevant particulars” means the particulars referred to in paragraphs (a) to (f) of section 16(1).
(3)This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.
(4)Any data controller who fails to comply with the duty imposed by subsection (1) is guilty of an offence.
(5)It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.
(1)As soon as practicable after the passing of this Act, the Commissioner shall submit to the Secretary of State proposals as to the provisions to be included in the first notification regulations.
(2)The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the [F9 Secretary of State] proposals as to amendments to be made to the regulations.
(3)The [F9 Secretary of State] may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.
(4)Before making any notification regulations, the [F9 Secretary of State] shall—
(a)consider any proposals made to him by the Commissioner under [F10subsection (2) or (3)], and
(b)consult the Commissioner.
(1)Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.
(2)In making any fees regulations, the [F11 Secretary of State] shall have regard to the desirability of securing that the fees payable to the Commissioner are sufficient to offset—
[F12(a)the expenses incurred by the Commissioner in discharging his functions under this Act and any expenses of the Secretary of State in respect of the Commissioner so far as attributable to those functions; and]
(b)to the extent that the Secretary of State considers appropriate—
(i)any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and
(ii)expenses incurred or to be incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the M1Superannuation Act 1972.
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include: