Data Protection Act 1998
1998 Chapter 29 - continued

back to previous text
 
  PART II
  RIGHTS OF DATA SUBJECTS AND OTHERS
Right of access to personal data.     7. - (1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled-
 
 
    (a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
 
    (b) if that is the case, to be given by the data controller a description of-
 
      (i) the personal data of which that individual is the data subject,
 
      (ii) the purposes for which they are being or are to be processed, and
 
      (iii) the recipients or classes of recipients to whom they are or may be disclosed,
 
    (c) to have communicated to him in an intelligible form-
 
      (i) the information constituting any personal data of which that individual is the data subject, and
 
      (ii) any information available to the data controller as to the source of those data, and
 
    (d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
      (2) A data controller is not obliged to supply any information under subsection (1) unless he has received-
 
 
    (a) a request in writing, and
 
    (b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
      (3) A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.
 
      (4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless-
 
 
    (a) the other individual has consented to the disclosure of the information to the person making the request, or
 
    (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
      (5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
 
      (6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to-
 
 
    (a) any duty of confidentiality owed to the other individual,
 
    (b) any steps taken by the data controller with a view to seeking the consent of the other individual,
 
    (c) whether the other individual is capable of giving consent, and
 
    (d) any express refusal of consent by the other individual.
      (7) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.
 
      (8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.
 
      (9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
 
      (10) In this section-
 
 
    "prescribed" means prescribed by the Secretary of State by regulations;
 
    "the prescribed maximum" means such amount as may be prescribed;
 
    "the prescribed period" means forty days or such other period as may be prescribed;
 
    "the relevant day", in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).
      (11) Different amounts or periods may be prescribed under this section in relation to different cases.
 
Provisions supplementary to section 7.     8. - (1) The Secretary of State may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.
 
      (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-
 
 
    (a) the supply of such a copy is not possible or would involve disproportionate effort, or
 
    (b) the data subject agrees otherwise;
  and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
 
      (3) Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
 
      (4) In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
 
      (5) Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.
 
      (6) The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
 
      (7) For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.
 
Application of section 7 where data controller is credit reference agency.     9. - (1) Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.
 
      (2) An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.
 
      (3) Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the Secretary of State by regulations, of the individual's rights-
 
 
    (a) under section 159 of the Consumer Credit Act 1974 , and
 
    (b) to the extent required by the prescribed form, under this Act.
Right to prevent processing likely to cause damage or distress.     10. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-
 
 
    (a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
 
    (b) that damage or distress is or would be unwarranted.
      (2) Subsection (1) does not apply-
 
 
    (a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or
 
    (b) in such other cases as may be prescribed by the Secretary of State by order.
      (3) The data controller must within twenty-one days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice-
 
 
    (a) stating that he has complied or intends to comply with the data subject notice, or
 
    (b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.
      (4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
 
      (5) The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.
 
Right to prevent processing for purposes of direct marketing.     11. - (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
 
      (2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
 
      (3) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
 
Rights in relation to automated decision-taking.     12. - (1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.
 
      (2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)-
 
 
    (a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and
 
    (b) the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.
      (3) The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) ("the data subject notice") give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.
 
      (4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.
 
      (5) In subsection (4) "exempt decision" means any decision-
 
 
    (a) in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or
 
    (b) which is made in such other circumstances as may be prescribed by the Secretary of State by order.
      (6) The condition in this subsection is that the decision-
 
 
    (a) is taken in the course of steps taken-
 
      (i) for the purpose of considering whether to enter into a contract with the data subject,
 
      (ii) with a view to entering into such a contract, or
 
      (iii) in the course of performing such a contract, or
 
    (b) is authorised or required by or under any enactment.
      (7) The condition in this subsection is that either-
 
 
    (a) the effect of the decision is to grant a request of the data subject, or
 
    (b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).
      (8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him ("the responsible person") has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).
 
      (9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.
 
Compensation for failure to comply with certain requirements.     13. - (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
 
      (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if-
 
 
    (a) the individual also suffers damage by reason of the contravention, or
 
    (b) the contravention relates to the processing of personal data for the special purposes.
      (3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
 
Rectification, blocking, erasure and destruction.     14. - (1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.
 
      (2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then-
 
 
    (a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and
 
    (b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).
      (3) Where the court-
 
 
    (a) makes an order under subsection (1), or
 
    (b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,
  it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
 
      (4) If a court is satisfied on the application of a data subject-
 
 
    (a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and
 
    (b) that there is a substantial risk of further contravention in respect of those data in such circumstances,
  the court may order the rectification, blocking, erasure or destruction of any of those data.
 
      (5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
 
      (6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.
 
Jurisdiction and procedure.     15. - (1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.
 
      (2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.
 
 
 
 
  continue previous section contents
  Other UK Acts |  Home |  Scotland Legislation |  Wales Legislation |  Northern Ireland Legislation |  Her Majesty's Stationery Office

We welcome your comments on this site
© Crown copyright 1998
Prepared 24 July 1998