CITY OF LONDON


Data protection act


Data Protection Act 1998 - a summary

The purpose of this summary is to assist you in exercising your rights, by highlighting some of the areas of the Act which are of particular relevance. Please note that, although every effort is made to ensure that the information provided is correct, the City of London does not take responsibility for any inaccuracies.

The Act

The Data Protection Act 1998 came into force on 1 March 2000 and replaced the Data Protection Act 1984. It gives individuals (‘data subjects’) a general right of access to ‘personal data’ (ie personal information) about themselves held by ‘data controllers’ within the United Kingdom. It also lays down principles for the way personal data must be managed.

A ‘data controller’ is a person who determines the purposes of the processing of personal data, and the manner of the processing. The City of London is a data controller.

Until 1 January 2005, the Act applies to such data where it is held on computer and where it is held in highly structured filing systems which are not computerised.

After 1 January 2005, for public authorities it applies to such data however it is held, although there are still some limitations with regard to filing systems which are not computerised.

Information Commissioner

The Information Commissioner is responsible for ensuring compliance by public authorities with the Data Protection Act 1998 and the Freedom of Information Act 2000. This may involve monitoring, issuing guidance or taking formal steps to enforce compliance with the Acts. The Information Commissioner is a Crown appointment, reporting directly to Parliament.

Information Tribunal

Where the Information Commissioner makes a formal decision about an alleged failure to comply with the Data Protection Act 1998 or the Freedom of Information Act 2000, with which any of the parties concerned is dissatisfied, appeal can be made to the Information Tribunal. The functions and operation of the Information Tribunal are described in the acts. The chairman is appointed by the Lord Chancellor.

Data Protection principles

The Data Protection Act 1998 establishes the following 8 principles in relation to the processing (ie management) of personal data:

  1. Personal data should be processed fairly and lawfully.
  2. Data should only be obtained for specified purposes and should not be further processed in a manner incompatible with these purposes.
  3. Personal data should be adequate, relevant and not excessive in relation to the purposes for which they were collected.
  4. Personal data should be accurate and where necessary kept up to date.
  5. Personal data should not be kept longer than is needed for its intended purpose.
  6. Personal data should be processed in accordance with the rights of the individual which the information concerns.
  7. Appropriate measures should be taken against unauthorised or unlawful processing or destruction of personal data.
  8. Personal data should not be transferred outside the European Economic Area (the EU states plus Liechtenstein, Iceland and Norway).

Lawful processing

In accordance with principle 1, any processing of personal data must be allowed by, or required by, statute or common law.

Fair processing code

Also in accordance with principle 1, any processing must be fair; that is, it must be carried out without deception. The part of the Act which deals with this is now called the ‘Fair Processing Code’. So far as practicable, and subject to exemptions, data subjects should be provided with certain information at the time of collection or as soon as practicable thereafter, so that they understand why and how their data are being processed. This information is provided in a Fair Processing Notice.

Fair processing notice

The fair processing notice (also known by other names such as ‘data protection notice’) should include the following information:

  • the identity of the data controller
  • the purposes for which the personal data are intended to be processed
  • to whom the personal data may be disclosed, eg a government department or agency
  • any further information regarding the processing that is needed to enable processing in respect of the data subject to be fair

Further conditions for fair processing

In addition, personal data must not be processed unless one of the conditions listed in Schedule 2 of the Act is met; in the case of sensitive personal data, one of the conditions listed in Schedule 3 must also be met.

Schedule 2 - Conditions for processing personal data

One of the following conditions must be met for processing personal data:

  • consent has been given by the data subject
  • it is for entering or performing a contract with the data subject
  • the data controller is under a legal obligation, other than under contract
  • it is to protect the vital interests of the data subject
  • it is for the administration of justice, exercising functions under an enactment, exercising of government functions, or the exercise of any other functions of a public nature in the public interest
  • it is for the pursuit of the legitimate interests of the data controller

The Secretary of State may also make an Order concerning other particular circumstances.

Schedule 3 - Conditions for processing sensitive personal data

For processing of sensitive personal data, one of the conditions listed in Schedule 2 must be met, and also one of the following conditions listed in Schedule 3 must be met:

  • explicit consent has been given by the data subject
  • it is for the exercise of rights or obligations in connection with employment
  • it is to protect the vital interests of the data subject or anyone else
  • it is part of the legitimate activity of a not-for-profit organisation
  • the personal data have already been made public by the data subject
  • it forms part of legal proceedings, including obtaining legal advice, and exercising or defending legal rights
  • it is for the administration of justice, or exercising functions under an enactment, or exercising of government functions
  • it is for medical purposes
  • it is for the purpose of monitoring equality of opportunity

The Secretary of State may also make an Order concerning other particular circumstances.

‘Sensitive personal data’ consist of data relating to one or more of the following:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious beliefs or other beliefs of a similar nature
  4. Trade Union membership
  5. Physical or mental health
  6. Sexual life
  7. Offences committed or alleged to have been committed
  8. Proceedings in relation to these, including the sentence of any court

Rights of data subjects and others

The Data Protection Act 1998 sets out a framework of general individual rights in relation to personal data. These are described in Part II of the Act, which concerns ‘Rights of Data Subjects and Others’. This is the section to which the 6th data protection principle largely relates.

The six general rights are:

1. Right of access to personal data (section 7 of the Act).

There is a general right of access by a data subject to the personal data held about the data subject by the data controller. The process by which this right is exercised is called a ‘Subject Access Request’ (often abbreviated to SAR). The Act describes how the data controller must respond to such requests when an exemption does not apply. A data controller has 40 calendar days in which to provide the requested data, if no exemption applies.

If a data controller fails to comply with a subject access request made by a data subject, the data subject can apply to court, which may support the request and order the data controller to comply.

2. Right to prevent processing which causes substantial damage or distress (section 10 of the Act).

There is a right to require processing either to cease, or not to start, if it would cause the data subject, or anyone else, substantial unwarranted damage or distress. A data subject can issue a ‘Data Subject Notice’ to a data controller to prevent processing which he thinks is causing or likely to cause unwarranted damage or distress to the data subject or to another person, unless the data controller has met one of the first four conditions for processing stated in Schedule 2 of the Act (conditions for processing personal data). The data controller must respond within 21 days of receiving the notice, either complying or stating reasons why he is not complying. The data subject can apply to court, which may support the notice and order the data controller to comply.

3. Right to prevent direct marketing (section 11 of the Act).

A data subject can give a notice in writing to a data controller to cease or not begin processing for the purpose of direct marketing (in any medium) to the data subject. If the data controller does not comply, the data subject can apply to court, which may support the notice and order the data controller to comply.

The Act defines direct marketing as

the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals (s 11)

The Information Commissioner, in Data Protection Act 1998: Legal Guidance, has placed a broad interpretation on this definition. The Information Commissioner regards the term as

covering a wide range of activities which will apply not just to the offer for sale of goods or services, also the promotion of … aims and ideals.

4. Right in relation to automated decision-taking (section 12 of the Act).

A data subject can give a notice in writing to a data controller to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that data subject is based solely on processing by automatic means.

If the notice has no effect but a decision using automatic means is nevertheless taken, the data controller must, as soon as reasonably practicable, inform the data subject of the processing. The data subject then has 21 days in which to write to request reconsideration of the decision (a ‘data subject notice’). The data controller then has 21 days to respond specifying the steps he will take to comply. If he does not comply, the data subject can apply to court, which may support the notice and order the data controller to comply.

5. Right to compensation for damage and distress (section 13 of the Act).

A data subject who has suffered damage as a result of any contravention of the act by a data controller has a right to compensation. The right to compensation for distress exists if damage has also occurred.

6. Right to have inaccurate personal data rectified, blocked, erased or destroyed (section 14 of the Act).

If a court is satisfied that personal data being processed are inaccurate, it can order the data controller to rectify, block, erase or destroy the data. The court may also order third parties in receipt of the inaccurate data to be notified.

Subject access request

There is a general right of access to personal data. This is the right by a data subject to see the personal data held about the data subject by the data controller. The process by which this right is exercised is called a ‘subject access request’ (often abbreviated to SAR).

A data controller has 40 calendar days in which to provide the requested data, if no exemption applies. The data controller is allowed to ask for proofs of identity, and to charge an administration fee of £10. If proofs of identity are required and/or the fee is requested, the 40 days begin when the proofs and/or the fee are received.

If the data controller fails to comply with a subject access request, the data subject can apply to court, which may support the request and order the data controller to comply. There is no obligation on the data subject to state why he/she is making a subject access request.

The right of access to personal data is the key provision for the exercise of other rights under the Act. Unless data subjects can learn what data are held about them, their rights to correct or challenge it may become valueless.

Notification

Data controllers have to ‘notify’ the Information Commissioner of the purposes for which they process personal data by electronic means.

The notifications are stored as a register entry. The register is a Public Register of Data Controllers.

The City of London’s entry can be accessed on the register by typing in its Registration Number, which is Z5996206.

There are certain exemptions to notification (for example, the processing of personal data for personal, family or household affairs, including for recreational purposes, does not have to be notified).

It is a criminal offence to process personal data without notification, unless exempted from doing so.

Exemptions

Part III of the Data Protection Act 1998 concerns exemptions from aspects of the Act, particularly from certain basic aspects of the Act such as restrictions on providing personal data to third parties, and the right of access by data subjects to their personal data. There are very few exemptions from the entirety of the Act, although there are some exemptions from much of the Act.

Exemptions under the Act can appear complex. There are some exemptions to prohibitions on sharing personal data with third parties; and also some exemptions to disclosure to data subjects of the personal data held about them.

Exemptions to prohibitions on data sharing with third parties are where:

  • the data subjects have given their consent
  • the sharing is for the prevention or detection of crime
  • the sharing is for the assessment of any tax or duty
  • the sharing is necessary to exercise a right or obligation conferred or imposed by law (other than an obligation imposed by contract)
  • the sharing is for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings)
  • the sharing is for the purpose of obtaining legal advice
  • the sharing is for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress)

There may be an exemption to access to personal data by data subjects where the personal data:

  • are part of a confidential reference given by the data controller
  • are subject to a duty of confidentiality, eg confidential references provided to the data controller
  • are subject to legal professional privilege
  • are being used to investigate crime or detect fraud
  • are being used for management forecasting or planning
  • are part of negotiations which would be prejudiced if disclosed
  • are, in the opinion of the data controller or of independent professional advice, likely to cause serious harm to the physical or mental health of the data subject or another person
  • relate to health, education and social work, and are processed by a court and consist of information supplied in a report or other evidence to the court by a local authority
  • are processed for the purposes of assessing suitability for the conferring by the Crown of an honour

Complaint procedures

General right of complaint to the Information Commissioner

With regard to any data protection matter, complaint can be made by anyone to the Information Commissioner.

Request to the Information Commissioner for an assessment

In addition, a data subject (or anyone acting on his or her behalf) can request the Information Commissioner to assess if data processing is being carried out by a data controller in compliance with the Data Protection Act 1998. The time period for responding to an assessment request is determined by the Information Commissioner.

Enforcement procedures

Information notice

If a request under the Data Protection Act 1998 has been made of the Information Commissioner for an assessment of a data controller, or if anyone enquires as to whether a data controller is complying with the principles, the Information Commissioner can ask the data controller for further information, specifying the time within which to respond to the request. This is called an ‘information notice’.

There are rights of appeal to the Information Tribunal against an information notice. Thereafter, a person who fails to comply is guilty of an offence.

Enforcement Notice

When satisfied that a contravention has taken place under the Act, the Information Commissioner can issue an ‘enforcement notice’, specifying a time within which compliance must take place.

The notice must state the data protection principles contravened and state that damage and distress are key criteria; and, if principle 4 has been contravened, the Information Commissioner may request the data controller to rectify, block, erase or destroy the data. There may also be a request that, if practicable, third parties to whom the information has been made available are informed of corrections.

There are rights of appeal to the Information Tribunal against an enforcement notice. Thereafter, a person who fails to comply is guilty of an offence.

Powers of entry and inspection

If a judge is satisfied, on information supplied by the Information Commissioner, that there are reasonable grounds for suspecting that

  • a data controller has contravened any of the data protection principles, or
  • a criminal offence under the Act has been committed

then the judge may grant the Commissioner a warrant giving powers to

  • enter and search premises
  • inspect and seize documents
  • inspect equipment in which personal data may be stored

Appeal procedures

Appeal to the Information Tribunal by data controllers

There are rights of appeal to the Information Tribunal against an information notice or enforcement notice.

Appeal from a decision of the Information Tribunal

Appeal from the decision of the Information Tribunal can be made only on a point of law. This appeal would be made to the High Court.

Civil proceedings

The Data Protection Act 1998 permits civil proceedings by data subjects against data controllers. This is in relation to the six rights described in the section on ‘Rights of data subjects and others’. The jurisdiction for civil proceedings is the High Court or a County Court. Should damages be awarded, the amount that may be awarded is unlimited.


Data Protection - useful external links

Information Commissioner’s Office (ICO)

ICO home page 

Data Protection 

Electronic Communications Regulations 2003 

Compliance with the Data Protection Act 1998, The Privacy and Electronic Communications (EC Directive) Regulations 2003, and the Freedom of Information Act 2000, is monitored by the Information Commissioner, a Crown appointment, reporting directly to Parliament.

On the Information Commissioner’s website can be found codes of practice and extensive other guidance on compliance with the Data Protection Act 1998. This includes

However, this is only a very small selection of the guidance available.

Department for Constitutional Affairs (DCA)

DCA home page 

Data Protection 

The Department for Constitutional Affairs is the government department which during 2003 superseded the Lord Chancellor’s Department. The department is the government department responsible for upholding justice, rights and democracy. This includes keeping the operation of the Freedom of Information Act 2000 and the Data Protection Act 1998 under review. The Department’s website contains guidance on issues in relation to these acts.

British Standards Institution (BSI)

BSI home page 

The BSI, in cooperation with the Information Commissioner, has published a series of standards in relation to compliance with the Data Protection Act 1998. The standards are prefixed with the code BIP 0012, and thereafter are numbered 1, 2, 3, (etc). They include

Data Protection, Part 7 - Guide to Subject Access

(BIP 0012-7, 3rd edition, August 2003, ISBN 0580 33329 9).

Her Majesty’s Stationery Office (HMSO)

HMSO home page 

Search page (this is useful for finding copies of Acts and Statutory Instruments)

The HMSO provides online viewing of Acts, Statutory Instruments, Explanatory Notes (to legislation), etc.

The Constitution Unit, University College London (UCL)

UCL home page 

The Constitution Unit is a UK independent research body on constitutional change. The Unit is based in the School of Policy at University College London and conducts a programme of research, training, consultancy and advice. It has developed a close interest in Data Protection and Freedom of Information, and its website and newsletter are useful sources of information on these subjects.

