Data Protection Act 1998 |
1998 Chapter 29 - continued |
|
PART II |
|
RIGHTS OF DATA SUBJECTS AND OTHERS |
Right of access to personal data. |
7. - (1)
Subject to the following provisions of this section and to sections 8 and
9, an individual is entitled- |
|
(a) to be informed by any data controller whether personal data of
which that individual is the data subject are being processed by or on
behalf of that data controller, |
|
(b) if that is the case, to be given by the data controller a
description of- |
|
(i) the personal data of which that individual is the data
subject, |
|
(ii) the purposes for which they are being or are to be processed,
and |
|
(iii) the recipients or classes of recipients to whom they are or
may be disclosed, |
|
(c) to have communicated to him in an intelligible form- |
|
(i) the information constituting any personal data of which that
individual is the data subject, and |
|
(ii) any information available to the data controller as to the
source of those data, and |
|
(d) where the processing by automatic means of personal data of
which that individual is the data subject for the purpose of evaluating
matters relating to him such as, for example, his performance at work,
his creditworthiness, his reliability or his conduct, has constituted or
is likely to constitute the sole basis for any decision significantly
affecting him, to be informed by the data controller of the logic
involved in that decision-taking. |
|
(2) A data controller is not
obliged to supply any information under subsection (1) unless he has
received- |
|
(a) a request in writing, and |
|
(b) except in prescribed cases, such fee (not exceeding the
prescribed maximum) as he may require. |
|
(3) A data controller is not
obliged to comply with a request under this section unless he is supplied
with such information as he may reasonably require in order to satisfy
himself as to the identity of the person making the request and to locate
the information which that person seeks. |
|
(4) Where a data controller cannot
comply with the request without disclosing information relating to another
individual who can be identified from that information, he is not obliged
to comply with the request unless- |
|
(a) the other individual has consented to the disclosure of the
information to the person making the request, or |
|
(b) it is reasonable in all the circumstances to comply with the
request without the consent of the other individual. |
|
(5) In subsection (4) the reference
to information relating to another individual includes a reference to
information identifying that individual as the source of the information
sought by the request; and that subsection is not to be construed as
excusing a data controller from communicating so much of the information
sought by the request as can be communicated without disclosing the
identity of the other individual concerned, whether by the omission of
names or other identifying particulars or otherwise. |
|
(6) In determining for the purposes
of subsection (4)(b) whether it is reasonable in all the circumstances to
comply with the request without the consent of the other individual
concerned, regard shall be had, in particular, to- |
|
(a) any duty of confidentiality owed to the other
individual, |
|
(b) any steps taken by the data controller with a view to seeking
the consent of the other individual, |
|
(c) whether the other individual is capable of giving consent,
and |
|
(d) any express refusal of consent by the other individual. |
|
(7) An individual making a request
under this section may, in such cases as may be prescribed, specify that
his request is limited to personal data of any prescribed
description. |
|
(8) Subject to subsection (4), a
data controller shall comply with a request under this section promptly
and in any event before the end of the prescribed period beginning with
the relevant day. |
|
(9) If a court is satisfied on the
application of any person who has made a request under the foregoing
provisions of this section that the data controller in question has failed
to comply with the request in contravention of those provisions, the court
may order him to comply with the request. |
|
(10) In this section-
|
|
"prescribed" means prescribed by the Secretary of State by
regulations; |
|
"the prescribed maximum" means such amount as may be
prescribed; |
|
"the prescribed period" means forty days or such other period as may
be prescribed; |
|
"the relevant day", in relation to a request under this section,
means the day on which the data controller receives the request or, if
later, the first day on which the data controller has both the required
fee and the information referred to in subsection (3). |
|
(11) Different amounts or periods
may be prescribed under this section in relation to different
cases. |
Provisions supplementary to section 7. |
8. - (1) The
Secretary of State may by regulations provide that, in such cases as may
be prescribed, a request for information under any provision of subsection
(1) of section 7 is to be treated as extending also to information under
other provisions of that subsection. |
|
(2) The obligation imposed by
section 7(1)(c)(i) must be complied with by supplying the data subject
with a copy of the information in permanent form unless- |
|
(a) the supply of such a copy is not possible or would involve
disproportionate effort, or |
|
(b) the data subject agrees otherwise; |
|
and where any of the information referred to in section
7(1)(c)(i) is expressed in terms which are not intelligible without
explanation the copy must be accompanied by an explanation of those
terms. |
|
(3) Where a data controller has
previously complied with a request made under section 7 by an individual,
the data controller is not obliged to comply with a subsequent identical
or similar request under that section by that individual unless a
reasonable interval has elapsed between compliance with the previous
request and the making of the current request. |
|
(4) In determining for the purposes
of subsection (3) whether requests under section 7 are made at reasonable
intervals, regard shall be had to the nature of the data, the purpose for
which the data are processed and the frequency with which the data are
altered. |
|
(5) Section 7(1)(d) is not to be
regarded as requiring the provision of information as to the logic
involved in any decision-taking if, and to the extent that, the
information constitutes a trade secret. |
|
(6) The information to be supplied
pursuant to a request under section 7 must be supplied by reference to the
data in question at the time when the request is received, except that it
may take account of any amendment or deletion made between that time and
the time when the information is supplied, being an amendment or deletion
that would have been made regardless of the receipt of the
request. |
|
(7) For the purposes of section
7(4) and (5) another individual can be identified from the information
being disclosed if he can be identified from that information, or from
that and any other information which, in the reasonable belief of the data
controller, is likely to be in, or to come into, the possession of the
data subject making the request. |
Application of section 7 where data controller is credit reference agency. |
9. - (1) Where
the data controller is a credit reference agency, section 7 has effect
subject to the provisions of this section. |
|
(2) An individual making a request
under section 7 may limit his request to personal data relevant to his
financial standing, and shall be taken to have so limited his request
unless the request shows a contrary intention. |
|
(3) Where the data controller
receives a request under section 7 in a case where personal data of which
the individual making the request is the data subject are being processed
by or on behalf of the data controller, the obligation to supply
information under that section includes an obligation to give the
individual making the request a statement, in such form as may be
prescribed by the Secretary of State by regulations, of the individual's
rights- |
|
(a) under section 159 of the Consumer Credit Act 1974, and |
|
(b) to the extent required by the prescribed form, under this
Act. |
Right to prevent processing likely to cause damage or distress. |
10. - (1)
Subject to subsection (2), an individual is entitled at any time by notice
in writing to a data controller to require the data controller at the end
of such period as is reasonable in the circumstances to cease, or not to
begin, processing, or processing for a specified purpose or in a specified
manner, any personal data in respect of which he is the data subject, on
the ground that, for specified reasons- |
|
(a) the processing of those data or their processing for that
purpose or in that manner is causing or is likely to cause substantial
damage or substantial distress to him or to another, and |
|
(b) that damage or distress is or would be unwarranted. |
|
(2) Subsection (1) does not apply-
|
|
(a) in a case where any of the conditions in paragraphs 1 to 4 of
Schedule 2 is met, or |
|
(b) in such other cases as may be prescribed by the Secretary of
State by order. |
|
(3) The data controller must within
twenty-one days of receiving a notice under subsection (1) ("the data
subject notice") give the individual who gave it a written notice-
|
|
(a) stating that he has complied or intends to comply with the data
subject notice, or |
|
(b) stating his reasons for regarding the data subject notice as to
any extent unjustified and the extent (if any) to which he has complied
or intends to comply with it. |
|
(4) If a court is satisfied, on the
application of any person who has given a notice under subsection (1)
which appears to the court to be justified (or to be justified to any
extent), that the data controller in question has failed to comply with
the notice, the court may order him to take such steps for complying with
the notice (or for complying with it to that extent) as the court thinks
fit. |
|
(5) The failure by a data subject
to exercise the right conferred by subsection (1) or section 11(1) does
not affect any other right conferred on him by this Part. |
Right to prevent processing for purposes of direct marketing. |
11. - (1) An
individual is entitled at any time by notice in writing to a data
controller to require the data controller at the end of such period as is
reasonable in the circumstances to cease, or not to begin, processing for
the purposes of direct marketing personal data in respect of which he is
the data subject. |
|
(2) If the court is satisfied, on
the application of any person who has given a notice under subsection (1),
that the data controller has failed to comply with the notice, the court
may order him to take such steps for complying with the notice as the
court thinks fit. |
|
(3) In this section "direct
marketing" means the communication (by whatever means) of any advertising
or marketing material which is directed to particular
individuals. |
Rights in relation to automated decision-taking. |
12. - (1) An
individual is entitled at any time, by notice in writing to any data
controller, to require the data controller to ensure that no decision
taken by or on behalf of the data controller which significantly affects
that individual is based solely on the processing by automatic means of
personal data in respect of which that individual is the data subject for
the purpose of evaluating matters relating to him such as, for example,
his performance at work, his creditworthiness, his reliability or his
conduct. |
|
(2) Where, in a case where no
notice under subsection (1) has effect, a decision which significantly
affects an individual is based solely on such processing as is mentioned
in subsection (1)- |
|
(a) the data controller must as soon as reasonably practicable
notify the individual that the decision was taken on that basis,
and |
|
(b) the individual is entitled, within twenty-one days of receiving
that notification from the data controller, by notice in writing to
require the data controller to reconsider the decision or to take a new
decision otherwise than on that basis. |
|
(3) The data controller must,
within twenty-one days of receiving a notice under subsection (2)(b) ("the
data subject notice") give the individual a written notice specifying the
steps that he intends to take to comply with the data subject
notice. |
|
(4) A notice under subsection (1)
does not have effect in relation to an exempt decision; and nothing in
subsection (2) applies to an exempt decision. |
|
(5) In subsection (4) "exempt
decision" means any decision- |
|
(a) in respect of which the condition in subsection (6) and the
condition in subsection (7) are met, or |
|
(b) which is made in such other circumstances as may be prescribed
by the Secretary of State by order. |
|
(6) The condition in this
subsection is that the decision- |
|
(a) is taken in the course of steps taken- |
|
(i) for the purpose of considering whether to enter into a
contract with the data subject, |
|
(ii) with a view to entering into such a contract, or |
|
(iii) in the course of performing such a contract, or |
|
(b) is authorised or required by or under any enactment. |
|
(7) The condition in this
subsection is that either- |
|
(a) the effect of the decision is to grant a request of the data
subject, or |
|
(b) steps have been taken to safeguard the legitimate interests of
the data subject (for example, by allowing him to make
representations). |
|
(8) If a court is satisfied on the
application of a data subject that a person taking a decision in respect
of him ("the responsible person") has failed to comply with subsection (1)
or (2)(b), the court may order the responsible person to reconsider the
decision, or to take a new decision which is not based solely on such
processing as is mentioned in subsection (1). |
|
(9) An order under subsection (8)
shall not affect the rights of any person other than the data subject and
the responsible person. |
Compensation for failure to comply with certain requirements. |
13. - (1) An
individual who suffers damage by reason of any contravention by a data
controller of any of the requirements of this Act is entitled to
compensation from the data controller for that damage. |
|
(2) An individual who suffers
distress by reason of any contravention by a data controller of any of the
requirements of this Act is entitled to compensation from the data
controller for that distress if- |
|
(a) the individual also suffers damage by reason of the
contravention, or |
|
(b) the contravention relates to the processing of personal data for
the special purposes. |
|
(3) In proceedings brought against
a person by virtue of this section it is a defence to prove that he had
taken such care as in all the circumstances was reasonably required to
comply with the requirement concerned. |
Rectification, blocking, erasure and destruction. |
14. - (1) If
a court is satisfied on the application of a data subject that personal
data of which the applicant is the subject are inaccurate, the court may
order the data controller to rectify, block, erase or destroy those data
and any other personal data in respect of which he is the data controller
and which contain an expression of opinion which appears to the court to
be based on the inaccurate data. |
|
(2) Subsection (1) applies whether
or not the data accurately record information received or obtained by the
data controller from the data subject or a third party but where the data
accurately record such information, then- |
|
(a) if the requirements mentioned in paragraph 7 of Part II of
Schedule 1 have been complied with, the court may, instead of making an
order under subsection (1), make an order requiring the data to be
supplemented by such statement of the true facts relating to the matters
dealt with by the data as the court may approve, and |
|
(b) if all or any of those requirements have not been complied with,
the court may, instead of making an order under that subsection, make
such order as it thinks fit for securing compliance with those
requirements with or without a further order requiring the data to be
supplemented by such a statement as is mentioned in paragraph
(a). |
|
(3) Where the court-
|
|
(a) makes an order under subsection (1), or |
|
(b) is satisfied on the application of a data subject that personal
data of which he was the data subject and which have been rectified,
blocked, erased or destroyed were inaccurate, |
|
it may, where it considers it reasonably practicable, order
the data controller to notify third parties to whom the data have been
disclosed of the rectification, blocking, erasure or
destruction. |
|
(4) If a court is satisfied on the
application of a data subject- |
|
(a) that he has suffered damage by reason of any contravention by a
data controller of any of the requirements of this Act in respect of any
personal data, in circumstances entitling him to compensation under
section 13, and |
|
(b) that there is a substantial risk of further contravention in
respect of those data in such circumstances, |
|
the court may order the rectification, blocking, erasure or
destruction of any of those data. |
|
(5) Where the court makes an order
under subsection (4) it may, where it considers it reasonably practicable,
order the data controller to notify third parties to whom the data have
been disclosed of the rectification, blocking, erasure or
destruction. |
|
(6) In determining whether it is
reasonably practicable to require such notification as is mentioned in
subsection (3) or (5) the court shall have regard, in particular, to the
number of persons who would have to be notified. |
Jurisdiction and procedure. |
15. - (1) The
jurisdiction conferred by sections 7 to 14 is exercisable by the High
Court or a county court or, in Scotland, by the Court of Session or the
sheriff. |
|
(2) For the purpose of determining
any question whether an applicant under subsection (9) of section 7 is
entitled to the information which he seeks (including any question whether
any relevant data are exempt from that section by virtue of Part IV) a
court may require the information constituting any data processed by or on
behalf of the data controller and any information as to the logic involved
in any decision-taking as mentioned in section 7(1)(d) to be made
available for its own inspection but shall not, pending the determination
of that question in the applicant's favour, require the information sought
by the applicant to be disclosed to him or his representatives whether by
discovery (or, in Scotland, recovery) or otherwise. |
|