Data Protection Act 1998

Section 1 - Basic interpretative provisions.

(1) In this Act, unless the context otherwise requires "data" means information which—

• (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
• (b) is recorded with the intention that it should be processed by means of such equipment,
• (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
• (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;
• (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);

"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

"data subject" means an individual who is the subject of personal data;

"personal data" means data which relate to a living individual who can be identified—

• (a) from those data, or
• (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

• (a) organisation, adaptation or alteration of the information or data,
• (b) retrieval, consultation or use of the information or data,
• (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
• (d) alignment, combination, blocking, erasure or destruction of the information or data;

"public authority" means a public authority as defined by the Freedom of Information Act 2000 or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002;

"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

(2) In this Act, unless the context otherwise requires—

• (a) "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data, and
• (b) "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.

(3)In determining for the purposes of this Act whether any information is recorded with the intention—

• (a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or
• (b) that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

(5) In paragraph (e) of the definition of “data” in subsection (1), the reference to information “held” by a public authority shall be construed in accordance with section 3(2) of the Freedom of Information Act 2000 [F5or section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002.

(6) Where

• (a) section 7 of the Freedom of Information Act 2000 prevents Parts I to V of that Act or
• (b) section 7(1) of the Freedom of Information (Scotland) Act 2002 prevents that Act,

from applying to certain information held by a public authority, that information is not to be treated for the purposes of paragraph (e) of the definition of "data" in subsection (1) as held by a public authority.

---

Section 10 - Right to prevent processing likely to cause damage or distress.

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

• (a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
• (b) that damage or distress is or would be unwarranted.

(2)Subsection (1) does not apply—

• (a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or
• (b) in such other cases as may be prescribed by the Secretary of State by order.

(3) The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—

• (a) stating that he has complied or intends to comply with the data subject notice, or
• (b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5) The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

---

Section 21 - Offences.

(1) If section 17(1) is contravened, the data controller is guilty of an offence.

(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.

(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

---

Section 22 - Preliminary assessment by Commissioner.

(1) In this section “assessable processing” means processing which is of a description specified in an order made by the Secretary of State as appearing to him to be particularly likely—

• (a) to cause substantial damage or substantial distress to data subjects, or
• (b) otherwise significantly to prejudice the rights and freedoms of data subjects.

(2) On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider—

• (a) whether any of the processing to which the notification relates is assessable processing, and
• (b) if so, whether the assessable processing is likely to comply with the provisions of this Act.

(3) Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.

(4) Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.

(5) No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either—

• (a) the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or
• (b) before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.

(6) Where subsection (5) is contravened, the data controller is guilty of an offence.

(7) The Secretary of State may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.

---

Section 40 - Enforcement notices.

(1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following—

• (a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or
• (b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.

p>(3) An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.

(4) An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either—

• (a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or
• (b) to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.

(5) Where—

• (a) an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or
• (b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles,

an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.

(6) An enforcement notice must contain—

• (a) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and
• (b) particulars of the rights of appeal conferred by section 48.

(7) Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(8) If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.

(9) Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.

(10) This section has effect subject to section 46(1).

---

Section 55 - Unlawful obtaining etc. of personal data.

(1) A person must not knowingly or recklessly, without the consent of the data controller—

• (a) obtain or disclose personal data or the information contained in personal data, or
• (b) procure the disclosure to another person of the information contained in personal data.

(2) Subsection (1) does not apply to a person who shows—

• (a) that the obtaining, disclosing or procuring—
• (i) was necessary for the purpose of preventing or detecting crime, or
• (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,
• (b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
• (c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
• (d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3) A person who contravenes subsection (1) is guilty of an offence.

(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5) A person who offers to sell personal data is guilty of an offence if—

• (a) he has obtained the data in contravention of subsection (1), or
• (b) he subsequently obtains the data in contravention of that subsection.

(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8) References in this section to personal data do not include references to personal data which by virtue of section 28 [1or 33A] are exempt from this section.

---

Section 55A - Power of Commissioner to impose monetary penalty.

(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

• (a) there has been a serious contravention of section 4(4) by the data controller,
• (b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
• (c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

• (a) knew or ought to have known —
• (i) that there was a risk that the contravention would occur, and
• (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
• (b) failed to take reasonable steps to prevent the contravention.

(3A) The Commissioner may not be satisfied as mentioned in subsection (1) by virtue of any matter which comes to the Commissioner's attention as a result of anything done in pursuance of—

• (a) an assessment notice;
• (b) an assessment under section 51(7).

(4) A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

(5) The amount determined by the Commissioner must not exceed the prescribed amount.

(6) The monetary penalty must be paid to the Commissioner within the period specified in the notice.

(7) The notice must contain such information as may be prescribed.

(8)Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.

In this section—

• "data controller" does not include the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3);
• "prescribed" means prescribed by regulations made by the Secretary of State.

---

Section 55B - Monetary penalty notices: procedural rights.

(1) Before serving a monetary penalty notice, the Commissioner must serve the data controller with a notice of intent.

(2) A notice of intent is a notice that the Commissioner proposes to serve a monetary penalty notice.

(3) A notice of intent must—

• (a) inform the data controller that he may make written representations in relation to the Commissioner's proposal within a period specified in the notice, and
• (b) contain such other information as may be prescribed.

(4) The Commissioner may not serve a monetary penalty notice until the time within which the data controller may make representations has expired.

(5) A person on whom a monetary penalty notice is served may appeal to the Tribunal against—

• (a)the issue of the monetary penalty notice;
• (b)the amount of the penalty specified in the notice.

(6)In this section, “prescribed” means prescribed by regulations made by the Secretary of State.

---

Section 55C - Guidance about monetary penalty notices.

(1) The Commissioner must prepare and issue guidance on how he proposes to exercise his functions under sections 55A and 55B.

(2)The guidance must, in particular, deal with—

• (a) the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and
• (b) how he will determine the amount of the penalty.

(3) The Commissioner may alter or replace the guidance.

(4) If the guidance is altered or replaced, the Commissioner must issue the altered or replacement guidance.

(5) The Commissioner must consult the Secretary of State before issuing any guidance under this section.

(6) The Commissioner must lay any guidance issued under this section before each House of Parliament.

(7) The Commissioner must arrange for the publication of any guidance issued under this section in such form and manner as he considers appropriate.

(8) In subsections (5) to (7), “ guidance ” includes altered or replacement guidance.

---

Section 55D - Monetary penalty notices: enforcement.

(1) This section applies in relation to any penalty payable to the Commissioner by virtue of section 55A.

(2) In England and Wales, the penalty is recoverable—

• (a) if the county court so orders, as if it were payable under an order of that court;
• (b) if the High Court so orders, as if it were payable under an order of that court.

(3) In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(4) In Northern Ireland, the penalty is recoverable—

• (a) if a county court so orders, as if it were payable under an order of that court;
• (b) if the High Court so orders, as if it were payable under an order of that court.

---

Section 55E - Notices under sections 55A and 55B: supplemental.

(1) The Secretary of State may by order make further provision in connection with monetary penalty notices and notices of intent.

(2) An order under this section may in particular—

• (a) provide that a monetary penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;
• (b) make provision for the cancellation or variation of monetary penalty notices;
• (c) confer rights of appeal to the Tribunal against decisions of the Commissioner in relation to the cancellation or variation of such notices;
• (d)
• (e) make provision for the determination of appeals made by virtue of paragraph (c);
• (e)

(3) An order under this section may apply any provision of this Act with such modifications as may be specified in the order.

(4) An order under this section may amend this Act.

---

Section 60 - Prosecutions and penalties.

(1) No proceedings for an offence under this Act shall be instituted—

• (a) in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;
• (b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.

(2) A person guilty of an offence under any provision of this Act other than section 54A and paragraph 12 of Schedule 9 is liable—

• (a) on summary conviction, to a fine not exceeding the statutory maximum, or
• (b) on conviction on indictment, to a fine.

(3) A person guilty of an offence under section 54A and paragraph 12 of Schedule 9 is liable on summary conviction to a fine not exceeding level 5 on the standard scale.

(4) Subject to subsection (5), the court by or before which a person is convicted of—

• (a) an offence under section 21(1), 22(6), 55 or 56,
• (b) an offence under section 21(2) relating to processing which is assessable processing for the purposes of section 22, or
• (c) an offence under section 47(1) relating to an enforcement notice,

may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

(5) The court shall not make an order under subsection (4) in relation to any material where a person (other than the offender) claiming to be the owner of or otherwise interested in the material applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.