This Section reserves matters covered by certain United Kingdom and Community legislation concerning the protection of personal data.
Data protection concerns obtaining, holding, processing and disclosure of personal data (i.e. information about individuals) and the free movement of such data. Provision for this is currently made in the Data Protection Act 1998. The 1998 Act, which received Royal Assent on 16 July 1998, consolidated and repealed the Data Protection Act 1984. The 1998 Act is broader than the 1984 Act in two main respects. As required by Council Directive 95/46/EC, it extends data protection legislation to cover manually-held records as well as records held on computer. It also covers “accessible records” which are certain records in the social work, housing, health and education fields. Some parts of the 1998 Act did not come into force until 1 March 2000, but all of those matters are nevertheless reserved matters.
| Stage | Date | Column |
|---|---|---|
| CC | 30-Mar-98 | 958 |
| LC | 23-Jul-98 | 1070 |
| L3 | 9-Nov-98 | 607 |
The reservation of data protection is by reference to the subject-matter of the Data Protection Act 1998 and Council Directive 95/46/EC:
The Data Protection Act 1998. This regulates certain activities involving the obtaining, holding, processing and disclosure of personal data (i.e. data relating to an individual who can be identified from that information). It is in particular concerned with “data users” (i.e. persons who hold data which have been, or which are intended to be, processed by him or on his behalf) and “computer bureaux” (i.e. persons who process data on behalf of another person or allow that other person to use their equipment). It also covers manually held records and “accessible records” mentioned above.
The 1998 Act also deals with the office of the Data Protection Registrar. He or she is obliged to compile and maintain a register of data users and computer bureaux. This register is available for public inspection. Essentially, the entry for each data user on that register must describe, amongst other things, the personal data which he intends to hold, the purpose for which he intends to hold that data and a description of any persons to whom he intends or may wish to disclose the data. A data user may not, amongst other things, hold personal data of any description other than that specified in the entry, hold that data for any purpose other than the purpose so specified or disclose such data to any person who is not described in the entry. Similar provisions apply in respect of registered computer bureaux.
The 1998 Act also requires the Data Protection Registrar to promote the observance of the data protection principles by data users and computer bureaux. Those principles are set out in Part 1 of Schedule 1 to that Act. The purpose of the principles is to guide the use of data by data users and computer bureaux.
The interpretation part in the Section provides that where any provision of the 1998 Act is not in force on the principal appointed day (1 July 1999) it should be treated as if it were in force for the purpose of the reservation. This is necessary because some parts of the 1998 Act did not come into force until 1 March 2000.
Council Directive 95/46/EC. This is concerned with protection of individuals with regard to the processing of personal data and with the free movement of such data. It requires provision to be made which will:
extend to certain types of manually processed data;
set specific conditions of processing personal data;
set tighter conditions for processing sensitive data (for example about health, political opinions or religious beliefs);
provide certain exemptions for journalism;
allow individuals to object to processing in some circumstances; and
restrict some fully automated decision-making.
Most of these provisions have been implemented in the 1998 Act. However, the Directive contains some discretionary provisions which the UK has chosen to interpret in a certain way in the 1998 Act and it also sets out provisions establishing a Committee composed of representatives of the Member States. The reference to the Directive is therefore included to ensure that all of those matters are reserved matters.
The following functions have been included in the Scotland Act 1998 (Transfer of Functions to the Scottish Ministers etc.) Order 1999 (S.I. 1999/1750).
| The Data Protection Act 1984 (c.35), section 3(3)(a) and (b). | The function of the Secretary of State of being consulted by the Lord Chancellor on the appointment of chairman and deputy chairmen of the Data Protection Tribunal. |
| The Data Protection Act 1998 (c.29), section 6(4)(a) and (b). | The function of the Secretary of State of being consulted by the Lord Chancellor on appointments of the chairman and deputy chairmen of the Data Protection Tribunal. |