Data Protection Act 1998

1998 Chapter 29
An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. [16th July 1998] BE IT ENACTED by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows

ARRANGEMENT OF SECTIONS

PART I. PRELIMINARY
Section
1. Basic interpretative provisions

1. In this Act, unless the context otherwise requires-“data” means information which:
a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
b) is recorded with the intention that it should be processed by means of such equipment,
c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;
“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
“data subject” means an individual who is the subject of personal data;
“personal data” means data which relate to a living individual who can be identified:
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data;
“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

2. In this Act, unless the context otherwise requires:
a) “obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the data, and
b) “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the data.

3. In determining for the purposes of this Act whether any information is recorded with the intention:
a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or
b) that it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

4. Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

2. Sensitive personal data.

In this Act “sensitive personal data” means personal data consisting of information as to:
a) the racial or ethnic origin of the data subject,
b) his political opinions,
c) his religious beliefs or other beliefs of a similar nature,
d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
e) his physical or mental health or condition,
f) his sexual life,
g) the commission or alleged commission by him of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

3. The special purposes.
In this Act “the special purposes” means any one or more of the following:
a) the purposes of journalism,
b) artistic purposes, and
c) literary purposes.

4. The data protection principles

1. References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.
2. Those principles are to be interpreted in accordance with Part II of Schedule 1.
3. Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.
4. Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

5. Application of Act.

1. Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if:
a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

2. A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

3. For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-
a) an individual who is ordinarily resident in the United Kingdom,
b) a body incorporated under the law of, or of any part of, the United Kingdom,
c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and
d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-
I) an office, branch or agency through which he carries on any activity, or
II) a regular practice; and the reference to establishment in any other EEA State has a corresponding meaning.

6. The Commissioner and the Tribunal

1. The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner; and in this Act the Data Protection Commissioner is referred to as “the Commissioner”.

2.  The Commissioner shall be appointed by Her Majesty by Letters Patent.

3.  For the purposes of this Act there shall continue to be a Data Protection Tribunal (in this Act referred to as “the Tribunal”).

4.  The Tribunal shall consist of-
a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,
b) such number of deputy chairmen so appointed as the Lord Chancellor may determine, and
c) such number of other members appointed by the Secretary of State as he may determine.

5. The members of the Tribunal appointed under subsection (4)(a) and (b) shall be-
a) persons who have a 7 year general qualification, within the meaning of section 71 of the Courts and Legal Services Act 1990,
b) advocates or solicitors in Scotland of at least 7 years' standing, or
c) members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years' standing.

6. The members of the Tribunal appointed under subsection (4)© shall be-
a) persons to represent the interests of data subjects, and
b) persons to represent the interests of data controllers.

7. Schedule 5 has effect in relation to the Commissioner and the Tribunal.

PART II. RIGHTS OF DATA SUBJECTS AND OTHERS
Section
7. Right of access to personal data
8. Provisions supplementary to section 7
9. Application of section 7 where data controller is credit reference agency
10. Right to prevent processing likely to cause damage or distress.
11. Right to prevent processing for purposes of direct marketing
12. Rights in relation to automated decision-taking
13. Compensation for failure to comply with certain requirements.
14. Rectification, blocking, erasure and destruction
15. Jurisdiction and procedure

PART III. NOTIFICATION BY DATA CONTROLLERS
Section
16. Preliminary.
17. Prohibition on processing without registration
18. Notification by data controllers
19. Register of notifications
20. Duty to notify changes
21. Offences.
22. Preliminary assessment by Commissioner
23. Power to make provision for appointment of data protection supervisors
24. Duty of certain data controllers to make certain information available
25. Functions of Commissioner in relation to making of notification regulations
26. Fees regulations

PART IV. EXEMPTIONS
Section
27. Preliminary.
28. National security.
29. Crime and taxation
30. Health, education and social work
31. Regulatory activity
32. Journalism, literature and art.
33. Research, history and statistics.
34. Information available to the public by or under enactment
35. Disclosures required by law or made in connection with legal proceedings etc
36. Domestic purposes
37. Miscellaneous exemptions
38. Powers to make further exemptions by order
39. Transitional relief

PART V. ENFORCEMENT
Section
40. Enforcement notices
41. Cancellation of enforcement notice
42. Request for assessment.
43. Information notices
44. Special information notices
45. Determination by Commissioner as to the special purposes
46. Restriction on enforcement in case of processing for the special purposes
47. Failure to comply with notice
48. Rights of appeal.
49. Determination of appeals
50. Powers of entry and inspection

PART VI. MISCELLANEOUS AND GENERAL
Functions of Commissioner
51. General duties of Commissioner.
52.  Ports and codes of practice to be laid before Parliament.
53. Assistance by Commissioner in cases involving processing for the special purposes.
54. International co-operation.

Unlawful obtaining etc. of personal data
55. Unlawful obtaining etc. of personal data.

Records obtained under data subject’s right of access
56.  Prohibition of requirement as to production of certain records.
57.  Avoidance of certain contractual terms relating to health records

Information provided to Commissioner or Tribunal
58. Disclosure of information
59. Confidentiality of information
60. Prosecuions and penalties
61. Liability of directors etc.Amendments of Consumer Credit Act 1974
62.  Amendments of Consumer Credit Act 1974General

General provisions relating to offences
63. Application to Crown
64. Transmisión of notices etc. By electronic or other means
65. Service of notices by Commissioner
66. Exercise of rights in Scotland by children
67. Orders, regulations and rules
68. Meaning of “accessible record”
69. Meaning of “health professional”
70. Supplementary definitions
71. Index of definend expressions
72. Modifications of Act

73. Transational provisions and savings
74. Minor and consequential amendments and repeals and revocations
75. Short title, commencement and extent
 
SCHEDULES:
Schedule 1. The data protection principles
Part I The principles
Part II Interpretation of the principples in Part I

Schedule 2. Conditions relevant for purposes of the first principle: processing of any personal data

Schedule 3. Conditions relevant for purposes of the first principle: processing of sensitive personal data

Schedule 4. Cases where the eight principle does not apply

Schedule 5. The Data Protection Commissioner and the Data Protection Tribunal
Part I. The Commissioner
Part II The Tribunal
Part III. Transitional provisions

Schedule 6. Appeal proceedings

Schedule 7. Miscellaneous exemptions

Schedule 8. Transitional relief
Part I. Interpretation of Schedule
Part II. Exemptions available before 24th. October 2001
Part III. Exemptions available after 23rd October 2001 but before 24th October
Part IV. Exemptions after 23rd October 2001 for historical research
Part V. Exemption from section 22

Schedule 9. Powers of entry and inspection

Schedule 10. Further provisions relating to assistance under section 53

Schedule 11. Educational records

Schedule 12. Accessible public records

Schedule 13. Modifications of Act having effect before 24th October 2007

Schedule 14. Transational provisions and savings

Schedule  15. Minor and consequential amendments

Schedule 16. Repeals and revocations
Part I Repeals
Part II. Revocations

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.