- Latest available (Revised)
- Original (As made)
This is the original version (as it was originally made). UK Statutory Instruments are not carried in their revised form on this site.
26th November 1987
Laid before Parliament
4th December 1987
Coming into force
1st January 1988
In exercise of the powers conferred upon me by section 37 of the Data Protection Act 1984(1) and after consultation with the Data Protection Registrar in accordance with section 40(3) of that Act, I hereby make the following order:
1. This Order may be cited as the Data Protection (Functions of Designated Authority) Order 1987 and shall come into force on 1st January 1988.
2. The functions to be discharged by the Data Protection Registrar in his capacity as the designated authority in the United Kingdom for the purposes of Article 13 of the European Convention shall be those specified in the Schedule to this Order.
One of Her Majesty’s Principal Secretaries of State
26th November 1987
1.—(1) In this Schedule —
“the Act” means the Data Protection Act 1984;
“designated authority” means an authority designated for the purposes of Artice 13 of the European Convention by a party, other than the United Kingdom, which is bound by that Convention;
“request”, except in paragraph 2 below, means a request for assistance under Article 14 of the European Convention which states —
the name and address of the person making the request;
particulars which identify the personal data to which the request relates;
the rights under Article 8 of the European Convention to which the request relates;
the reasons why the request has been made,
and “requesting person” means a person making such a request.
(2) In this Schedule any reference to an article is a reference to an article in the European Convention and any reference to a section is a reference to a section of the Act.
2.—(1) The Registrar shall, at the request of a designated authority, furnish to that authority information relating to any of the following matters —
(a)the procedures followed by him in discharging his functions under the Act;
(b)entries made by him in the register under section 4(1) of the Act which are specified in the request;
(c)the data protection legislation in force in the United Kingdom at the time the request is made;
(d)the codes of practice, if any, disseminated by trade associations, or other bodies representing data users, to their members for guidance in complying with the data protection principles.
(2) The Registrar shall, at the request of a designated authority, take appropriate measures, as required by Article 13(3)(b), for furnishing to that Authority information relating to the processing of data in the United Kingdom.
(3) The Registrar may request a designated authority to furnish to him, or, as the case may be, to take appropriate measures for furnishing to him, the information referred to in Article 13(3).
3.—(1) This paragraph applies where a requesting person resident outside the United Kingdom makes a request to the Registrar which is forwarded to him through the Secretary of State or designated authority seeking assistance in exercising any of the rights referred to in Part III of the Act.
(2) If the request —
(a)seeks assistance in exercising the right under section 21 (right of access to personal data); and
(b)does not indicate that the data user has failed, contrary to section 21, to comply with the same request on a previous occasion,
the Registrar shall notify the requesting person of the data user’s address for the receipt of requests from data subjects for access to data and of such other information as the Registrar considers necessary to enable that person to exercise his right under section 21.
(3) If the request indicates that a data protection principle has been contravened by a data user the Registrar shall either —
(a)notify the requesting person of the rights of data subjects and the remedies available to them under Part III of the Act together with such particulars as are contained in the data user’s entry in the register as are necessary to enable the requesting person to avail himself of those remedies; or
(b)if the Registrar considers that notification in accordance with sub-paragraph (a) would not assist the requesting person or would, for any other reason, be inappropriate, treat the request as if it were a complaint which falls to be dealt with under section 36(2).
(4) The Registrar shall not be required, in response to any request referred to in paragraphs (2) and (3) above, to supply to the requesting person a duly certified copy in writing of the particulars contained in the entry made in the register in pursuance of any application for registration other than on payment of such fee as is prescribed for the purposes of section 9(2).
4.—(1) Where a request for assistance in exercising any of the rights referred to in Article 8 in a country or territory (other than the United Kingdom) specified in the request is made by a person resident in the United Kingdom and submitted through the Registrar under Article 14(2), the Registrar shall, if he is satisfied that the request is addressed to the appropriate person, send it to the designated authority in the specified country or territory.
(2) If the Registrar decides that he is not required by sub-paragraph (1) to render assistance to the requesting person he shall, where practicable, notify that person of the reasons for his decision.
5. Where the Registrar receives information from a designated authority as a result of either —
(a)a request made by him under paragraph 2(2) above; or
(b)a request received by him under paragraph 3 above,
the Registrar shall use that information only for the purposes specified in the request.
(This note is not part of the Order)
Section 37 of the Data Protection Act 1984 provides that the Data Protection Registrar (“the Registrar”) shall be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981 (“the European Convention”). It also provides that the Secretary of State may by Order make provision as to the functions to be discharged by the Registrar in that capacity.
This Order specifies those functions. In particular, paragraph 2 of the Schedule requires the Registrar to furnish certain information to the designated authorities in other Convention countries and also provides that he may request such authorities to furnish him with information. Paragraph 3 requires the Registrar to assist the persons resident outside the United Kingdom in exercising their right of access to personal data under the Act. It also requires him to notify a resident outside the United Kingdom of the rights and remedies available under Part III of the Act and in certain circumstances to treat any request made to him by such a resident as a complaint to be dealt with under section 36(2) of the Act. Paragraph 4 provides that if a request for assistance in exercising rights of access to personal data in a Convention country is made by a person resident in the United Kingdom and submitted to the Registrar, the Registrar shall send the request to the designated authority in that country.
The European Convention is published by the Council of Europe, Strasbourg, France and is available from Her Majesty’s Stationery Office. It enters into force in respect of the United Kingdom on 1st December 1987.
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.