The International Forum for Responsible Media Blog

Top 10 Privacy and Data Protection Cases of 2021: A selection – Suneet Sharma


1. Lloyd v Google LLC [2021] UKSC 50

In the most significant privacy law judgment of the year the UK Supreme Court considered whether a class action could be brought against Google for breach of s4(4) Data Protection Act 1998 (“DPA”), that is, of its obligations as a data controller, in respect of its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998. The amount claimed per person advanced in the letter of claim was £750. Collectively, given the number of people affected by the processing, the potential liability of Google was estimated to exceed £3bn.

Lord Leggatt handed down the unanimous judgment in favour of the appellant Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

The case has been heralded for its central importance in determining the viability of data protection class actions. The case drew wide coverage from Pinsent Masons, Hill Dickinson, Clifford Chance, Bindmans and Stewarts.

2. HRH The Duchess of Sussex v Associated Newspapers Limited [2021] EWHC 273 (Ch) and [2021] EWCA Civ 1810

In February 2021 Meghan, Duchess of Sussex, won her application for summary judgment against the Mail on Sunday. Warby LJ said there were “compelling reasons” for it not to go to trial over its publication of extracts of a private letter to her estranged father, Thomas Markle. He entered judgment for the Duchess in misuse of private information and copyright. There was a news piece on Inforrm and a piece by Dominic Crossley.

Associated Newspapers was granted permission to appeal and the appeal was heard on 9 and 11 November 2021, with judgment being handed down on 2 December 2021. The Court, Sir Geoffrey Vos MR, Sharp P and Bean LJ, unanimously dismissed the appeal on all grounds, stating:

“Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.” [106]

The case has been analysed on Inforrm by Brian Cathcart.

3. Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367

The Federal Court of Australia found that Google misled some users about the personal location data it collected through Android devices between January 2017 and December 2018.

The Court found that Google, in providing the option “Don’t save my Location History in my Google Account”, represented to some reasonable consumers that they could thereby prevent their location data being saved to their Google Account. In fact, users needed to change a separate, additional setting to stop their location data being saved to their Google Account.

Inforrm had a case comment.

4. Hájovský v. Slovakia [2021] ECHR 591

Mr Hájovský placed an anonymous advert in a national newspaper offering payment to a woman in return for giving birth to his child. An investigative reporter posed as a candidate interested in surrogacy, replied to the advert and secretly filmed the ensuing meetings. These were later compiled into a documentary. A national tabloid also covered the story using stills from the footage and taking a critical stance on the applicant’s actions. Both stories revealed the applicant’s identity. This prompted the applicant to bring an action against the media groups for violation of his privacy under Slovakian law.

The Slovakian courts dismissed the application on the basis that the article contributed to a matter of public interest, the debate around surrogacy for payment, and that in any event the publishing of the advert had brought a private matter, the applicant’s wish to have a child, into the public domain. The ECtHR found in favour of the applicant. In doing so it reiterated the well-established balancing approach vis-à-vis privacy and freedom of expression as set out in Von Hannover and Axel Springer. In this instance the court found that the applicant’s right to privacy had been violated and that the Slovakian courts had erred in their approach to balancing the competing rights. In doing so the court made key observations about the privacy implications of photographs.

Inforrm has a case comment.

5. Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)

This case concerned the viability of claims for breach of confidence and misuse of private information against data controllers who have suffered cyber-attacks. In dismissing the claims for breach of confidence and misuse of private information, Saini J found that both causes of action require some form of “positive conduct” by the defendant, which is lacking where the cause of the private information being leaked is a cyber-attack by a third party.

Inforrm had a case comment.

6. ES v Shillington 2021 ABQB 739

In this case the Alberta Court of Queen’s Bench awarded damages under a new “public disclosure of private fact” tort. The case concerned the making public of images of the claimant engaging in sex acts with the defendant; these had been shared during a romantic relationship between 2005 and 2016 in which the parties had two children together. The parties had a mutual understanding that the images would not be shared or published anywhere. However, the defendant then proceeded to share the images online, including those involving the sexual assault of the claimant.

Delivering judgment for the claimant, Inglis J accepted their submissions that a new “public disclosure of private information” tort should be recognised as a separate cause of action from existing common law statutes.

7. Hurbain v Belgium [2021] ECHR 544

A case in which an order to anonymise a newspaper’s electronic archive was found not to breach the applicant publisher’s right to freedom of expression. This case reflects an important application of the right to be forgotten under Article 8 of the Convention. The applicant, Patrick Hurbain, is the president of the Rossel Group, which owns one of Belgium’s leading French-language newspapers, Le Soir, of which he was previously Managing Editor. The article in question concerned a series of fatal car accidents and named one of the drivers, G, who had been convicted of a criminal offence for his involvement in the incidents. G made a successful application for rehabilitation in 2006.

However, Le Soir created a free, electronic, searchable version of its archives from 1989 onwards, including the article at issue. G relied on the fact that the article appeared in response to a search on his name on Le Soir’s internal search engine and on Google Search. He explained that its availability was damaging to his reputation, particularly in his work as a doctor. The newspaper refused the application but stated that it had asked Google to delist/deindex the article.

In 2012 G sued Mr Hurbain as editor of Le Soir and was successful domestically. Mr Hurbain then lodged an application with the Strasbourg Court complaining that the anonymisation order was a breach of Article 10. In balancing the Article 8 and Article 10 rights in the case, the Strasbourg Court found in favour of G.

Inforrm had a case comment.

8. Peters v Attorney-General on behalf of Ministry of Social Development [2021] NZCA 355

The New Zealand Court of Appeal provided guidance in respect of the tort of invasion of privacy in this high-profile case. In 2017, the Ministry for Social Development (“MSD”) realised that Mr Peters, MP and leader of the New Zealand First Party, had been overpaid New Zealand Superannuation (“NZS”). Due to errors, NZS had been paid at the single rate when it should have been paid at the partner rate. Mr Peters immediately arranged for the overpaid amount to be repaid.

In August 2017 several reporters received anonymous calls in respect of the overpayment. To pre-empt any publicity, Mr Peters released a press statement addressing the incident. He also issued a claim for infringement of the tort of invasion of privacy against several MSD executives. The High Court found the MSD executives were proper recipients of the information and thus the claim failed. The Court of Appeal dismissed Mr Peters’ appeal. For an invasion of privacy claim to succeed there is a two “limb” test:

  • the existence of facts in respect of which there was a reasonable expectation of privacy; and
  • that the publicity given to those private facts would be considered highly offensive to an objective reasonable person.

The Court agreed that limb one was met on the facts. However, the Court found that Mr Peters did not have a reasonable expectation of protection from disclosure of this information within MSD and from MSD to the relevant Ministers and select staff. As the claimant could not prove that any of the defendants had released information to the media, the appeal was dismissed. The case affirmed the removal of the requirement for there to be widespread disclosure and the potential for the removal of the requirement that disclosure be highly offensive.

9. R (Open Rights Group and the 3 million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800

A case concerning the lawfulness of the immigration exemption found in paragraph 4 of Schedule 2 of the Data Protection Act 2018. This exemption allows those processing personal data for immigration control purposes to refuse to comply with the data subject rights guaranteed by the GDPR to the extent that complying with those provisions would prejudice those purposes. The Court of Appeal found that this exemption was not compliant with Article 23 of the GDPR.

There was coverage from Hunton Andrews Kurth and 11KBW.

10. Biancardi v. Italy [2021] ECHR 972

The ECtHR found that an order holding the editor of an online newspaper liable for failing to de-index an article concerning criminal proceedings did not breach Article 10 of the Convention. The case concerned an application for the delisting of an article about a fight involving a stabbing in a restaurant, which mentioned the names of those involved, including the applicant V.X.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law. He is the editor of The Privacy Perspective blog.


© 2024 Inforrm's Blog

DKLM


Data Protection Breaches - Recent Cases

In a recent case, Plymouth Hospital NHS Trust was ordered to pay compensation to a patient after one of its employees unlawfully gained access to the man’s medical records. The nurse who accessed the data was the man’s partner at the time. The patient claimed that the breach of the Data Protection Act 1998 (DPA) and the way his subsequent complaint regarding the matter was handled had made worse a pre-existing paranoid personality disorder and prevented him from working. He was awarded damages of £12,500 for exacerbation of his pre-existing medical condition and £4,800 for loss of earnings.

In a second case, a former health worker at the Royal Liverpool University Hospital pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family so that she could obtain their new telephone numbers. The matter came to light when a man contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. He had previously changed his phone number following unwanted calls from her and was immediately concerned that there had been a breach of patient confidentiality. Checks by the hospital revealed that none of the patients whose details had been compromised were at any time under the woman’s care and she had no work-related reasons to access their records. She had accessed the information for her own purposes without the consent of her employer and was fined £500 for breach of the DPA and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.

Meanwhile, the European Commission has announced proposals for significant reform of data protection legislation. The Information Commissioner’s initial response to the proposals can be found on the website of the Information Commissioner’s Office.

Privacy Helper
Data Protection Act 1998 – A Summary of the 8 Guiding Principles

The Data Protection Act 1998 was an Act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. It enacted the provisions of the 1995 EU Data Protection Directive on the protection, processing and movement of personal data.

The 8 principles of the Act guided its purpose and the data protection policies of organisations.

The Data Protection Act 1998 replaced the Data Protection Act 1984, which barely covered digital media and computers. The DPA 1998 was enforceable until 25 May 2018, when it was superseded by the Data Protection Act 2018.

At its core, the DPA 1998 has eight principles which were used by organisations to design their own data protection policies. Complying with these was essential for organisations to meet their obligations.

Data Protection Act 1998 principles

The 8 guiding principles of the Act are as follows:

  • Principle 1 – Fair and Lawful
  • Principle 2 – Purposes
  • Principle 3 – Adequacy
  • Principle 4 – Accuracy
  • Principle 5 – Retention
  • Principle 6 – Rights
  • Principle 7 – Security
  • Principle 8 – International transfers

We will take a closer look at what they mean below.

Personal data should be controlled and processed lawfully and fairly in relation to individuals. A Fair Processing Notice is included in the Act, which requires the controller to notify the subject of the following information:

  • The identity of the data controller
  • The purposes for which the personal data are intended to be processed
  • To whom the personal data may be disclosed.

The first data protection principle gave individuals the right for their personal data to be processed fairly and lawfully by any organisation.

Personal data should only be obtained if it will be used for a lawful purpose. It should not be processed in any manner incompatible with that purpose.

The second data protection principle placed a specific obligation on the controller to only use personal data for a lawful and justifiable purpose.

Personal data should be adequate for the purpose it will be used for. It must not be excessive in relation to that purpose.

The third data protection principle placed an obligation on the controller to only collect the minimum amount of information required.

Personal data should be accurate and up to date. If personal data becomes inaccurate, it can no longer be used for the purpose.

The fourth data protection principle demanded the controller only collect, store and keep accurate information on the individual.

Personal data should not be kept for longer than it is needed. Personal data cannot be stored indefinitely until such time as it may serve a purpose.

The fifth data protection principle placed a limit on the amount of time the controller can keep personal information on the individual.

Personal data should be processed in accordance with the rights of individuals. The following rights are mentioned in the legislation:

  • Access to personal data
  • Preventing processing likely to cause damage or distress
  • Preventing direct marketing
  • Automated decision making
  • Correcting inaccurate personal data
  • Compensation

The sixth data protection principle gave individuals the right to choose how their personal data would be used. People now had a say in how organisations who held data about them used that data in their activities.

Personal data should be protected using reasonable and practical means to maintain its integrity and people’s rights and freedoms. The Act specifically states that controllers must adopt measures to prevent the following:

  • Unauthorised processing of personal data
  • Unlawful processing of personal data
  • Accidental destruction, damage or loss of personal data

The seventh data protection principle placed a legal obligation on the controller to secure data against unauthorised or unlawful processing and against accidental loss or destruction.

Personal data should not be transferred outside the EU unless the country it is being transferred to can ensure adequate protection of the data in order to maintain the rights and freedoms of data subjects and their personal data.

The eighth data protection principle required the controller to inform the individual of its intent to transfer their data overseas and to ensure that the country the data is being transferred to can adequately protect it under its own laws.

Comparing these guiding principles with the DPA 2018’s

Now that the Data Protection Act 1998 has been replaced by the Data Protection Act 2018, a comparison can be made between the two Acts.

The new principles are as follows:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

There are seven principles now, with ‘international transfers’ and ‘security’ being covered separately in the legislation. A new accountability principle features here, making it the legal obligation of the organisation to comply with the other principles – and to be able to prove this compliance through the creation of documented policies that must be produced on demand. This is one of the biggest differences between the two Acts.

As you can see, the principles are markedly similar to those of the Data Protection Act 1998, although the legislation behind them is very different and individuals’ rights around the processing of their data have been enhanced. Perhaps the biggest difference is that the Information Commissioner’s Office (ICO) now has the power to fine both the controller and the processor. Under the DPA 1998, it only had powers to pursue the controller for infringement.

So there we have it, a summary of the 8 guiding principles of the now defunct Data Protection Act 1998. Many of the Act’s nuances live on in the Data Protection Act 2018, but any data protection policy based on the DPA 1998 will need updating to be compliant with the GDPR. Organisations who don’t do this now risk the effects of non-compliance, whether that be the loss of business if unable to produce appropriate policies, or action from the ICO.

Morrisons vindicated: A landmark judgment in data protection and vicarious liability

DWF acted for Wm Morrison Supermarkets in their successful defence of a group action for vicarious liability arising out of a mass employee data theft perpetrated by a rogue employee. It is the first mass data breach claim of its kind before the Courts.

The claim for direct fault-based liability was successfully defended at the original trial. Morrisons was found to have met all the relevant statutory data protection standards and did not foresee, nor could they reasonably have foreseen, the covert criminal enterprise their rogue employee had embarked upon.   However, Morrisons was found liable for no-fault vicarious liability as employer. In Morrisons' successful appeal, the Supreme Court has clarified how the law of vicarious liability should be applied and in so doing reversed the High Court and Court of Appeal decisions against Morrisons. 


Summary of the case

In November 2013, Morrisons gave one of its senior internal auditors, Andrew Skelton, access to its payroll data for around 126,000 individuals so he could provide it securely to Morrisons' external auditors during the statutory audit process. In March 2014, Morrisons became aware that the payroll data of 100,000 of its current and former employees from that database had been put online and sent to three newspapers under the guise of an anonymous concerned person. Morrisons promptly had the data removed from the websites on which it appeared, informed the ICO, the police and other agencies, and launched its own enquiries. Morrisons wrote to all 126,000 individuals and everyone who had been employed since then to inform them whether their personal data was affected, and of the ID protection which Morrisons arranged, at huge cost, to be available to them.

Following a police investigation which identified Skelton as the culprit, Skelton was charged with a number of offences and at his criminal trial was convicted and sentenced to a lengthy prison term of 8 years. The trial established that Skelton, who was skilled in IT, had devised his criminal plan out of a desire to harm Morrisons, against whom he bore an irrational grudge following a minor and unrelated disciplinary incident some months earlier, which resulted in him receiving a verbal warning. Significantly, having taken an unauthorised copy of the payroll data, Skelton sought to conceal his identity and distance himself from his employer: (i) he effected the online disclosure at home, (ii) he used a 'burner' phone, (iii) he set up an email account with credentials which pointed to a colleague against whom he also bore a grudge for the colleague's role in the earlier disciplinary matter, (iv) he used the 'The Onion Router' web browser to conceal his computer, and (v) he wrote anonymously to the newspapers posing as a concerned individual who had found the data online.

A Group Action was launched against Morrisons for direct liability under the Data Protection Act 1998, the tort of misuse of private information and the equitable remedy of breach of confidence. In the alternative, it was claimed that Morrisons was vicariously liable for the unlawful acts of Skelton. Whilst over 9,000 affected individuals joined the group action, the greater significance lay in the potential for any and all of the 100,000 affected employees to rely on the Court's finding against Morrisons whether they joined the group or not, and seek damages.

The claim if successful would have been hugely costly, and for most lesser companies, bodies, charities and local authorities who employ large numbers, such a claim would be potentially ruinous. Hence the claim was closely watched by industry and insurers alike.

The claims of direct fault-based liability were dismissed at the trial. The ICO, to whom Morrisons had promptly reported the incident, following investigations made no adverse finding against Morrisons.

Takeaway points from the Supreme Court

  • The mere fact that an employee's employment provides the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability; and
  • regard must be had to whether the employee was engaged, however misguidedly, in furthering his employer’s business, or whether the employee was engaged solely in pursuing his own interests: in the time-honoured phrase, on a ‘frolic of his own’.

The Supreme Court explored these points.  Here is a summary of how the conclusions were reached.

1. The field of activities

The Supreme Court held that, contrary to the lower courts, the disclosure did not fall within the field of Skelton's employed activities. It was true that he had been asked to disclose the data to the statutory auditors, but his criminal act of copying the data and disclosing it deliberately to harm Morrisons was not within, or sufficiently closely connected to, his authorised duties.  

2. Close connection test

The lower courts relied heavily on Lord Toulson's judgment in one of the leading cases, Mohamud v WM Morrison Supermarkets [2016] (note the irony there). They emphasised the seamless chain of events starting with entrusting the data to Skelton, leading ultimately to his criminal disclosure of it. Lord Toulson had set out how an employer may be vicariously liable for an employee's actions if there is a "seamless and continuous sequence of events … an unbroken chain" between the employee's conduct and their employment. The Supreme Court found that the lower courts had misunderstood and misapplied Lord Toulson's judgment. "[A]lthough there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to [the external auditors] and his disclosing it on the Internet, a temporal or causal connection does not in itself satisfy the close connection test." The Court distinguished between cases where the employment merely offered the opportunity, and where the wrong itself was perpetrated in the context of the employee doing their job.

The lower courts had rejected Morrisons' argument that it would be perverse for the Courts to visit liability on Morrisons, the intended victim of the crime, so that it could compensate the other collateral victims of Skelton (none of whom had claimed to suffer actual financial loss). The trial judge confessed to being troubled at the prospect of the Court furthering the criminal wrongdoer's goal. However, Lord Toulson had commented in Mohamud that "motive was irrelevant". The Supreme Court found that Lord Toulson's judgment had been misapplied: the reason why Skelton "acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material" and it was "abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances […] Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment." The Supreme Court clarified the principles of vicarious liability within its existing boundaries, and found, entirely contrary to the lower courts, that to impose vicarious liability on Morrisons would constitute "a major change in the law". No doubt welcome relief for data controllers everywhere.

Vicarious Liability within the data protection world

Whilst these issues apply to all vicarious liability cases, it is worth noting that this case revolves around data protection, the duties of a data controller, the rights of data subjects and the liability of an employer data controller for the activities of another data controller who happens to be its employee.   In obiter remarks, the Supreme Court held that the principle of vicarious liability can be applied to claims under the Data Protection Act 1998 (and by extension the GDPR and Data Protection Act 2018).  

The DWF team was Andrew Harris (consultant), Michelle Maher (senior associate), Nicole Burton (director) and Elinor Webster (solicitor).  


GDPR: Key cases so far

  • 7 February 2019
  • Data Protection & GDPR

Loretta Maxfield


Google fined by national French data protection regulator

On 21 January, Google LLC (Google’s French arm) was fined €50 million by the Commission Nationale de l’Informatique et des Libertés (CNIL) for various failings under GDPR.

The main failing CNIL found was that individuals using Google’s services were not furnished with the requisite “fair processing information” (the information usually provided in privacy notices), in that Google seemingly omitted to inform individuals about why it processed their personal data and how long their data was kept. The ruling also attacked the accessibility of the information, saying that although most of the information was there, it was scattered around Google’s site via various different “links”. The second key failing was not meeting the GDPR standard of “consent” when providing personalised advert content. Under GDPR, consent must be sufficiently informed, specific, unambiguous and granular, and must be gained through a form of active acceptance. In the first instance the CNIL did not consider the consent to be informed enough, as it ruled users were not given enough information about what giving their consent would mean in terms of the ad personalisation services Google would then push. The fine was also imposed in light of Google not ensuring that consent met the GDPR threshold, through using pre-ticked boxes and not separating out consents for advert personalisation from other processing by Google.

The takeaways for your organisation are to ensure it’s easy for your customers or service users to understand what you do with their data. Privacy notices should be clearly signposted, and be as accurate as possible about what data is collected and why it is used. The case also reminds us of the strict threshold consents must reach before they are valid. Businesses are certainly becoming more savvy when it comes to making sure individuals can give consent for different purposes, but it’s not uncommon to still come across the pre-ticked box! If your organisation relies on consent and would like Thorntons to review how you use it, please get in touch and we can give advice on whether you are meeting the GDPR standard.

Marriott International suffers unprecedented data breach

On 19 November last year, Marriott International announced that the personal data of 500 million of its customers had been compromised. The group, which operates hotel chains under the brands W Hotels, Sheraton and Le Méridien among many others, said that it had reason to believe that certain of its computer systems had been hacked in 2014, which has now led to this breach. The number of people affected, whose data relates to customer bookings from 2014 onwards, has now been revised; whilst Marriott still cannot state the exact number, it believes the number of customer records now totals around 383 million. This remains an extremely large number of affected customers, and the hackers were able to access personal details, passport numbers and, in some cases, payment information.

Although a breach of this scale is rare, there are various pointers that all organisations can take from this case. Firstly, it’s a reminder to continuously monitor the technical and organisational security measures protecting personal data. Testing and monitoring of your organisation’s security should be subject to regular review. Secondly, it’s a reminder to have in place a practical guide for how to respond to a data breach. As well as having a clear process for how to report and assess breaches internally, your guide should be clear on what kind of breaches should be reported to the ICO, and perhaps what statements to release to the media. Lastly, this case is a reminder to conduct regular audits of the data held, so that your organisation is always aware of how much data it actually holds. Marriott’s reduced forecast of the number of data subjects affected is based on its discovery that many of the compromised accounts actually relate to the same individual. If Marriott had had an up-to-date list of active customers, it potentially could have responded more quickly.

The ICO takes action against organisations for failing to pay the new data protection fee

At the end of September, the ICO announced that it had begun formal enforcement action against organisations for failing to pay the new data protection fee. Since 25th May, when GDPR came into force, organisations which are classified as data controllers have been required by the Data Protection (Charges and Information) Regulations 2018 to register with the ICO and pay the applicable fee. Whilst the specific organisations have not been named, the ICO has confirmed it has issued 900 notices of intent to fine organisations which span “the public and private sector including the NHS, recruitment, finance, government and accounting”. Of those 900, to date 100 penalty notices have been issued, which range from £400 to £4000, although the ICO has confirmed that the maximum could be £4350 depending on aggravating factors. If you are unsure whether your organisation is required to pay a fee, please get in touch and we can advise accordingly.

The ICO issues its first Enforcement Notice for a breach of GDPR

The ICO has issued its first formal notice under the GDPR to AggregateIQ Data Services Ltd (“AIQ”). AIQ, a Canadian company, was involved in targeting political advertising on social media to individuals whose information was supplied to them by various political parties and campaigns (such as Vote Leave, BeLeave, Veterans for Britain, and DUP Vote to Leave).

After an investigation by the ICO, AIQ was found not to have adequately complied with its obligations as a controller under the GDPR by: (1) not processing personal data in a way that the data subjects were aware of, (2) not processing personal data for purposes which data subjects expected, (3) not having a lawful basis for processing, (4) not processing the personal data in a way which was compatible with the reasons for which it was originally collected, and (5) not issuing the appropriate fair processing information to those individuals (commonly communicated through a privacy notice).

As well as those practical failings, the ICO also considered that the processing of the information passed to AIQ and used for targeted advertising was likely to cause the individuals concerned damage or distress, because they were not given the opportunity to understand how their personal information would be used.

The most interesting point about this case is that although the company is based in Canada, the ICO has still exercised its authority over organisations which process the data of those in the UK, and ordered that AIQ must now erase all the personal data it holds on individuals in the UK. For a company which mainly deals in data and analytics, this could have a detrimental impact on its business operations in the UK. Although AIQ was passed the personal data by other organisations, this enforcement action demonstrates that it is still AIQ’s responsibility to ensure that its use of the data was not incompatible with any of the purposes for which it was originally intended, and still incumbent on it to ensure individuals were aware of what it was doing with it. In addition, whilst there has been and continues to be a lot of emphasis in the media on the risk of large fines under GDPR, it is notable that no monetary penalty has been issued by the ICO, although the ICO has reserved its ability to do so should AIQ not comply with this notice.

Morrisons held liable for the wrongful acts of its rogue employee by the Court of Appeal (England)

The circumstances of this interesting case centre around an employee whose rogue actions were still considered by the court to be attributable to the employer as a breach of the Data Protection Act 1998. The employee was employed by Morrisons Supermarkets as an internal IT auditor who in 2014, knowingly decided to copy the personal data of around 100,000 of Morrisons’ employees onto a USB stick. At home, the employee then posted the personal data, which included names, addresses and bank details, onto the internet under the name of another Morrisons employee in an attempt to cover his tracks.

In finding that Morrisons was vicariously liable for the actions of the rogue employee, the Court concluded that there was a sufficiently close link between the employee’s job role, and the wrongful action. That the wrongful event occurred outside the workplace was irrelevant, as the Court found that the employee in question was acting “within the field of activities assigned”. Because the employee had access to the compromised personal data in the course of carrying out his role in facilitating payroll, he was specifically entrusted with that kind of information in order to do his job, so the Court decided that there was a sufficient link between the job role and the wrongful disclosure.

The key, striking, message from this case is that it is possible for employers to be held liable for rogue actions taken by their employees. Although this particular employee was obviously not acting within the expected confines of his job role, it is interesting that the Court still determined that employers may be liable for acts that they would normally reasonably consider out of their control. Although this incident occurred in 2014 and was therefore decided under the Data Protection Act 1998, this case demonstrates how vital it is that organisations put in place appropriate technical and organisational security measures adequate for the type of data that is being held, taking into account the risk of disgruntled employees and what they may do with their access to the information. This case also acts as a reminder to ensure your staff are trained and aware of data protection and the role they personally can play in the protection of data, rather than focusing only on technical computer security, to which a lot of organisations pay more attention. As remarked in this judgment, it also serves as a reminder to have adequate insurance in place in the event of a major data breach.

The ICO receives notification of thousands of breaches

Although organisations could report data breaches to the ICO under the Data Protection Act 1998, you will be aware that under GDPR there is mandatory reporting of breaches to the ICO in cases where there is a “risk to the rights and freedoms of individuals”. The ICO has now reported that it has received notification of more than 8000 breaches in the 6 months since GDPR came into force. Last summer the ICO observed that many breaches that were being reported did not necessarily meet the threshold of risk; however, it welcomes the honesty and transparency coming from organisations under legislation which is designed to strengthen rights for individuals.

With breaches required to be reported to the ICO within 72 hours of becoming aware of them, it is vital that mechanisms are in place internally for employees to understand how to report a breach and complete a risk assessment in the appropriate time-frame to assess whether it is reportable. If you would like any help compiling a data breach policy or risk assessment framework tailored to your organisation, please get in touch.

DPO Centre

GDPR & Data Protection Act Case Studies

At The DPO Centre, we understand that every organisation is different, as even organisations in the same industry may not have the same requirements. We offer help and tailored support to organisations across a wide variety of sectors ,  assisting them to comply with data protection laws such as the UK and EU GDPR.  

On this page, we’ve featured case studies from a cross section of our client base of over 900 organisations. These case studies feature clients from a range of industry sectors, including tech, consumer products and services, health and medical, life sciences and clinical trials, charities and education.  They highlight our work with these clients where we’ve provided outsourced DPO consultancy, UK and EU Representation services, Data Subject Access Requests (DSARs) support , and staff training and awareness.  

Leaf Case Study
Sector: Tech
Key Challenges: Complex Data Processes, Data Minimisation, Policies & Documentation
Services: Outsourced DPO

Reveal Media
Key Challenges: Data Minimisation, Large volumes of information, Transparency

Copleston High School
Sector: Education
Key Challenges: Data sharing agreements with external third parties, FOI request, Large number of complex DSARs
Services: DSAR support

Eaton House Schools
Key Challenges: Complex Application of Exemptions, DSAR Timeline, Extensive Data & Documentation

Sector: Medical & Health
Key Challenges: Complex Data Handling, Special category data

Sector: Charities & Not-For-Profits
Key Challenges: No Retention Policies in Place, Special category data

Birmingham & Solihull Mental Health NHS Foundation Trust
Sector: Government Organisations, Medical & Health
Key Challenges: Complex DSAR, High number of data subjects, Large volumes of information

London Borough Barking & Dagenham Council
Sector: Government Organisations
Key Challenges: Complex DPIAs, Implementation of "Privacy by Design", Public Interest

Portman Dental Care
Key Challenges: Complex DSAR, Significant redaction, Special category data

Sector: Manufacturing & Engineering
Key Challenges: Complex records of processing activities (RoPA), Policies & Documentation, Staff upskilling

Sector: Professional Services
Key Challenges: Rapid business expansion, Staff upskilling
Services: Outsourced DPO, Staff Training & Awareness

Sector: Consumer Products & Services
Key Challenges: Complex Data Handling, Data security, Policies & Documentation, Unique Retail Environment
Services: Consultancy, Outsourced DPO

Key Challenges: Complex Data Processing Agreements, Implementation of "Privacy by Design", Staff upskilling

Key Challenges: Data subject rights requests, High number of data subjects, Large volumes of information
Services: Staff Training & Awareness

Clinisupplies
Key Challenges: Complex DPIAs, Data Processing Agreements, DSPT toolkit submission

Sector: Finance & Insurance
Key Challenges: Providing services in an FCA regulated industry, Rapid business expansion, Varying client size

Spencer Private Hospitals
Key Challenges: Complex records of processing activities (RoPA), DSPT toolkit submission, Special category data

Shard Capital
Key Challenges: Complex Data Handling, Large volumes of information, Rapid business expansion

Unbar Rothon
Key Challenges: Complex DSAR, Large volumes of information, Significant redaction
Services: Consultancy, DSAR support, Staff Training & Awareness

Key Challenges: Complex Data Handling, Data retention, Global Company

Key Challenges: EU Representation, Policies & Documentation, Special category data
Services: EU Representation, Staff Training & Awareness

NSPCC Fundraising
Key Challenges: Complex Data Handling, Handling sensitive data, Managing Consent, Special category data

NSPCC Children’s Services
Key Challenges: Complex Data Handling, Handling sensitive data, Special category data

Prostate Cancer Clinical Trials
Key Challenges: Clinical Trials, Complex Data Handling, Handling sensitive data, Special category data
Services: EU Representation

What our clients say about us

The DPO Centre’s Data Protection Officers are proud to have worked with all of our clients, but what do our clients think of working with us? The testimonials below have been provided by the organisations featured in our case studies. Our clients continue to emphasise our expertise, systematic, risk-based approach, pragmatic, solution-oriented advice and transparent communication.


We are really pleased with our DPO from The DPO Centre, who understood our needs and was able to translate them into a workable plan that has greatly assisted our business’s compliance journey. The DPO Centre’s advice and support has assisted us in ensuring that our compliance level has remained high despite the challenges that rapid growth presents.

The DPO Centre’s help in dealing with a particularly complex DSAR that we received was invaluable. The support and advice that they provided throughout the entire process was extremely helpful… Overall, working with The DPO Centre greatly reduced the significant challenge of dealing with this DSAR

Professional Case Management

Jenifer McIntosh

The DPO I had the pleasure of working with on that project is one of the best DPO/counsels I have worked with when it came to thoughtfully negotiating through a clinical trials-DPA, given his great working knowledge of the GDPR and the crossover with clinical trials regulations in both EU & UK.

Drew Davies

The DPO Centre’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any trial member across the EU.

Ufford Park

Josie Hopps

I cannot recommend The DPO Centre enough; from start to finish the process has been simple and the whole team here at Ufford Park Hotel have felt informed and supported with the suggested changes and improvements.

Hughes Electrical

Henrico Doward

We have had a positive working relationship with Rob and the team, from our first meeting and the insightful workshop – from review to implementation – the process has been straightforward and hassle-free.

MACC International Ltd

John Morrison

The work with our staff has been conducted in a thoroughly clear, concise and systematic way, with no stone left unturned.

West Suffolk College

Jules Bridge

With the excellent ongoing help, support and guidance from the DPO Centre team, we now have the comprehensive and prioritised action plan that we need to work toward and implement – meaning we feel we are GDPR ready.

Positive Steps PT

Kevin Marshall

It’s been really cost-effective for my business to enlist the help of the DPO Centre – not only was I able to get a full impact assessment of my business and resolutions to the issues identified but I have received training on so many aspects of the GDPR.

Data Protection Services

Do any of our case studies sound like your organisation? At The DPO Centre, we help organisations of all types to comply with UK and EU GDPR and the other UK, EU and global data protection laws. Our services will help your organisation to better understand your data and current level of compliance.  We provide tailored advice, expertise and resources that are backed up by the support, shared best practices, and model documentation we’ve developed from working with over 900 organisations worldwide. If your organisation could benefit from these services, please get in touch using the form below.  


Qualitative Research and the Data Protection Act 1998

Qualitative Market Research

ISSN: 1352-2752

Article publication date: 1 March 2002

Beck, J. (2002), "Qualitative Research and the Data Protection Act 1998", Qualitative Market Research , Vol. 5 No. 1. https://doi.org/10.1108/qmr.2002.21605aaf.001

Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited

Introduction

The Data Protection Act 1998 is the UK's response to an EU Data Protection Directive designed to protect individual rights in the collection, processing and transferring of personal data. Similar responses are being produced all over Europe and they vary in severity from the relatively relaxed regimes proposed in Ireland and Sweden to the tough stance being taken by Italy and Greece.

The UK Act (the DPA) takes a minimalist approach and came fully into force on 23 October 2001. Like the Human Rights Act and market research codes of conduct, the DPA is principles-based and therefore open to interpretation. That interpretation is ultimately the responsibility of the Information Commission but has been influenced by direct and detailed discussions between the Commission and a market research industry taskforce in which the MRS (Market Research Society) and AQR (Association of Qualitative Research) were represented.

What we now have is an Act that underpins and gives weight to our codes of conduct and, as Information Commissioner, Elizabeth France said at the Market Research Society's Research 2001 Conference, "The Data Protection Act does not stop you sharing processed information, it doesn't stop you disclosing it. It doesn't stop you using it outside the exemption for research but it makes you do it in a way that respects individuals … ".

What the Act contains

The 1998 Act covers all data collection or processing that is in any sense organised – by electronic or other means – and this includes personal data recorded on audio or video tape, so UK data protection now extends to all research methodologies, quantitative and qualitative. Most qualitative researchers and recruiters will need to notify (or register) with the Information Commission, as they will be "controlling" personal data.

There are eight data protection principles enshrined in the Act that can be broadly summarised as:

  • Personal data must be processed fairly and lawfully.
  • Personal data can only be used for the specified and lawful purposes for which they were collected. (The specified purpose principle means that data cannot be processed after collection for any other purpose than that for which informed consent was given. So, for example, qualitative tapes cannot be passed to clients unless specific consent was obtained for that at the time of the research.)
  • Personal data shall be adequate, relevant and not excessive.
  • Personal data shall be accurate and kept up to date.
  • Personal data must not be kept beyond fulfilling the purpose for which they were collected. (This should mean an end to hanging on to old tapes and recruitment questionnaires!)
  • Personal data shall be processed in accordance with the rights of data subjects.
  • Personal data must be kept secure.
  • Personal data shall not be transferred outside the EEA unless adequate protections are in place. (This is something that international researchers, or researchers working on behalf of international clients, need to be aware of. The EEA is assumed to have adequate protection but many territories do not.)

For market researchers, the guiding construct underpinning the 1998 Act is that of informed consent and this has two key components:

Transparency. Ensuring individuals have a very clear and unambiguous understanding of the purpose(s) of collecting the data and how it will be used.

Consent. At the time that the data is collected, individuals must give their consent to their data being collected, and also at that time, have the opportunity to opt out of any subsequent uses of the data.

What the Act means for qualitative research

The Act does carry new implications for every stage of qualitative research – from recruitment to handling primary data. It establishes respondents' rights as paramount and will require some changes to the way we do things. These will be reflected in revised MRS qualitative guidelines, covering the following.

Ensuring emotional wellbeing

At recruitment, respondents must be told (either verbally or through invitation):

  • the subject of the discussion;
  • that it is for market research purposes;
  • how long the session will last;
  • if it is to take place in viewing facilities;
  • if it is to be audio- or video-recorded.

They should also be told:

  • if the session is likely to be viewed;
  • that they have a right to withdraw and withhold.

When the topic is judged to be sensitive, the subject must be explicitly communicated and the content of the discussion should be disclosed.

During interviewing, researchers must obtain:

  • permission to record the session;
  • explicit permission to release the data to a third party, with the purpose and other details clearly stated.

Primary data

The DPA is based on the right of respondents to know how their personal data will be used. Researchers have a responsibility to inform respondents accordingly and to ensure that the data will only be used in the way that respondents have been told it will be used. This has significant implications for the way qualitative researchers (and their clients) handle primary data.

Primary qualitative data include recruitment questionnaires, audio tapes, video tapes, transcripts (where individuals may be recognised by their turn of phrase and the universe might be small), hand-written notes containing personal data, projective material, attendance lists/signature lists, etc.

Respondents must give their informed consent in writing at some time during the research for any primary data to be handed to a third party. They must be told:

  • explicitly to whom the data will be passed;
  • who will see them;
  • what they will be used for.

Respondents must also give consent where data are to leave the country and must be told where they will be going. Researchers must ensure that any country to which personal data are transferred has adequate data protection measures in place. This is particularly important outside the EEA where countries have weak data protection regimes. For example, data (including tapes and recruitment questionnaires) cannot be transferred to the USA unless:

  • data protection is safeguarded in the contract between client and researcher;
  • the US organisation involved has signed up to a Safe Harbour agreement; or
  • all respondents have given explicit written consent for the transfer to take place.

Getting full consent, during the research, is important because it is difficult (and potentially unlawful) to get permissions changed after the research has been completed.

Primary data collected in a market research project can only ever be used for market research purposes.

Primary data must be labelled with appropriate restrictions when handed over to a third party.

Researchers must ensure that the recipients, viewers, readers and listeners of the primary data are aware of the requirements of the DPA.

In order to comply with the new Act, qualitative researchers need to take some practical steps, including:

  • identifying someone responsible for data protection policy;
  • notifying with the Commission and making sure that notification is as comprehensive as possible;
  • reviewing all information supplied to respondents on paper or verbally – including invitations, introductions, consent forms, data release forms etc. – to make sure that they meet all the requirements for transparency and consent;
  • reviewing contracts and terms of business to make sure that researcher and client roles, responsibilities and access to primary data are specified;
  • ensuring that everyone involved – employees, suppliers, clients, etc. – knows what their data protection responsibilities are;
  • checking and improving data security.

A consultative draft containing these and more detailed guidance on issues like recruitment, observation of qualitative research, client anonymity and observational research is available from the Market Research Society or on the Code page of www.mrs.org.uk. There you will also find downloadable copies of The Data Protection Act 1998 and Market Research: Guidance for MRS Members. This also contains advice on notification.

This is a further step towards improving the professionalism of the UK qualitative research industry and the increasing emphasis on research by informed consent can only benefit the quality and authority of qualitative work.

Jennie Beck, Chair of the MRS Professional Standards Committee, Beck Consultancy, Muswell Hill, London


v.321(7265); 2000 Oct 7

Data protection legislation: interpretation and barriers to research

Judith Strobl

a Prescribing Research Group, Department of Pharmacology and Therapeutics, University of Liverpool, Liverpool L69 3GE, b Centre For Professional Ethics, University of Central Lancashire, Preston PR1 2HE

Research has been described as “a powerful means of achieving” the objectives of the Department of Health, namely “to improve the health and well-being of the population and to secure high quality care.” 1 There is, however, a need to find a balance between facilitating important research and protecting the confidentiality of patients. As the capabilities of information technology grow, legal frameworks and professional guidance need to be created or refined to safeguard the rights of patients.

Some areas of the common law duty of confidentiality and the new Data Protection Act 1998 (box, p 891), which constitutes the United Kingdom's implementation of the relevant European Union directive,2 are causing difficulties of interpretation within the NHS. With few exceptions, broad debate about the implications of the new act is lacking, particularly in the context of epidemiological research that uses patients' records.6-8 Questions of consent, anonymisation of data for research, and access to medical notes for research purposes (rather than audit) have been addressed in a range of literature.9-13 Some of these documents are being updated; this may indicate that there are uncertainties about the legal issues involved in implementing the act. Local variations in interpretation may cause particular difficulties for researchers conducting multicentre epidemiological studies, as the case study that will be described in this article shows.

In the meantime, those who must make decisions about confidentiality are still confused. This confusion exists for several reasons. Firstly, there is the interpretation of the act (and to an extent the common law duty of confidentiality). The interpretation is subject to debate, and no case law exists which might clarify the interpretation. Secondly, there is a dearth of up to date and clear policy guidance. Thirdly, the new system of “Caldicott guardians” (box) is untried, and guardians as well as others are only beginning to learn to exercise their new responsibilities. Fourthly, clarification is needed about the role that research ethics committees should have in data protection and confidentiality. Guidance recently issued by the NHS should help clarify some of these areas. 14 We highlight issues for future discussion that have arisen in a case study of a multicentre epidemiological project that sought to use patients' records.

Summary points

  • The interpretation of the Data Protection Act 1998 and how it affects the NHS, healthcare, and epidemiological research is riddled with uncertainties
  • Clarification is needed to determine how the common law duty of confidentiality affects the health sector in terms of using patients' data for research
  • Different interpretations of the act and the duty of confidentiality may adversely affect the ability of researchers to conduct multicentre studies

Regional NHS sources funded our department in collaboration with clinicians from five NHS trusts to undertake a retrospective pragmatic study of the effectiveness and cost effectiveness of a new drug treatment. In the initial phase it was expected that a registered nurse employed by the university would extract data on treatment and on the utilisation of health services from the routine records of patients seen in collaborating trusts.

The relevant multicentre research ethics committee approved the study but advised the researchers that the question of whether explicit consent was needed from patients to allow the researchers to have access to the medical records needed to be clarified with data protection officers at the five hospital trusts. The responses to this request are shown in the box (p 891). The trusts' decisions varied considerably and usually involved complex internal discussions and consultation; consequently, this led to delays.

Does the diversity in the outcomes mean that some trusts made erroneous judgments or that the law is ambiguous, or can the situations in individual trusts be sufficiently different for them to reach contrary decisions? Although the latter case seems unlikely, there are individual circumstances under which trusts may arrive at a different decision about the same project. One such condition may involve cases in which trusts have in place routine mechanisms to obtain consent from patients for the use of their personal data for future research, a procedure which would be subject to the approval of a research ethics committee.

Explanation of terms

Data Protection Act 1998 —This brings into UK law European Directive 95/46/EC on the processing of personal data. It came into effect on 1 March 2000, and in comparison with the 1984 act (which it replaces) it is concerned with both records on paper and records held on computers. The act is based on eight principles the first of which stipulates that “personal data shall be processed fairly and lawfully.” Interpretation of the phrase “fairly and lawfully” may give rise to different opinions about implementation.

Common Law Duty of Confidentiality —This legal duty applies to information entrusted to someone in confidence. The duty of confidentiality applies independently of the Data Protection Act. The Department of Health acknowledges that there are conflicting legal views on applying this duty and is trying to interpret it for the health sector. 3 In particular, the issue of consent and the conditions under which consent can be implied or waived need to be clarified.

Caldicott guardian —In 1997 the Caldicott Committee reported on its review of information that identifies NHS patients. 4 In keeping with the report's main recommendations each health authority, trust, and primary care group in the United Kingdom appointed a “Caldicott guardian.” One key responsibility of the guardians is to agree and review internal protocols for the protection and use of identifiable information obtained from patients. 5

Trusts' decisions on whether patients needed to give explicit consent

Trust 1 —This trust decided that the researcher could have access to patients' records without explicit consent from patients as long as no identifiable information was removed from the hospital (for example, the researcher could extract information from records and retain it in coded form but the key for decoding would be kept at the hospital). (Time to decision: <3 weeks.)

Trust 2 —The Caldicott guardian decided that consent from patients was required. This decision was later revised after the trust sought legal advice, and the researcher was then permitted to have access to patients' records because the Data Protection Act 1998 only came into force after the start of the study (1 March 2000). (Time to decision: 4-5 months.)

Trust 3 —The data protection officer and the Caldicott guardian advised the researcher to obtain explicit consent from patients because the researcher was not a staff member of the trust and no explicit consent exists from patients to permit the use of their data for research (for example, no agreements are signed by patients when they are first seen). (Time to decision: 6 weeks.)

Trust 4 —The data protection officer immediately decided that the proposed study required explicit consent from patients since only staff with a duty of care to the patient are permitted to have access to that patient's medical records, and, unlike audit, research is not seen as part of the healthcare process. (Time to decision: immediate.)

Trust 5 —The data protection officer made a formal decision only about records held on the computer. The outsider status of the researcher was problematic. The case of deceased patients (which is not covered by the Data Protection Act) would have to be decided by the research ethics committee. (Time to decision: no formal decision at 7 weeks.)

As a result of the trusts' decisions there seemed to be three options available to the researchers: abandon the project entirely, seek explicit consent from patients who have been treated in the trusts that demand explicit consent, or alter the design of the study so that only anonymised data are used.

Issues of consent, anonymisation, and access to patients' records for research need to be more widely discussed and evaluated in terms of the 1998 act and the Common Law Duty of Confidentiality. Well meaning clinicians may be passing anonymised or non-anonymised data to researchers without realising the legal implications.

It is not easy to answer questions about data protection requirements for particular research projects, and many individuals within trusts who are responsible for tackling these questions face difficulties in answering them. Because of the current uncertainty, insurmountable problems may arise in cases in which researchers hope to conduct their studies at a variety of centres, especially since they may have to comply with conflicting interpretations of the existing law and conflicting guidance from various bodies. This situation has created inconsistencies in the access to routine NHS data allowed to researchers. Additionally, the appropriate interactions between the new Caldicott guardians, the data protection officers in each trust, clinicians, and research ethics committees has not yet been fully clarified; however, a revision of the guidance for local research ethics committees is expected to be published later in the year and may partially address this problem. 15 Also, anxieties about the requirements for consent have increased as a result of the exposure of cases in which organs were retained for research and medical research procedures were performed on children. 16 , 17

One of the options for resolving the issue of consent in our case study was to use anonymous data. A High Court decision in May 1999 increased uncertainty in the healthcare and medical research communities about the legality of processing even fully anonymised data without consent 18 : in this case the judge held that confidentiality can be breached even when anonymisation is used if the patient has not consented and the research is not in the public interest (in this case, data were being sold by pharmacists indirectly to the pharmaceutical industry). The Court of Appeal overturned the judge's decision in December 1999, ruling that as a reasonable pharmacist's conscience would not be troubled by the proposed use of the information any claim for breach of confidentiality was unlikely to be successful. 19 Unfortunately this aspect of the law remains unresolved because leave may be given to appeal to the House of Lords.

The view of the data protection commissioner is that any personal data which has been encoded remains personal data in the sense of the Data Protection Act 1998 provided that the key for decoding it remains in existence. Thus, coded data falls within the scope of the Data Protection Act even if the key for decoding it is not accessible to the researcher. The new NHS number being assigned to patients is an example of such a code, and chronic disease registers and reporting systems or postmarketing surveillance systems of new drug treatments might use codes that can be linked to individuals. Much epidemiological research and research into health economics would simply be impossible to conduct if completely anonymous data had to be used because updating, linking, or validating data is impossible without using codes.

The processing of coded personal data (sometimes called “pseudonymised” data to distinguish it from fully anonymised data) for research does not necessarily contravene the act. However, in considering whether data processing is “fair and lawful” routine mechanisms to merely inform patients in advance about the potential use of their personal data for future research (for example, through form letters or notices posted in waiting rooms) may not be seen as constituting sufficient consent. It is also unclear whether patients who do not register their refusal can be said to have consented. Neither the Data Protection Act 1998 nor the confidentiality law give sufficient guidance as to what constitutes explicit and implied consent and when each ought to be used.

Strict, clear criteria are urgently needed to determine under which limited situations such consent requirements for research using patient data might be waived; these must take into account the degree of anonymisation. The Department of Health's proposal to set up a national confidentiality and security advisory body, which was announced on 15 March, is welcome. 20 This new body should have the potential to provide the necessary clear guidance for research, similar to the guidance in the United States on disclosure of individually identifiable health data for research under specified conditions. 21

Researchers performing epidemiological studies in the United Kingdom need clear guidance in several areas. Firstly, the definition of explicit consent and the situations in which it is required need further explanation. Secondly, there is an unacceptable amount of uncertainty over when consent can be considered to have been implied or when it may be waived on grounds of public interest. Research ethics committees may be asked to advise on whether processing identifiable data without consent is in the public interest. This is an onerous responsibility, especially in light of the uncertainties described in this paper. The Department of Health's ongoing review of guidelines for local research ethics committees will help illuminate this situation. The legal responsibility lies ultimately with the trust, and any decision regarding disclosure must be able to be justified as being in the public interest. Thirdly, anonymisation and its effects need to be clarified especially taking into account the court case described earlier. Fourthly, issues of access to confidential data must be resolved. The effect of a contract between the NHS and outside research staff also needs to be clarified (for example, in cases in which research staff are funded by the NHS itself or when they have an NHS contract with some, but not all, of the trusts involved in a multicentre research study). Ultimately, the legality of any guidance or decision can only be determined by the courts.


In the meantime, a workable solution that respects patients' rights may be to ensure that data are fully anonymised whenever possible. In this case, the data is not personal and does not fall within the scope of the Data Protection Act. If full anonymisation is not possible or the design of the study does not permit it, the use of pseudonymous data (created using codes and carefully restricting access to them) should be considered, bearing in mind that it is still seen by the data protection registrar as personal data. To facilitate future research, trusts need to ensure that sufficient mechanisms are in place to inform patients about any potential use of their data for research and to obtain consent when necessary. Finally, researchers should agree their project design with those responsible for data protection well in advance.
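The coded-data arrangement described for Trust 1 above, and the distinction the article draws between pseudonymised (coded) and fully anonymised data, as an added illustration that is not code from the BMJ article: a keyed pseudonym lets the researcher link records while the re-identification table stays with the trust, stripping the code gives the fully anonymised form, and an unkeyed hash is shown as the inadequate alternative. The NHS numbers, key and record contents are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample extract (not real patients). The NHS number stands in for
# the identifier the article cites as an example of a linkable code.
RECORDS: List[Dict] = [
    {"nhs_number": "4505577104", "treatment": "new_drug", "admissions": 2},
    {"nhs_number": "9434765919", "treatment": "standard", "admissions": 0},
    {"nhs_number": "4505577104", "treatment": "new_drug", "admissions": 1},
]

# Constructed key. In practice it is generated at the trust and never given to
# the researcher; while it (or the lookup table) exists, the coded extract is
# still personal data in the sense of the Act.
TRUST_KEY = b"constructed-trust-key-do-not-reuse"


def derive_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier, truncated to 16 hex chars.

    The same identifier under the same key always yields the same code, so
    separate extracts can be linked, updated and validated. Without the key the
    code can neither be reversed nor recomputed from a guessed identifier.
    """
    return hmac.new(key, identifier.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes):
    """Trust side: replace identifiers with codes.

    Returns the coded extract (which leaves with the researcher) and the
    code -> identifier table (which stays at the trust, as in Trust 1's ruling).
    """
    coded, lookup = [], {}
    for rec in records:
        code = derive_pseudonym(key, rec["nhs_number"])
        lookup[code] = rec["nhs_number"]
        coded.append({"code": code, **{k: v for k, v in rec.items() if k != "nhs_number"}})
    return coded, lookup


def admissions_per_patient(coded: List[Dict]) -> Dict[str, int]:
    """Researcher side: per-patient aggregation works only because the code is
    stable across rows; fully anonymised rows could not be grouped this way."""
    totals: Dict[str, int] = {}
    for row in coded:
        totals[row["code"]] = totals.get(row["code"], 0) + row["admissions"]
    return totals


def reidentify(lookup: Dict[str, str], code: str) -> Optional[str]:
    """Trust side only: map a code back to the identifier (for example, to
    validate or update a record). Returns None for an unknown code."""
    return lookup.get(code)


def anonymise(coded: List[Dict]) -> List[Dict]:
    """Drop the code entirely. Rows can no longer be linked to an individual or
    to each other: the fully anonymised form the article prefers where the
    study design allows it, and outside the scope of the Act."""
    return [{k: v for k, v in row.items() if k != "code"} for row in coded]


def unkeyed_pseudonym(identifier: str) -> str:
    """A plain hash of the identifier: NOT adequate pseudonymisation."""
    return hashlib.sha256(identifier.encode("ascii")).hexdigest()[:16]


def recover_from_unkeyed(code: str, candidate_ids: List[str]) -> Optional[str]:
    """Why the key matters: an unkeyed hash can be matched simply by hashing
    candidate identifiers, so whoever holds such an extract can re-identify
    rows. The keyed code gives no match for the same candidates."""
    for cid in candidate_ids:
        if unkeyed_pseudonym(cid) == code:
            return cid
    return None


if __name__ == "__main__":
    coded_extract, key_table = pseudonymise(RECORDS, TRUST_KEY)
    print(admissions_per_patient(coded_extract))
    print(anonymise(coded_extract))
```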

Competing interests: None declared.

Funding: JS is funded by the NHS Executive North West. At the time of writing this paper, EC was funded by the Liverpool, Manchester, Preston Ethics Training Project (LiMPET), a collaborative venture between the Universities of Central Lancashire, Manchester, and Liverpool, funded by the NHS Executive North West.

legislation.gov.uk

Data Protection Act 1998 (Point in Time version: 24/10/2007; version superseded 01/04/2008)

1998 CHAPTER 29

An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

[16th July 1998]

Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

Modifications etc. (not altering text)

C1 Act: power to amend conferred (8.5.2008) by virtue of Criminal Justice and Immigration Act 2008 (c. 4) , ss. 77(5) , 153

C2 Act: Crown status for the purposes of the Act extended (6.5.1999) by S.I. 1999/677 , art. 7(3)

Act applied (1.4.2000) by 1999 c. 28 , s. 19(2) (with s. 38 ); S.I. 2000/1066 , art. 2

Act excluded (1.3.2000) by S.I. 2000/416 , art. 2 , Sch.

Act: functions of the Secretary of State transferred to the Lord Chancellor (26.11.2001) by S.I. 2001/3500 , arts. 3 , 4 , Sch. 1 para. 11

Act applied by S.I. 1993/1813 , art. 4(2) (as substituted by S.I. 2001/1544 , art. 3(5)(6) ) (the amendment coming into force in accordance with art. 1(2) of S.I. 2001/1544 )

C3 Act (except ss. 6(4)(a)(b), 28, Sch. 5 para. 12(2) for certain purposes and Sch. 6 paras. 2, 3): functions of the Lord Chancellor transferred to the Secretary of State, and all property, rights and liabilities to which the Lord Chancellor is entitled or subject to in connection with any such function transferred to the Secretary of State for Constitutional Affairs (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , arts. 4 , 5 , Sch. 1 (with art. 6 )

Act restricted by The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818) , art. {8(2)} (the amendment coming into force in accordance with art. 1(2) of the amending S.I.)

Act modified by The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818) , art. {11(4)} (the amendment coming into force in accordance with art. 1(2) of the amending S.I.)

Act modified by The National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118), art. 5 (the amendment coming into force in accordance with art. 1(2) of the amending S.I.)

Part I U.K. Preliminary

1 Basic interpretative provisions. U.K.

(1) In this Act, unless the context otherwise requires—

“data” means information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, F1 . . .

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; [F2 or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);]

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

“data subject” means an individual who is the subject of personal data;

“personal data” means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data;

[ F3 “public authority” means a public authority as defined by the Freedom of Information Act 2000 or a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002; ]

“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

(2) In this Act, unless the context otherwise requires—

(a) “obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b) “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the data.

(3) In determining for the purposes of this Act whether any information is recorded with the intention—

(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

[ F4 (5) In paragraph (e) of the definition of “data” in subsection (1), the reference to information “held” by a public authority shall be construed in accordance with section 3(2) of the Freedom of Information Act 2000 [ F5 or section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002. ]

(6) Where

(a) ] section 7 of the Freedom of Information Act 2000 prevents Parts I to V of that Act [ F6 or ]

[ F6 (b) section 7(1) of the Freedom of Information (Scotland) Act 2002 prevents that Act, ]

from applying to certain information held by a public authority, that information is not to be treated for the purposes of paragraph (e) of the definition of “data” in subsection (1) as held by a public authority.

Textual Amendments

F1 In s. 1(1) in definition of "data" word repealed (1.1.2005) by 2000 c. 36, ss. 68(2)(a), 86, 87(3), Sch. 8 Pt. III (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F2 In s. 1(1) in definition of "data" paragraph (e) and preceding word inserted (1.1.2005) by 2000 c. 36, ss. 68(2)(a), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F3 In s. 1(1) definition of "public authority" inserted (1.1.2005) by 2000 c. 36, ss. 68(2)(b), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2; and this same definition substituted (1.1.2005) by The Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (S.I. 2004/3089), art. 2(2)(a)

F4 S. 1(5)(6) inserted (1.1.2005) by 2000 c. 36, ss. 68(3), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F5 Words in s. 1(5) inserted (1.1.2005) by The Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (S.I. 2004/3089), art. 2(2)(b)

F6 S. 1(6)(b) and preceding word inserted (1.1.2005) by The Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (S.I. 2004/3089), art. 2(2)(c)

2 Sensitive personal data. U.K.

In this Act “sensitive personal data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the M1 Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Marginal Citations

M1 1992 c. 52.

3 The special purposes. U.K.

In this Act “the special purposes” means any one or more of the following—

(a) the purposes of journalism,

(b) artistic purposes, and

(c) literary purposes.

4 The data protection principles. U.K.

(1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.

(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.

(3) Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

5 Application of Act. U.K.

(1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if—

(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or of any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom—

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice;

and the reference to establishment in any other EEA State has a corresponding meaning.

C4 S. 5 modified by S.I. 1993/1813, art. 4(2) (as substituted (coming into force in accordance with art. 1(2) of the amending S.I.) by S.I. 2001/1544, art. 3(5)(6))

6 The Commissioner and the Tribunal. U.K.

[ F7 (1) For the purposes of this Act and of the Freedom of Information Act 2000 there shall be an officer known as the Information Commissioner (in this Act referred to as “the Commissioner”). ]

(2) The Commissioner shall be appointed by Her Majesty by Letters Patent.

[ F8 (3) For the purposes of this Act and of the Freedom of Information Act 2000 there shall be a tribunal known as the Information Tribunal (in this Act referred to as “the Tribunal”). ]

(4) The Tribunal shall consist of—

(a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,

(b) such number of deputy chairmen so appointed as the Lord Chancellor may determine, and

(c) such number of other members appointed by the [ F9 Secretary of State ] as he may determine.

(5) The members of the Tribunal appointed under subsection (4)(a) and (b) shall be—

(a) persons who have a 7 year general qualification, within the meaning of section 71 of the M2 Courts and Legal Services Act 1990,

(b) advocates or solicitors in Scotland of at least 7 years’ standing, or

(c) members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years’ standing.

(6) The members of the Tribunal appointed under subsection (4)(c) shall be—

(a) persons to represent the interests of data subjects,

[ F10 (aa) persons to represent the interests of those who make requests for information under the Freedom of Information Act 2000, ]

(b) persons to represent the interests of data controllers [ F11 and

(bb) persons to represent the interests of public authorities. ]

(7) Schedule 5 has effect in relation to the Commissioner and the Tribunal.

F7 S. 6(1) substituted (30.1.2001) by 2000 c. 36, ss. 18(4), 87(2)(c), Sch. 2 Pt. I para. 13(2) (with ss. 7(1)(7), 56, 78)

F8 S. 6(3) substituted (14.5.2001) by 2000 c. 36, s. 18(2), Sch. 2 Pt. I para. 13(3) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

F9 Words in s. 6(4)(c) substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

F10 S. 6(6)(aa) substituted for word in s. 6(6)(a) (14.5.2001) by 2000 c. 36, s. 18(4), Sch. 2 Pt. II para. 16(a) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

F11 S. 6(6)(bb) and the preceding word inserted (14.5.2001) by 2000 c. 36, s. 18(4), Sch. 2 Pt. II para. 16(b) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

C5 S. 6(4)(a)(b): transfer of certain functions (1.7.1999) by 1999/1750, arts. 1, 2, Sch. 1 (with art. 7); S.I. 1998/3178, art. 3

S. 6(4)(a)(b) modified (30.6.1999) by S.I. 1999/1748, art. 3, Sch. 1 para. 20

C6 S. 6(4)(a): functions of the Lord Advocate transferred to the Secretary of State, and all property, rights and liabilities to which the Lord Advocate is entitled or subject in connection with any such function transferred to the Secretary of State for Scotland (19.5.1999) by S.I. 1999/678, arts. 2, 3, Sch. (with art. 7)

M2 1990 c. 41.

Part II U.K. Rights of data subjects and others

7 Right of access to personal data. U.K.

(1) Subject to the following provisions of this section and to [ F12 sections 8, 9 and 9A ] , an individual is entitled—

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of—

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which they are being or are to be processed, and

(iii) the recipients or classes of recipients to whom they are or may be disclosed,

(c) to have communicated to him in an intelligible form—

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of those data, and

(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2) A data controller is not obliged to supply any information under subsection (1) unless he has received—

(a) a request in writing, and

(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

[ F13 (3) Where a data controller—

(a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and

(b) has informed him of that requirement,

the data controller is not obliged to comply with the request unless he is supplied with that further information. ]

(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the data controller with a view to seeking the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

(7) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10) In this section—

“prescribed” means prescribed by the [ F14 Secretary of State ] by regulations;

“the prescribed maximum” means such amount as may be prescribed;

“the prescribed period” means forty days or such other period as may be prescribed;

“the relevant day”, in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11) Different amounts or periods may be prescribed under this section in relation to different cases.

F12 Words in s. 7(1) substituted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(1), 87(1)(3) (with ss. 7(1)(7), 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F13 S. 7(3) substituted (14.5.2001) by 2000 c. 36, s. 73, Sch. 6 para. 1 (with ss. 56, 78); S.I. 2001/1637, art. 2(d)

F14 Words in s. 7 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

C7 S. 7 excluded (1.3.2000) by S.I. 2000/414, art. 5(1)

S. 7 modified (1.3.2000) by S.I. 2000/414, art. 6

S. 7 modified (1.3.2000) by S.I. 2000/191, reg. 4(1)

S. 7 excluded (1.3.2000) by S.I. 2000/413, art. 5(1)

S. 7 modified (1.3.2000) by S.I. 2000/413, arts. 6(1), 7(3)

S. 7 modified (1.3.2000) by S.I. 2000/415, art. 6

C8 S. 7 excluded (1.3.2000) by The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419), art. 2 Sch. (as amended (1.10.2009) by S.I. 2009/1892, art. 3, Sch. 3 para. 1)

C9 S. 7 modified (1.3.2000) by virtue of The Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414), art. 7(1)(a)(2)

C10 S. 7(12) modified (1.3.2000) by virtue of The Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415), art. 7(2) (as amended (7.3.2005) by The Data Protection (Subject Access Modification) (Social Work) (Amendment) Order 2005 (S.I. 2005/467), art. 4; (1.4.2011) by The Data Protection (Subject Access Modification) (Social Work) (Amendment) Order 2011 (S.I. 2011/1034), art. 4 and (E.W.) (6.4.2011) by The Family Procedure (Modification of Enactments) Order 2011 (S.I. 2011/1045), art. 23)

C11 S. 7(1) extended (1.3.2000) by S.I. 2000/191, reg. 2(2)

C12 S. 7(1)(a)(b)(c) extended (1.3.2000) by S.I. 2000/191, reg. 2(1)

C13 S. 7(1)(b)-(d) excluded (1.3.2000) by S.I. 2000/415, art. 5(1)

C14 S. 7(4)(9) modified (1.3.2000) by S.I. 2000/413, art. 8(a)(b)

S. 7(4)(9) modified (1.3.2000) by S.I. 2000/414, art. 7(1)(a)(b)

S. 7(4)(9) modified (1.3.2000) by S.I. 2000/415, art. 7(1)(a)(b)

Commencement Information

I1 S. 7 wholly in force at 1.3.2000; s. 7 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

8 Provisions supplementary to section 7. U.K.

(1) The [ F15 Secretary of State ] may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.

(2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless—

(a) the supply of such a copy is not possible or would involve disproportionate effort, or

(b) the data subject agrees otherwise;

and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.

(3) Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(4) In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(5) Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

(6) The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(7) For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.

F15 Words in s. 8 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I2 S. 8 wholly in force at 1.3.2000; s. 8 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 8 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

9 Application of section 7 where data controller is credit reference agency. U.K.

(1) Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.

(2) An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.

(3) Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the [ F16 Secretary of State ] by regulations, of the individual’s rights—

(a) under section 159 of the M3 Consumer Credit Act 1974, and

(b) to the extent required by the prescribed form, under this Act.

F16 Words in s. 9 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I3 S. 9 wholly in force at 1.3.2000; s. 9 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 9 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

M3 1974 c. 39.

[ F17 9A Unstructured personal data held by public authorities. U.K.

(1) In this section “unstructured personal data” means any personal data falling within paragraph (e) of the definition of “data” in section 1(1), other than information which is recorded as part of, or with the intention that it should form part of, any set of information relating to individuals to the extent that the set is structured by reference to individuals or by reference to criteria relating to individuals.

(2) A public authority is not obliged to comply with subsection (1) of section 7 in relation to any unstructured personal data unless the request under that section contains a description of the data.

(3) Even if the data are described by the data subject in his request, a public authority is not obliged to comply with subsection (1) of section 7 in relation to unstructured personal data if the authority estimates that the cost of complying with the request so far as relating to those data would exceed the appropriate limit.

(4) Subsection (3) does not exempt the public authority from its obligation to comply with paragraph (a) of section 7(1) in relation to the unstructured personal data unless the estimated cost of complying with that paragraph alone in relation to those data would exceed the appropriate limit.

(5) In subsections (3) and (4) “the appropriate limit” means such amount as may be prescribed by the [ F18 Secretary of State ] by regulations, and different amounts may be prescribed in relation to different cases.

(6) Any estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000. ]

F17 S. 9A inserted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36, ss. 69(2), 87(1)(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2 (s. 69(2) of the amending Act was itself amended (19.8.2003) by S.I. 2003/1887, art. 9, Sch. 2 para. 12(1)(b))

F18 Words in s. 9A substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 paras. 9(1)(a), 12(1)(b)

10 Right to prevent processing likely to cause damage or distress. U.K.

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply—

(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the [ F19 Secretary of State ] by order.

(3) The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—

(a) stating that he has complied or intends to comply with the data subject notice, or

(b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5) The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

F19 Words in s. 10 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I4 S. 10 wholly in force at 1.3.2000; s. 10 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 10 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

11 Right to prevent processing for purposes of direct marketing. U.K.

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

[ F20 (2A) This section shall not apply in relation to the processing of such data as are mentioned in paragraph (1) of regulation 8 of the Telecommunications (Data Protection and Privacy) Regulations 1999 (processing of telecommunications billing data for certain marketing purposes) for the purposes mentioned in paragraph (2) of that regulation. ]

(3) In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

F20 S. 11(2A) inserted (1.3.2000) by S.I. 1999/2093, reg. 3(3), Sch. 1 Pt. II para. 3

12 Rights in relation to automated decision-taking. U.K.

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)—

(a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b) the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3) The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) (“the data subject notice”) give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5) In subsection (4) “exempt decision” means any decision—

(a) in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or

(b) which is made in such other circumstances as may be prescribed by the [ F21 Secretary of State ] by order.

(6) The condition in this subsection is that the decision—

(a) is taken in the course of steps taken—

(i) for the purpose of considering whether to enter into a contract with the data subject,

(ii) with a view to entering into such a contract, or

(iii) in the course of performing such a contract, or

(b) is authorised or required by or under any enactment.

(7) The condition in this subsection is that either—

(a) the effect of the decision is to grant a request of the data subject, or

(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“the responsible person”) has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

F21 Words in s. 12 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I5 S. 12 wholly in force at 1.3.2000; s. 12 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 12 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

[ F22 12A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

13 Compensation for failure to comply with certain requirements. U.K.

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

14 Rectification, blocking, erasure and destruction. U.K.

(1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then—

(a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3) Where the court—

(a) makes an order under subsection (1), or

(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4) If a court is satisfied on the application of a data subject—

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.

15 Jurisdiction and procedure. U.K.

(1) The jurisdiction conferred by sections 7 to 14 is exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.

(2) For the purpose of determining any question whether an applicant under subsection (9) of section 7 is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.

Part III U.K. Notification by data controllers

16 Preliminary. U.K.

(1) In this Part “ the registrable particulars ”, in relation to a data controller, means—

(a) his name and address,

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative,

(c) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,

(d) a description of the purpose or purposes for which the data are being or are to be processed,

(e) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,

(f) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data,

[ F24 (ff) where the data controller is a public authority, a statement of that fact, ] and

(g) in any case where—

(i) personal data are being, or are intended to be, processed in circumstances in which the prohibition in subsection (1) of section 17 is excluded by subsection (2) or (3) of that section, and

(ii) the notification does not extend to those data,

a statement of that fact.

(2) In this Part—

“ fees regulations ” means regulations made by the [ F25 Secretary of State ] under section 18(5) or 19(4) or (7);

“ notification regulations ” means regulations made by the [ F25 Secretary of State ] under the other provisions of this Part;

“ prescribed ”, except where used in relation to fees regulations, means prescribed by notification regulations.

(3) For the purposes of this Part, so far as it relates to the addresses of data controllers—

(a) the address of a registered company is that of its registered office, and

(b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

F24 S. 16(1)(ff) inserted (1.1.2005) by 2000 c. 36 , ss. 71 , 87(3) (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

F25 Words in s. 16 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I6 S. 16 wholly in force at 1.3.2000; s. 16 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 16 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

17 Prohibition on processing without registration. U.K.

(1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).

(2) Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of “ data ” in section 1(1) nor within paragraph (b) of that definition.

(3) If it appears to the [ F26 Secretary of State ] that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.

(4) Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.

F26 Words in s. 17 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

C15 S. 17(1) excluded (1.3.2000) by S.I. 2000/188 , reg. 3

18 Notification by data controllers. U.K.

(1) Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.

(2) A notification under this section must specify in accordance with notification regulations—

(a) the registrable particulars, and

(b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle.

(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).

(4) Notification regulations may make provision as to the giving of notification—

(a) by partnerships, or

(b) in other cases where two or more persons are the data controllers in respect of any personal data.

(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.

(6) Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.

I7 S. 18 wholly in force at 1.3.2000; s. 18 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 18 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

19 Register of notifications. U.K.

(1) The Commissioner shall—

(a) maintain a register of persons who have given notification under section 18, and

(b) make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.

(2) Each entry in the register shall consist of—

(a) the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and

(b) such other information as the Commissioner may be authorised or required by notification regulations to include in the register.

(3) Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.

(4) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(5) In subsection (4) “ the relevant time ” means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.

(6) The Commissioner—

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.

C16 S. 19(4) applied (with modifications) (1.3.2000) by S.I. 2000/188 , reg. 15(2)(3) (as amended by S.I. 2001/3214 , reg. 2(2) )

C17 S. 19(5) applied (with modifications) (1.3.2000) by S.I. 2000/188 , reg. 15(2)(3)

I8 S. 19 wholly in force at 1.3.2000; s. 19 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 19 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

20 Duty to notify changes. U.K.

(1) For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.

(2) The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time—

(a) the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data, and

(b) the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).

(3) Subsection (3) of section 18 has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of subsection (2) of that section.

(4) On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.

21 Offences. U.K.

(1) If section 17(1) is contravened, the data controller is guilty of an offence.

(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.

(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

22 Preliminary assessment by Commissioner. U.K.

(1) In this section “ assessable processing ” means processing which is of a description specified in an order made by the [ F27 Secretary of State ] as appearing to him to be particularly likely—

(a) to cause substantial damage or substantial distress to data subjects, or

(b) otherwise significantly to prejudice the rights and freedoms of data subjects.

(2) On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider—

(a) whether any of the processing to which the notification relates is assessable processing, and

(b) if so, whether the assessable processing is likely to comply with the provisions of this Act.

(3) Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Act.

(4) Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.

(5) No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either—

(a) the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed, or

(b) before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.

(6) Where subsection (5) is contravened, the data controller is guilty of an offence.

(7) The [ F27 Secretary of State ] may by order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.

F27 Words in s. 22 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I9 S. 22 wholly in force at 1.3.2000; s. 22 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 22 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

23 Power to make provision for appointment of data protection supervisors. U.K.

(1) The [ F28 Secretary of State ] may by order—

(a) make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller’s compliance with the provisions of this Act, and

(b) provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified in the order.

(2) An order under this section may—

(a) impose duties on data protection supervisors in relation to the Commissioner, and

(b) confer functions on the Commissioner in relation to data protection supervisors.

F28 Words in s. 23 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I10 S. 23 wholly in force at 1.3.2000; s. 23 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 23 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

24 Duty of certain data controllers to make certain information available. U.K.

(1) Subject to subsection (3), where personal data are processed in a case where—

(a) by virtue of subsection (2) or (3) of section 17, subsection (1) of that section does not apply to the processing, and

(b) the data controller has not notified the relevant particulars in respect of that processing under section 18,

the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.

(2) In this section “ the relevant particulars ” means the particulars referred to in paragraphs (a) to (f) of section 16(1).

(3) This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.

(4) Any data controller who fails to comply with the duty imposed by subsection (1) is guilty of an offence.

(5) It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.

25 Functions of Commissioner in relation to making of notification regulations. U.K.

(1) As soon as practicable after the passing of this Act, the Commissioner shall submit to the Secretary of State proposals as to the provisions to be included in the first notification regulations.

(2) The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the [ F29 Secretary of State ] proposals as to amendments to be made to the regulations.

(3) The [ F29 Secretary of State ] may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.

(4) Before making any notification regulations, the [ F29 Secretary of State ] shall—

(a) consider any proposals made to him by the Commissioner under [ F30 subsection (2) or (3) ] , and

(b) consult the Commissioner.

F29 Words in s. 25 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

F30 Words in s. 25(4)(a) substituted (26.11.2001) by S.I. 2001/3500 , art. 8 , Sch. 2 Pt. I para. 6(2)

I11 S. 25 wholly in force at 1.3.2000; s. 25(1)(4) in force at Royal Assent see s. 75(2)(i) ; s. 25 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

26 Fees regulations. U.K.

(1) Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.

(2) In making any fees regulations, the [ F31 Secretary of State ] shall have regard to the desirability of securing that the fees payable to the Commissioner are sufficient to offset—

(a) the expenses incurred by the Commissioner and the Tribunal in discharging their functions [ F32 under this Act ] and any expenses of the Secretary of State in respect of the Commissioner or the Tribunal [ F33 so far as attributable to their functions under this Act ] , and

(b) to the extent that the Secretary of State considers appropriate—

(i) any deficit previously incurred (whether before or after the passing of this Act) in respect of the expenses mentioned in paragraph (a), and

(ii) expenses incurred or to be incurred by the Secretary of State in respect of the inclusion of any officers or staff of the Commissioner in any scheme under section 1 of the M4 Superannuation Act 1972.

F31 Words in s. 26 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

F32 Words in s. 26(2)(a) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 17 (with ss. 7(1)(7) , 56 , 78 )

F33 Words in s. 26(2)(a) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 17 (with ss. 7(1)(7) , 56 , 78 )

M4 1972 c. 11 .

Part IV U.K. Exemptions

27 Preliminary. U.K.

(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part “ the subject information provisions ” means—

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part “ the non-disclosure provisions ” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are—

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

28 National security. U.K.

(1) Personal data are exempt from any of the provisions of—

(a) the data protection principles,

(b) Parts II, III and V, and

(c) [ F34 sections 54A and ] 55,

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

(3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.

(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.

(5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.

(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.

(7) On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.

(8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.

(10) The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.

(11) No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.

(12) Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.

F34 Words in s. 28(1)(c) substituted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32) , ss. 91 , 94 , Sch. 5 para. 69 ; S.I. 2004/786 , art. 3

C18 S. 28(8)(9)(10)(12) applied (with modifications) (1.3.2000) by S.I. 1999/2093 , reg. 32(8)(a)

S. 28(8)(9)(10)(12) applied (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) , reg. 28(8)(b) (with regs. 4 , 15(3) , 28 , 29 )

C19 S. 28(10) : functions of the Lord Advocate transferred to the Advocate General for Scotland, and all property, rights and liabilities to which the Lord Advocate is entitled or subject in connection with any such function transferred to the Advocate General for Scotland (20.5.1999) by S.I. 1999/679 , arts. 2 , 3 , Sch ; S.I. 1998/3178 , art. 2(2) , Sch. 4

29 Crime and taxation. U.K.

(1) Personal data processed for any of the following purposes—

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2) Personal data which—

(a) are processed for the purpose of discharging statutory functions, and

(b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),

are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3) Personal data are exempt from the non-disclosure provisions in any case in which—

(a) the disclosure is for any of the purposes mentioned in subsection (1), and

(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4) Personal data in respect of which the data controller is a relevant authority and which—

(a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes—

(i) the assessment or collection of any tax or duty or any imposition of a similar nature, or

(ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and

(b) are processed for either of those purposes,

are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4)—

“ public funds ” includes funds provided by any Community institution;

“ relevant authority ” means—

(a) a government department,

(b) a local authority, or

(c) any other authority administering housing benefit or council tax benefit.

30 Health, education and social work. U.K.

(1) The [ F35 Secretary of State ] may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.

(2) The [ F35 Secretary of State ] may by order exempt from the subject information provisions, or modify those provisions in relation to—

(a) personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consist of information relating to persons who are or have been pupils at the school, or

(b) personal data in respect of which the data controller is an education authority in Scotland, and which consist of information relating to persons who are receiving, or have received, further education provided by the authority.

(3) The [ F35 Secretary of State ] may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information—

(a) processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order, and

(b) appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;

but the [ F35 Secretary of State ] shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.

(4) An order under this section may make different provision in relation to data consisting of information of different descriptions.

(5) In this section—

“ education authority ” and “ further education ” have the same meaning as in the M5 Education (Scotland) Act 1980 (“ the 1980 Act ”), and

“ proprietor ”—

(a) in relation to a school in England or Wales, has the same meaning as in the M6 Education Act 1996,

(b) in relation to a school in Scotland, means—

[ F36 (i) in the case of a self-governing school, the board of management within the meaning of the M7 Self-Governing Schools etc. (Scotland) Act 1989, ]

(ii) in the case of an independent school, the proprietor within the meaning of the 1980 Act,

(iii) in the case of a grant-aided school, the managers within the meaning of the 1980 Act, and

(iv) in the case of a public school, the education authority within the meaning of the 1980 Act, and

(c) in relation to a school in Northern Ireland, has the same meaning as in the M8 Education and Libraries (Northern Ireland) Order 1986 and includes, in the case of a controlled school, the Board of Governors of the school.

F35 Words in s. 30 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

F36 S. 30(5)(b)(i) repealed (S.) (31.12.2004) by 2000 asp 6 , ss. 60(2) , 61(2) , Sch. 3 ; S.S.I. 2004/528 , art. 2

C20 S. 30 : transfer of functions (1.7.1999) by S.I. 1999/672 , arts. 2 , 3 , Sch. 1

C21 S. 30(3) extended (2.12.1999) by S.I. 1999/3145 , arts. 1 , 9(3)(a) ; S.I. 1999/3208 , art. 2

I12 S. 30 wholly in force at 1.3.2000; s. 30 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 30 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

M5 1980 c. 44 .

M6 1996 c. 56 .

M7 1989 c. 39 .

M8 S.I. 1986/594 (N.I.3) .

31 Regulatory activity. U.K.

(1) Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.

(2) Subsection (1) applies to any relevant function which is designed—

(a) for protecting members of the public against—

(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,

(ii) financial loss due to the conduct of discharged or undischarged bankrupts, or

(iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity,

(b) for protecting charities [ F37 or community interest companies ] against misconduct or mismanagement (whether by trustees [ F38 , directors ] or other persons) in their administration,

(c) for protecting the property of charities [ F37 or community interest companies ] from loss or misapplication,

(d) for the recovery of the property of charities [ F37 or community interest companies ] ,

(e) for securing the health, safety and welfare of persons at work, or

(f) for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.

(3) In subsection (2) “relevant function” means—

(a) any function conferred on any person by or under any enactment,

(b) any function of the Crown, a Minister of the Crown or a government department, or

(c) any other function which is of a public nature and is exercised in the public interest.

(4) Personal data processed for the purpose of discharging any function which—

(a) is conferred by or under any enactment on—

(i) the Parliamentary Commissioner for Administration,

(ii) the Commission for Local Administration in England [ F39 [ F40 or ] , the Commission for Local Administration in Wales ] F41 . . . ,

(iii) the Health Service Commissioner for England [ F42 [ F43 or ] , the Health Service Commissioner for Wales ] F44 . . . ,

[ F45 (iv) the Public Services Ombudsman for Wales, ]

(v) the Assembly Ombudsman for Northern Ireland, F46 . . .

(vi) the Northern Ireland Commissioner for Complaints, [ F47 or ]

[ F48 (vii) the Scottish Public Services Ombudsman, and ]

(b) is designed for protecting members of the public against—

(i) maladministration by public bodies,

(ii) failures in services provided by public bodies, or

(iii) a failure of a public body to provide a service which it was a function of the body to provide,

are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.

[ F49 (4A) Personal data processed for the purpose of discharging any function which is conferred by or under Part XVI of the Financial Services and Markets Act 2000 on the body established by the Financial Services Authority for the purposes of that Part are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of the function. ]

(5) Personal data processed for the purpose of discharging any function which—

(a) is conferred by or under any enactment on the [ F50 the Office of Fair Trading ] , and

(b) is designed—

(i) for protecting members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(ii) for regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(iii) for regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market,

[ F51 (5A) Personal data processed by a CPC enforcer for the purpose of discharging any function conferred on such a body by or under the CPC Regulation are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.

(5B) In subsection (5A)—

(a) “CPC enforcer” has the meaning given to it in section 213(5A) of the Enterprise Act 2002 but does not include the Office of Fair Trading;

(b) “CPC Regulation” has the meaning given to it in section 235A of that Act. ]

[ F52 (6) Personal data processed for the purpose of the function of considering a complaint under section 113(1) or (2) or 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003, or section 24D, 26 F53 . . . or 26ZB of the Children Act 1989, are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function. ]

F37 Words in s. 31(2)(b)(c)(d) inserted (1.7.2005) by Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27), ss. 59(3)(a), 65; S.I. 2004/3322, art. 2(3), Sch. 3 (subject to arts. 3-13)

F38 Words in s. 31(2)(b) inserted (1.7.2005) by Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27), ss. 59(3)(b), 65; S.I. 2004/3322, art. 2(3), Sch. 3 (subject to arts. 3-13)

F39 Words in s. 31(4)(a)(ii) repealed (1.4.2006 for W.) by Public Services Ombudsman (Wales) Act 2005 (c. 10), ss. 39, 40, Sch. 6 para. 60(a), Sch. 7; S.I. 2005/2800, art. 5

F40 Word in s. 31(4)(a)(ii) inserted (14.7.2004) by The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(a)(i)

F41 Words in s. 31(4)(a)(ii) omitted (14.7.2004) by virtue of The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(a)(ii)

F42 Words in s. 31(4)(a)(iii) repealed (1.4.2006 for W.) by Public Services Ombudsman (Wales) Act 2005 (c. 10), ss. 39, 40, Sch. 6 para. 60(b), Sch. 7; S.I. 2005/2800, art. 5

F43 Word in s. 31(4)(a)(iii) inserted (14.7.2004) by The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(b)(i)

F44 Words in s. 31(4)(a)(iii) omitted (14.7.2004) by virtue of The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(b)(ii)

F45 S. 31(4)(a)(iv) substituted (1.4.2006 for W.) by Public Services Ombudsman (Wales) Act 2005 (c. 10), ss. 39, 40, Sch. 6 para. 60(c), Sch. 7; S.I. 2005/2800, art. 5

F46 Word in s. 31(4)(a)(v) omitted (14.7.2004) by virtue of The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(c)

F47 Word in s. 31(4)(a)(vi) substituted (14.7.2004) by The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(d)

F48 S. 31(4)(a)(vii) inserted (14.7.2004) by The Scottish Public Services Ombudsman Act 2002 (Consequential Provisions and Modifications) Order 2004 (S.I. 2004/1823), art. 19(e)

F49 S. 31(4A) inserted (1.12.2001) by 2000 c. 8, s. 233; S.I. 2001/3538, art. 2(1)

F50 Words in s. 31(5)(a) substituted (1.4.2003) by Enterprise Act 2002 (c. 40), ss. 278(1), 279, Sch. 25 para. 37; S.I. 2003/766, art. 2, Sch. (with art. 3)

F51 S. 31(5A)(5B) inserted (8.1.2007) by The Enterprise Act 2002 (Amendment) Regulations 2006 (S.I. 2006/3363), reg. 29

F52 S. 31(6) inserted (1.6.2004) by Health and Social Care (Community Health and Standards) Act 2003 (c. 43), ss. 119, 199; S.I. 2004/759, art. 8

F53 Words in s. 31(6) repealed (1.4.2007) by Education and Inspections Act 2006 (c. 40), ss. 157, 184, 188, Sch. 14 para. 32, Sch. 18 Pt. 5; S.I. 2007/935, art. 5(gg)(ii)

C22 S. 31 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

32 Journalism, literature and art. U.K.

(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

(2) Subsection (1) relates to the provisions of—

(a) the data protection principles except the seventh data protection principle,

(b) section 7,

(c) section 10,

(d) section 12, and

(e) section 14(1) to (3).

(3) In considering for the purposes of subsection (1)(b) whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which—

(a) is relevant to the publication in question, and

(b) is designated by the [ F54 Secretary of State ] by order for the purposes of this subsection.

(4) Where at any time (“the relevant time”) in any proceedings against a data controller under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed—

(a) only for the special purposes, and

(b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller,

the court shall stay the proceedings until either of the conditions in subsection (5) is met.

(5) Those conditions are—

(a) that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or

(b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

(6) For the purposes of this Act “publish”, in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

F54 Words in s. 32 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I13 S. 32 wholly in force at 1.3.2000; s. 32 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 32 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

33 Research, history and statistics. U.K.

(1) In this section—

“research purposes” includes statistical or historical purposes;

“the relevant conditions”, in relation to any processing of personal data, means the conditions—

(a) that the data are not processed to support measures or decisions with respect to particular individuals, and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

(2) For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.

(3) Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.

(4) Personal data which are processed only for research purposes are exempt from section 7 if—

(a) they are processed in compliance with the relevant conditions, and

(b) the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.

(5) For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed—

(a) to any person, for research purposes only,

(b) to the data subject or a person acting on his behalf,

(c) at the request, or with the consent, of the data subject or a person acting on his behalf, or

(d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

[ F55 33A Manual data held by public authorities. U.K.

(1) Personal data falling within paragraph (e) of the definition of “data” in section 1(1) are exempt from—

(a) the first, second, third, fifth, seventh and eighth data protection principles,

(b) the sixth data protection principle except so far as it relates to the rights conferred on data subjects by sections 7 and 14,

(c) sections 10 to 12,

(d) section 13, except so far as it relates to damage caused by a contravention of section 7 or of the fourth data protection principle and to any distress which is also suffered by reason of that contravention,

(e) Part III, and

(f) section 55.

(2) Personal data which fall within paragraph (e) of the definition of “data” in section 1(1) and relate to appointments or removals, pay, discipline, superannuation or other personnel matters, in relation to—

(a) service in any of the armed forces of the Crown,

(b) service in any office or employment under the Crown or under any public authority, or

(c) service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in Her Majesty, any Minister of the Crown, the National Assembly for Wales, any Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000) or any public authority,

are also exempt from the remaining data protection principles and the remaining provisions of Part II. ]

F55 S. 33A inserted (1.1.2005) by 2000 c. 36, ss. 70(1), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

34 Information available to the public by or under enactment. U.K.

Personal data are exempt from—

(a) the subject information provisions,

(b) the fourth data protection principle and section 14(1) to (3), and

(c) the non-disclosure provisions,

if the data consist of information which the data controller is obliged by or under any enactment [ F56 other than an enactment contained in the Freedom of Information Act 2000 ] to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.

F56 Words in s. 34 inserted (30.11.2002) by 2000 c. 36, ss. 72, 87(3) (with ss. 56, 78); S.I. 2002/2812, art. 2

35 Disclosures required by law or made in connection with legal proceedings etc. U.K.

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

[ F57 35A Parliamentary privilege. U.K.

Personal data are exempt from—

(b) the second, third, fourth and fifth data protection principles,

(c) section 7, and

(d) sections 10 and 14(1) to (3),

if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament. ]

F57 S. 35A inserted (1.1.2005) by 2000 c. 36, ss. 73, 87(3), Sch. 6 para. 2 (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

36 Domestic purposes. U.K.

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

37 Miscellaneous exemptions. U.K.

Schedule 7 (which confers further miscellaneous exemptions) has effect.

38 Powers to make further exemptions by order. U.K.

(1) The [ F58 Secretary of State ] may by order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if and to the extent that he considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions.

(2) The [ F58 Secretary of State ] may by order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if he considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.

F58 Words in s. 38 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

I14 S. 38 wholly in force at 1.3.2000; s. 38 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 38 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

39 Transitional relief. U.K.

Schedule 8 (which confers transitional exemptions) has effect.

Part V Enforcement U.K.

C23 Pt. V applied (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 36(1), Sch. 4

Pt. V applied (with modifications) (1.3.2000) by S.I. 2000/190, art. 5(2)

C24 Pt. V extended (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), reg. 31, Sch. 1 (with regs. 4, 15(3), 28, 29)

40 Enforcement notices. U.K.

(1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following—

(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or

(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.

(3) An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.

(4) An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either—

(a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or

(b) to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.

(5) Where—

(a) an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or

(b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles,

an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.

(6) An enforcement notice must contain—

(a) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and

(b) particulars of the rights of appeal conferred by section 48.

(7) Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(8) If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.

(9) Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.

(10) This section has effect subject to section 46(1).

C25 S. 40 applied (30.6.1999) by 1999 c. iv, s. 6(15) (with s. 6(16)(4))

S. 40 extended (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 4

Ss. 40, 41, 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 5(2)

I15 S. 40 wholly in force at 1.3.2000; s. 40 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 40 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

41 Cancellation of enforcement notice. U.K.

(1) If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served.

(2) A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates.

C26 Ss. 40, 41, 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 5(2)

Valid from 06/04/2010

[ F59 41A Assessment notices U.K.

(1) The Commissioner may serve a data controller within subsection (2) with a notice (in this Act referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.

(2) A data controller is within this subsection if the data controller is—

(b) a public authority designated for the purposes of this section by an order made by the Secretary of State, or

(c) a person of a description designated for the purposes of this section by such an order.

(3) An assessment notice is a notice which requires the data controller to do all or any of the following—

(a) permit the Commissioner to enter any specified premises;

(b) direct the Commissioner to any documents on the premises that are of a specified description;

(c) assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;

(d) comply with any request from the Commissioner for—

(i) a copy of any of the documents to which the Commissioner is directed;

(ii) a copy (in such form as may be requested) of any of the information which the Commissioner is assisted to view;

(e) direct the Commissioner to any equipment or other material on the premises which is of a specified description;

(f) permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;

(g) permit the Commissioner to observe the processing of any personal data that takes place on the premises;

(h) make available for interview by the Commissioner a specified number of persons of a specified description who process personal data on behalf of the data controller (or such number as are willing to be interviewed).

(4) In subsection (3) references to the Commissioner include references to the Commissioner's officers and staff.

(5) An assessment notice must, in relation to each requirement imposed by the notice, specify—

(a) the time at which the requirement is to be complied with, or

(b) the period during which the requirement is to be complied with.

(6) An assessment notice must also contain particulars of the rights of appeal conferred by section 48.

(7) The Commissioner may cancel an assessment notice by written notice to the data controller on whom it was served.

(8) Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.

(9) The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless—

(a) the Commissioner has made a recommendation that the description be designated, and

(b) the Secretary of State has consulted—

(i) such persons as appear to the Secretary of State to represent the interests of those that meet the description;

(ii) such other persons as the Secretary of State considers appropriate.

(10) The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (9)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to—

(a) the nature and quantity of data under the control of such persons, and

(b) any damage or distress which may be caused by a contravention by such persons of the data protection principles.

(11) Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (10).

(12) In this section—

“public authority” includes any body, office-holder or other person in respect of which—

an order may be made under section 4 or 5 of the Freedom of Information Act 2000, or

an order may be made under section 4 or 5 of the Freedom of Information (Scotland) Act 2002;

“specified” means specified in an assessment notice.

F59 Ss. 41A-41C inserted (1.2.2010 as regards s. 41C and 6.4.2010 as regards ss. 41A, 41B) by Coroners and Justice Act 2009 (c. 25), ss. 173, 182 (with s. 180); S.I. 2010/145, art. 2, Sch. para. 15; S.I. 2010/816, art. 2, Sch. para. 12

41B Assessment notices: limitations U.K.

(1) A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.

(2) If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from “within” to the end there were substituted “of 7 days beginning with the day on which the notice is served”.

(3) A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of—

(a) any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or

(b) any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(4) In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.

(5) Nothing in section 41A authorises the Commissioner to serve an assessment notice on—

(a) a judge,

(b) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or

(c) the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.

(6) In this section “judge” includes—

(a) a justice of the peace (or, in Northern Ireland, a lay magistrate),

(b) a member of a tribunal, and

(c) a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;

and in this subsection “tribunal” means any tribunal in which legal proceedings may be brought.

Valid from 01/02/2010

41C Code of practice about assessment notices U.K.

(1) The Commissioner must prepare and issue a code of practice as to the manner in which the Commissioner's functions under and in connection with section 41A are to be exercised.

(2) The code must in particular—

(a) specify factors to be considered in determining whether to serve an assessment notice on a data controller;

(b) specify descriptions of documents and information that—

(i) are not to be examined or inspected in pursuance of an assessment notice, or

(ii) are to be so examined or inspected only by persons of a description specified in the code;

(c) deal with the nature of inspections and examinations carried out in pursuance of an assessment notice;

(d) deal with the nature of interviews carried out in pursuance of an assessment notice;

(e) deal with the preparation, issuing and publication by the Commissioner of assessment reports in respect of data controllers that have been served with assessment notices.

(3) The provisions of the code made by virtue of subsection (2)(b) must, in particular, include provisions that relate to—

(a) documents and information concerning an individual's physical or mental health;

(b) documents and information concerning the provision of social care for an individual.

(4) An assessment report is a report which contains—

(a) a determination as to whether a data controller has complied or is complying with the data protection principles,

(b) recommendations as to any steps which the data controller ought to take, or refrain from taking, to ensure compliance with any of those principles, and

(c) such other matters as are specified in the code.

(5) The Commissioner may alter or replace the code.

(6) If the code is altered or replaced, the Commissioner must issue the altered or replacement code.

(7) The Commissioner may not issue the code (or an altered or replacement code) without the approval of the Secretary of State.

(8) The Commissioner must arrange for the publication of the code (and any altered or replacement code) issued under this section in such form and manner as the Commissioner considers appropriate.

(9) In this section “ social care ” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act). ]

42 Request for assessment. U.K.

(1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.

(2) On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—

(a) satisfy himself as to the identity of the person making the request, and

(b) enable him to identify the processing in question.

(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—

(a) the extent to which the request appears to him to raise a matter of substance,

(b) any undue delay in making the request, and

(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.

(4) Where the Commissioner has received a request under this section he shall notify the person who made the request—

(a) whether he has made an assessment as a result of the request, and

(b) to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.

43 Information notices. U.K.

(1) If the Commissioner—

(a) has received a request under section 42 in respect of any processing of personal data, or

(b) reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles,

he may serve the data controller with a notice (in this Act referred to as “ an information notice ”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified.

(2) An information notice must contain—

(a) in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or

(b) in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose.

(3) An information notice must also contain particulars of the rights of appeal conferred by section 48.

(4) Subject to subsection (5), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(5) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.

(6) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—

(a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or

(b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(7) In subsection (6) references to the client of a professional legal adviser include references to any person representing such a client.

(8) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.

(9) The Commissioner may cancel an information notice by written notice to the person on whom it was served.

(10) This section has effect subject to section 46(3).

C27 Ss. 40 , 41 , 43 extended (with modifications) (1.3.2000) by S.I. 1999/2093 , reg. 34 , Sch. 3 para. 5(2)

44 Special information notices. U.K.

(b) has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 32, the personal data to which the proceedings relate—

(i) are not being processed only for the special purposes, or

(ii) are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

he may serve the data controller with a notice (in this Act referred to as a “ special information notice ”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2).

(2) That purpose is the purpose of ascertaining—

(a) whether the personal data are being processed only for the special purposes, or

(b) whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller.

(3) A special information notice must contain—

(a) in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or

(b) in a case falling within paragraph (b) of that subsection, a statement of the Commissioner’s grounds for suspecting that the personal data are not being processed as mentioned in that paragraph.

(4) A special information notice must also contain particulars of the rights of appeal conferred by section 48.

(5) Subject to subsection (6), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(6) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.

(7) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—

(8) In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client.

(9) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.

(10) The Commissioner may cancel a special information notice by written notice to the person on whom it was served.

45 Determination by Commissioner as to the special purposes. U.K.

(1) Where at any time it appears to the Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data—

(a) are not being processed only for the special purposes, or

(b) are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

he may make a determination in writing to that effect.

(2) Notice of the determination shall be given to the data controller; and the notice must contain particulars of the right of appeal conferred by section 48.

(3) A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.

46 Restriction on enforcement in case of processing for the special purposes. U.K.

(1) The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless—

(a) a determination under section 45(1) with respect to those data has taken effect, and

(b) the court has granted leave for the notice to be served.

(2) The court shall not grant leave for the purposes of subsection (1)(b) unless it is satisfied—

(a) that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance, and

(b) except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for leave.

(3) The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 45(1) with respect to those data has taken effect.

47 Failure to comply with notice. U.K.

(1) A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.

(2) A person who, in purported compliance with an information notice or a special information notice—

(a) makes a statement which he knows to be false in a material respect, or

(b) recklessly makes a statement which is false in a material respect,

is guilty of an offence.

(3) It is a defence for a person charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the notice in question.

48 Rights of appeal. U.K.

(1) A person on whom an enforcement notice, an information notice or a special information notice has been served may appeal to the Tribunal against the notice.

(2) A person on whom an enforcement notice has been served may appeal to the Tribunal against the refusal of an application under section 41(2) for cancellation or variation of the notice.

(3) Where an enforcement notice, an information notice or a special information notice contains a statement by the Commissioner in accordance with section 40(8), 43(5) or 44(6) then, whether or not the person appeals against the notice, he may appeal against—

(a) the Commissioner’s decision to include the statement in the notice, or

(b) the effect of the inclusion of the statement as respects any part of the notice.

(4) A data controller in respect of whom a determination has been made under section 45 may appeal to the Tribunal against the determination.

(5) Schedule 6 has effect in relation to appeals under this section and the proceedings of the Tribunal in respect of any such appeal.

49 Determination of appeals. U.K.

(1) If on an appeal under section 48(1) the Tribunal considers—

(a) that the notice against which the appeal is brought is not in accordance with the law, or

(b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,

the Tribunal shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.

(2) On such an appeal, the Tribunal may review any determination of fact on which the notice in question was based.

(3) If on an appeal under section 48(2) the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal shall cancel or vary the notice.

(4) On an appeal under subsection (3) of section 48 the Tribunal may direct—

(a) that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection, or

(b) that the inclusion of the statement shall not have effect in relation to any part of the notice,

and may make such modifications in the notice as may be required for giving effect to the direction.

(5) On an appeal under section 48(4), the Tribunal may cancel the determination of the Commissioner.

(6) Any party to an appeal to the Tribunal under section 48 may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be—

(a) the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales,

(b) the Court of Session if that address is in Scotland, and

(c) the High Court of Justice in Northern Ireland if that address is in Northern Ireland.

(7) For the purposes of subsection (6)—

50 Powers of entry and inspection. U.K.

Schedule 9 (powers of entry and inspection) has effect.

Part VI U.K. Miscellaneous and General

Functions of Commissioner F60 U.K.

F60 S. 54A inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32) , ss. 81 , 94 ; S.I. 2004/786 , art. 3

51 General duties of Commissioner. U.K.

(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.

(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.

(3) Where—

(a) the [ F61 Secretary of State ] so directs by order, or

(b) the Commissioner considers it appropriate to do so,

the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.

(4) The Commissioner shall also—

(a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and

(b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.

(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.

(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—

(a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,

(b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and

(c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.

(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.

(8) The Commissioner may charge such sums as he may with the consent of the [ F61 Secretary of State ] determine for any services provided by the Commissioner by virtue of this Part.

(9) In this section—

“ good practice ” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“ trade association ” includes any body representing data controllers.

F61 Words in s. 51 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I16 S. 51 wholly in force at 1.3.2000; s. 51 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 51 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

52 Reports and codes of practice to be laid before Parliament. U.K.

(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.

(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [ F62 Secretary of State ] , unless the code is included in any report laid under subsection (1) or (2).

F62 Words in s. 52 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

[ F63 52A Data-sharing code U.K.

(1) The Commissioner must prepare a code of practice which contains—

(a) practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and

(b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

(2) For this purpose “ good practice ” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.

(3) Before a code is prepared under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—

(a) trade associations (within the meaning of section 51);

(b) data subjects;

(c) persons who appear to the Commissioner to represent the interests of data subjects.

(4) In this section a reference to the sharing of personal data is to the disclosure of the data by transmission, dissemination or otherwise making it available.

F63 Ss. 52A-52E inserted (1.2.2010) by Coroners and Justice Act 2009 (c. 25) , ss. 174(1) , 175 , 182 (with s. 180 ); S.I. 2010/145 , art. 2 , Sch. para. 16

[ F63 52B Data-sharing code: procedure U.K.

(1) When a code is prepared under section 52A, it must be submitted to the Secretary of State for approval.

(2) Approval may be withheld only if it appears to the Secretary of State that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation.

(3) The Secretary of State must—

(a) if approval is withheld, publish details of the reasons for withholding it;

(b) if approval is granted, lay the code before Parliament.

(4) If, within the 40-day period, either House of Parliament resolves not to approve the code, the code is not to be issued by the Commissioner.

(5) If no such resolution is made within that period, the Commissioner must issue the code.

(6) Where—

(a) the Secretary of State withholds approval, or

(b) such a resolution is passed,

the Commissioner must prepare another code of practice under section 52A.

(7) Subsection (4) does not prevent a new code being laid before Parliament.

(8) A code comes into force at the end of the period of 21 days beginning with the day on which it is issued.

(9) A code may include transitional provision or savings.

(10) In this section “ the 40-day period ” means the period of 40 days beginning with the day on which the code is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).

(11) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days. ]

[ F63 52C Alteration or replacement of data-sharing code U.K.

(1) The Commissioner—

(a) must keep the data-sharing code under review, and

(b) may prepare an alteration to that code or a replacement code.

(2) Where, by virtue of a review under subsection (1)(a) or otherwise, the Commissioner becomes aware that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation, the Commissioner must exercise the power under subsection (1)(b) with a view to remedying the situation.

(3) Before an alteration or replacement code is prepared under subsection (1), the Commissioner must consult such of the following as the Commissioner considers appropriate—

(4) Section 52B (other than subsection (6)) applies to an alteration or replacement code prepared under this section as it applies to the code as first prepared under section 52A.

(5) In this section “ the data-sharing code ” means the code issued under section 52B(5) (as altered or replaced from time to time). ]

52D Publication of data-sharing code U.K.

(1) The Commissioner must publish the code (and any replacement code) issued under section 52B(5).

(2) Where an alteration is so issued, the Commissioner must publish either—

(a) the alteration, or

(b) the code or replacement code as altered by it.

52E Effect of data-sharing code U.K.

(1) A failure on the part of any person to act in accordance with any provision of the data-sharing code does not of itself render that person liable to any legal proceedings in any court or tribunal.

(2) The data-sharing code is admissible in evidence in any legal proceedings.

(3) If any provision of the data-sharing code appears to—

(a) the Tribunal or a court conducting any proceedings under this Act,

(b) a court or tribunal conducting any other legal proceedings, or

(c) the Commissioner carrying out any function under this Act,

to be relevant to any question arising in the proceedings, or in connection with the exercise of that jurisdiction or the carrying out of those functions, in relation to any time when it was in force, that provision of the code must be taken into account in determining that question.

(4) In this section “ the data-sharing code ” means the code issued under section 52B(5) (as altered or replaced from time to time). ]

53 Assistance by Commissioner in cases involving processing for the special purposes. U.K.

(1) An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.

(2) The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.

(3) If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.

(4) If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.

(a) references to “ proceedings ” include references to prospective proceedings, and

(b) “ applicant ”, in relation to assistance under this section, means an individual who applies for assistance.

(6) Schedule 10 has effect for supplementing this section.

54 International co-operation. U.K.

(a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and

(b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive.

(2) The [ F64 Secretary of State ] may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.

(3) The [ F64 Secretary of State ] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—

(a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, and

(b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order.

(4) The Commissioner shall also carry out any data protection functions which the [ F64 Secretary of State ] may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.

(5) The Commissioner shall, if so directed by the [ F64 Secretary of State ] , provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the [ F64 Secretary of State ] may direct or approve, on such terms (including terms as to payment) as the [ F64 Secretary of State ] may direct or approve.

(6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.

(7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—

(a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and

(b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.

(8) In this section—

“ the Convention ” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;

“ data protection functions ” means functions relating to the protection of individuals with respect to the processing of personal information.

F64 Words in s. 54 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I17 S. 54 wholly in force at 1.3.2000; s. 54 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 54 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

[ F60 54A Inspection of overseas information systems U.K.

(1) The Commissioner may inspect any personal data recorded in—

(a) the Schengen information system,

(b) the Europol information system,

(c) the Customs information system.

(2) The power conferred by subsection (1) is exercisable only for the purpose of assessing whether or not any processing of the data has been or is being carried out in compliance with this Act.

(3) The power includes power to inspect, operate and test equipment which is used for the processing of personal data.

(4) Before exercising the power, the Commissioner must give notice in writing of his intention to do so to the data controller.

(5) But subsection (4) does not apply if the Commissioner considers that the case is one of urgency.

(6) Any person who—

(a) intentionally obstructs a person exercising the power conferred by subsection (1), or

(b) fails without reasonable excuse to give any person exercising the power any assistance he may reasonably require,

is guilty of an offence.

(7) In this section—

“ the Customs information system ” means the information system established under Chapter II of the Convention on the Use of Information Technology for Customs Purposes,

“ the Europol information system ” means the information system established under Title II of the Convention on the Establishment of a European Police Office,

“ the Schengen information system ” means the information system established under Title IV of the Convention implementing the Schengen Agreement of 14th June 1985, or any system established in its place in pursuance of any Community obligation. ]

Unlawful obtaining etc. of personal data U.K.

55 Unlawful obtaining etc. of personal data. U.K.

(1) A person must not knowingly or recklessly, without the consent of the data controller—

(a) obtain or disclose personal data or the information contained in personal data, or

(b) procure the disclosure to another person of the information contained in personal data.

(2) Subsection (1) does not apply to a person who shows—

(a) that the obtaining, disclosing or procuring—

(i) was necessary for the purpose of preventing or detecting crime, or

(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3) A person who contravenes subsection (1) is guilty of an offence.

(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5) A person who offers to sell personal data is guilty of an offence if—

(a) he has obtained the data in contravention of subsection (1), or

(b) he subsequently obtains the data in contravention of that subsection.

(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “ personal data ” includes information extracted from personal data.

(8) References in this section to personal data do not include references to personal data which by virtue of section 28 [ F65 or 33A ] are exempt from this section.

F65 Words in s. 55(8) inserted (1.1.2005) by 2000 c. 36 , ss. 70(2) , 87(3) (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

Valid from 01/10/2009

[ F66 Monetary penalties F67 F68 F69 ] U.K.

F66 Ss. 55A - 55E and cross-heading inserted (1.10.2009 for certain purposes and 1.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2009/2606 , art. 2(n) ; S.I. 2010/712 , art. 4

F67 S. 55B inserted (1.10.2009 for certain purposes and 6.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2009/2606 , art. 2(n) ; S.I. 2010/712 , art. 4

F68 S. 55C inserted (1.10.2009) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2009/2606 , art. 2(n)

F69 S. 55E inserted (1.10.2009) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2009/2606 , art. 2(n)

[ F70 55A Power of Commissioner to impose monetary penalty U.K.

(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known—

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(4) A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

(5) The amount determined by the Commissioner must not exceed the prescribed amount.

(6) The monetary penalty must be paid to the Commissioner within the period specified in the notice.

(7) The notice must contain such information as may be prescribed.

(8) Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.

“ data controller ” does not include the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3);

“ prescribed ” means prescribed by regulations made by the Secretary of State. ]

F70 S. 55A inserted (1.10.2009 for certain purposes and 6.4.2010 to the extent that it is not already in force) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2009/2606 , art. 2(n) ; S.I. 2010/712 , art. 4

[ F67 55B Monetary penalty notices: procedural rights U.K.

(1) Before serving a monetary penalty notice, the Commissioner must serve the data controller with a notice of intent.

(2) A notice of intent is a notice that the Commissioner proposes to serve a monetary penalty notice.

(3) A notice of intent must—

(a) inform the data controller that he may make written representations in relation to the Commissioner's proposal within a period specified in the notice, and

(b) contain such other information as may be prescribed.

(4) The Commissioner may not serve a monetary penalty notice until the time within which the data controller may make representations has expired.

(5) A person on whom a monetary penalty notice is served may appeal to the Tribunal against—

(a) the issue of the monetary penalty notice;

(b) the amount of the penalty specified in the notice.

(6) In this section, “ prescribed ” means prescribed by regulations made by the Secretary of State. ]

[ F68 55C Guidance about monetary penalty notices U.K.

(1) The Commissioner must prepare and issue guidance on how he proposes to exercise his functions under sections 55A and 55B.

(2) The guidance must, in particular, deal with—

(a) the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and

(b) how he will determine the amount of the penalty.

(3) The Commissioner may alter or replace the guidance.

(4) If the guidance is altered or replaced, the Commissioner must issue the altered or replacement guidance.

(5) The Commissioner may not issue guidance under this section without the approval of the Secretary of State.

(6) The Commissioner must lay any guidance issued under this section before each House of Parliament.

(7) The Commissioner must arrange for the publication of any guidance issued under this section in such form and manner as he considers appropriate.

(8) In subsections (5) to (7), “ guidance ” includes altered or replacement guidance. ]

Valid from 01/04/2010

[ F71 55D Monetary penalty notices: enforcement U.K.

(1) This section applies in relation to any penalty payable to the Commissioner by virtue of section 55A.

(2) In England and Wales, the penalty is recoverable—

(a) if a county court so orders, as if it were payable under an order of that court;

(b) if the High Court so orders, as if it were payable under an order of that court.

(3) In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(4) In Northern Ireland, the penalty is recoverable—

(b) if the High Court so orders, as if it were payable under an order of that court. ]

F71 S. 55D inserted (6.4.2010) by Criminal Justice and Immigration Act 2008 (c. 4) , ss. 144(1) , 153 ; S.I. 2010/712 , art. 4

[ F69 55E Notices under sections 55A and 55B: supplemental U.K.

(1) The Secretary of State may by order make further provision in connection with monetary penalty notices and notices of intent.

(2) An order under this section may in particular—

(a) provide that a monetary penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;

(b) make provision for the cancellation or variation of monetary penalty notices;

(c) confer rights of appeal to the Tribunal against decisions of the Commissioner in relation to the cancellation or variation of such notices;

(d) make provision for the proceedings of the Tribunal in respect of appeals under section 55B(5) or appeals made by virtue of paragraph (c);

(e) make provision for the determination of such appeals;

(f) confer rights of appeal against any decision of the Tribunal in relation to monetary penalty notices or their cancellation or variation.

(3) An order under this section may apply any provision of this Act with such modifications as may be specified in the order.

(4) An order under this section may amend this Act. ]

Records obtained under data subject’s right of access U.K.

56 Prohibition of requirement as to production of certain records. U.K.

(1) A person must not, in connection with—

(a) the recruitment of another person as an employee,

(b) the continued employment of another person, or

(c) any contract for the provision of services to him by another person,

require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.

(2) A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.

(3) Subsections (1) and (2) do not apply to a person who shows—

(a) that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court, or

(b) that in the particular circumstances the imposition of the requirement was justified as being in the public interest.

(4) Having regard to the provisions of Part V of the M9 Police Act 1997 (certificates of criminal records etc.), the imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as being justified as being in the public interest on the ground that it would assist in the prevention or detection of crime.

(5) A person who contravenes subsection (1) or (2) is guilty of an offence.

(6) In this section “ a relevant record ” means any record which—

(a) has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7, and

(b) contains information relating to any matter specified in relation to that data controller in the second column,

and includes a copy of such a record or a part of such a record.

[ F74 (6A) A record is not a relevant record to the extent that it relates, or is to relate, only to personal data falling within paragraph (e) of the definition of “data” in section 1(1). ]

(7) In the Table in subsection (6)—

“ caution ” means a caution given to any person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;

“ conviction ” has the same meaning as in the M10 Rehabilitation of Offenders Act 1974 or the M11 Rehabilitation of Offenders (Northern Ireland) Order 1978.

(8) The [ F75 Secretary of State ] may by order amend—

(a) the Table in subsection (6), and

(b) subsection (7).

(9) For the purposes of this section a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.

(10) In this section “ employee ” means an individual who—

(a) works under a contract of employment, as defined by section 230(2) of the M12 Employment Rights Act 1996, or

(b) holds any office,

whether or not he is entitled to remuneration; and “ employment ” shall be construed accordingly.

F72 S. 56(6) Table: para. (d) in first entry substituted (1.4.2005) for paras. (d)(e) by Serious Organised Crime and Police Act 2005 (c. 15) , ss. 59 , 178 , Sch. 4 para. 112 ; S.I. 2006/378 , art. 4 , Sch.

F73 S. 56(6) Table: words in entry 2 substituted (25.8.2000) by 2000 c. 6 , ss. 165 , 168 , Sch. 9 para. 191

F74 S. 56(6A) inserted (1.1.2005) by 2000 c. 36 , ss. 68(4) , 87(3) (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

F75 Words in s. 56 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I18 S. 56 partly in force; s. 56 in force for certain purposes at Royal Assent see s. 75(2)(i); s. 56 in force for specified purposes at 3.3.2011 by S.I. 2011/601 , art. 2

M9 1997 c. 50 .

M10 1974 c. 53 .

M11 S.I. 1978/1908 (N.I.27)

M12 1996 c. 18 .

57 Avoidance of certain contractual terms relating to health records. U.K.

(1) Any term or condition of a contract is void in so far as it purports to require an individual—

(a) to supply any other person with a record to which this section applies, or with a copy of such a record or a part of such a record, or

(b) to produce to any other person such a record, copy or part.

(2) This section applies to any record which—

(a) has been or is to be obtained by a data subject in the exercise of the right conferred by section 7, and

(b) consists of the information contained in any health record as defined by section 68(2).

Information provided to Commissioner or Tribunal U.K.

58 Disclosure of information. U.K.

No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Commissioner or the Tribunal with any information necessary for the discharge of their functions under this Act [ F76 or the Freedom of Information Act 2000 ] .

F76 Words in s. 58 inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 18 (with ss. 7(1)(7) , 56 , 78 )

C28 S. 58 applied (with modifications) (1.3.2000) by S.I. 1999/2093 , reg. 32(8)(b)

S. 58 applied (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) , reg. 28(8)(c) (with regs. 4 , 15(3) , 28 , 29 )

59 Confidentiality of information. U.K.

(1) No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which—

(a) has been obtained by, or furnished to, the Commissioner under or for the purposes of [ F77 the information Acts ] ,

(b) relates to an identified or identifiable individual or business, and

(c) is not at the time of the disclosure, and has not previously been, available to the public from other sources,

unless the disclosure is made with lawful authority.

(2) For the purposes of subsection (1) a disclosure of information is made with lawful authority only if, and to the extent that—

(a) the disclosure is made with the consent of the individual or of the person for the time being carrying on the business,

(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under any provision of [ F77 the information Acts ] ,

(c) the disclosure is made for the purposes of, and is necessary for, the discharge of—

(i) any functions under [ F77 the information Acts ] , or

(ii) any Community obligation,

(d) the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, [ F77 the information Acts ] or otherwise, or

(e) having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.

(3) Any person who knowingly or recklessly discloses information in contravention of subsection (1) is guilty of an offence.

[ F78 (4) In this section “ the information Acts ” means this Act and the Freedom of Information Act 2000. ]

F77 Words in s. 59(1)(a)(2)(b)(c)(i)(d) substituted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 19(2) (with ss. 7(1)(7) , 56 , 78 )

F78 S. 59(4) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 19(3) (with ss. 7(1)(7) , 56 , 78 )

C29 S. 59(1) : disclosure powers extended (14.12.2001) by 2001 c. 24 , ss. 17 , 127(2)(a) , Sch. 4 Pt. I para. 42

General provisions relating to offences U.K.

60 Prosecutions and penalties. U.K.

(1) No proceedings for an offence under this Act shall be instituted—

(a) in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;

(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.

(2) A person guilty of an offence under any provision of this Act other than [ F79 section 54A and ] paragraph 12 of Schedule 9 is liable—

(a) on summary conviction, to a fine not exceeding the statutory maximum, or

(b) on conviction on indictment, to a fine.

(3) A person guilty of an offence under [ F80 section 54A and ] paragraph 12 of Schedule 9 is liable on summary conviction to a fine not exceeding level 5 on the standard scale.

(4) Subject to subsection (5), the court by or before which a person is convicted of—

(a) an offence under section 21(1), 22(6), 55 or 56,

(b) an offence under section 21(2) relating to processing which is assessable processing for the purposes of section 22, or

(c) an offence under section 47(1) relating to an enforcement notice,

may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

(5) The court shall not make an order under subsection (4) in relation to any material where a person (other than the offender) claiming to be the owner of or otherwise interested in the material applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.

F79 Words in s. 60(2)(3) inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32) , ss. 91 , 94 , Sch. 5 para. 70 ; S.I. 2004/786 , art. 3

F80 Words in s. 60(2)(3) inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32) , ss. 91 , 94 , Sch. 5 para. 70 ; S.I. 2004/786 , art. 3

61 Liability of directors etc. U.K.

(1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

(2) Where the affairs of a body corporate are managed by its members subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.

(3) Where an offence under this Act has been committed by a Scottish partnership and the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner, he as well as the partnership shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly.

Amendments of Consumer Credit Act 1974 U.K.

62 Amendments of Consumer Credit Act 1974. U.K.

(1) In section 158 of the M13 Consumer Credit Act 1974 (duty of agency to disclose filed information)—

(a) in subsection (1)—

(i) in paragraph (a) for “individual” there is substituted “ partnership or other unincorporated body of persons not consisting entirely of bodies corporate ” , and

(ii) for “him” there is substituted “ it ” ,

(b) in subsection (2), for “his” there is substituted “ the consumer’s ” , and

(c) in subsection (3), for “him” there is substituted “ the consumer ” .

(2) In section 159 of that Act (correction of wrong information) for subsection (1) there is substituted—

“ (1) Any individual (the “ objector ”) given—

(a) information under section 7 of the Data Protection Act 1998 by a credit reference agency, or

(b) information under section 158,

who considers that an entry in his file is incorrect, and that if it is not corrected he is likely to be prejudiced, may give notice to the agency requiring it either to remove the entry from the file or amend it. ”

(3) In subsections (2) to (6) of that section—

(a) for “consumer”, wherever occurring, there is substituted “ objector ” , and

(b) for “Director”, wherever occurring, there is substituted “ the relevant authority ” .

(4) After subsection (6) of that section there is inserted—

“ (7) The Data Protection Commissioner may vary or revoke any order made by him under this section.

(8) In this section “ the relevant authority ” means—

(a) where the objector is a partnership or other unincorporated body of persons, the Director, and

(b) in any other case, the Data Protection Commissioner. ”

(5) In section 160 of that Act (alternative procedure for business consumers)—

(a) in subsection (4)—

(i) for “him” there is substituted “ to the consumer ” , and

(ii) in paragraphs (a) and (b) for “he” there is substituted “ the consumer ” and for “his” there is substituted “ the consumer’s ” , and

(b) after subsection (6) there is inserted—

“ (7) In this section “ consumer ” has the same meaning as in section 158. ”

M13 1974 c. 39 .

General U.K.

63 Application to Crown. U.K.

(1) This Act binds the Crown.

(2) For the purposes of this Act each government department shall be treated as a person separate from any other government department.

(3) Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by any person acting on behalf of the Royal Household, the Duchy of Lancaster or the Duchy of Cornwall, the data controller in respect of those data for the purposes of this Act shall be—

(a) in relation to the Royal Household, the Keeper of the Privy Purse,

(b) in relation to the Duchy of Lancaster, such person as the Chancellor of the Duchy appoints, and

(c) in relation to the Duchy of Cornwall, such person as the Duke of Cornwall, or the possessor for the time being of the Duchy of Cornwall, appoints.

(4) Different persons may be appointed under subsection (3)(b) or (c) for different purposes.

(5) Neither a government department nor a person who is a data controller by virtue of subsection (3) shall be liable to prosecution under this Act, but [ F81 sections 54A and ] 55 and paragraph 12 of Schedule 9 shall apply to a person in the service of the Crown as they apply to any other person.

F81 Words in s. 63(5) inserted (26.4.2004) by Crime (International Co-operation) Act 2003 (c. 32) , ss. 91 , 94 , Sch. 5 para. 71 ; S.I. 2004/786 , art. 3

C30 S. 63 extended (2.12.1999) by S.I. 1999/3145 , arts. 1 , 9(3)(c) ; S.I. 1999/3208 , art. 2

[ F82 63A Application to Parliament. U.K.

(1) Subject to the following provisions of this section and to section 35A, this Act applies to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.

(2) Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Commons, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.

(3) Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of the House of Lords, the data controller in respect of those data for the purposes of this Act shall be the Corporate Officer of that House.

(4) Nothing in subsection (2) or (3) is to be taken to render the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act, but section 55 and paragraph 12 of Schedule 9 shall apply to a person acting on behalf of either House as they apply to any other person. ]

F82 S. 63A inserted (1.1.2005) by 2000 c. 36 , ss. 73 , 87(3) , Sch. 6 para. 3 (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

64 Transmission of notices etc. by electronic or other means. U.K.

(1) This section applies to—

(a) a notice or request under any provision of Part II,

(b) a notice under subsection (1) of section 24 or particulars made available under that subsection, or

(c) an application under section 41(2),

but does not apply to anything which is required to be served in accordance with rules of court.

(2) The requirement that any notice, request, particulars or application to which this section applies should be in writing is satisfied where the text of the notice, request, particulars or application—

(a) is transmitted by electronic means,

(b) is received in legible form, and

(c) is capable of being used for subsequent reference.

(3) The [ F83 Secretary of State ] may by regulations provide that any requirement that any notice, request, particulars or application to which this section applies should be in writing is not to apply in such circumstances as may be prescribed by the regulations.

F83 Words in s. 64 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

I19 S. 64 wholly in force at 1.3.2000; s. 64 in force for certain purposes at Royal Assent see s. 75(2)(i) ; s. 64 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

65 Service of notices by Commissioner. U.K.

(1) Any notice authorised or required by this Act to be served on or given to any person by the Commissioner may—

(a) if that person is an individual, be served on him—

(i) by delivering it to him, or

(ii) by sending it to him by post addressed to him at his usual or last-known place of residence or business, or

(iii) by leaving it for him at that place;

(b) if that person is a body corporate or unincorporate, be served on that body—

(i) by sending it by post to the proper officer of the body at its principal office, or

(ii) by addressing it to the proper officer of the body and leaving it at that office;

(c) if that person is a partnership in Scotland, be served on that partnership—

(i) by sending it by post to the principal office of the partnership, or

(ii) by addressing it to that partnership and leaving it at that office.

(2) In subsection (1)(b) “ principal office ”, in relation to a registered company, means its registered office and “ proper officer ”, in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.

(3) This section is without prejudice to any other lawful method of serving or giving a notice.

66 Exercise of rights in Scotland by children. U.K.

(1) Where a question falls to be determined in Scotland as to the legal capacity of a person under the age of sixteen years to exercise any right conferred by any provision of this Act, that person shall be taken to have that capacity where he has a general understanding of what it means to exercise that right.

(2) Without prejudice to the generality of subsection (1), a person of twelve years of age or more shall be presumed to be of sufficient age and maturity to have such understanding as is mentioned in that subsection.

67 Orders, regulations and rules. U.K.

(1) Any power conferred by this Act on the [ F84 Secretary of State ] to make an order, regulations or rules shall be exercisable by statutory instrument.

(2) Any order, regulations or rules made by the [ F84 Secretary of State ] under this Act may—

(a) make different provision for different cases, and

(b) make such supplemental, incidental, consequential or transitional provision or savings as the [ F84 Secretary of State ] considers appropriate;

and nothing in section 7(11), 19(5), 26(1) or 30(4) limits the generality of paragraph (a).

(3) Before making—

(a) an order under any provision of this Act other than section 75(3),

(b) any regulations under this Act other than notification regulations (as defined by section 16(2)),

the [ F84 Secretary of State ] shall consult the Commissioner.

(4) A statutory instrument containing (whether alone or with other provisions) an order under—

section 10(2)(b),

section 12(5)(b),

section 22(1),

section 30,

section 32(3),

section 38,

section 56(8),

paragraph 10 of Schedule 3, or

paragraph 4 of Schedule 7,

shall not be made unless a draft of the instrument has been laid before and approved by a resolution of each House of Parliament.

(5) A statutory instrument which contains (whether alone or with other provisions)—

(a) an order under—

section 22(7),

section 23,

section 51(3),

section 54(2), (3) or (4),

paragraph 3, 4 or 14 of Part II of Schedule 1,

paragraph 6 of Schedule 2,

paragraph 2, 7 or 9 of Schedule 3,

paragraph 4 of Schedule 4,

paragraph 6 of Schedule 7,

(b) regulations under section 7 which—

(i) prescribe cases for the purposes of subsection (2)(b),

(ii) are made by virtue of subsection (7), or

(iii) relate to the definition of “ the prescribed period ”,

(c) regulations under section 8(1) [ F85 , 9(3) or 9A(5) ] ,

(d) regulations under section 64,

(e) notification regulations (as defined by section 16(2)), or

(f) rules under paragraph 7 of Schedule 6,

and which is not subject to the requirement in subsection (4) that a draft of the instrument be laid before and approved by a resolution of each House of Parliament, shall be subject to annulment in pursuance of a resolution of either House of Parliament.

(6) A statutory instrument which contains only—

(a) regulations prescribing fees for the purposes of any provision of this Act, or

(b) regulations under section 7 prescribing fees for the purposes of any other enactment,

shall be laid before Parliament after being made.

F84 Words in s. 67 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(a)

F85 Words in s. 67(5)(c) substituted (30.11.2000 for certain purposes and otherwise 1.1.2005) by 2000 c. 36 , ss. 69(3) , 87(1)(3) (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

C31 S. 67(1)(2)(5)(f) applied (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) , reg. 28(8)(d) (with regs. 4 , 15(3) , 28 , 29 )

68 Meaning of “accessible record”. U.K.

(1) In this Act “ accessible record ” means—

(a) a health record as defined by subsection (2),

(b) an educational record as defined by Schedule 11, or

(c) an accessible public record as defined by Schedule 12.

(2) In subsection (1)(a) “ health record ” means any record which—

(a) consists of information relating to the physical or mental health or condition of an individual, and

(b) has been made by or on behalf of a health professional in connection with the care of that individual.

69 Meaning of “health professional”. U.K.

(1) In this Act “ health professional ” means any of the following—

(a) a registered medical practitioner,

(b) a registered dentist as defined by section 53(1) of the M14 Dentists Act 1984,

[ F86 (c) a registered dispensing optician or a registered optometrist within the meaning of the Opticians Act 1989, ]

(d) [ F87 a registered pharmacist or registered pharmacy technician within the meaning of the Pharmacists and Pharmacy Technicians Order 2007 ] or a registered person as defined by Article 2(2) of the M15 Pharmacy (Northern Ireland) Order 1976,

[ F88 (e) a registered nurse or midwife ]

(f) a registered osteopath as defined by section 41 of the M16 Osteopaths Act 1993,

(g) a registered chiropractor as defined by section 43 of the M17 Chiropractors Act 1994,

(h) any person who is registered as a member of a profession to which [ F89 the Health Professions Order 2001 ] for the time being extends,

(i) a clinical psychologist [ F90 or child psychotherapist ] ,

(j) F91 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(k) a scientist employed by such a body as head of a department.

(2) In subsection (1)(a) “ registered medical practitioner ” includes any person who is provisionally registered under section 15 or 21 of the M18 Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.

(3) In subsection (1) “health service body” means—

(a) a [F92 Strategic Health Authority] [F93 established under section 13 of the National Health Service Act 2006],

(b) a Special Health Authority established under [F94 section 28 of that Act, or section 22 of the National Health Service (Wales) Act 2006],

[F95 (bb) a Primary Care Trust established under [F96 section 18 of the National Health Service Act 2006],]

[F97 (bbb) a Local Health Board established under [F98 section 11 of the National Health Service (Wales) Act 2006],]

(c) a Health Board within the meaning of the M19 National Health Service (Scotland) Act 1978,

(d) a Special Health Board within the meaning of that Act,

(e) the managers of a State Hospital provided under section 102 of that Act,

(f) a National Health Service trust first established under section 5 of the M20 National Health Service and Community Care Act 1990 [F99, section 25 of the National Health Service Act 2006, section 18 of the National Health Service (Wales) Act 2006] or section 12A of the National Health Service (Scotland) Act 1978,

[F100 (fa) an NHS foundation trust;]

(g) a Health and Social Services Board established under Article 16 of the M21 Health and Personal Social Services (Northern Ireland) Order 1972,

(h) a special health and social services agency established under the M22 Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990, or

(i) a Health and Social Services trust established under Article 10 of the M23 Health and Personal Social Services (Northern Ireland) Order 1991.

F86 S. 69(1)(c) substituted by The Opticians Act 1989 (Amendment) Order 2005 (S.I. 2005/848), art. 28, Sch. 1 para. 12 (with art. 29, Sch. 2) (the amendment coming into force in accordance with art. 1(2)-(6))

F87 Words in s. 69(1)(d) substituted (and coming into force in accordance with art. 1(2)(3)) by The Pharmacists and Pharmacy Technicians Order 2007 (S.I. 2007/289), art. 67, Sch. 1 para. 7

F88 S. 69(1)(e) substituted by The Nursing and Midwifery Order 2001 (S.I. 2002/253), art. 54(3), Sch. 5 para. 14 (with art. 3(18)) (the amendment coming into force in accordance with art. 1(2)(3) of the amending S.I.)

F89 Words in s. 69(1)(h) substituted by The Health Professions Order 2001 (S.I. 2002/254), art. 48(3), Sch. 4 para. 7 (with art. 3(19)) (the amendment coming into force in accordance with art. 1(2)(3) of the amending S.I.)

F90 Words in s. 69(1)(i) substituted (9.7.2003) by The Health Professions Order 2001 (Consequential Amendments) Order 2003 (S.I. 2003/1590), art. 3, Sch. para. 1(a)

F91 S. 69(1)(j) omitted (9.7.2003) by virtue of The Health Professions Order 2001 (Consequential Amendments) Order 2003 (S.I. 2003/1590), art. 3, Sch. para. 1(b)

F92 Words in s. 69(3)(a) inserted (1.10.2002) by The National Health Service Reform and Health Care Professions Act 2002 (Supplementary, Consequential etc. Provisions) Regulations 2002 (S.I. 2002/2469), reg. 4, Sch. 1 para. 24

F93 Words in s. 69(3)(a) substituted (1.3.2007) by National Health Service (Consequential Provisions) Act 2006 (c. 43), ss. 2, 8, Sch. 1 para. 191(a)

F94 Words in s. 69(3)(b) substituted (1.3.2007) by National Health Service (Consequential Provisions) Act 2006 (c. 43), ss. 2, 8, Sch. 1 para. 191(b)

F95 S. 69(3)(bb) inserted (8.2.2000) by S.I. 2000/90, art. 3(1), Sch. 1 para. 33

F96 Words in s. 69(3)(bb) substituted (1.3.2007) by National Health Service (Consequential Provisions) Act 2006 (c. 43), ss. 2, 8, Sch. 1 para. 191(c)

F97 S. 69(3)(bbb) inserted (10.10.2002 for W. and 1.3.2007 otherwise for E.W.) by National Health Service Reform and Health Care Professions Act 2002 (c. 17), ss. 6(2), 42(3), Sch. 5 para. 41; S.I. 2002/2532, art. 2, Sch.; S.I. 2006/1407, arts. 1, 2, Sch. 1 Pt. 2 para. 12

F98 Words in s. 69(3)(bbb) substituted (1.3.2007) by National Health Service (Consequential Provisions) Act 2006 (c. 43), ss. 2, 8, Sch. 1 para. 191(d)

F99 Words in s. 69(3)(f) inserted (1.3.2007) by National Health Service (Consequential Provisions) Act 2006 (c. 43), ss. 2, 8, Sch. 1 para. 191(e)

F100 S. 69(3)(fa) inserted (1.4.2004) by Health and Social Care (Community Health and Standards) Act 2003 (c. 43), ss. 34, 199, Sch. 4 para. 107; S.I. 2004/759, art. 2

M14 1984 c. 24.

M15 S.I. 1976/1213 (N.I. 22).

M16 1993 c. 21.

M17 1994 c. 17.

M18 1983 c. 54.

M19 1978 c. 29.

M20 1990 c. 19.

M21 S.I. 1972/1265 (N.I. 14).

M22 S.I. 1990/247 (N.I. 3).

M23 S.I. 1991/194 (N.I. 1).

70 Supplementary definitions. U.K.

(1) In this Act, unless the context otherwise requires—

“business” includes any trade or profession;

“the Commissioner” means [F101 the Information Commissioner];

“credit reference agency” has the same meaning as in the M24 Consumer Credit Act 1974;

“the Data Protection Directive” means Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

“EEA State” means a State which is a contracting party to the Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels on 17th March 1993;

“enactment” includes an enactment passed after this Act [F102 and any enactment comprised in, or in any instrument made under, an Act of the Scottish Parliament];

“government department” includes a Northern Ireland department and any body or authority exercising statutory functions on behalf of the Crown;

“Minister of the Crown” has the same meaning as in the M25 Ministers of the Crown Act 1975;

“public register” means any register which pursuant to a requirement imposed—

(a) by or under any enactment, or

(b) in pursuance of any international agreement,

is open to public inspection or open to inspection by any person having a legitimate interest;

“pupil”—

(a) in relation to a school in England and Wales, means a registered pupil within the meaning of the M26 Education Act 1996,

(b) in relation to a school in Scotland, means a pupil within the meaning of the M27 Education (Scotland) Act 1980, and

(c) in relation to a school in Northern Ireland, means a registered pupil within the meaning of the M28 Education and Libraries (Northern Ireland) Order 1986;

“recipient”, in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;

“registered company” means a company registered under the enactments relating to companies for the time being in force in the United Kingdom;

“school”—

(a) in relation to England and Wales, has the same meaning as in the Education Act 1996,

(b) in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and

(c) in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;

“teacher” includes—

(a) in Great Britain, head teacher, and

(b) in Northern Ireland, the principal of a school;

“third party”, in relation to personal data, means any person other than—

(a) the data subject,

(b) the data controller, or

(c) any data processor or other person authorised to process data for the data controller or processor;

“the Tribunal” means [F103 the Information Tribunal].

(2) For the purposes of this Act data are inaccurate if they are incorrect or misleading as to any matter of fact.

F101 Words in s. 70(1) substituted (30.1.2001) by 2000 c. 36, ss. 18(4), 87(2)(c), Sch. 2 Pt. I para. 14(a) (with ss. 7(1)(7), 56, 78)

F102 Words inserted (1.7.1999) in definition of “enactment” in s. 70(1) by S.I. 1999/1820, arts. 1(2), 4, Sch. 2 Pt. I para. 133; S.I. 1999/3178, art. 3

F103 Words in s. 70(1) substituted (14.5.2001) by 2000 c. 36, s. 18(4), Sch. 2 Pt. I para. 14(b) (with ss. 7(1)(7), 56, 78); S.I. 2001/1637, art. 2(b)

M24 1974 c. 39.

M25 1975 c. 26.

M26 1996 c. 56.

M27 1980 c. 44.

M28 S.I. 1986/594 (N.I. 3).

71 Index of defined expressions. U.K.

The following Table shows provisions defining or otherwise explaining expressions used in this Act (other than provisions defining or explaining an expression only used in the same section or Schedule)—

F104 S. 71 Table: entry inserted (1.1.2005) by 2000 c. 36, ss. 68(5), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

72 Modifications of Act. U.K.

During the period beginning with the commencement of this section and ending with 23rd October 2007, the provisions of this Act shall have effect subject to the modifications set out in Schedule 13.

73 Transitional provisions and savings. U.K.

Schedule 14 (which contains transitional provisions and savings) has effect.

74 Minor and consequential amendments and repeals and revocations. U.K.

(1) Schedule 15 (which contains minor and consequential amendments) has effect.

(2) The enactments and instruments specified in Schedule 16 are repealed or revoked to the extent specified.

75 Short title, commencement and extent. U.K.

(1) This Act may be cited as the Data Protection Act 1998.

(2) The following provisions of this Act—

(a) sections 1 to 3,

(b) section 25(1) and (4),

(c) section 26,

(d) sections 67 to 71,

(e) this section,

(f) paragraph 17 of Schedule 5,

(g) Schedule 11,

(h) Schedule 12, and

(i) so much of any other provision of this Act as confers any power to make subordinate legislation,

shall come into force on the day on which this Act is passed.

(3) The remaining provisions of this Act shall come into force on such day as the [F105 Secretary of State] may by order appoint; and different days may be appointed for different purposes.

(4) The day appointed under subsection (3) for the coming into force of section 56 must not be earlier than the first day on which sections 112, 113 and 115 of the M29 Police Act 1997 (which provide for the issue by the Secretary of State of criminal conviction certificates, criminal record certificates and enhanced criminal record certificates) are all in force.

(5) Subject to subsection (6), this Act extends to Northern Ireland.

(6) Any amendment, repeal or revocation made by Schedule 15 or 16 has the same extent as that of the enactment or instrument to which it relates.

Subordinate Legislation Made

P1 S. 75(3) power partly exercised:

1.3.2000 appointed by S.I. 2000/183, art. 2(1) (with art. 2(2))

7.7.2008 appointed by S.I. 2008/1592, art. 2

3.3.2011 appointed by S.I. 2011/601, art. 2

F105 Words in s. 75 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(a)

M29 1997 c. 50.

Section 4(1) and (2).

SCHEDULE 1 U.K. The data protection principles

Part I U.K. The principles

1 U.K. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2 U.K. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 U.K. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 U.K. Personal data shall be accurate and, where necessary, kept up to date.

5 U.K. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 U.K. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 U.K. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 U.K. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Part II U.K. Interpretation of the principles in Part I

The first principle U.K.

1 (1) U.K. In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—

(a) is authorised by or under any enactment to supply it, or

(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.

2 (1) U.K. Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2) In sub-paragraph (1)(b) “the relevant time” means—

(a) the time when the data controller first processes the data, or

(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged—

(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,

(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or

(iii) in any other case, the end of that period.

(3) The information referred to in sub-paragraph (1) is as follows, namely—

(a) the identity of the data controller,

(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,

(c) the purpose or purposes for which the data are intended to be processed, and

(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

3 (1) U.K. Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the [F106 Secretary of State] by order, are met.

(2) The primary conditions referred to in sub-paragraph (1) are—

(a) that the provision of that information would involve a disproportionate effort, or

(b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

F106 Words in Sch. 1 Pt. 2 para. 3 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I20 Sch. 1 Pt. II para. 3 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 3 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 3 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

4 (1) U.K. Personal data which contain a general identifier falling within a description prescribed by the [F107 Secretary of State] by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.

(2) In sub-paragraph (1) “a general identifier” means any identifier (such as, for example, a number or code used for identification purposes) which—

(a) relates to an individual, and

(b) forms part of a set of similar identifiers which is of general application.

F107 Words in Sch. 1 Pt. 2 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I21 Sch. 1 Pt. II para. 4 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 4 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 4 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

The second principle U.K.

5 U.K. The purpose or purposes for which personal data are obtained may in particular be specified—

(a) in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or

(b) in a notification given to the Commissioner under Part III of this Act.

6 U.K. In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

The fourth principle U.K.

7 U.K. The fourth principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where—

(a) having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data, and

(b) if the data subject has notified the data controller of the data subject’s view that the data are inaccurate, the data indicate that fact.

The sixth principle U.K.

8 U.K. A person is to be regarded as contravening the sixth principle if, but only if—

(a) he contravenes section 7 by failing to supply information in accordance with that section,

(b) he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section,

(c) he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or

(d) he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section.

The seventh principle U.K.

9 U.K. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 U.K. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 U.K. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 U.K. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

The eighth principle U.K.

13 U.K. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to—

(a) the nature of the personal data,

(b) the country or territory of origin of the information contained in the data,

(c) the country or territory of final destination of that information,

(d) the purposes for which and period during which the data are intended to be processed,

(e) the law in force in the country or territory in question,

(f) the international obligations of that country or territory,

(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h) any security measures taken in respect of the data in that country or territory.

14 U.K. The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the [F108 Secretary of State] may by order provide.

F108 Words in Sch. 1 Pt. 2 para. 14 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I22 Sch. 1 Pt. II para. 14 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 14 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 14 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

15 (1) U.K. Where—

(a) in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

(b) a Community finding has been made in relation to transfers of the kind in question,

that question is to be determined in accordance with that finding.

(2) In sub-paragraph (1) “Community finding” means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive.

Section 4(3).

SCHEDULE 2 U.K. Conditions relevant for purposes of the first principle: processing of any personal data

1 U.K. The data subject has given his consent to the processing.

2 U.K. The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3 U.K. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 U.K. The processing is necessary in order to protect the vital interests of the data subject.

5 U.K. The processing is necessary—

(a) for the administration of justice,

[F109 (aa) for the exercise of any functions of either House of Parliament,]

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

F109 Sch. 2 para. 5(aa) inserted (1.1.2005) by 2000 c. 36, ss. 73, 87(3), Sch. 6 para. 4 (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

C32 Sch. 2 para. 5 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

6 (1) U.K. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The [F110 Secretary of State] may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

F110 Words in Sch. 2 para. 6 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I23 Sch. 2 para. 6 wholly in force at 1.3.2000; Sch. 2 para. 6 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 2 para. 6 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

SCHEDULE 3 U.K. Conditions relevant for purposes of the first principle: processing of sensitive personal data

1 U.K. The data subject has given his explicit consent to the processing of the personal data.

2 (1) U.K. The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The [F111 Secretary of State] may by order—

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

F111 Words in Sch. 3 para. 2 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I24 Sch. 3 para. 2 wholly in force at 1.3.2000; Sch. 3 para. 2 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 2 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

3 U.K. The processing is necessary—

(a) in order to protect the vital interests of the data subject or another person, in a case where—

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4 U.K. The processing—

(a) is carried out in the course of its legitimate activities by any body or association which—

(i) is not established or conducted for profit, and

(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5 U.K. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6 U.K. The processing—

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7 (1) U.K. The processing is necessary—

[F112 (aa) for the exercise of any functions of either House of Parliament,]

(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

(2) The [F113 Secretary of State] may by order—

F112 Sch. 3 para. 7(1)(aa) inserted (1.1.2005) by 2000 c. 36, ss. 73, 87(3), Sch. 6 para. 4 (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F113 Words in Sch. 3 para. 7 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

C33 Sch. 3 para. 7 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

I25 Sch. 3 para. 7 wholly in force at 1.3.2000; Sch. 3 para. 7 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Valid from 01/10/2008

[F114 7A (1) U.K. The processing—

(a) is either—

(i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or

(ii) any other processing by that person or another person of sensitive personal data so disclosed; and

(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.

(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.]

F114 Sch. 3 para. 7A inserted (1.10.2008) by Serious Crime Act 2007 (c. 27), ss. 72, 94; S.I. 2008/2504, art. 2(e)

8 (1) U.K. The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9 (1) U.K. The processing—

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The [F115 Secretary of State] may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

F115 Words in Sch. 3 para. 9 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I26 Sch. 3 para. 9 wholly in force at 1.3.2000; Sch. 3 para. 9 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 9 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

10 U.K. The personal data are processed in circumstances specified in an order made by the [F116 Secretary of State] for the purposes of this paragraph.

F116 Words in Sch. 3 para. 10 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

I27 Sch. 3 para. 10 wholly in force at 1.3.2000; Sch. 3 para. 10 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 10 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

SCHEDULE 4 U.K. Cases where the eighth principle does not apply

1 U.K. The data subject has given his consent to the transfer.

2 U.K. The transfer is necessary—

(a) for the performance of a contract between the data subject and the data controller, or

(b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.

3 U.K. The transfer is necessary—

(a) for the conclusion of a contract between the data controller and a person other than the data subject which—

(i) is entered into at the request of the data subject, or

(ii) is in the interests of the data subject, or

(b) for the performance of such a contract.

4 (1) The transfer is necessary for reasons of substantial public interest. U.K.

(2) The [ F117 Secretary of State ] may by order specify—

(a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and

(b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.

F117 Words in Sch. 4 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(b)

C34 Sch. 4 para. 4(1) modified (11.12.2000) by 1999 c. 33 , s. 13(4) ; S.I. 2000/3099 , art. 3 , Sch.

I28 Sch. 4 para. 4 wholly in force at 1.3.2000; Sch. 4 para. 4 in force for certain purposes at Royal Assent see s. 75(2)(i) ; Sch. 4 para. 4 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

5 U.K. The transfer—

6 U.K. The transfer is necessary in order to protect the vital interests of the data subject.

7 U.K. The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.

8 U.K. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.

9 U.K. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

Section 6(7).

SCHEDULE 5 U.K. The Data Protection Commissioner and the Data Protection Tribunal

Part I U.K. The Commissioner

Status and capacity U.K.

1 (1) The corporation sole by the name of the Data Protection Registrar established by the M30 Data Protection Act 1984 shall continue in existence by the name of the [ F118 Information Commissioner ] . U.K.

(2) The Commissioner and his officers and staff are not to be regarded as servants or agents of the Crown.

F118 Words in Sch. 5 para. 1(2) substituted (30.1.2001) by 2000 c. 36 , ss. 18(4) , 87(2)(c) , Sch. 2 Pt. I para. 15(2) (with ss. 7(1)(7) , 56 , 78 )

M30 1984 c. 35 .

Tenure of office U.K.

2 (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding five years as may be determined at the time of his appointment. U.K.

(2) The Commissioner may be relieved of his office by Her Majesty at his own request.

(3) The Commissioner may be removed from office by Her Majesty in pursuance of an Address from both Houses of Parliament.

(4) The Commissioner shall in any case vacate his office—

(a) on completing the year of service in which he attains the age of sixty-five years, or

(b) if earlier, on completing his fifteenth year of service.

(5) Subject to sub-paragraph (4), a person who ceases to be Commissioner on the expiration of his term of office shall be eligible for re-appointment, but a person may not be re-appointed for a third or subsequent term as Commissioner unless, by reason of special circumstances, the person’s re-appointment for such a term is desirable in the public interest.

C35 Sch. 5 para. 2(4)(b) restricted (14.5.2001) by 2000 c. 36 , s. 18(7) , (with ss. 7(1)(7), 56, 78); S.I. 2001/1637 , art. 2(a)

Salary etc. U.K.

3 (1) There shall be paid— U.K.

(a) to the Commissioner such salary, and

(b) to or in respect of the Commissioner such pension,

as may be specified by a resolution of the House of Commons.

(2) A resolution for the purposes of this paragraph may—

(a) specify the salary or pension,

(b) provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or to or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown, or

(c) specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution.

(3) A resolution for the purposes of this paragraph may take effect from the date on which it is passed or from any earlier or later date specified in the resolution.

(4) A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to or in respect of different holders of the office of Commissioner.

(5) Any salary or pension payable under this paragraph shall be charged on and issued out of the Consolidated Fund.

(6) In this paragraph “ pension ” includes an allowance or gratuity and any reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.

Officers and staff U.K.

4 (1) The Commissioner— U.K.

(a) shall appoint a deputy commissioner [ F119 or two deputy commissioners ] , and

(b) may appoint such number of other officers and staff as he may determine.

[ F120 (1A) The Commissioner shall, when appointing any second deputy commissioner, specify which of the Commissioner’s functions are to be performed, in the circumstances referred to in paragraph 5(1), by each of the deputy commissioners. ]

(2) The remuneration and other conditions of service of the persons appointed under this paragraph shall be determined by the Commissioner.

(3) The Commissioner may pay such pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph, or make such payments towards the provision of such pensions, allowances or gratuities, as he may determine.

(4) The references in sub-paragraph (3) to pensions, allowances or gratuities to or in respect of the persons appointed under this paragraph include references to pensions, allowances or gratuities by way of compensation to or in respect of any of those persons who suffer loss of office or employment.

(5) Any determination under sub-paragraph (1)(b), (2) or (3) shall require the approval of the [ F121 Secretary of State ] .

(6) The M31 Employers’ Liability (Compulsory Insurance) Act 1969 shall not require insurance to be effected by the Commissioner.

F119 Words in Sch. 5 para. 4(1)(a) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 20(2) (with ss. 7(1)(7) , 56 , 78 )

F120 Sch. 5 para. 4(1A) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 20(3) (with s. 7(1)(7) , 56 , 78 )

F121 Words in Sch. 5 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

M31 1969 c. 57 .

5 (1) The deputy commissioner [ F122 or deputy commissioners ] shall perform the functions conferred by this Act [ F123 or the Freedom of Information Act 2000 ] on the Commissioner during any vacancy in that office or at any time when the Commissioner is for any reason unable to act. U.K.

(2) Without prejudice to sub-paragraph (1), any functions of the Commissioner under this Act [ F124 or the Freedom of Information Act 2000 ] may, to the extent authorised by him, be performed by any of his officers or staff.

F122 Words in Sch. 5 para. 5(1) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 21(2)(a) (with ss. 7(1)(7) , 56 , 78 )

F123 Words in Sch. 5 para. 5(1) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 21(2)(b) (with ss. 7(1)(7) , 56 , 78 )

F124 Words in Sch. 5 para. 5(2) inserted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 21(3) (with ss. 7(1)(7) , 56 , 78 )

Authentication of seal of the Commissioner U.K.

6 E+W+N.I. The application of the seal of the Commissioner shall be authenticated by his signature or by the signature of some other person authorised for the purpose.

Presumption of authenticity of documents issued by the Commissioner U.K.

7 E+W+N.I. Any document purporting to be an instrument issued by the Commissioner and to be duly executed under the Commissioner’s seal or to be signed by or on behalf of the Commissioner shall be received in evidence and shall be deemed to be such an instrument unless the contrary is shown.

8 U.K. The [ F125 Secretary of State ] may make payments to the Commissioner out of money provided by Parliament.

F125 Words in Sch. 5 para. 8 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

9 (1) All fees and other sums received by the Commissioner in the exercise of his functions under this Act [ F126 , under section 159 of the Consumer Credit Act 1974 or under the Freedom of Information Act 2000 ] shall be paid by him to the [ F127 Secretary of State ] . U.K.

(2) Sub-paragraph (1) shall not apply where the [ F127 Secretary of State ] , with the consent of the Treasury, otherwise directs.

(3) Any sums received by the [ F127 Secretary of State ] under sub-paragraph (1) shall be paid into the Consolidated Fund.

F126 Words in Sch. 5 para. 9(1) substituted (30.11.2000) by 2000 c. 36 , ss. 18(4) , 87(1)(i) , Sch. 2 Pt. II para. 22 (with ss. 7(1)(7) , 56 , 78 )

F127 Words in Sch. 5 para. 9 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

Accounts U.K.

10 (1) It shall be the duty of the Commissioner— U.K.

(a) to keep proper accounts and other records in relation to the accounts,

(b) to prepare in respect of each financial year a statement of account in such form as the [ F128 Secretary of State ] may direct, and

(c) to send copies of that statement to the Comptroller and Auditor General on or before 31st August next following the end of the year to which the statement relates or on or before such earlier date after the end of that year as the Treasury may direct.

(2) The Comptroller and Auditor General shall examine and certify any statement sent to him under this paragraph and lay copies of it together with his report thereon before each House of Parliament.

(3) In this paragraph “ financial year ” means a period of twelve months beginning with 1st April.

F128 Words in Sch. 5 para. 10 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

Application of Part I in Scotland U.K.

11 U.K. Paragraphs 1(1), 6 and 7 do not extend to Scotland.

Part II U.K. The Tribunal

12 (1) Subject to the following provisions of this paragraph, a member of the Tribunal shall hold and vacate his office in accordance with the terms of his appointment and shall, on ceasing to hold office, be eligible for re-appointment.

(2) Any member of the Tribunal may at any time resign his office by notice in writing to the Lord Chancellor [ F129 (in the case of the chairman or a deputy chairman) or to the Secretary of State (in the case of any other member) ] .

(3) A person who is the chairman or deputy chairman of the Tribunal shall vacate his office on the day on which he attains the age of seventy years; but this sub-paragraph is subject to section 26(4) to (6) of the M32 Judicial Pensions and Retirement Act 1993 (power to authorise continuance in office up to the age of seventy-five years).

F129 Words in Sch. 5 para. 12(2) inserted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(2)

M32 1993 c. 8 .

13 The [ F130 Secretary of State ] shall pay to the members of the Tribunal out of money provided by Parliament such remuneration and allowances as he may determine.

F130 Words in Sch. 5 para. 13 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

14 The [ F131 Secretary of State ] may provide the Tribunal with such officers and staff as he thinks necessary for the proper discharge of its functions.

F131 Words in Sch. 5 para. 14 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

Expenses U.K.

15 Such expenses of the Tribunal as the [ F132 Secretary of State ] may determine shall be defrayed by the Secretary of State out of money provided by Parliament.

F132 Words in Sch. 5 para. 15 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(c)

[ F133 Part III ] U.K.

F133 Sch. 5 Pt. III (ss. 16-17) repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(3) , Sch. 8 Pt. II (with ss. 56 , 78 )

Sections 28(12), 48(5).

SCHEDULE 6 U.K. Appeal proceedings

C36 Sch. 6 applied (with modifications) (1.3.2000) by S.I. 1999/2093 , reg. 32(8)(a)

Sch. 6 applied (30.11.2002) by 2000 c. 36 , ss. 61(2) , 87(3) (with ss. 7(1)(7) , 56 , 78 ); S.I. 2002/2812 , art. 2

Sch. 6 applied (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) , reg. 28(8)(b) (with regs. 4 , 15(3) , 28 , 29 )

C37 Sch. 6 extended (with modifications) (11.12.2003) by the Privacy and Electronic Communications (EC Directive) Regulations ( S.I. 2003/2426 ), reg. 31 , Sch. 1 (with regs. 4, 15(3), 28, 29) (Sch. 1 amended (26.5.2011) by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (S.I. 2011/1208) , reg. 14 )

C38 Sch. 6 applied (6.4.2010) by The Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910) , art. 7

C39 Sch. 6 applied (with modifications) (26.5.2011) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) , reg. 31B , Sch. 1 (reg. 31B being inserted and Sch. 1 amended (26.5.2011) by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (S.I. 2011/1208) , regs. 12 , 14 )

Hearing of appeals U.K.

1 For the purpose of hearing and determining appeals or any matter preliminary or incidental to an appeal the Tribunal shall sit at such times and in such places as the chairman or a deputy chairman may direct and may sit in two or more divisions.

Constitution of Tribunal in national security cases U.K.

2 (1) The Lord Chancellor shall from time to time designate, from among the chairman and deputy chairmen appointed by him under section 6(4)(a) and (b), those persons who are to be capable of hearing appeals under section 28(4) or (6) [ F134 or under section 60(1) or (4) of the Freedom of Information Act 2000 ] .

(2) A designation under sub-paragraph (1) may at any time be revoked by the Lord Chancellor.

[ F135 (3) The Lord Chancellor may make, or revoke, a designation under this paragraph only with the concurrence of all of the following—

(a) the Lord Chief Justice;

(b) the Lord President of the Court of Session;

(c) the Lord Chief Justice of Northern Ireland.

(4) The Lord Chief Justice of England and Wales may nominate a judicial office holder (as defined in section 109(4) of the Constitutional Reform Act 2005) to exercise his functions under sub-paragraph (3) so far as they relate to a designation under this paragraph.

(5) The Lord President of the Court of Session may nominate a judge of the Court of Session who is a member of the First or Second Division of the Inner House of that Court to exercise his functions under sub-paragraph (3) so far as they relate to a designation under this paragraph.

(6) The Lord Chief Justice of Northern Ireland may nominate any of the following to exercise his functions under sub-paragraph (3) so far as they relate to a designation under this paragraph—

(a) the holder of one of the offices listed in Schedule 1 to the Justice (Northern Ireland) Act 2002;

(b) a Lord Justice of Appeal (as defined in section 88 of that Act). ]

F134 Words in Sch. 6 para. 2(1) inserted (14.5.2001) by 2000 c. 36 , s. 61(1) , Sch. 4 para. 1 (with ss. 7(1)(7) , 56 , 78 ); S.I. 2001/1637 , art. 2(c)

F135 Sch. 6 para. 2(3)-(6) inserted (3.4.2006) by Constitutional Reform Act 2005 (c. 4) , ss. 15 , 148 , Sch. 4 para. 275(2) ; S.I. 2006/1014 , art. 2 , Sch. 1 para. 11

[ F136 3 [ F137 (1) ] The Tribunal shall be duly constituted—

(a) for an appeal under section 28(4) or (6) in any case where the application of paragraph 6(1) is excluded by rules under paragraph 7, or

(b) for an appeal under section 60(1) or (4) of the Freedom of Information Act 2000,

if it consists of three of the persons designated under paragraph 2(1), of whom one shall be designated by the Lord Chancellor to preside.

[ F138 (2) The Lord Chancellor may designate a person to preside under this paragraph only with the concurrence of all of the following—

(a) the Lord Chief Justice of England and Wales;

(3) The Lord Chief Justice of England and Wales may nominate a judicial office holder (as defined in section 109(4) of the Constitutional Reform Act 2005) to exercise his functions under this paragraph.

(4) The Lord President of the Court of Session may nominate a judge of the Court of Session who is a member of the First or Second Division of the Inner House of that Court to exercise his functions under this paragraph.

(5) The Lord Chief Justice of Northern Ireland may nominate any of the following to exercise his functions under this paragraph—

(b) a Lord Justice of Appeal (as defined in section 88 of that Act). ] ]

F136 Sch. 6 para. 3 substituted (1.1.2005) by 2000 c. 36 , ss. 61(1) , 87(3) , Sch. 4 para. 2 (with ss. 7(1)(7) , 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

F137 Sch. 6 para. 3 renumbered (3.4.2006 with effect as mentioned in Sch. 4 para. 361 of the amending Act) as Sch. 6 para. 3(1) by Constitutional Reform Act 2005 (c. 4) , ss. 15 , 148 , Sch. 4 paras. 275(3)(a) , 406(2)(4) ; S.I. 2006/1014 , art. 2 , Sch. 1 para. 11

F138 Sch. 6 para. 3(2)-(5) inserted (3.4.2006 with effect as mentioned in Sch. 4 para. 361 of the amending Act) by Constitutional Reform Act 2005 (c. 4) , ss. 15 , 148 , Sch. 4 paras. 275(3)(b) , 406(3)(4) ; S.I. 2006/1014 , art. 2 , Sch. 1 para. 11

Constitution of Tribunal in other cases U.K.

4 (1) Subject to any rules made under paragraph 7, the Tribunal shall be duly constituted for an appeal under section 48(1), (2) or (4) if it consists of—

(a) the chairman or a deputy chairman (who shall preside), and

(b) an equal number of the members appointed respectively in accordance with paragraphs (a) and (b) of section 6(6).

[ F139 (1A) Subject to any rules made under paragraph 7, the Tribunal shall be duly constituted for an appeal under section 57(1) or (2) of the Freedom of Information Act 2000 if it consists of—

(b) an equal number of the members appointed respectively in accordance with paragraphs (aa) and (bb) of section 6(6). ]

(2) The members who are to constitute the Tribunal in accordance with sub-paragraph (1) [ F140 or (1A) ] shall be nominated by the chairman or, if he is for any reason unable to act, by a deputy chairman.

F139 Sch. 6 para. 4(1A) inserted (30.11.2002) by 2000 c. 36 , ss. 61(1) , 87(3) , Sch. 4 para. 3(2) (with ss. 7(1)(7) , 56 , 78 ); S.I. 2002/2812 , art. 2

F140 Words in Sch. 6 para. 4(2) inserted (30.11.2002) by 2000 c. 36 , ss. 61(1) , 87(3) , Sch. 4 para. 3(3) (with ss. 7(1)(7) , 56 , 78 ); S.I. 2002/2812 , art. 2

Determination of questions by full Tribunal U.K.

5 The determination of any question before the Tribunal when constituted in accordance with paragraph 3 or 4 shall be according to the opinion of the majority of the members hearing the appeal.

Ex parte proceedings U.K.

6 (1) Subject to any rules made under paragraph 7, the jurisdiction of the Tribunal in respect of an appeal under section 28(4) or (6) shall be exercised ex parte by one or more persons designated under paragraph 2(1).

(2) Subject to any rules made under paragraph 7, the jurisdiction of the Tribunal in respect of an appeal under section 48(3) shall be exercised ex parte by the chairman or a deputy chairman sitting alone.

Rules of procedure U.K.

7 (1) The [ F141 Secretary of State ] may make rules for [ F142 regulating—

(a) the exercise of the rights of appeal conferred—

(i) by sections 28(4) and (6) and 48, and

(ii) by sections 57(1) and (2) and section 60(1) and (4) of the Freedom of Information Act 2000, and

(b) the practice and procedure of the Tribunal. ]

(2) Rules under this paragraph may in particular make provision—

(a) with respect to the period within which an appeal can be brought and the burden of proof on an appeal,

[ F143 (aa) for the joinder of any other person as a party to any proceedings on an appeal under the Freedom of Information Act 2000,

(ab) for the hearing of an appeal under this Act with an appeal under the Freedom of Information Act 2000, ]

(b) for the summoning (or, in Scotland, citation) of witnesses and the administration of oaths,

(c) for securing the production of documents and material used for the processing of personal data,

(d) for the inspection, examination, operation and testing of any equipment or material used in connection with the processing of personal data,

(e) for the hearing of an appeal wholly or partly in camera,

(f) for hearing an appeal in the absence of the appellant or for determining an appeal without a hearing,

(g) for enabling an appeal under section 48(1) against an information notice to be determined by the chairman or a deputy chairman,

(h) for enabling any matter preliminary or incidental to an appeal to be dealt with by the chairman or a deputy chairman,

(i) for the awarding of costs or, in Scotland, expenses,

(j) for the publication of reports of the Tribunal’s decisions, and

(k) for conferring on the Tribunal such ancillary powers as the [ F141 Secretary of State ] thinks necessary for the proper discharge of its functions.

(3) In making rules under this paragraph which relate to appeals under section 28(4) or (6) the [ F141 Secretary of State ] shall have regard, in particular, to the need to secure that information is not disclosed contrary to the public interest.

F141 Words in Sch. 7 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(d)

F142 Word and Sch. 6 para. 7(1)(a)(b) substituted for words in Sch. 6 para. 7(1) (14.5.2001) by 2000 c. 36 , s. 61(1) , Sch. 4 para. 4(2) (with ss. 7(1)(7) , 56 , 78 ); S.I. 2001/1637 , art. 2(c)

F143 Sch. 6 para. 7(2)(aa)(ab) inserted (14.5.2001) by 2000 c. 36 , s. 61(1) , Sch. 4 para. 4(3) (with ss. 7(1)(7) , 56 , 78 ); S.I. 2001/1637 , art. 2(c)

I29 Sch. 6 para. 7 wholly in force at 1.3.2000; Sch. 6 para. 7 in force for certain purposes at Royal Assent see s. 75(2)(i) ; Sch. 6 para. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

Obstruction etc. U.K.

8 (1) If any person is guilty of any act or omission in relation to proceedings before the Tribunal which, if those proceedings were proceedings before a court having power to commit for contempt, would constitute contempt of court, the Tribunal may certify the offence to the High Court or, in Scotland, the Court of Session. U.K.

(2) Where an offence is so certified, the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the person charged with the offence, and after hearing any statement that may be offered in defence, deal with him in any manner in which it could deal with him if he had committed the like offence in relation to the court.

Section 37.

SCHEDULE 7 U.K. Miscellaneous exemptions

Confidential references given by the data controller U.K.

1 U.K. Personal data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of—

(a) the education, training or employment, or prospective education, training or employment, of the data subject,

(b) the appointment, or prospective appointment, of the data subject to any office, or

(c) the provision, or prospective provision, by the data subject of any service.

Armed forces U.K.

2 U.K. Personal data are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown.

Judicial appointments and honours U.K.

3 U.K. Personal data processed for the purposes of—

(a) assessing any person’s suitability for judicial office or the office of Queen’s Counsel, or

(b) the conferring by the Crown of any honour [ F144 or dignity ] ,

are exempt from the subject information provisions.

F144 Words in Sch. 7 para. 3(b) inserted (14.5.2001) by 2000 c. 36 , s. 73 , Sch. 6 para. 6 (with ss. 56 , 78 ); S.I. 2001/1637 , art. 2(d)

Crown employment and Crown or Ministerial appointments U.K.

F145 4 (1) The [ F146 Secretary of State ] may by order exempt from the subject information provisions personal data processed for the purposes of assessing any person’s suitability for— U.K.

(a) employment by or under the Crown, or

(b) any office to which appointments are made by Her Majesty, by a Minister of the Crown or by a [ F147 Northern Ireland authority ] .

[ F148 (2) In this paragraph “ Northern Ireland authority ” means the First Minister, the deputy First Minister, a Northern Ireland Minister or a Northern Ireland department. ]

F145 Sch. 7 para. 4 renumbered as Sch. 7 para. 4(1) (2.12.1999) by 1998 c. 47 , s. 99 , Sch. 13 para. 21(1) (with s. 95 ); S.I. 1999/3209 , art. 2 , Sch.

F146 Words in Sch. 7 para. 4 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(e)

F147 Words in Sch. 7 para. 4 substituted (2.12.1999) by 1998 c. 47 , s. 99 , Sch. 13 para. 21(1) (with s. 95 ); S.I. 1999/3209 , art. 2 , Sch.

F148 Sch. 7 para. 4(2) inserted (as renumbered) (2.12.1999) by 1998 c. 47 , s. 99 , Sch. 13 para. 21(2) (with s. 95 ); S.I. 1999/3209 , art. 2 , Sch.

C40 Sch. 7 para. 4 extended (2.12.1999) by S.I. 1999/3145 , arts. 1 , 9(3)(d) ; S.I. 1999/3208 , art. 2

I30 Sch. 7 para. 4 wholly in force at 1.3.2000; Sch. 7 para. 4 in force for certain purposes at Royal Assent see s. 75(2)(i) ; Sch. 7 para. 4 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

Management forecasts etc. U.K.

5 U.K. Personal data processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice the conduct of that business or other activity.

Corporate finance U.K.

6 (1) Where personal data are processed for the purposes of, or in connection with, a corporate finance service provided by a relevant person— U.K.

(a) the data are exempt from the subject information provisions in any case to the extent to which either—

(i) the application of those provisions to the data could affect the price of any instrument which is already in existence or is to be or may be created, or

(ii) the data controller reasonably believes that the application of those provisions to the data could affect the price of any such instrument, and

(b) to the extent that the data are not exempt from the subject information provisions by virtue of paragraph (a), they are exempt from those provisions if the exemption is required for the purpose of safeguarding an important economic or financial interest of the United Kingdom.

(2) For the purposes of sub-paragraph (1)(b) the [ F149 Secretary of State ] may by order specify—

(a) matters to be taken into account in determining whether exemption from the subject information provisions is required for the purpose of safeguarding an important economic or financial interest of the United Kingdom, or

(b) circumstances in which exemption from those provisions is, or is not, to be taken to be required for that purpose.

(3) In this paragraph—

“ corporate finance service ” means a service consisting in—

(a) underwriting in respect of issues of, or the placing of issues of, any instrument,

(b) advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings, or

(c) services relating to such underwriting as is mentioned in paragraph (a);

“ instrument ” means any instrument listed in [ F150 section C of Annex I to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments ] F151 . . . ;

“ price ” includes value;

“ relevant person ” means—

[ F152 (a) any person who, by reason of any permission he has under Part IV of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition, within the meaning of section 19 of that Act;

(b) an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;

(c) any person who is exempt from the general prohibition in respect of any corporate finance service—

(i) as a result of an exemption order made under section 38(1) of that Act, or

(ii) by reason of section 39(1) of that Act (appointed representatives);

(cc) any person, not falling within paragraph (a), (b) or (c) who may lawfully carry on a corporate finance service without contravening the general prohibition; ]

(d) any person who, in the course of his employment, provides to his employer a service falling within paragraph (b) or (c) of the definition of “ corporate finance service ”, or

(e) any partner who provides to other partners in the partnership a service falling within either of those paragraphs.

F149 Words in Sch. 7 para. 6 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887) , art. 9 , Sch. 2 para. 9(1)(e)

F150 Words in Sch. 7 para. 6(3) substituted (1.4.2007 for certain purposes, 1.11.2007 in so far as not already in force) by The Financial Services and Markets Act 2000 (Markets in Financial Instruments) Regulations 2007 (S.I. 2007/126) , art. 3(6) , Sch. 6 para. 12

F151 Sch. 7 para. 6(3): words in definition of "instrument" omitted (3.7.2002) by virtue of The Financial Services and Markets Act 2000 (Consequential Amendments) Order 2002 (S.I. 2002/1555) , art. 25(2)

F152 Sch. 7 para. 6(3): in definition of "relevant person" paragraphs (a)-(cc) substituted (3.7.2002) for (a)-(c) by The Financial Services and Markets Act 2000 (Consequential Amendments) Order 2002 (S.I. 2002/1555) , art. 25(3)

I31 Sch. 7 para. 6 wholly in force at 1.3.2000; Sch. 7 para. 6 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 7 para. 6 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

Negotiations U.K.

7 U.K. Personal data which consist of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice those negotiations.

Examination marks U.K.

8 (1) Section 7 shall have effect subject to the provisions of sub-paragraphs (2) to (4) in the case of personal data consisting of marks or other information processed by a data controller— U.K.

(a) for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined, or

(b) in consequence of the determination of any such results.

(2) Where the relevant day falls before the day on which the results of the examination are announced, the period mentioned in section 7(8) shall be extended until—

(a) the end of five months beginning with the relevant day, or

(b) the end of forty days beginning with the date of the announcement,

whichever is the earlier.

(3) Where by virtue of sub-paragraph (2) a period longer than the prescribed period elapses after the relevant day before the request is complied with, the information to be supplied pursuant to the request shall be supplied both by reference to the data in question at the time when the request is received and (if different) by reference to the data as from time to time held in the period beginning when the request is received and ending when it is complied with.

(4) For the purposes of this paragraph the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question.

(5) In this paragraph— “ examination ” includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity; “ the prescribed period ” means forty days or such other period as is for the time being prescribed under section 7 in relation to the personal data in question; “ relevant day ” has the same meaning as in section 7.

Examination scripts etc. U.K.

9 U.K. (1) Personal data consisting of information recorded by candidates during an academic, professional or other examination are exempt from section 7.

(2) In this paragraph “ examination ” has the same meaning as in paragraph 8.

Legal professional privilege U.K.

10 U.K. Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege [F153 or, in Scotland, to confidentiality of communications] could be maintained in legal proceedings.

F153 Words in Sch. 7 para. 10 substituted (14.5.2001) by 2000 c. 36, s. 73, Sch. 6 para. 7 (with ss. 56, 78); S.I. 2001/1637, art. 2(d)

Self-incrimination U.K.

11 (1) A person need not comply with any request or order under section 7 to the extent that compliance would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.

(2) Information disclosed by any person in compliance with any request or order under section 7 shall not be admissible against him in proceedings for an offence under this Act.

Section 39.

SCHEDULE 8 U.K. Transitional relief

Part I U.K. Interpretation of Schedule

1 U.K. (1) For the purposes of this Schedule, personal data are “ eligible data ” at any time if, and to the extent that, they are at that time subject to processing which was already under way immediately before 24th October 1998.

(2) In this Schedule— “ eligible automated data ” means eligible data which fall within paragraph (a) or (b) of the definition of “ data ” in section 1(1); “ eligible manual data ” means eligible data which are not eligible automated data; “ the first transitional period ” means the period beginning with the commencement of this Schedule and ending with 23rd October 2001; “ the second transitional period ” means the period beginning with 24th October 2001 and ending with 23rd October 2007.

Part II U.K. Exemptions available before 24th October 2001

Manual data U.K.

2 U.K. (1) Eligible manual data, other than data forming part of an accessible record, are exempt from the data protection principles and Parts II and III of this Act during the first transitional period.

(2) This paragraph does not apply to eligible manual data to which paragraph 4 applies.

3 U.K. (1) This paragraph applies to—

(a) eligible manual data forming part of an accessible record, and

(b) personal data which fall within paragraph (d) of the definition of “ data ” in section 1(1) but which, because they are not subject to processing which was already under way immediately before 24th October 1998, are not eligible data for the purposes of this Schedule.

(2) During the first transitional period, data to which this paragraph applies are exempt from—

(a) the data protection principles, except the sixth principle so far as relating to sections 7 and 12A,

(b) Part II of this Act, except—

(i) section 7 (as it has effect subject to section 8) and section 12A, and

(ii) section 15 so far as relating to those sections, and

(c) Part III of this Act.

4 U.K. (1) This paragraph applies to eligible manual data which consist of information relevant to the financial standing of the data subject and in respect of which the data controller is a credit reference agency.

(i) section 7 (as it has effect subject to sections 8 and 9) and section 12A, and

Processing otherwise than by reference to the data subject U.K.

5 U.K. During the first transitional period, for the purposes of this Act (apart from paragraph 1), eligible automated data are not to be regarded as being “ processed ” unless the processing is by reference to the data subject.

Payrolls and accounts U.K.

6 U.K. (1) Subject to sub-paragraph (2), eligible automated data processed by a data controller for one or more of the following purposes—

(a) calculating amounts payable by way of remuneration or pensions in respect of service in any employment or office or making payments of, or of sums deducted from, such remuneration or pensions, or

(b) keeping accounts relating to any business or other activity carried on by the data controller or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments are made by or to him in respect of those transactions or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity,

are exempt from the data protection principles and Parts II and III of this Act during the first transitional period.

(2) It shall be a condition of the exemption of any eligible automated data under this paragraph that the data are not processed for any other purpose, but the exemption is not lost by any processing of the eligible data for any other purpose if the data controller shows that he had taken such care to prevent it as in all the circumstances was reasonably required.

(3) Data processed only for one or more of the purposes mentioned in sub-paragraph (1)(a) may be disclosed—

(a) to any person, other than the data controller, by whom the remuneration or pensions in question are payable,

(b) for the purpose of obtaining actuarial advice,

(c) for the purpose of giving information as to the persons in any employment or office for use in medical research into the health of, or injuries suffered by, persons engaged in particular occupations or working in particular places or areas,

(d) if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made, or

(e) if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (d).

(4) Data processed for any of the purposes mentioned in sub-paragraph (1) may be disclosed—

(a) for the purpose of audit or where the disclosure is for the purpose only of giving information about the data controller’s financial affairs, or

(b) in any case in which disclosure would be permitted by any other provision of this Part of this Act if sub-paragraph (2) were included among the non-disclosure provisions.

(5) In this paragraph “ remuneration ” includes remuneration in kind and “ pensions ” includes gratuities or similar benefits.

Unincorporated members’ clubs and mailing lists U.K.

7 U.K. Eligible automated data processed by an unincorporated members’ club and relating only to the members of the club are exempt from the data protection principles and Parts II and III of this Act during the first transitional period.

8 U.K. Eligible automated data processed by a data controller only for the purposes of distributing, or recording the distribution of, articles or information to the data subjects and consisting only of their names, addresses or other particulars necessary for effecting the distribution, are exempt from the data protection principles and Parts II and III of this Act during the first transitional period.

9 U.K. Neither paragraph 7 nor paragraph 8 applies to personal data relating to any data subject unless he has been asked by the club or data controller whether he objects to the data relating to him being processed as mentioned in that paragraph and has not objected.

10 U.K. It shall be a condition of the exemption of any data under paragraph 7 that the data are not disclosed except as permitted by paragraph 11 and of the exemption under paragraph 8 that the data are not processed for any purpose other than that mentioned in that paragraph or as permitted by paragraph 11, but—

(a) the exemption under paragraph 7 shall not be lost by any disclosure in breach of that condition, and

(b) the exemption under paragraph 8 shall not be lost by any processing in breach of that condition,

if the data controller shows that he had taken such care to prevent it as in all the circumstances was reasonably required.

11 U.K. Data to which paragraph 10 applies may be disclosed—

(a) if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made,

(b) if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), or

(c) in any case in which disclosure would be permitted by any other provision of this Part of this Act if paragraph 8 were included among the non-disclosure provisions.

Back-up data U.K.

12 U.K. Eligible automated data which are processed only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired are exempt from section 7 during the first transitional period.

Exemption of all eligible automated data from certain requirements U.K.

13 U.K. (1) During the first transitional period, eligible automated data are exempt from the following provisions—

(a) the first data protection principle to the extent to which it requires compliance with—

(i) paragraph 2 of Part II of Schedule 1,

(ii) the conditions in Schedule 2, and

(iii) the conditions in Schedule 3,

(b) the seventh data protection principle to the extent to which it requires compliance with paragraph 12 of Part II of Schedule 1;

(c) the eighth data protection principle,

(d) in section 7(1), paragraphs (b), (c)(ii) and (d),

(e) sections 10 and 11,

(f) section 12, and

(g) section 13, except so far as relating to—

(i) any contravention of the fourth data protection principle,

(ii) any disclosure without the consent of the data controller,

(iii) loss or destruction of data without the consent of the data controller, or

(iv) processing for the special purposes.

(2) The specific exemptions conferred by sub-paragraph (1)(a), (c) and (e) do not limit the data controller’s general duty under the first data protection principle to ensure that processing is fair.

Part III U.K. Exemptions available after 23rd October 2001 but before 24th October 2007

C41 Sch. 8 Pt. III excluded (1.1.2005) by 2000 c. 36, ss. 40(6), 87(3) (with ss. 7(1)(7), 56, 78); S.I. 2004/3122, art. 2

Sch. 8 Pt. III excluded (S.) (1.1.2005) by The Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520), reg. 11(5) (with reg. 3)

14 U.K. (1) This paragraph applies to—

(a) eligible manual data which were held immediately before 24th October 1998, and

(b) personal data which fall within paragraph (d) of the definition of “ data ” in section 1(1) but do not fall within paragraph (a) of this sub-paragraph,

but does not apply to eligible manual data to which the exemption in paragraph 16 applies.

(2) During the second transitional period, data to which this paragraph applies are exempt from the following provisions—

(a) the first data protection principle except to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1,

(b) the second, third, fourth and fifth data protection principles, and

(c) section 14(1) to (3).

[F154 14A U.K. (1) This paragraph applies to personal data which fall within paragraph (e) of the definition of “data” in section 1(1) and do not fall within paragraph 14(1)(a), but does not apply to eligible manual data to which the exemption in paragraph 16 applies.

(2) During the second transitional period, data to which this paragraph applies are exempt from—

(a) the fourth data protection principle, and

(b) section 14(1) to (3).]

F154 Sch. 8 Pt. III para. 14A inserted (1.1.2005) by 2000 c. 36, ss. 70(3), 87(3) (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

Part IV U.K. Exemptions after 23rd October 2001 for historical research

15 U.K. In this Part of this Schedule “ the relevant conditions ” has the same meaning as in section 33.

16 U.K. (1) Eligible manual data which are processed only for the purpose of historical research in compliance with the relevant conditions are exempt from the provisions specified in sub-paragraph (2) after 23rd October 2001.

(2) The provisions referred to in sub-paragraph (1) are—

(a) the first data protection principle except in so far as it requires compliance with paragraph 2 of Part II of Schedule 1,

17 U.K. (1) After 23rd October 2001 eligible automated data which are processed only for the purpose of historical research in compliance with the relevant conditions are exempt from the first data protection principle to the extent to which it requires compliance with the conditions in Schedules 2 and 3.

(2) Eligible automated data which are processed—

(a) only for the purpose of historical research,

(b) in compliance with the relevant conditions, and

(c) otherwise than by reference to the data subject,

are also exempt from the provisions referred to in sub-paragraph (3) after 23rd October 2001.

(3) The provisions referred to in sub-paragraph (2) are—

18 U.K. For the purposes of this Part of this Schedule personal data are not to be treated as processed otherwise than for the purpose of historical research merely because the data are disclosed—

(a) to any person, for the purpose of historical research only,

(b) to the data subject or a person acting on his behalf,

(c) at the request, or with the consent, of the data subject or a person acting on his behalf, or

(d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

Part V U.K. Exemption from section 22

19 U.K. Processing which was already under way immediately before 24th October 1998 is not assessable processing for the purposes of section 22.

Section 50.

SCHEDULE 9 U.K. Powers of entry and inspection

C42 Sch. 9 applied (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 34, Sch. 3 para. 5(3)

C43 Sch. 9 extended (with modifications) (11.12.2003) by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), reg. 31, Sch. 1 (with regs. 4, 15(3), 28, 29)

Issue of warrants U.K.

1 (1) If a circuit judge [F155 or a District Judge (Magistrates' Courts)] is satisfied by information on oath supplied by the Commissioner that there are reasonable grounds for suspecting—

(a) that a data controller has contravened or is contravening any of the data protection principles, or

(b) that an offence under this Act has been or is being committed,

and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, he may, subject to sub-paragraph (2) and paragraph 2, grant a warrant to the Commissioner.

(2) A judge shall not issue a warrant under this Schedule in respect of any personal data processed for the special purposes unless a determination by the Commissioner under section 45 with respect to those data has taken effect.

(3) A warrant issued under sub-paragraph (1) shall authorise the Commissioner or any of his officers or staff at any time within seven days of the date of the warrant to enter the premises, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data and to inspect and seize any documents or other material found there which may be such evidence as is mentioned in that sub-paragraph.

F155 Words in Sch. 9 para. 1(1) inserted (1.4.2005) by Courts Act 2003 (c. 39), ss. 65, 110, Sch. 4 para. 8; S.I. 2005/910, art. 3(u)

C44 Sch. 9 para. 1: power of seizure extended (1.4.2003) by 2001 c. 16, ss. 50, 52-54, 68, 138(2)-(4), Sch. 1 Pt. 1 para. 65; S.I. 2003/708, art. 2

2 (1) A judge shall not issue a warrant under this Schedule unless he is satisfied—

(a) that the Commissioner has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises, and

(b) that either—

(i) access was demanded at a reasonable hour and was unreasonably refused, or

(ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner’s officers or staff to permit the Commissioner or the officer or member of staff to do any of the things referred to in paragraph 1(3), and

(c) that the occupier has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the judge on the question whether or not it should be issued.

(2) Sub-paragraph (1) shall not apply if the judge is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry.

3 U.K. A judge who issues a warrant under this Schedule shall also issue two copies of it and certify them clearly as copies.

Execution of warrants U.K.

4 U.K. A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.

5 A warrant issued under this Schedule shall be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed.

6 U.K. If the person who occupies the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, he shall be shown the warrant and supplied with a copy of it; and if that person is not present a copy of the warrant shall be left in a prominent place on the premises.

7 U.K. (1) A person seizing anything in pursuance of a warrant under this Schedule shall give a receipt for it if asked to do so.

(2) Anything so seized may be retained for so long as is necessary in all the circumstances but the person in occupation of the premises in question shall be given a copy of anything that is seized if he so requests and the person executing the warrant considers that it can be done without undue delay.

C45 Sch. 9 para. 7(2) applied (1.4.2003) by 2001 c. 16, ss. 57(1)(m), 138(2); S.I. 2003/708, art. 2

Matters exempt from inspection and seizure U.K.

8 U.K. The powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of personal data which by virtue of section 28 are exempt from any of the provisions of this Act.

9 U.K. (1) Subject to the provisions of this paragraph, the powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of—

(a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or

(b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(2) Sub-paragraph (1) applies also to—

(a) any copy or other record of any such communication as is there mentioned, and

(b) any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are there mentioned.

(3) This paragraph does not apply to anything in the possession of any person other than the professional legal adviser or his client or to anything held with the intention of furthering a criminal purpose.

(4) In this paragraph references to the client of a professional legal adviser include references to any person representing such a client.

10 U.K. If the person in occupation of any premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure under the warrant of any material on the grounds that it consists partly of matters in respect of which those powers are not exercisable, he shall, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants U.K.

11 U.K. A warrant issued under this Schedule shall be returned to the court from which it was issued—

(a) after being executed, or

(b) if not executed within the time authorised for its execution;

and the person by whom any such warrant is executed shall make an endorsement on it stating what powers have been exercised by him under the warrant.

Offences U.K.

12 Any person who—

(a) intentionally obstructs a person in the execution of a warrant issued under this Schedule, or

(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant,

Vessels, vehicles etc. U.K.

13 U.K. In this Schedule “ premises ” includes any vessel, vehicle, aircraft or hovercraft, and references to the occupier of any premises include references to the person in charge of any vessel, vehicle, aircraft or hovercraft.

Scotland and Northern Ireland U.K.

14 U.K. In the application of this Schedule to Scotland—

(a) for any reference to a circuit judge there is substituted a reference to the sheriff,

(b) for any reference to information on oath there is substituted a reference to evidence on oath, and

(c) for the reference to the court from which the warrant was issued there is substituted a reference to the sheriff clerk.

15 U.K. In the application of this Schedule to Northern Ireland—

(a) for any reference to a circuit judge there is substituted a reference to a county court judge, and

(b) for any reference to information on oath there is substituted a reference to a complaint on oath.

[F156 Self-incrimination U.K.

F156 Sch. 9 para. 16 and cross-heading inserted (6.4.2010) by Coroners and Justice Act 2009 (c. 25), ss. 175, 182, Sch. 20 para. 14(7) (with s. 180); S.I. 2010/816, art. 2, Sch. para. 19

16 U.K. An explanation given, or information provided, by a person in response to a requirement under paragraph (e) or (f) of paragraph 1(3) may only be used in evidence against that person—

(a) on a prosecution for an offence under—

(i) paragraph 12,

(ii) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(iii) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(iv) Article 10 of the Perjury (Northern Ireland) Order 1979 (false statutory declarations and other false unsworn statements), or

(b) on a prosecution for any other offence where—

(i) in giving evidence that person makes a statement inconsistent with that explanation or information, and

(ii) evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person's behalf.]

Section 53(6).

SCHEDULE 10 U.K. Further provisions relating to assistance under section 53

1 U.K. In this Schedule “ applicant ” and “ proceedings ” have the same meaning as in section 53.

2 U.K. The assistance provided under section 53 may include the making of arrangements for, or for the Commissioner to bear the costs of—

(a) the giving of advice or assistance by a solicitor or counsel, and

(b) the representation of the applicant, or the provision to him of such assistance as is usually given by a solicitor or counsel—

(i) in steps preliminary or incidental to the proceedings, or

(ii) in arriving at or giving effect to a compromise to avoid or bring an end to the proceedings.

3 U.K. Where assistance is provided with respect to the conduct of proceedings—

(a) it shall include an agreement by the Commissioner to indemnify the applicant (subject only to any exceptions specified in the notification) in respect of any liability to pay costs or expenses arising by virtue of any judgment or order of the court in the proceedings,

(b) it may include an agreement by the Commissioner to indemnify the applicant in respect of any liability to pay costs or expenses arising by virtue of any compromise or settlement arrived at in order to avoid the proceedings or bring the proceedings to an end, and

(c) it may include an agreement by the Commissioner to indemnify the applicant in respect of any liability to pay damages pursuant to an undertaking given on the grant of interlocutory relief (in Scotland, an interim order) to the applicant.

4 U.K. Where the Commissioner provides assistance in relation to any proceedings, he shall do so on such terms, or make such other arrangements, as will secure that a person against whom the proceedings have been or are commenced is informed that assistance has been or is being provided by the Commissioner in relation to them.

5 U.K. In England and Wales or Northern Ireland, the recovery of expenses incurred by the Commissioner in providing an applicant with assistance (as taxed or assessed in such manner as may be prescribed by rules of court) shall constitute a first charge for the benefit of the Commissioner—

(a) on any costs which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and

(b) on any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid or bring to an end any proceedings.

6 U.K. In Scotland, the recovery of such expenses (as taxed or assessed in such manner as may be prescribed by rules of court) shall be paid to the Commissioner, in priority to other debts—

(a) out of any expenses which, by virtue of any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided, and

(b) out of any sum payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid or bring to an end any proceedings.

I32 Sch. 10 para. 6 wholly in force at 1.3.2000; Sch. 10 para. 6 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 10 para. 6 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Section 68(1)(6).

SCHEDULE 11 U.K. Educational records

Meaning of “educational record” U.K.

1 U.K. For the purposes of section 68 “ educational record ” means any record to which paragraph 2, 5 or 7 applies.

England and Wales U.K.

2 U.K. This paragraph applies to any record of information which—

(a) is processed by or on behalf of the governing body of, or a teacher at, any school in England and Wales specified in paragraph 3,

(b) relates to any person who is or has been a pupil at the school, and

(c) originated from or was supplied by or on behalf of any of the persons specified in paragraph 4,

other than information which is processed by a teacher solely for the teacher’s own use.

3 The schools referred to in paragraph 2(a) are—

(a) a school maintained by a local education authority, and

(b) a special school, as defined by section 6(2) of the M33 Education Act 1996, which is not so maintained.

M33 1996 c. 56.

4 The persons referred to in paragraph 2(c) are—

(a) an employee of the local education authority which maintains the school,

(b) in the case of—

(i) a voluntary aided, foundation or foundation special school (within the meaning of the School Standards and Framework Act 1998), or

(ii) a special school which is not maintained by a local education authority,

a teacher or other employee at the school (including an educational psychologist engaged by the governing body under a contract for services),

(c) the pupil to whom the record relates, and

(d) a parent, as defined by section 576(1) of the Education Act 1996, of that pupil.

Valid from 18/01/2010

[F157 4A U.K. In paragraphs 3 and 4 “ local authority ” has the meaning given by section 579(1) of the Education Act 1996.]

F157 Sch. 11 para. 4A inserted (5.5.2010) by The Local Education Authorities and Children's Services Authorities (Integration of Functions) Order 2010 (S.I. 2010/1158), arts. 1, 5(1), Sch. 2 para. 42(3)

Scotland U.K.

5 U.K. This paragraph applies to any record of information which is processed—

(a) by an education authority in Scotland, and

(b) for the purpose of the relevant function of the authority,

6 U.K. For the purposes of paragraph 5—

(a) “ education authority ” means an education authority within the meaning of the M34 Education (Scotland) Act 1980 (“ the 1980 Act ”) [F158 or, in relation to a self-governing school, the board of management within the meaning of the M35 Self-Governing Schools etc. (Scotland) Act 1989 (“ the 1989 Act ”)],

(b) “ the relevant function ” means, in relation to each of those authorities, their function under section 1 of the 1980 Act and section 7(1) of the 1989 Act, and

(c) information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—

(i) who is or has been a pupil in a school provided by the authority, or

(ii) who receives, or has received, further education (within the meaning of the 1980 Act) so provided.

F158 Words in Sch. 11 para. 6(a) repealed (S.) (31.12.2004) by 2000 asp 6, ss. 60(2), 61(2), Sch. 3; S.S.I. 2004/528, art. 2

M34 1980 c. 44.

M35 1989 c. 39.

Northern Ireland U.K.

7 U.K. (1) This paragraph applies to any record of information which—

(a) is processed by or on behalf of the Board of Governors of, or a teacher at, any grant-aided school in Northern Ireland,

(c) originated from or was supplied by or on behalf of any of the persons specified in paragraph 8,

(2) In sub-paragraph (1) “ grant-aided school ” has the same meaning as in the M36 Education and Libraries (Northern Ireland) Order 1986.

M36 S.I. 1986/594 (N.I.3).

8 U.K. The persons referred to in paragraph 7(1) are—

(a) a teacher at the school,

(b) an employee of an education and library board, other than such a teacher,

(c) the pupil to whom the record relates, and

(d) a parent (as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986) of that pupil.

England and Wales: transitory provisions U.K.

9 U.K. (1) Until the appointed day within the meaning of section 20 of the School Standards and Framework Act 1998, this Schedule shall have effect subject to the following modifications.

(2) Paragraph 3 shall have effect as if for paragraph (b) and the “and” immediately preceding it there were substituted—

“ (aa) a grant-maintained school, as defined by section 183(1) of the Education Act 1996,

(ab) a grant-maintained special school, as defined by section 337(4) of that Act, and

(b) a special school, as defined by section 6(2) of that Act, which is neither a maintained special school, as defined by section 337(3) of that Act, nor a grant-maintained special school. ”

(3) Paragraph 4(b)(i) shall have effect as if for the words from “foundation”, in the first place where it occurs, to “1998)” there were substituted “ or grant-maintained school ” .

Section 68(1)(c).

SCHEDULE 12 U.K. Accessible public records

Meaning of “accessible public record” U.K.

1 U.K. For the purposes of section 68 “ accessible public record ” means any record which is kept by an authority specified—

(a) as respects England and Wales, in the Table in paragraph 2,

(b) as respects Scotland, in the Table in paragraph 4, or

(c) as respects Northern Ireland, in the Table in paragraph 6,

and is a record of information of a description specified in that Table in relation to that authority.

Housing and social services records: England and Wales U.K.

2 U.K. The following is the Table referred to in paragraph 1(a).

TABLE OF AUTHORITIES AND INFORMATION

3 (1) The following provisions apply for the interpretation of the Table in paragraph 2. U.K.

(2) Any authority which, by virtue of section 4(e) of the M37 Housing Act 1985, is a local authority for the purpose of any provision of that Act is a “ Housing Act local authority ” for the purposes of this Schedule, and so is any housing action trust established under Part III of the M38 Housing Act 1988.

(3) Information contained in records kept by a Housing Act local authority is “ held for the purpose of any of the authority’s tenancies ” if it is held for any purpose of the relationship of landlord and tenant of a dwelling which subsists, has subsisted or may subsist between the authority and any individual who is, has been or, as the case may be, has applied to be, a tenant of the authority.

(4) Any authority which, by virtue of section 1 or 12 of the M39 Local Authority Social Services Act 1970, is or is treated as a local authority for the purposes of that Act is a “ local social services authority ” for the purposes of this Schedule; and information contained in records kept by such an authority is “ held for any purpose of the authority’s social services functions ” if it is held for the purpose of any past, current or proposed exercise of such a function in any case.

(5) Any expression used in paragraph 2 or this paragraph and in Part II of the Housing Act 1985 or the Local Authority Social Services Act 1970 has the same meaning as in that Act.

M37 1985 c. 68 .

M38 1988 c. 50 .

M39 1970 c. 42 .

Housing and social services records: Scotland U.K.

4 U.K. The following is the Table referred to in paragraph 1(b).

5 (1) The following provisions apply for the interpretation of the Table in paragraph 4. U.K.

(2) “ Local authority ” means—

(a) a council constituted under section 2 of the M40 Local Government etc. (Scotland) Act 1994,

(b) a joint board or joint committee of two or more of those councils, or

(c) any trust under the control of such a council.

(3) Information contained in records kept by a local authority or Scottish Homes is held for the purpose of any of their tenancies if it is held for any purpose of the relationship of landlord and tenant of a dwelling-house which subsists, has subsisted or may subsist between the authority or, as the case may be, Scottish Homes and any individual who is, has been or, as the case may be, has applied to be a tenant of theirs.

(4) “ Social work authority ” means a local authority for the purposes of the M41 Social Work (Scotland) Act 1968; and information contained in records kept by such an authority is held for any purpose of their functions if it is held for the purpose of any past, current or proposed exercise of such a function in any case.

M40 1994 c. 39 .

M41 1968 c. 49 .

Housing and social services records: Northern Ireland U.K.

6 U.K. The following is the Table referred to in paragraph 1(c).

7 (1) This paragraph applies for the interpretation of the Table in paragraph 6. U.K.

(2) Information contained in records kept by the Northern Ireland Housing Executive is “ held for the purpose of any of the Executive’s tenancies ” if it is held for any purpose of the relationship of landlord and tenant of a dwelling which subsists, has subsisted or may subsist between the Executive and any individual who is, has been or, as the case may be, has applied to be, a tenant of the Executive.

Section 72.

SCHEDULE 13 U.K. Modifications of Act having effect before 24th October 2007

1 U.K. After section 12 there is inserted—

“ 12A Rights of data subjects in relation to exempt manual data.

(1) A data subject is entitled at any time by notice in writing—

(a) to require the data controller to rectify, block, erase or destroy exempt manual data which are inaccurate or incomplete, or

(b) to require the data controller to cease holding exempt manual data in a way incompatible with the legitimate purposes pursued by the data controller.

(2) A notice under subsection (1)(a) or (b) must state the data subject’s reasons for believing that the data are inaccurate or incomplete or, as the case may be, his reasons for believing that they are held in a way incompatible with the legitimate purposes pursued by the data controller.

(3) If the court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent) that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(4) In this section “ exempt manual data ” means—

(a) in relation to the first transitional period, as defined by paragraph 1(2) of Schedule 8, data to which paragraph 3 or 4 of that Schedule applies, and

(b) in relation to the second transitional period, as so defined, data to which paragraph 14 [ F159 or 14A ] of that Schedule applies.

(5) For the purposes of this section personal data are incomplete if, and only if, the data, although not inaccurate, are such that their incompleteness would constitute a contravention of the third or fourth data protection principles, if those principles applied to the data. ”

F159 Words in Sch. 13 para. 1 inserted (1.1.2005) by 2000 c. 36 , ss. 70(4) , 87(3) (with ss. 56 , 78 ); S.I. 2004/1909 , art. 2 ; S.I. 2004/3122 , art. 2

2 U.K. In section 32—

(a) in subsection (2) after “section 12” there is inserted—

“ (dd) section 12A, ” , and

(b) in subsection (4) after “12(8)” there is inserted “ , 12A(3) ” .

3 U.K. In section 34 for “section 14(1) to (3)” there is substituted “ sections 12A and 14(1) to (3). ”

4 U.K. In section 53(1) after “12(8)” there is inserted “ , 12A(3) ” .

5 U.K. In paragraph 8 of Part II of Schedule 1, the word “or” at the end of paragraph (c) is omitted and after paragraph (d) there is inserted “ or

(e) he contravenes section 12A by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified. ”

Section 73.

SCHEDULE 14 U.K. Transitional provisions and savings

Interpretation U.K.

1 U.K. In this Schedule—

“ the 1984 Act ” means the M42 Data Protection Act 1984;

“ the old principles ” means the data protection principles within the meaning of the 1984 Act;

“ the new principles ” means the data protection principles within the meaning of this Act.

M42 1984 c. 35 .

Effect of registration under Part II of 1984 Act U.K.

2 (1) Subject to sub-paragraphs (4) and (5) any person who, immediately before the commencement of Part III of this Act— U.K.

(a) is registered as a data user under Part II of the 1984 Act, or

(b) is treated by virtue of section 7(6) of the 1984 Act as so registered,

is exempt from section 17(1) of this Act until the end of the registration period F160 . . ..

(2) In sub-paragraph (1) “ the registration period ”, in relation to a person, means—

(a) where there is a single entry in respect of that person as a data user, the period at the end of which, if section 8 of the 1984 Act had remained in force, that entry would have fallen to be removed unless renewed, and

(b) where there are two or more entries in respect of that person as a data user, the period at the end of which, if that section had remained in force, the last of those entries to expire would have fallen to be removed unless renewed.

(3) Any application for registration as a data user under Part II of the 1984 Act which is received by the Commissioner before the commencement of Part III of this Act (including any appeal against a refusal of registration) shall be determined in accordance with the old principles and the provisions of the 1984 Act.

(4) If a person falling within paragraph (b) of sub-paragraph (1) receives a notification under section 7(1) of the 1984 Act of the refusal of his application, sub-paragraph (1) shall cease to apply to him—

(a) if no appeal is brought, at the end of the period within which an appeal can be brought against the refusal, or

(b) on the withdrawal or dismissal of the appeal.

(5) If a data controller gives a notification under section 18(1) at a time when he is exempt from section 17(1) by virtue of sub-paragraph (1), he shall cease to be so exempt.

(6) The Commissioner shall include in the register maintained under section 19 an entry in respect of each person who is exempt from section 17(1) by virtue of sub-paragraph (1); and each entry shall consist of the particulars which, immediately before the commencement of Part III of this Act, were included (or treated as included) in respect of that person in the register maintained under section 4 of the 1984 Act.

(7) Notification regulations under Part III of this Act may make provision modifying the duty referred to in section 20(1) in its application to any person in respect of whom an entry in the register maintained under section 19 has been made under sub-paragraph (6).

(8) Notification regulations under Part III of this Act may make further transitional provision in connection with the substitution of Part III of this Act for Part II of the 1984 Act (registration), including provision modifying the application of provisions of Part III in transitional cases.

F160 Words in Sch. 14 para. 2(1) repealed (30.11.2000) by 2000 c. 36 , ss. 73 , 86 , 87(1)(k)(l) , Sch. 6 para. 8 , Sch. 8 Pt. I (with ss. 56 , 78 )

I33 Sch. 14 para. 2 wholly in force at 1.3.2000; Sch. 14 para. 2 in force for certain purposes at Royal Assent see s. 75(2)(i) ; Sch. 14 para. 2 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183 , art. 2(1)

Rights of data subjects U.K.

3 (1) The repeal of section 21 of the 1984 Act (right of access to personal data) does not affect the application of that section in any case in which the request (together with the information referred to in paragraph (a) of subsection (4) of that section and, in a case where it is required, the consent referred to in paragraph (b) of that subsection) was received before the day on which the repeal comes into force. U.K.

(2) Sub-paragraph (1) does not apply where the request is made by reference to this Act.

(3) Any fee paid for the purposes of section 21 of the 1984 Act before the commencement of section 7 in a case not falling within sub-paragraph (1) shall be taken to have been paid for the purposes of section 7.

4 U.K. The repeal of section 22 of the 1984 Act (compensation for inaccuracy) and the repeal of section 23 of that Act (compensation for loss or unauthorised disclosure) do not affect the application of those sections in relation to damage or distress suffered at any time by reason of anything done or omitted to be done before the commencement of the repeals.

5 U.K. The repeal of section 24 of the 1984 Act (rectification and erasure) does not affect any case in which the application to the court was made before the day on which the repeal comes into force.

6 U.K. Subsection (3)(b) of section 14 does not apply where the rectification, blocking, erasure or destruction occurred before the commencement of that section.

Enforcement and transfer prohibition notices served under Part V of 1984 Act U.K.

7 (1) If, immediately before the commencement of section 40— U.K.

(a) an enforcement notice under section 10 of the 1984 Act has effect, and

(b) either the time for appealing against the notice has expired or any appeal has been determined,

then, after that commencement, to the extent mentioned in sub-paragraph (3), the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40.

(2) Where an enforcement notice has been served under section 10 of the 1984 Act before the commencement of section 40 and immediately before that commencement either—

(a) the time for appealing against the notice has not expired, or

(b) an appeal has not been determined,

the appeal shall be determined in accordance with the provisions of the 1984 Act and the old principles and, unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3) the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40.

(3) An enforcement notice under section 10 of the 1984 Act has the effect described in sub-paragraph (1) or (2) only to the extent that the steps specified in the notice for complying with the old principle or principles in question are steps which the data controller could be required by an enforcement notice under section 40 to take for complying with the new principles or any of them.

C46 Sch. 14 para. 7 excluded (1.3.2000) by S.I. 1999/2093 , reg. 34 , Sch. 3 para. 4(1)

8 (1) If, immediately before the commencement of section 40— U.K.

(a) a transfer prohibition notice under section 12 of the 1984 Act has effect, and

then, on and after that commencement, to the extent specified in sub-paragraph (3), the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40.

(2) Where a transfer prohibition notice has been served under section 12 of the 1984 Act and immediately before the commencement of section 40 either—

(3) A transfer prohibition notice under section 12 of the 1984 Act has the effect described in sub-paragraph (1) or (2) only to the extent that the prohibition imposed by the notice is one which could be imposed by an enforcement notice under section 40 for complying with the new principles or any of them.

Notices under new law relating to matters in relation to which 1984 Act had effect U.K.

9 U.K. The Commissioner may serve an enforcement notice under section 40 on or after the day on which that section comes into force if he is satisfied that, before that day, the data controller contravened the old principles by reason of any act or omission which would also have constituted a contravention of the new principles if they had applied before that day.

10 U.K. Subsection (5)(b) of section 40 does not apply where the rectification, blocking, erasure or destruction occurred before the commencement of that section.

11 U.K. The Commissioner may serve an information notice under section 43 on or after the day on which that section comes into force if he has reasonable grounds for suspecting that, before that day, the data controller contravened the old principles by reason of any act or omission which would also have constituted a contravention of the new principles if they had applied before that day.

12 U.K. Where by virtue of paragraph 11 an information notice is served on the basis of anything done or omitted to be done before the day on which section 43 comes into force, subsection (2)(b) of that section shall have effect as if the reference to the data controller having complied, or complying, with the new principles were a reference to the data controller having contravened the old principles by reason of any such act or omission as is mentioned in paragraph 11.

Self-incrimination, etc. U.K.

13 (1) In section 43(8), section 44(9) and paragraph 11 of Schedule 7, any reference to an offence under this Act includes a reference to an offence under the 1984 Act. U.K.

(2) In section 34(9) of the 1984 Act, any reference to an offence under that Act includes a reference to an offence under this Act.

Warrants issued under 1984 Act U.K.

14 U.K. The repeal of Schedule 4 to the 1984 Act does not affect the application of that Schedule in any case where a warrant was issued under that Schedule before the commencement of the repeal.

Complaints under section 36(2) of 1984 Act and requests for assessment under section 42 U.K.

15 U.K. The repeal of section 36(2) of the 1984 Act does not affect the application of that provision in any case where the complaint was received by the Commissioner before the commencement of the repeal.

16 U.K. In dealing with a complaint under section 36(2) of the 1984 Act or a request for an assessment under section 42 of this Act, the Commissioner shall have regard to the provisions from time to time applicable to the processing, and accordingly—

(a) in section 36(2) of the 1984 Act, the reference to the old principles and the provisions of that Act includes, in relation to any time when the new principles and the provisions of this Act have effect, those principles and provisions, and

(b) in section 42 of this Act, the reference to the provisions of this Act includes, in relation to any time when the old principles and the provisions of the 1984 Act had effect, those principles and provisions.

Applications under Access to Health Records Act 1990 or corresponding Northern Ireland legislation U.K.

17 (1) The repeal of any provision of the M43 Access to Health Records Act 1990 does not affect— U.K.

(a) the application of section 3 or 6 of that Act in any case in which the application under that section was received before the day on which the repeal comes into force, or

(b) the application of section 8 of that Act in any case in which the application to the court was made before the day on which the repeal comes into force.

(2) Sub-paragraph (1)(a) does not apply in relation to an application for access to information which was made by reference to this Act.

M43 1990 c. 23 .

18 (1) The revocation of any provision of the M44 Access to Health Records (Northern Ireland) Order 1993 does not affect— U.K.

(a) the application of Article 5 or 8 of that Order in any case in which the application under that Article was received before the day on which the repeal comes into force, or

(b) the application of Article 10 of that Order in any case in which the application to the court was made before the day on which the repeal comes into force.

M44 S.I. 1993/1250 (N.I.4) .

Applications under regulations under Access to Personal Files Act 1987 or corresponding Northern Ireland legislation U.K.

19 (1) The repeal of the personal files enactments does not affect the application of regulations under those enactments in relation to— U.K.

(a) any request for information,

(b) any application for rectification or erasure, or

(c) any application for review of a decision,

which was made before the day on which the repeal comes into force.

(2) Sub-paragraph (1)(a) does not apply in relation to a request for information which was made by reference to this Act.

(3) In sub-paragraph (1) “ the personal files enactments ” means—

(a) in relation to Great Britain, the M45 Access to Personal Files Act 1987, and

(b) in relation to Northern Ireland, Part II of the M46 Access to Personal Files and Medical Reports (Northern Ireland) Order 1991.

M45 1987 c. 37 .

M46 S.I. 1991/1707 (N.I.14) .

Applications under section 158 of Consumer Credit Act 1974 U.K.

20 U.K. Section 62 does not affect the application of section 158 of the M47 Consumer Credit Act 1974 in any case where the request was received before the commencement of section 62, unless the request is made by reference to this Act.

M47 1974 c. 39 .

Section 74(1).

SCHEDULE 15 U.K. Minor and consequential amendments

Public Records Act 1958 (c. 51) U.K.

1 F161 (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U.K.

F162 (2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F162 (3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F161 Sch. 15 para. 1(1) repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(2)(d) , Sch. 8 Pt. II (with ss. 56 , 78 )

F162 Sch. 15 para. 1(2)(3) repealed (1.1.2005) by 2000 c. 36 , ss. 86 , 87(3) , Sch. 8 Pt. III (with ss. 56 , 78 ); S.I. 2004/3122 , art. 2

Parliamentary Commissioner Act 1967 (c. 13) U.K.

F163 2 U.K. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F163 Sch. 15 para. 2 repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(2)(d) , Sch. 8 Pt. II (with ss. 56 , 78 )

F164 3 U.K. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F164 Sch. 15 para. 3 repealed (1.1.2005) by 2000 c. 36 , ss. 86 , 87(3) , Sch. 8 Pt. III (with ss. 56 , 78 ); S.I. 2004/3122 , art. 2

Superannuation Act 1972 (c. 11) U.K.

F165 4 U.K. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F165 Sch. 15 para. 4 repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(2)(d) , Sch. 8 Pt. II (with ss. 56 , 78 )

House of Commons Disqualification Act 1975 (c. 24) U.K.

5 F166 (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U.K.

F167 (2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F166 Sch. 15 para. 5(1) repealed (1.1.2005) by 2000 c. 36 , ss. 86 , 87(3) , Sch. 8 Pt. III (with ss. 56 , 78 ); S.I. 2004/3122 , art. 2

F167 Sch. 15 para. 5(2) repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(2)(d) , Sch. 8 Pt. II (with ss. 56 , 78 )

Northern Ireland Assembly Disqualification Act 1975 (c. 25) U.K.

6 F168 (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U.K.

F169 (2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F168 Sch. 15 para. 6(1) repealed (1.1.2005) by 2000 c. 36 , ss. 86 , 87(3) , Sch. 8 Pt. III (with ss. 56 , 78 ); S.I. 2004/3122 , art. 2

F169 Sch. 15 para. 6(2) repealed (30.1.2001) by 2000 c. 36 , ss. 86 , 87(2)(d) , Sch. 8 Pt. II (with ss. 56 , 78 )

Representation of the People Act 1983 (c. 2) U.K.

7 U.K. In Schedule 2 of the Representation of the People Act 1983 (provisions which may be included in regulations as to registration etc ), in paragraph 11A(2)—

(a) for “data user” there is substituted “ data controller ” , and

(b) for “the Data Protection Act 1984” there is substituted “ the Data Protection Act 1998 ” .

Access to Medical Reports Act 1988 (c. 28) U.K.

8 U.K. In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), in the definition of “ health professional ”, for “the Data Protection (Subject Access Modification) Order 1987” there is substituted “ the Data Protection Act 1998 ” .

Football Spectators Act 1989 (c. 37) U.K.

9 U.K. F170 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F170 Sch. 15 para. 9 repealed (6.4.2007) by Violent Crime Reduction Act 2006 (c. 38) , ss. 65 , 66(2) , Sch. 5 ; S.I. 2007/858 , {art. (m)(n)(vii)}

Education (Student Loans) Act 1990 (c. 6) U.K.

10 U.K. Schedule 2 to the Education (Student Loans) Act 1990 (loans for students) so far as that Schedule continues in force shall have effect as if the reference in paragraph 4(2) to the Data Protection Act 1984 were a reference to this Act.

Access to Health Records Act 1990 (c. 23) U.K.

11 U.K. For section 2 of the Access to Health Records Act 1990 there is substituted—

“ 2 Health professionals.

In this Act “ health professional ” has the same meaning as in the Data Protection Act 1998. ”

12 U.K. In section 3(4) of that Act (cases where fee may be required) in paragraph (a), for “the maximum prescribed under section 21 of the Data Protection Act 1984” there is substituted “ such maximum as may be prescribed for the purposes of this section by regulations under section 7 of the Data Protection Act 1998 ” .

13 U.K. In section 5(3) of that Act (cases where right of access may be partially excluded) for the words from the beginning to “record” in the first place where it occurs there is substituted “ Access shall not be given under section 3(2) to any part of a health record ” .

Access to Personal Files and Medical Reports (Northern Ireland) Order 1991 (1991/1707 (N.I. 14)) U.K.

14 U.K. In Article 4 of the Access to Personal Files and Medical Reports (Northern Ireland) Order 1991 (obligation to give access), in paragraph (2) (exclusion of information to which individual entitled under section 21 of the Data Protection Act 1984) for “section 21 of the Data Protection Act 1984” there is substituted “ section 7 of the Data Protection Act 1998 ” .

15 U.K. In Article 6(1) of that Order (interpretation), in the definition of “ health professional ”, for “the Data Protection (Subject Access Modification) (Health) Order 1987” there is substituted “ the Data Protection Act 1998 ” .

Tribunals and Inquiries Act 1992 (c. 53) U.K.

16 U.K. In Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals under direct supervision of Council on Tribunals), for paragraph 14 there is substituted—

Access to Health Records (Northern Ireland) Order 1993 (1993/1250 (N.I. 4)) U.K.

17 U.K. For paragraphs (1) and (2) of Article 4 of the Access to Health Records (Northern Ireland) Order 1993 there is substituted—

“ (1) In this Order “ health professional ” has the same meaning as in the Data Protection Act 1998. ”

18 U.K. In Article 5(4) of that Order (cases where fee may be required) in sub-paragraph (a), for “the maximum prescribed under section 21 of the Data Protection Act 1984” there is substituted “ such maximum as may be prescribed for the purposes of this Article by regulations under section 7 of the Data Protection Act 1998 ” .

19 U.K. In Article 7 of that Order (cases where right of access may be partially excluded) for the words from the beginning to “record” in the first place where it occurs there is substituted “ Access shall not be given under Article 5(2) to any part of a health record ” .

Section 74(2).

SCHEDULE 16 U.K. Repeals and revocations

Part I U.K. Repeals

Part II U.K. Revocations

Case studies

The following is a list of case studies, by year, as featured in Annual Reports published by this Office. These case studies provide an insight into some of the issues that this Office investigates on a day to day basis. For ease of reference, some of the case studies have been indexed by categories below.

  • Prosecution of Guerin Media Limited
  • Prosecution of AA Ireland Limited
  • The Dublin Mint Office Limited
  • Access Request made to NAMA
  • Disclosure of CCTV footage from a direct provision centre
  • The importance of data controllers having appropriate mechanisms in place to respond to access requests and document compliance

Case Study 1: Prosecution of Guerin Media Limited

The DPC received unrelated complaints from three individuals about unsolicited marketing emails that they had received from Guerin Media Limited. In all cases, the complainants received the marketing emails to their work email addresses. None of the complainants had any previous business relationship with Guerin Media Limited. The marketing emails did not provide the recipients with an unsubscribe function or any other means to opt out of receiving such communications. Some of the complainants replied to the sender requesting that their email address be removed from the company’s marketing list. However, these requests were not actioned and the company continued to send the individuals further marketing emails. In one case, nine marketing emails were sent to an individual’s work email address after he had sent an email request to Guerin Media Limited to remove his email address from its mailing list.

The DPC’s investigation into these complaints established that Guerin Media Limited did not have the consent of any of the complainants to send them unsolicited marketing emails and that it had failed in all cases to include an opt-out mechanism in its marketing emails.

The DPC had previously received four similar complaints against Guerin Media Limited during 2013 and 2014 in which the company had also sent unsolicited marketing emails without having the consent of the recipients to receive such communications and where the emails in question did not contain an opt-out mechanism. On foot of the DPC’s investigations at that time, the DPC warned Guerin Media Limited that it would likely face prosecution by the DPC if there was a recurrence of such breaches of the E-Privacy Regulations. Taking account of the previous warning and the DPC’s findings in its current investigation, the DPC decided to prosecute Guerin Media Limited for 42 separate breaches of the E-Privacy Regulations.

The prosecutions came before Naas District Court on 5 February 2018 and the company pleaded guilty to four sample charges out of the total of 42 charges. Three of the sample charges related to breaches of Regulation 13(1) of the E-Privacy Regulations for sending unsolicited marketing emails to individuals without their consent. The fourth sample charge related to a breach of Regulation 13(12)(c) of the E-Privacy Regulations for failure to include an opt-out mechanism in the marketing emails. The Court convicted Guerin Media Limited on all four charges and imposed four fines each of €1,000, i.e. a total of €4,000. The company was given a period of six months in which to pay the fine. It also agreed to make a contribution towards the prosecution costs incurred by the DPC.

Marketing to work email addresses

There is a common misconception that the sending of email communications to individuals at a work email address is a form of business-to-business communication for which the consent of the individual is not required. The E-Privacy Regulations allow a carve-out from the default rule (i.e. that the sending organisation must have the consent of the receiving individual) which permits such communications to be sent to an email address that reasonably appears to be one used by a person in the context of their commercial or official activity. However, in order to rely on this exception to the general rule requiring consent, the sender must be able to show that the email sent related solely to the recipient’s commercial or official activity, in other words, that it was a genuine business-to-business communication. In effect, this means that marketing material that is directly relevant to the role of the recipient in the context of their commercial or official activity (i.e. within their workplace) may be sent by an organisation without the prior consent of the recipient. That was not the case in the circumstances at issue. The marketing communications sent by Guerin Media Limited related to attempts by that company to sell advertisement space in various publications and to sell stands at exhibitions, but none of the individual complainants who received those communications had any role in relation to marketing matters within their own workplaces.

While not directly applicable here, as the complainants were all individuals, organisations should also take note of a further rule in the E-Privacy Regulations concerning situations where the recipient of an unsolicited direct marketing communication is not an individual (e.g. the email address used is a solely company/corporate one and does not relate to the email account of an individual, whether at work or otherwise). In such a case where the company/ corporate recipient notifies the sender that it does not consent to receiving such emails, it is unlawful for the sender to subsequently send such emails.

This case is an important demonstration that any organisation engaging in electronic direct marketing activities should carefully establish the basis on which it considers that the primary default rule (requiring a sending organisation to have the consent of the recipient) does not apply to it in any given case, and how it can demonstrate this. The case also illustrates the importance of including an opt-out mechanism in each and every electronic direct marketing communication, as failure to do so constitutes a separate offence (in addition to any offence in relation to failure to obtain consent) in respect of each such email or message.

2)   Case Study 2: Prosecution of AA Ireland Limited

In December 2017 the DPC received a complaint from an individual who had received unsolicited marketing text messages from AA Ireland Limited. He informed the DPC that he had recently received his motor insurance renewal quotation from his current insurance provider and had decided to shop around to try to get a more competitive quotation. One of the companies he telephoned for a quotation was AA Ireland Limited. The complainant informed the DPC that he had expressly stated to the agent who answered his call that he wanted an assurance that his details would not be used for marketing purposes, and that he had been given that assurance by the agent. The phone call continued with the agent providing a quotation. The complainant noted that the quotation was higher than the renewal quotation from his current insurance provider and indicated to the agent that he would not be proceeding with the quotation offered by AA Ireland Limited. The complainant informed the DPC that at this point in the call he had reiterated to the agent that he should not receive marketing material and was once again assured by the agent that this would not happen.

The essence of the complainant’s complaint however was that the day after the phone call in question he had received a marketing text message from AA Ireland Limited offering him €50 off the quote provided. A further similar text message was sent to his mobile phone one day later. The complainant stated in his complaint that he felt that this action was a blatant breach of his very clear and precise instructions that he did not wish to receive any marketing communications.

During the course of our investigation, AA Ireland Limited confirmed that it had sent both text messages to the complainant and admitted that it had not obtained consent to send these messages to the complainant. The company acknowledged that the complainant had requested that he not receive marketing messages, that the complainant’s request should have been actioned and that his details should not have been used for marketing purposes. The company claimed that the incident arose as a result of human error. It explained that the correct process had not been followed by the agent so that the complainant’s details had been recorded with an opt-in for him to receive marketing messages therefore resulting in marketing text messages being sent to him.

As the DPC had previously issued a warning in separate circumstances to AA Ireland Limited in relation to unsolicited marketing communications, in this instance the DPC decided to initiate prosecution proceedings. At Dublin Metropolitan District Court on 14 May 2018 AA Ireland Limited entered a guilty plea to one offence. It also agreed to cover the prosecution costs incurred by the DPC. In lieu of a conviction and fine, the Court applied Section 1(1) of the Probation of Offenders Act.

3) Case Study 3: The Dublin Mint Office Limited

The DPC received a complaint on 13 October 2017 from an individual who had received two marketing telephone calls that same day, one targeted at him and one at his son, from The Dublin Mint Office Limited. The caller in each case had attempted to sell commemorative coins. In his complaint, the complainant explained that he had registered online a few months earlier with the company for an online offer on his own behalf and on behalf of his son, providing the same telephone contact number for both of them during the online registration process. The complainant stated that he ticked the marketing opt-out box during that online registration process.

During the course of the DPC’s investigation, The Dublin Mint Office Limited admitted that it had made the marketing telephone calls. It explained that when the complainant supplied his telephone number during the online application process in May 2017, the order form had only offered an opt-in option to receive marketing mails and emails. The company confirmed that the complainant had not selected the opt-in option and he was therefore marked as opted out for marketing mails and emails only. The company explained that a gap in the system in place at the time meant that the form recorded a preference for marketing mails and emails only and did not record an opt-out for telesales. As a result, the complainant’s details were included in a list for a follow-up telesales call. The company informed the DPC that it had written to the complainant to apologise for the inconvenience caused to him and to his son by its inadvertent mistake.

The DPC had previously issued a warning to The Dublin Mint Office Limited in September 2017 concerning other complaints which had been made to the DPC concerning unsolicited marketing communications by the company. The DPC therefore decided to prosecute The Dublin Mint Office Limited. At Dublin Metropolitan District Court on 14 May 2018 the company pleaded guilty to two charges in relation to both marketing telephone calls. It also agreed to cover the DPC’s prosecution costs. In lieu of a conviction and fine, the Court applied Section 1(1) of the Probation of Offenders Act.

4) Case Study 4: Access Request made to NAMA

In February 2018, the DPC issued a decision on a complaint which had been made to it by two individuals against the National Asset Management Agency (NAMA). The complaint concerned allegations of non-compliance with a joint access request which had been made to NAMA in September 2014 by the complainants who were the directors and/or shareholders of a number of companies whose loans had transferred to NAMA. Certain personal loans of those individuals had also transferred to NAMA. The joint access request which had been made to NAMA expressly referenced personal data held by NAMA in connection with both the personal loans and the company loans.

NAMA responded to the complainants in October 2014, asking them to identify which of a number of categories of personal data (which NAMA itself had identified) that they wished to receive. The complainants replied, objecting to the manner in which NAMA’s response had sought to limit the scope of the request. NAMA subsequently provided the complainants with a copy of the personal data which it considered the complainants were entitled to but noted that it was not required to provide personal data which was subject to legal privilege, which comprised confidential expressions of opinion or which would prejudice the interests of NAMA in respect of a claim or which would prejudice the ability of NAMA to recover monies owed to the State. However, NAMA did not identify the personal data in respect of which it considered such exemptions from the right of access applied. While the personal data provided by NAMA to the complainants related to the personal loans of the complainants which had previously transferred to NAMA, it did not include personal data relating to the complainants as directors and/or shareholders in the companies whose loans had transferred to NAMA.

Complaint to the DPC

The data subjects subsequently made a complaint to the DPC which alleged:

  • that NAMA had failed to provide all of the complainants’ personal data to them;
  • that NAMA had incorrectly applied exemptions under the Data Protection Acts 1988 and 2003;
  • that even if NAMA was entitled to rely on one or more exemptions, it was obliged to provide the complainants with a description of the personal data so that they had a reasonable and fair opportunity to consider whether it did fall under an exemption; and
  • that NAMA had failed to conduct searches for personal data relating to ten additional categories of information identified by the complainants.

NAMA’s position on the complaint

NAMA stated that it had fully complied with the access request. Following an exchange of correspondence with the DPC, NAMA contended:

  • that “corporate data”, i.e. information relating to the loans of the companies linked to the complainants did not fall within the definition of “personal data”;
  • that it was released from its obligations to provide access to personal data contained within the totality of the records held in relation to both the personal loans and the company loans, on the basis that conducting such searches would require ‘disproportionate effort’ on the part of NAMA to do so; and
  • that it was appropriate for NAMA to rely on statutory exemptions to the right of access, as provided under Sections 5(1)(a), 5(1)(f) and 5(1)(g) of the Data Protection Acts 1988 and 2003.

DPC Investigation

In a submission to the DPC, NAMA provided estimates of the number of relevant records it held, and the potential financial cost of completing a comprehensive search for all personal data requested. NAMA confirmed that it had not conducted searches for the complainants’ personal data held in relation to company loans.

In order to substantiate its position, NAMA agreed to conduct sample searches for personal data in respect of a particular two-month period. Authorised officers on behalf of the DPC conducted three on-site investigations at NAMA premises to corroborate NAMA’s position on issues relating to its searches. Following a review of the sample searches carried out, DPC officers were not satisfied that a comprehensive search would involve a disproportionate effort on the part of NAMA, or that information held by NAMA relating to the complainants’ company loans did not also contain personal data of the complainants.

Following engagement between the DPC and NAMA, additional personal data was released to the complainants. However, efforts to resolve this matter informally were to no avail. The DPC subsequently issued a lengthy statutory decision running to some 67 pages in relation to the complaint. This decision addressed the three core issues referred to above.

The Commissioner’s Decision

The DPC’s findings on each of these issues were as follows.

(1) The Corporate Data Issue

While NAMA acknowledged that the complainants’ names appeared in records relating to the company loans, reflecting that they were directors and/or shareholders of the companies in question, and while NAMA accepted that the complainants’ names were their personal data, it contended that this did not make the other information in those records their personal data. The complainants’ position meanwhile was that there was no doubt that information relating to a person in their capacity as a company director could constitute personal data. They also pointed to the fact that information referencing an assessment of their performance or conduct, or the evaluation of their assets, constituted personal data even if it was concerned with company loans or the business of those companies. The complainants also contended that while records in relation to the company loans and their personal loans were held separately, the reality was that all of NAMA’s dealings with them were interconnected.

The DPC in her decision noted that the mere fact of one of the complainants’ names appearing in records relating to the company loans (for example if they had simply signed a commercial agreement in their capacity as director of a company) was not sufficient in and of itself for other information in that agreement to constitute personal data. However, the records which had been identified through the sample searches bore out the complainants’ contention that those records could not be assumed to contain no personal data at all. The DPC noted by way of example that it was clear from a document, the title of which referred to a NAMA board meeting, that while the board meeting had discussed and considered a business plan referable to one of the companies, there was information in that document relating to the financial assets of the complainants in their personal capacities. The DPC accepted the complainants’ position that the records held by NAMA regarding the company loans contained at least some personal data relating to them. Therefore the DPC considered that NAMA must, at the very least, identify the records or types of records in which the complainants were identified by name or otherwise but which NAMA considered did not constitute personal data, and provide sufficient information for the complainants to understand why it was said that those records or types of records did not constitute or contain personal data.

(2) The Disproportionate Effort Issue

The DPC then considered whether the time and money costs involved in NAMA conducting searches of the records held in relation to the company loans would be disproportionate relative to the amount of personal data that might be found and disclosed to the complainants. The DPC noted that while there is no express obligation on a data controller to search for personal data in order to comply with a properly made access request, she accepted that there was an implied obligation on a data controller to undertake searches so as to identify what personal data it might hold on a requester. The question for consideration concerned the nature and extent of this implied duty. The DPC noted that the disproportionate effort provision in Section 4(9)(a) of the Data Protection Acts 1988 and 2003, on the face of that provision, applied only to limit the obligation to provide the data constituting the personal data in permanent form. It did not limit the earlier steps in the process, such as the obligation to search for the data. While the DPC referred to jurisprudence from the UK Courts which has established that the implied obligation to search for personal data is limited to a reasonable and proportionate search, she noted that she was not aware of any judicial authority in Ireland dealing with the nature or extent of a controller’s obligations to conduct searches in order to comply with Section 4 of the Data Protection Acts 1988 and 2003. While accepting that there was no obligation on her to recognise the principles established by the UK authorities, the DPC noted that one particularly pertinent decision to this effect (Deer v. University of Oxford) had previously been referenced by the Irish High Court (in the judgment of Coffey J. delivered on 26 February 2018 in the case of Nowak v. Data Protection Commissioner). The DPC considered that decision to be helpful in interpreting Sections 4(1) and 4(9) of the Data Protection Acts 1988 and 2003, particularly given its analysis of case law from the CJEU. On that basis the DPC accepted NAMA’s contention that the obligation to search for personal data was not without limits; rather, NAMA was required to undertake reasonable and proportionate searches to identify the personal data of the complainants which it held.

The DPC then went on to consider whether NAMA had discharged this obligation, by carrying out the type of balancing exercise which had been contemplated in the UK case law, between upholding the data subject’s right of access and the burden which it would impose on the data controller. In doing so, the DPC considered a number of factors bearing upon this balancing exercise, including the intrinsic significance of the personal data and its relative importance to the requesters. In this regard, the DPC noted that the personal data in question related to the business and financial interests of the complainants both personally and in respect of the companies of which they were directors and/or shareholders. It was also considered relevant (as evident from the correspondence seen by the DPC’s officers) that the complainants were trying to bring about a situation in which the company loans would be dealt with by NAMA in a way that would ensure the survival of the companies and preserve the complainants’ ability to retain some level of ownership or control in those companies. Consequently, the DPC considered the personal data held by NAMA to be of significant importance to the complainants.

The DPC then considered the countervailing points made by NAMA, including specific estimates (calculated on the basis of the results from the sample searches) provided to the DPC relating to the estimated number of hits produced if searches were to be carried out (approximately 62,000), the estimated number of relevant records which would be identified following a review of those hits (approximately 12,600) and the estimated time which it would take to review, assemble and redact the material for release to the complainants (over 2,700 hours). It was also noted by the DPC that while NAMA had referred to the potential for technical solutions to reduce the manual input required, NAMA had stated that this was not something which it had assessed, and its view was that should such solutions exist, they would incur a disproportionate cost of implementation.

The DPC found NAMA’s estimates as regards the time and effort involved in carrying out searches for the full period to be speculative in nature and lacking in specific detail, and that it had failed to discharge the burden of proof on it in this regard. This was particularly so in light of the fact that NAMA’s previous position (prior to the sample searches having been conducted), that there was no personal data of the complainants held in the records relating to the company loans, had not been borne out in fact by reference to the results of those sample searches. NAMA had, it was noted, originally agreed to conduct searches for the whole period during which it held the company loans if the sample searches demonstrated that there was personal data of the complainants held in the records relating to the company loans. However, some 14 months later NAMA had changed its position and decided not to undertake any further searches at all, despite the sample searches having shown the presence of personal data in the company loan records. The DPC also considered that NAMA’s claims (in the absence of an assessment to this effect) that (1) a technical solution would not be feasible and (2) the disproportionate effort involved in carrying out the searches and providing the personal data identified would divert its resources away from its statutory remit, the latter being unparticularised, did not discharge the burden of proof to which it was subject in respect of its claims of disproportionate effort.

The DPC found that in refusing to conduct the searches NAMA had not sought to balance its rights against the complainants’ rights but had set them at nought. NAMA had not discharged its obligation by conducting reasonable and proportionate searches to find relevant personal data and supply it. The DPC was not satisfied on the basis of the arguments and evidence put forward by NAMA that by conducting the searches this would constitute disproportionate effort on its part.

(3) The Statutory Exemptions Issue

The sample searches which had been carried out by NAMA led to the identification of 14 hard copy documents containing the personal data of the complainants, drawn from NAMA’s records relating to both the company loans and the personal loans. However, NAMA withheld or redacted 3 of these documents on the basis of certain exemptions to the right of access. These exemptions related to Section 5(1)(g), Section 5(1)(f) and Section 5(1)(a) of the Data Protection Acts 1988 and 2003. As a preliminary matter the DPC found that NAMA must prove convincingly, and by evidence meeting the civil standard of proof, that each of the exemptions on which it sought to rely did in fact apply in this case and operated to override the complainants’ rights of access.

In the case of the legal privilege exemption which NAMA claimed applied to an internal email passing between solicitors employed at NAMA, the DPC noted that this document on its face was labelled as attracting litigation privilege. However given that no litigation was in being between the complainants and NAMA at the time of its creation (and in fact the only litigation now in being had only come into existence some 2 to 3 years later), the DPC was not satisfied that NAMA had discharged the burden of proof on it to show that litigation privilege applied to the personal data in question. However, the DPC then went on to consider whether legal advice privilege applied and concluded that it did because the content of the email in question set out the basis on which certain issues relating to the personal loans might be considered and addressed. The DPC was therefore satisfied that the email in question was privileged and exempt from release under Section 5(1)(g) of the Data Protection Acts 1988 and 2003.

With regard to two further documents, NAMA claimed that the exemption in Section 5(1)(a) applied. This provides that the right of access does not apply to personal data kept for the purposes of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or health board in any case in which granting access to the personal data would prejudice any such matters. The DPC applied the test for application of this exemption which had been set out in the UK judgment of Guriev & another v. Community Safety Development (UK) Limited [2016] EWHC 643. That case had concerned the equivalent exemption under the UK Data Protection Act 1998. The DPC found that NAMA had simply asserted that in the case of the two records in question, providing access to the personal data would have the effect of disclosing its strategy in dealing with liabilities. However NAMA had made no effort to explain the nature and effect of the prejudice that would be suffered if the personal data in question was released, how the release of it would lead to the prejudice, nor how applying the exemption was a necessary and proportionate interference with the complainants’ rights having regard to the gravity of the threat to the public interest. In light of this lack of evidence, the DPC decided that it was not open to NAMA to rely on this exemption.

The final exemption relied on by NAMA and considered by the DPC was Section 5(1)(f) which provides that the right of access does not apply to personal data consisting of an estimate or kept for the purposes of estimating the amount of liability of a data controller on foot of a claim in respect of damages or compensation where granting access would be likely to prejudice the interests of the data controller in relation to the claim. The DPC found that no evidence had been put forward by NAMA as to the factual basis for relying on the exemption. For example, NAMA had not identified the prejudice which it would suffer if it provided the personal data, or how or in what context the prejudice would arise. As NAMA had failed to discharge the burden of proof on it in relation to its claim to this exemption, the DPC found that it was not open to NAMA to rely on it.

Arising from the DPC’s findings, the DPC concluded that NAMA was in breach of its obligations under Section 4(1)(a) and Section 4(9) of the Data Protection Acts 1988 and 2003.

5) Case Study 5: Disclosure of CCTV footage from a direct provision centre

We received a complaint from solicitors for a resident of a direct provision accommodation centre in relation to an alleged disclosure of CCTV footage capturing the complainant’s images. The accommodation centre in question is owned by the State (with responsibility for it resting with the Reception and Integration Agency (RIA) which sits within the Department of Justice and Equality). The centre is managed on a day-to-day basis by Aramark Ireland (Aramark). The alleged disclosure of the complainant’s personal data came to her attention during her participation in a radio programme. The subject matter of that radio show concerned a matter that had arisen between residents of the accommodation centre and its staff. During the course of the radio programme, the radio host claimed that he had a copy of CCTV footage, which was apparently taken from a room in the accommodation centre, which allegedly showed an altercation between the complainant and another resident of the direct provision centre.

The complainant subsequently made complaints to RIA, to Aramark and to the radio station which had aired the radio programme in question. An access request for a description of all recipients to whom the complainant’s personal data had been disclosed was also made on behalf of the complainant under Section 4 of the Data Protection Acts 1988 and 2003 to RIA. However, the complaint noted that RIA had not responded to that access request.

We commenced an investigation into the complaint, seeking information from both Aramark and the RIA. The RIA informed us that it was liaising with Aramark and had requested a report from it. During the investigation, we established that Aramark was a data processor processing personal data on behalf of the RIA. Aramark submitted that CCTV is used for security purposes and to monitor health and safety within the accommodation centre. Aramark informed us that it processes personal data in line with the RIA’s instructions and that access to the storage medium within the accommodation centre was limited to specific authorised personnel, with accompanying username and password requirements.

In relation to the specific allegation of disclosure of the CCTV footage, Aramark told us that CCTV footage of an altercation involving the complainant had been downloaded by authorised personnel from Aramark and transmitted to the RIA. The reason given for the download and transmission was that the captured events related to security, and health and safety issues. According to Aramark, due to the size of the file in question, the employee had saved the footage to a Google link for onward transmission to the RIA.

Aramark informed us about a detailed forensic IT enquiry that had been conducted in relation to the complaint, across its IT systems, to identify whether any other disclosure of the CCTV footage had taken place. It maintained on the basis of its own investigations that the link had not been sent from any Aramark email account to an outside party other than the RIA. Amongst other things, as part of the forensic enquiry, Aramark said that it had checked internet logs on the Aramark computer used at the accommodation centre, searched the mailboxes of Aramark staff who worked at the accommodation centre and searched for email correspondence, inbound and outbound, relating to the incident. A data recovery program had also been installed on the computer in question to review all deleted content on the computer. No activity indicating disclosure of the CCTV footage to any third party had been identified. Aramark further informed us that the Google link no longer existed and was therefore not accessible.

Aramark also maintained that the authorised personnel who had downloaded the footage had confirmed that the footage had not been disclosed to any third party and that it had been deleted following transmission to the RIA.

Separately the RIA confirmed to us during our investigation that the Google link to the CCTV footage which it had received, referenced the complainant and another resident. It stated that a copy of the footage had not been retained by the RIA.

In relation to the management of the CCTV system in the accommodation centre, the RIA furnished us with certain documentation including Aramark’s data protection and CCTV policies and a confidentiality agreement in place with Aramark. However, the RIA acknowledged during our investigation that there were no policies or practice documents in place for the management of CCTV operating in accommodation centres.

Ultimately, neither Aramark nor the RIA were able to definitively confirm that the CCTV footage in question had not been disclosed to the radio station. In relation to its non-compliance with the access request, the RIA’s position was that it was waiting on a detailed report from Aramark and that it could not respond to the access request until it had received that report.

In her decision, the DPC found that the RIA did not respond to the request by the complainant for a description under Section 4 of the Data Protection Acts 1988 and 2003 of all recipients to whom the personal data was disclosed, within the prescribed timeframe of 40 days. This was in direct contravention of RIA’s obligation under that provision.

In relation to the oversight of the processing carried out by Aramark as a processor for RIA, based on the submissions made by both the RIA and Aramark in the course of the DPC’s investigation, there was no evidence of a written contract in place which delineated the respective obligations applicable to the RIA and Aramark in relation to the processing of personal data by Aramark on the RIA’s behalf. This constituted a contravention by the RIA, as the data controller, of Section 2C(3) of the Data Protection Acts 1988 and 2003.

Although the DPC was unable to establish how the CCTV footage in question came to be in possession of a radio station, the DPC found that ultimately the complainant’s rights were infringed. In this regard both the RIA and Aramark failed in their duty of care to the complainant by failing to ensure that appropriate security measures were taken against the unauthorised disclosure as required by Section 2(1)(d). The DPC also decided that a contravention of Section 2C(2) of the Data Protection Acts 1988 and 2003 had occurred. This provision requires a controller to take reasonable measures to ensure that its employees and other persons at the place of work are aware of and comply with security measures. The lack of agreed procedures and in-depth policies in place between the RIA and Aramark relating to the transfer of personal data over a network led to this decision.

This case illustrates the unintended and unforeseen consequences which can result from an absence of clear, documented policies and procedures governing the transmission of personal data over a network. In this case, that failure was compounded by the further failure by the RIA to also have a written agreement in place which clearly set out the parameters of Aramark’s instructions to process personal data on behalf of the RIA. As this case demonstrates, such failures by a controller to comply with its data protection obligations are not just administrative or regulatory breaches but can result in grave incursions into an individual’s Charter protected right to protection of their personal data which otherwise should have been avoidable.

6)   Case Study 6: The importance of data controllers having appropriate mechanisms in place to respond to access requests and document compliance.

We received a complaint from a data subject concerning the alleged failure of eir to comply in full with an access request. The complainant advised us that in response to his access request he had received from eir what he described as “a bundle of random pages of information without any explanation of content”.

In the course of our investigation we established that eir was in fact seeking to rely on certain statutory exemptions to the right of access. However in its response to the requester’s access request, it had not referred at all to the fact that it had withheld certain personal data. It was only in communications with eir, during the course of our investigation, some five months after eir’s receipt of the access request, that eir indicated that they were withholding personal data based on exemptions and outlined the details of the exemptions relied on by reference to an attached list.

In the course of our investigation it also became apparent that eir was unable to determine what personal data had actually been provided to the complainant as it had not retained a copy of the personal data which had been provided. As a consequence of the lack of records kept on the personal data which had been released, eir was also unable to identify what personal data had been withheld/ not provided either in reliance on an exemption under the Data Protection Acts 1988 and 2003, or otherwise.

We pointed out to eir that it would be difficult to see how eir would be in a position to provide clarification to us as to their purported application of any statutory exemption to this particular access request given that they were not clear on what personal data had been provided to the complainant in the first place. We accordingly directed eir to re-commence the process of responding to the access request afresh. We specified that in doing so, eir should:

  • Examine its systems, both manual and electronic and carry out a review of all the personal data held by it relating to the complainant in manual and electronic form;
  • Write to the complainant within a period of not more than fourteen days of the date of our request, responding to the substance of his access request in accordance with the provisions of Section 4 of the Acts. In so doing, we required that eir provide access to all personal data held or controlled by it, while also explaining to the requester the reason for the re-issue to him of personal data which had already been provided, i.e. that eir was unable to determine what personal data had already issued to him. We also directed that in this response, eir also provide the requester with a statement of the reasons for the refusal to provide access to any personal data, identifying any statutory exemption relied on by eir and the basis on which eir contended that such exemption(s) applied in this case. Finally, we required that eir’s letter to the requester should be copied to us.

While ultimately the complainant in this case withdrew his complaint against eir, the issues identified during the course of our investigation underline the critical importance of data controllers having adequate organisational and operational mechanisms to allow them to comply with their statutory obligations with regard to access requests. However, it is equally important that a data controller is able to post facto demonstrate (where required by the DPC, such as in the context of a complaint) compliance with its obligations. A data controller must be able to justify decisions it has taken to deny access to personal data in reliance on one or more statutory exemptions. As a basic starting point of being able to provide justification as to the position taken in relation to a request by a data subject to exercise a right, data controllers should have appropriate record keeping systems and processes in place. These mechanisms should allow them to track and produce copies of any correspondence exchanged with a data subject in relation to an access request or request to exercise any other data protection right.

This case study also underscores the fact that the right of an individual to access personal data held about them is not just about being provided with access to the data itself. Importantly it is also concerned with sufficient, meaningful information being given to the data subject so that they can understand, amongst other things, what personal data is processed about them, in what circumstances and for what purposes. In this case the provision of a bundle of unexplained documents in response to the access request failed to satisfy the minimum requirements applicable to eir as a data controller under Section 4 of the Data Protection Acts 1988 and 2003, ultimately causing confusion for the data subject and prompting a complaint to the DPC.

  • Right to be Forgotten
  • Prosecution of Eamon O’Mordha & Company Limited and one of Its Directors
  • Loss of sensitive personal data contained in an evidence file kept by An Garda Síochána
  • Use of CCTV footage in a disciplinary process.
  • Disclosure of sensitive personal data by a hospital to a third party
  • Publication of personal information - journalistic exemption
  • Compliance with a Subject Access Request & Disclosure of personal data / capture of images using CCTV
  • Failure to respond fully to an access request
  • Personal data of a third party withheld from an access request made by the parent of a minor
  • Disclosure of Personal Data via a Social Media App
  • Failure by the Department of Justice and Equality to impose the correct access restrictions on access to medical data of an employee
  • Virgin Media Ireland Limited
  • Sheldon Investments Limited (trading as River Medical)
  • Tumsteed Unlimited Company (trading as EZ Living Furniture)
  • Cunniffe Electric Limited
  • Argos Distributors (Ireland) Limited
  • Expert Ireland Retail Limited

1)   Right to be Forgotten

We received a complaint from a Lithuanian national concerning articles about that individual which had been published by a number of Lithuanian news sources ten years earlier. Links to these articles were returned in search results when a search against the individual’s name was carried out using a particular search engine. The articles in question detailed the termination of the individual’s employment as an official in a municipal government department in connection with the individual’s involvement in potentially fraudulent activities. The articles also detailed criminal charges which had been brought against the individual for allegedly accepting bribes in the context of their employment.

During the course of our investigation into this complaint, the search engine operator contended that the information detailed in the articles in question related to serious professional wrongdoing committed by an individual involved in public administration. It maintained that where such wrongdoing resulted in criminal sanctions, this was sufficiently serious for the information to be considered to be in the public interest and therefore any interference with the data subject’s rights was justified.

However in the course of our investigation the complainant provided us with official court documents which showed that they had been found not guilty of all the charges which had been referred to in the articles. The complainant also provided us with documents which showed that the termination of their employment with the municipal government department had been on a voluntary basis with the complainant having resigned due to personal reasons. We considered that this documentary information demonstrated that the complainant’s personal data, which was being processed by way of the search engine returning search results to the articles in question, was inaccurate, incomplete and out of date and on that basis we requested that the search engine operator delist the links to the webpages in question from search results which were returned from searches conducted against the complainant’s name. The search engine operator complied with our request and delisted the links in question.

This case illustrates that the onus is on a search engine, as the data controller, to satisfy itself to the appropriate level that the personal data to which search engine results provide links fully accords with the laws on data protection. In this case, it appeared that the search engine operator did not properly examine the complaint but simply assumed that, because the complainant had previously been employed in a public official role, the information in question was automatically in the public interest, regardless of whether it was in fact accurate, complete and up to date. The search engine operator had assumed, without apparently even checking the factual background, that the complainant had been convicted of the criminal charges.

2)   Prosecution of Eamon O’Mordha & Company Limited and one of Its Directors

The investigation of this case arose in the context of a wide-ranging investigation of the Private Investigator sector that commenced in 2016. As part of that investigation, the Special Investigations Unit obtained and examined copies of several private investigator reports written in 2014 and 2015 by Eamon O’Mordha & Company Limited (the company) for its clients in the insurance sector. The Special Investigations Unit became suspicious of the origin of some of the personal data in those reports and it immediately commenced an investigation involving the Department of Social Protection and An Garda Síochána.

The investigation subsequently uncovered access by the company to social welfare records held on databases in the Department of Social Protection. An official in that Department was interviewed by Authorised Officers of the Data Protection Commissioner. During the course of that interview, the official revealed that the two directors of the company were friends of hers and she admitted that one of the company directors met with her regularly and asked her to check information on the Department’s database. The official admitted that she carried out those checks and provided personal information to the company director.

Separately, the investigation uncovered access by the company to records held on the PULSE database of An Garda Síochána. Two serving members of An Garda Síochána (who are brothers and nephews of one of the directors of the company) were interviewed by Authorised Officers of the Data Protection Commissioner. During the course of those interviews, both Gardaí confirmed that they had been contacted by their aunt to obtain information from them in relation to individuals and vehicle registration numbers. They both admitted that they had accessed the Garda PULSE database and that they had subsequently passed on personal information to their aunt, the company director.

Eamon O’Mordha & Company Limited was charged with 37 counts of breaches of the Data Protection Acts, 1988 and 2003 (the Acts). All charges related to breaches of section 22 of the Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. The personal data was kept by the Department of Social Protection and An Garda Síochána. The personal data was disclosed to entities in the insurance sector. Two directors of the company, Eamonn O’Mordha and his wife Ann O’Mordha were separately charged with thirty-seven counts of breaches of section 29 of the Acts for their part in the offences committed by the company. This section of the Acts provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.

On 8 May, 2017 at Dublin Metropolitan District Court, guilty pleas on behalf of the company were entered to twelve charges for offences under section 22 of the Acts. The Court convicted the company on ten charges and it took the further two charges into account. It imposed ten fines of €1,000 on the company (totalling €10,000). All remaining charges were struck out. Company director Ms. Ann O’Mordha pleaded guilty to twelve charges for offences under section 29 of the Acts. The Court convicted Ms. O’Mordha on ten charges and it took the further two charges into account. It imposed ten fines of €1,000 on Ms. O’Mordha (totalling €10,000). All remaining charges were struck out. The charges against her husband, the other company director, were not proceeded with.

3)   Loss of sensitive personal data contained in an evidence file kept by An Garda Síochána

We received a complaint from a couple against An Garda Síochána (AGS), concerning the loss of an evidence file that held, among other things, the couple’s sensitive personal data relating to details of medical treatment. We established that the couple had previously made a criminal complaint to AGS and had subsequently made an access request. However, in response to the access request, they were informed that the evidence file in relation to their complaint, which contained their original statements, a DVD and postal documents containing their sensitive personal data, had been misplaced while in the possession of AGS. The complainants requested that we conduct a formal investigation into the matter.

AGS informed us that upon identifying that the evidence file in question was missing, a comprehensive search had taken place of all files retained at local level in the District Office, and other relevant sections of AGS, in order to try to locate the file. Ultimately, however, the file had not been located.

During the course of our investigation, we studied the chain of custody supplied to us by AGS and established that the last known whereabouts of the file was in the investigating officer’s possession. That officer had been instructed by a superior to update the couple about the criminal complaint and to then return the file to the District Office for filing. However, the officer had failed to return the file to the District Office for filing. AGS informed us that the failure by the officer to return the file to the relevant location in the District Office was in contravention of its policy and procedures at the time and that consequently both an AGS internal investigation and a Garda Síochána Ombudsman Commission investigation had been conducted. Following the latter investigation, the officer in question had been disciplined and sanctioned for the contravention.

One of the central requirements of data protection law is that data controllers have an obligation to have appropriate security measures in place to ensure that personal data in their possession is kept safe and secure. This requires the controller to consider both technical and organisational measures and importantly, to take all reasonable steps to ensure that its employees, amongst others, are aware of and comply with the security measures. In her decision, the Commissioner found that AGS, as data controller, had infringed Section 2(1)(d) of the Data Protection Acts 1988 and 2003, as it failed to take appropriate security measures to ensure the safe storage of the complainants’ sensitive personal data which was contained on the evidence file in question.

This case demonstrates that the obligation on a data controller to maintain appropriate security measures goes beyond simply putting in place procedures regarding the storage and handling of personal data. Such procedures are only effective as a security control if they are consistently adhered to, so data controllers must monitor staff compliance with these measures and take meaningful steps (for example training, auditing and potentially disciplinary measures where non-compliance is identified) to ensure that staff systematically observe such procedures.

4)   Use of CCTV footage in a disciplinary process.

We received a complaint from an individual regarding the use of CCTV footage by their employer in a disciplinary process against them. The complainant informed us that while employed as a security officer, their employer had used their personal data, in the form of CCTV footage, to discipline and ultimately dismiss them. The complainant stated that they had not been given prior notification that CCTV footage could be used in disciplinary proceedings.

In the course of our investigation, the employer informed us that the complainant had worked as a night officer assigned to client premises, and had been required to monitor the CCTV system for the premises from a control room. The employer’s position was that, upon being assigned to the client premises in question, the complainant had been asked to read a set of “Standing Operating Procedures” which indicated that CCTV footage could be used in an investigative process concerning an employee. The employee had also been asked to sign a certificate of understanding to confirm that he had read and understood his responsibilities. The employer maintained that the CCTV system in place at the client premises was not used for supervision of staff as there was a supervisor at the premises during office hours between Monday and Friday.

The employer informed our investigators that it was the complainant’s responsibility, as the sole night security officer on duty at the client premises, to monitor the CCTV system for the premises from the control room. The requirement to have a night security officer on duty in that control room for that purpose was a term of the employer’s contract with its client. The employer was also contractually obligated under its contract with its client to carry out routine audits of employee access cards (which were swiped by the holder to gain access to various locations in the client premises). The employer told us that during such an audit, it had discovered irregularities in data derived from the complainant’s access card which could not be the result of a technical glitch as those irregularities were not replicated in the access card data of the complainant’s fellow night officers. These irregularities suggested that the complainant had been absent from their assigned post in the control room for prolonged periods of time on a number of separate occasions. On the basis of the access card data irregularities and upon noting the apparent absence of the employee from the control room during prolonged periods, the employer had commenced an investigation into the employee’s conduct. During the course of this investigation, the complainant disputed the accuracy of the access card data, and had sought that the employer provide further evidence of his alleged prolonged absences from the control room. The employer had therefore obtained CCTV stills at times when the access card data suggested the complainant was away from their post in order to verify the location of the complainant. The employer maintained that because the CCTV system was independent of the access card data system, it was the only independent way to verify the access card data. 

The employer also provided us with minutes of a disciplinary meeting with the complainant where they had admitted to being away from the control room for long periods. The employer also informed us that the complainant had later admitted in an email, also provided to us, that the reason for these absences was that the complainant had gone into another room so that they could lie down on a hard surface in order to get relief from back pain arising from a back injury.

We queried with the employer what the legal basis was for processing the complainant’s personal data from the CCTV footage. The employer’s position was that as a result of its contractual obligations to its client (whose premises were being monitored), if an adverse incident occurred during a period of absence of the assigned security officer (the employee) from the control room, that would potentially expose the employer to a breach of contract action by its client which could lead to significant financial and reputational consequences for the employer. On this basis the employer contended that it had a legitimate interest in processing CCTV footage of the employee for the purpose of the disciplinary process. Under Section 2A(1)(d) a data controller may process an individual’s personal data, notwithstanding that the controller does not have the consent of the data subject, where the processing is necessary for the purposes of the legitimate interests pursued by the data controller. However, in order to rely on legitimate interests as a legal basis for processing, certain criteria have to be met as follows:

  • there must be a legitimate interest justifying the processing;
  • the processing of personal data must be necessary for the realisation of the legitimate interest; and
  • the legitimate interest must prevail over the rights and interests of the data subject.

Having considered the three-step test above, the Commissioner was satisfied that the employer had a legitimate interest in investigating and verifying whether there was misconduct on the part of the employee (or whether there was a fault in the access card security system). Furthermore, the Commissioner considered that the use of the CCTV footage was necessary and proportionate to the objective pursued in light of the seriousness of the allegation because it was the only independent method of verifying the accuracy of the access card data. The Commissioner noted that the CCTV footage was used in a limited manner to verify other information and that the principle of data minimisation had been respected. Finally, given the potential risk of damage to the employer’s reputation and the need to ensure the security of its client’s premises, the Commissioner was satisfied that the use of CCTV footage for the purpose of investigating potential employee misconduct, which raised potential security issues at a client premises, in these circumstances took precedence over the complainant’s rights and freedoms as a data subject. On the issue of whether the controller had provided the complainant with notice of the fact that their personal data might be processed through the use of CCTV footage, the Commissioner was satisfied that there had been adequate notice of this by way of the SOP document, which had been acknowledged by the complainant signing the certificate of understanding.

The Commissioner therefore formed the view that the employer had a legal basis for processing the complainant’s personal data contained in the CCTV footage under Section 2A(1)(d) of the Data Protection Acts 1988 and 2003.

This case demonstrates that the legal basis of legitimate interests will only be available to justify the processing of personal data where, in balancing the respective legitimate interests of the controller against the rights and freedoms of the data subject, the particular circumstances of the case are clearly weighted in favour of prioritising the legitimate interests of the controller. It is essential, in order to justify reliance on this legal basis, that the processing in question is proportionate and necessary to the pursuit of the legitimate interests of the controller.

5)   Disclosure of sensitive personal data by a hospital to a third party.

We received a complaint concerning the alleged unauthorised disclosure of a patient’s sensitive personal data by a hospital to a third party. The complainant had attended the hospital for medical procedures and informed us that the medical reports for these procedures were received at their home address in an envelope that had no postage stamp. The envelope had a hand-written address on it which included the name of a General Practitioner (GP) and also included the home address of the complainant’s neighbour. A hand-written amendment had been made to the address, stating that it was the wrong address. The complainant informed us that they had made enquiries with their neighbour in relation to the correspondence and the neighbour had stated that they had received the correspondence a number of days prior but that it had not been delivered by a postman. The neighbour further advised the complainant that they had opened the envelope and viewed the contents in an effort to locate the correct recipient/address.

Following the initial complaint, the complainant provided us with correspondence which they subsequently received from the hospital apologising that correspondence containing the complainant’s medical results had been inadvertently sent to the wrong address. The hospital indicated that this appeared to have been due to a clerical error confusing part of the GP’s address and part of the complainant’s address. We commenced an investigation to establish how the error had happened, what procedures the hospital had in place at the time and what the hospital since had done to avoid repetition of this incident.

The hospital informed us that their normal procedure is to issue medical reports in batches to the relevant GP so that multiple sets of medical reports for different patients are placed in a windowed envelope, which shows the relevant GP’s address in the window. In this case, however, the medical report was put in a non-windowed envelope and the address was hand-written on the front. In doing so, the staff member who had addressed the envelope manually erroneously intermixed the GP’s name, part of the GP’s address and part of the complainant’s address on the envelope. The hospital also informed us that the envelopes containing results to be dispatched to GPs are franked by the hospital post room. However, in this case, because the envelope containing the complainant’s medical information was not franked, the hospital concluded that it was unlikely that it had been sent out directly from their post room and indicated that it could have been sent on via the relevant GP, although they acknowledged that they could not be certain about this. We were unable to establish during the course of the investigation the precise manner in which the envelope containing the complainant’s medical reports came to be delivered to the complainant’s neighbour’s house. The hospital informed us that administrative staff had since been briefed on the correct procedure for issuing medical reports and that non-windowed envelopes would no longer be used for this purpose.

The complainant rejected the apology from the hospital made by way of an offer of amicable resolution and instead requested a formal decision from the Commissioner. In her decision, the Commissioner found that the hospital had contravened Section 2(1)(b) (requirement to keep personal data accurate, complete and up to date), Section 2(1)(d) (requirement to take appropriate security measures) and Section 2B(1) (requirement for a legal basis for processing sensitive personal data) of the Data Protection Acts 1988 and 2003 when it processed the complainant’s sensitive personal data by way of disclosing their personal data inadvertently to a third party.

This case illustrates how a seemingly innocuous deviation by a single staff member from a standard procedure for issuing correspondence can have significant consequences for the data subject concerned. In this case, highly personal medical information was accessed by a third party in circumstances which were entirely avoidable. If the hospital had had in place appropriate quality control and oversight mechanisms to ensure that all staff members rigidly adhere to its standard procedures, it is unlikely that this unauthorised disclosure of sensitive personal data would have occurred.

6)   Publication of personal information - journalistic exemption.

We received a complaint concerning an article published in the Sunday World (in both newspaper and online news forms) which named the complainant and published their photograph. The focus of the article was official complaints made by Irish prisoners under the Prisons Act 2007 concerning their treatment in prison (known as “Category A” complaints) and it included details of the number of “Category A” complaints which had been made by the complainant. It was alleged by the complainant that the Sunday World had gained unauthorised access to their personal data from the Irish Prison Service.

The complainant provided us with a letter which they had written to the editor of the Sunday World asserting that the information contained in the article was inaccurate and violated their right to privacy and requesting that the link to the online article be removed. We were also provided with a previous decision of the Press Ombudsman which dealt with various alleged breaches of the Code of Practice of the Press Council of Ireland (the Code) by the Sunday World, including allegations of breaches arising from the article in question. The Press Ombudsman had decided that there had been a breach of Principle 5 of the Code concerning privacy and that the article could have been written without publishing the complainant’s name or photograph. The position taken by the Press Ombudsman was that as “Category A” complaints are not part of the public record, the complainant’s reasonable expectation of privacy had been breached by the publication of their name and photograph.

In the course of our investigation we queried with the Sunday World why it had not removed the online version of the article from its website in light of the Press Ombudsman’s decision and in light of the complainant’s written request to do so. We also queried how the Sunday World had obtained the complainant’s personal data. In its response, the Sunday World stated its position that the publication was in the public interest as it related to the regimes of care and management of inmates as well as staff of prisons. It also contended that the article had highlighted how the [complaint] system was being deliberately over-used and abused. The Sunday World informed us that the online version of the article had been removed upon receiving the formal request from the complainant. However, the Sunday World relied on the journalistic exemption provision under Section 22A of the Data Protection Acts 1988 & 2003 (the Acts) in relation to the obtaining of the information in relation to the “Category A” complaints and the complainant’s personal data.

The Commissioner issued a formal decision in relation to the complaint and specifically in relation to the application of the Section 22A exemption. The rationale behind the exemption in Section 22A is to reconcile the protection of privacy and freedom of expression. Following the entry into force of the Lisbon Treaty, data protection acquired the status of a fundamental right. The right to freedom of expression is also a fundamental right. Both rights are also recognised in the European Convention on Human Rights, and also referred to in the EU’s Data Protection Directive 95/46/EC which is given effect in Irish law through the Acts.

Section 22A of the Acts specifies that personal data that is processed only for journalistic purposes shall be exempt from compliance with certain provisions of that legislation (including the requirement to have a legal basis for processing the personal data) provided that three cumulative criteria are met. Under Section 22A(1)(b), one of these three criteria is that the data controller, in this instance the Sunday World, must reasonably believe that, having regard in particular to the special importance of the public interest in freedom of expression, such processing (in this case by way of publication in the newspaper) would be in the public interest. The Sunday World claimed that the purpose of the article in question was essentially to highlight what it perceived to be an abuse of process within the Irish Prison Service. In her decision, the Commissioner found that it was not reasonable for the data controller to believe that the processing of the complainant’s personal data by publishing their name and photograph would be in the public interest in achieving the stated objective of the Sunday World. It was the view of the Commissioner that the special importance of freedom of expression could have been satisfied had the journalist in question used other means to reach the desired objective, for example by using statistics on the number of prisoners making ‘Category A’ complaints, and that the public interest had been neither enhanced nor diminished by identifying the complainant by means of their name and photograph. As one criterion out of the three cumulative criteria for the application of the journalistic exemption under Section 22A of the Acts had not been satisfied, the Commissioner found that it was not necessary to consider the remaining two criteria.

As the data controller was unable to rely on Section 22A of the Acts as an exemption from the requirement to have a legal basis for processing by publishing the complainant’s personal data, the Commissioner in her decision then went on to consider whether there was in fact such a basis for the processing. While the Commissioner considered that the Sunday World had a legitimate interest in obtaining and processing statistical information in relation to ‘Category A’ complaints for the purpose of research for the article in question, she considered that the Sunday World had contravened Section 2(1)(c)(iii) by further processing the complainant’s personal data, through publishing it. This contravention arose as the processing of the data by publication was excessive and unnecessary for the purpose of the point being made by the Sunday World in the article, i.e. that the system was being abused.

This case illustrates that the journalistic exemption under Section 22A of the Acts is not a blanket exemption that can be routinely relied on by publishers or journalists seeking to justify publishing unnecessary personal data. The mere existence of a published article is not sufficient to come within the scope of this exemption and instead a data controller must be able to demonstrate that they satisfy all three cumulative criteria in this section, as follows:

(i) the processing is undertaken solely with a view to the publication of journalistic, literary or artistic material;

(ii) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest; and

(iii) the data controller reasonably believes that, in all the circumstances, having to comply with the relevant requirement of the Acts would be incompatible with journalistic, artistic or literary purposes.

7)   Compliance with a Subject Access Request & Disclosure of personal data / capture of images using CCTV

We received a complaint from an individual employed as a service engineer by a company, which was contracted to provide certain services to a company which was the operator of a toll plaza (the Toll Company). The complainant alleged, amongst other things, that the Toll Company had disclosed the complainant’s personal data (consisting of an audio recording and CCTV footage of a conversation between the complainant and an individual operating a tollbooth at the toll plaza) to the complainant’s employer without the complainant’s knowledge or consent.

During our investigation we established that an incident had occurred involving the complainant resulting in a request being made by the Toll Company to the complainant’s employers that the complainant was not to attend the toll plaza premises again in his capacity as a service engineer. We established that the incident in question involved a dispute at a tollbooth between the complainant and an individual operating the tollbooth, over the price of the toll which the complainant was charged. The Toll Company alleged that during the incident in question (which had been captured on CCTV and by audio recording) the complainant had threatened to “bring down” the toll plaza system. The complainant’s employer had confirmed that it would comply with the Toll Company’s request that the complainant not attend the toll plaza premises again and the Toll Company confirmed to us that at that point it had considered the matter to be concluded. However, approximately two months after the incident had occurred, the complainant’s employers had requested the CCTV footage and audio recording of the alleged incident, which the Toll Company then provided to the employer. It was contended by the Toll Company that it was in its legitimate interests to process the complainant’s personal data as a threat to it had been made by the complainant and that one of its employees had reported the threat to the Gardaí, who had been called to the toll plaza by the complainant at the time of the incident. The Toll Company also claimed that Sections 8(b) and 8(d) of the Data Protection Acts 1988 and 2003 (the Acts) allowed for this processing of the complainant’s personal data as the processing was necessary to prevent damage to the Toll Company’s property. The Company stated that the personal data of the complainant (the CCTV footage and audio recording) had been sent to the complainant’s employer two months after the incident as it had not been requested by the employer prior to that.

As part of our investigation, we noted that signs at the tollbooth notified the public that there was CCTV in operation. We also examined the Toll Company’s data protection policy which was available on its website and which stated that all vehicles using the toll plaza in question are photographed/video recorded and that images are retained for enforcement purposes and to address and resolve any disputes that may arise in relation to a vehicle or account.

In her decision, the Commissioner considered the Toll Company’s purported reliance on pursuit of its legitimate interests as the legal basis under Section 2A(1)(d) of the Acts for the processing. Taking account of the two-month period which had elapsed between the incident in question and the request for the CCTV footage and audio recording being made by the employer, and also having regard to the confirmation of the Toll Company that (prior to receiving the employer’s request for the CCTV footage and audio recording) it had considered the incident to be concluded, the Commissioner decided that this legal basis could not be relied upon for the processing of the personal data. Consequently, a contravention of Section 2A(1) occurred as there had been no other legal basis (e.g. the consent of the complainant) for the processing of his personal data by disclosing it to his employer. The Commissioner also found that adequate notice of the processing of the personal data had not been given to the complainant, as it was not apparent from the data protection privacy policy or indeed the public signs at the tollbooth what the extent of the processing was or that audio recording was in operation, nor was it stated who the data controller was. Consequently the Toll Company had contravened Section 2D(1) arising from this lack of transparency. Finally, the Commissioner also found that Section 2(1)(c)(ii) of the Acts had been contravened because further processing of the complainant’s personal data had occurred for a purpose (sharing it with the complainant’s employer) which was incompatible with the original purpose for its collection (enforcement purposes and resolving

This case is indicative of a common trend amongst data controllers to seek to rely on legitimate interests as the legal basis for processing personal data as something of a catch-all to cover a situation where personal data has been processed reactively and without proper consideration having been given in advance as to whether it is legitimate to carry out the processing. However, as this case illustrates, a data controller must be able to provide evidence to support their assertion as to the legitimate interest relied on. Here, the passage of time since the incident and the fact that the data controller of its own admission considered that the matter had been concluded contradicted the purported reliance on this legal basis. This case also underscores the principle of the foreseeability of processing of personal data as an important element of the overarching principle of fair processing in data protection. At its core this means that a data subject should not be taken by surprise at the nature, extent or manner of the processing of their personal data.

8)   Failure to respond fully to an access request.

We received a complaint that an educational organisation had not fully complied with an access request submitted to it by the complainant, who was an employee of that organisation. The complainant informed us that in the access request they had specifically sought CCTV footage from the educational organisation’s premises for a 4-hour period during which the complainant had allegedly been assaulted by another employee. The complainant informed us that although there were 8 cameras on the premises, in response to their access request they only received an 11-second clip from the CCTV footage for the premises which ended just as the alleged assault came into view. The complainant told us that they had queried the limited amount of CCTV footage and reminded the educational organisation that the access request had been in respect of all footage within that 4-hour period. However, the educational organisation’s response had been that this query would be treated as a new access request. The complainant considered that the CCTV footage had been intentionally withheld and that this approach had been adopted as a delaying tactic so that the CCTV footage would ultimately not have to be released on the grounds that it had been lost or was no longer retained.

In the course of our investigation, we established that the complainant had made a subject access request to the educational organisation which had accepted it as a valid request. The educational organisation’s position was that it understood the complainant’s request to relate to footage of the incident in question only. However, the educational organisation acknowledged that the complainant would have been captured by other CCTV cameras for which the CCTV footage had not been provided. On this basis, we established that, as of the date of the complainant’s access request, additional personal data existed in the form of further CCTV footage which had not been provided to the data subject. The educational organisation informed us that as the CCTV was only retained for 28 days, by the time that the complainant had come back to query the limited amount of CCTV footage received in response to the access request, the additional CCTV footage had been subsequently overwritten without being retained for release to the complainant.

In her decision the Commissioner noted that it was clear that in the complainant’s access request the complainant was specifically seeking access to CCTV footage over a four-hour period and that having received the initial request, the educational organisation should have preserved the footage for that date and sought to clarify with the complainant what CCTV footage exactly they were seeking rather than unilaterally determining that issue itself. The educational organisation therefore contravened Section 4 of the Data Protection Acts 1988 and 2003 in failing to provide the complainant with all of their personal data within the statutory 40-day period.

This case clearly illustrates the position of the DPC which is that upon receipt of an access request relating to CCTV footage from a specific day, a data controller is obliged to preserve any such footage from that day pending resolution of the access request. This obligation applies irrespective of whether any such footage may be ordinarily subject to deletion (whether automated or not) after certain timeframes under the provisions of the data controller’s retention policy. Where a data controller considers that further clarification should be sought from the data subject as to the scope of the personal data requested, that requirement for clarification should not be interpreted as if the access request had not yet been made, as to do so could undermine the data subject’s right to access their personal data or enable a data controller to circumvent its obligations in respect of the access request.
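The preservation obligation described above maps onto a concrete control in a CCTV retention system: the access request places a hold on the whole day requested, routine deletion skips held footage, and a later clarification of scope narrows what is released without restarting the response clock. The Python below is an added illustration, not the DPC's text or any organisation's actual system; the class and function names are hypothetical, and the 28-day retention and 40-day response figures are the ones stated in the case.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Figures taken from the case: footage kept for 28 days; 40 days to answer a request.
RETENTION_DAYS = 28
STATUTORY_RESPONSE_DAYS = 40


@dataclass(frozen=True)
class Clip:
    """One stored recording. Whole-hour clips are a constructed simplification."""
    camera: str
    recorded_on: date
    start_hour: int
    end_hour: int


@dataclass
class AccessRequest:
    request_id: str
    received_on: date                    # fixed on receipt; a clarification is not a new request
    footage_date: date
    cameras: Optional[frozenset] = None  # None = all cameras until scope is clarified
    hours: Optional[tuple] = None        # (start, end) or None = whole day
    resolved: bool = False


@dataclass
class CctvStore:
    clips: set = field(default_factory=set)
    requests: dict = field(default_factory=dict)

    def add_clip(self, clip: Clip) -> None:
        self.clips.add(clip)

    def receive_access_request(self, request_id, received_on, footage_date) -> AccessRequest:
        # The hold attaches to the whole day requested, not to whichever clip the
        # controller guesses is relevant; scope is narrowed later via clarify_scope().
        req = AccessRequest(request_id, received_on, footage_date)
        self.requests[request_id] = req
        return req

    def clarify_scope(self, request_id, cameras=None, hours=None) -> date:
        # Narrows what will be released but keeps received_on unchanged, so asking
        # the data subject a question does not restart the 40-day period.
        req = self.requests[request_id]
        req.cameras = frozenset(cameras) if cameras else None
        req.hours = hours
        return self.response_due(request_id)

    def response_due(self, request_id) -> date:
        return self.requests[request_id].received_on + timedelta(days=STATUTORY_RESPONSE_DAYS)

    def held_dates(self) -> set:
        return {r.footage_date for r in self.requests.values() if not r.resolved}

    def purge(self, today: date) -> set:
        # Routine retention run: deletes clips older than RETENTION_DAYS unless the
        # day they were recorded on is under hold for an unresolved access request.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        held = self.held_dates()
        expired = {c for c in self.clips
                   if c.recorded_on <= cutoff and c.recorded_on not in held}
        self.clips -= expired
        return expired

    def footage_for_request(self, request_id) -> list:
        req = self.requests[request_id]
        out = []
        for c in self.clips:
            if c.recorded_on != req.footage_date:
                continue
            if req.cameras is not None and c.camera not in req.cameras:
                continue
            if req.hours is not None and not (c.start_hour < req.hours[1] and c.end_hour > req.hours[0]):
                continue
            out.append(c)
        return sorted(out, key=lambda c: (c.camera, c.start_hour))

    def resolve(self, request_id) -> None:
        # Once the request is answered the hold lapses and normal retention applies again.
        self.requests[request_id].resolved = True


def build_demo_store() -> CctvStore:
    # Constructed data: eight cameras, hourly clips 09:00-13:00, for the incident day and the day before.
    store = CctvStore()
    for day in (date(2017, 2, 28), date(2017, 3, 1)):
        for cam in range(1, 9):
            for hour in range(9, 13):
                store.add_clip(Clip(f"cam{cam}", day, hour, hour + 1))
    return store


def run_demo() -> dict:
    # Request received four days after the incident; purge runs at day 29 and again after resolution.
    store = build_demo_store()
    store.receive_access_request("SAR-1", date(2017, 3, 5), date(2017, 3, 1))
    results = {"due": store.response_due("SAR-1").isoformat()}
    results["purged_before_resolution"] = len(store.purge(date(2017, 3, 30)))   # only 28 Feb goes
    results["held_clips"] = len(store.footage_for_request("SAR-1"))             # all 32 incident-day clips survive
    results["due_after_clarification"] = store.clarify_scope("SAR-1", cameras={"cam3"}, hours=(9, 13)).isoformat()
    results["clips_released"] = len(store.footage_for_request("SAR-1"))
    store.resolve("SAR-1")
    results["purged_after_resolution"] = len(store.purge(date(2017, 4, 11)))
    results["remaining"] = len(store.clips)
    return results
```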

9)   Personal data of a third party withheld from an access request made by the parent of a minor

We received a complaint from an individual who had submitted an access request to a sports club for the personal data of their minor child, for whom the parent was the joint legal guardian. Following intervention from this office, the complainant had received personal data relating to their child from the sports club which was contained in an application for membership of the sports club which had been submitted to the sports club on behalf of the child. However, certain information had been redacted from that application form, namely the names of the persons who were submitted to the sports club as emergency contacts for the child, the signature of the person who consented to images of the child being used on digital media by the sports club and the address of the minor. The complainant asserted that the third-party details and the address were all the personal data of their child and that the complainant as the joint legal guardian was therefore entitled to access to it. The sports club’s position was that there was no express provision within Section 4 of the Data Protection Acts 1988 and 2003 (the Acts), which relates to the right of access, which allows a person access to another party’s personal data without their consent. The sports club had also checked with the third parties whose personal data was the subject of the redactions on the application form as to whether they consented to the release of the data to the complainant but they had refused to give their consent.

Section 4(4) of the Acts, which precludes the release of third party data without that party’s consent, was brought to the attention of the complainant. However, the complainant put forward the argument that because the information requested pertained to matters concerning the minor’s welfare and that because the third party was the legal representative of that minor, this rendered the data to be the child’s personal data. We outlined the definition of personal data to the complainant and highlighted case law which has established that an individual’s name represents the personal data of that individual. The complainant was also advised that the address of their child could not be provided without also providing the personal data of a third party and therefore the complainant had no right of access to it.

The complainant sought a decision on their complaint from the Commissioner. In her decision, the Commissioner pointed out that taking account of Section 8(h) of the Acts (which lifts restrictions on the processing of personal data where the processing is made with the consent of the data subject or a person acting on their behalf), her office’s position is that a parent or legal guardian of a young child has an entitlement to exercise the right of access on that child’s behalf. However, in this case as the child in question could not be identified by the names of third parties who were listed as emergency contacts with the sports club, the information to which the complainant sought access was not the personal data of the complainant’s child. The Commissioner in her decision pointed out that if the complainant’s logic were to be followed and an emergency contact were deemed the personal data of a third party, an adult who has listed another adult as an emergency contact would have the right of access over that third party’s name, telephone number, address, etc. The Commissioner found that no contravention of the Acts had occurred in relation to the redactions made to documents which had been released by the sports club on foot of the access request.

This case illustrates that irrespective of the relationship, dependency or connection between two parties, the name of a third party cannot be deemed to be the personal data of a data subject. As highlighted in the Commissioner’s decision, to do so would deprive that third party of control over their own personal data and allow another individual to exercise data subject rights, including the right of access, over the personal data of the third party. Such an outcome would run contrary to the core principle of data protection which is that each data subject has the right to determine the use of their own personal data. However, it is important to distinguish this principle from the limited circumstances in which the rights of a data subject may be lawfully exercised by another person who is permitted to do so on their behalf. Even where data subject rights may be exercised by a third party (such as the parent of a young minor child) this does not render the personal data of the data subject to be the personal data of the third party who is authorised to exercise the data subject’s rights on their behalf.

10)   Disclosure of Personal Data via a Social Media App.

We received complaints from two individuals who each claimed that their personal data had been unlawfully disclosed when it was broadcast on “Snapchat”, an instant messaging and multimedia mobile application.

The complainants, who were friends, informed us that they had each submitted their CV with a cover letter to a particular retailer, in person, by way of application for employment with that retailer. The applications had been made by the complainants on the same day and had been received by the same employee of the retailer. Later on the same day the complainants had learned from a third party that a photograph showing both cover letters was appearing on “Snapchat” with a message drawing attention to similarities in the cover letters. It was the complainants’ common understanding that the employee of the retailer to whom they had submitted their CVs had taken this photograph and posted it to “Snapchat”.

During the course of our investigation of these complaints, we established that the employee of the retailer to whom the complainants had handed their CVs and cover letters had been recently notified by the retailer of the termination of their employment. Contrary to the retailer’s policy and the terms of their contract of employment, the employee had a mobile phone on their person during work hours and had used it to take a photograph of both the cover letters and to post it to “Snapchat”. The retailer informed our investigators that the employee was aware that this action was contrary to their contract of employment and the actions of the employee were done in circumstances where the employee was about to leave their employment. The retailer insisted that, in this instance, there was nothing further it could have done to prevent this incident from occurring.

In her decision the Commissioner found that the retailer, as the data controller for the complainants’ personal data, had contravened Section 2A(1) of the Data Protection Acts 1988 and 2003 as the processing of the complainants’ personal data, by way of the taking and posting of the photograph by the retailer’s employee, was incompatible with the purposes for which it had been provided to the retailer by the complainants.

The case should serve as a cautionary reminder to data controllers that as a general principle under data protection law, they are responsible for the actions of their employees in connection with the processing of personal data for which they are the data controller. The motive of an employee or the deliberate or accidental nature of the actions which they have undertaken in relation to personal data does not absolve data controllers of such responsibility. Data controllers have an obligation to ensure that their employees comply with data protection law in relation to the personal data which they hold, irrespective of whether it is the employee’s first or last day of employment with the data controller. Indeed this obligation will continue even after an employee leaves a data controller’s employment if that employee can still access the personal data controlled by their former employer.

11)   Failure by the Department of Justice and Equality to impose the correct access restrictions on access to medical data of an employee

We received a complaint from an individual concerning an alleged disclosure of their sensitive personal data by the Department of Justice & Equality (the Department). It was claimed by the complainant, who was an employee of the Department, that a report containing information on the complainant’s health had been uploaded to a general departmental open document management database in 2012 and that the report had remained on that database for up to three years where it could be accessed by approximately 80 employees. The complainant informed us that they had been notified of the accessibility of the report on the database by a colleague. The complainant told us that they had requested an explanation from the Department as to why the report had been placed on an open database but had not received official confirmation that the report had since been removed.

We commenced an investigation into the complaint. The Department confirmed that notes relating to a discussion which had taken place between the complainant and their line manager in 2012 (which included a note concerning the complainant’s health) had been stored to the database in question and marked private. However, the line manager had inadvertently omitted to restrict access to the document, with the result that it could be accessed by approximately 80 staff members from the Department. The Department informed us that the document had been removed from the database in question some 3 years after having been saved to it. As the line manager in question had since left the Department, it had been unable to establish exactly why the document had been saved there in the first place but claimed that it was due to human error. The Department was also unable to establish how many staff had actually accessed the document during the 3-year period in which it was accessible as the Department’s IT section had been unable to restore the historic data in question.

The Department made an offer, by way of amicable resolution, to write to the complainant confirming that the document in question had been removed from the database and apologising for any distress caused. The complainant chose not to accept this offer and instead sought a formal decision of the Commissioner. In her decision, the Commissioner concluded that the Department had contravened Section 2A(1) and 2B(1) of the Data Protection Acts 1988 & 2003 by processing the complainant’s sensitive personal data without the required consent or another valid legal basis for doing so and by disclosing the complainant’s sensitive personal data to at least one third party. These contraventions had occurred by way of the placing of a confidential document containing details of the complainant’s health on an open database where it appeared to have remained accessible for 3 years and had been accessed by at least one co-worker.

This case is a stark illustration of the consequences for a data subject, and the general distress, which can be caused where the data controller fails to ensure that its staff have adhered to, and continue to adhere to, proper document management protocols for documents containing personal data and, moreover, sensitive personal data. While the controller in question was unable to identify how many times and by how many different staff members the document in question had been accessed during the 3-year period when it was accessible to approximately 80 staff members, the potential for further and continuing interference with the data subject’s fundamental rights and freedoms remained throughout this period. Had the controller in this case had adequate regular audit and review measures in place for evaluating the appropriateness of documents stored to open access databases, the presence of this confidential document would have been detected much sooner than actually occurred. Further, had the Department an adequate system of training and ensuring awareness by staff managers of basic data protection rules in place, this issue may not have arisen in the first instance.

12)   Virgin Media Ireland Limited.

We received a complaint in May 2016 from an individual who had received unsolicited marketing telephone calls from Virgin Media Ireland Limited in March and in May 2016 after she had previously asked the company not to call her again. The complainant is a customer of Virgin Media Ireland Limited and she informed us that the calls promoted Virgin Media products. She advised us that when the company first called her in January 2016 she had asked that her details be placed on the “Do Not Call” list as she did not wish to receive any further marketing calls. She stated that when the company called her again in March 2016 she repeated that she wanted her details to be placed on the “Do Not Call” list but despite her two requests she had received a further unsolicited marketing telephone call to her mobile phone on 27 May 2016.

During our investigation of this complaint, Virgin Media Ireland Limited informed us that due to human error the complainant’s account was not updated correctly to record the “Do Not Call” requests. The company advised us that a review had been conducted on all “Do Not Call” requests handled by the team in question for the period from January 2016 to July 2016 to ensure that all opt-out requests had been completed correctly. It confirmed that the complainant’s details had been removed from the marketing database and it apologised for any inconvenience caused to her.

Prior to September 2015 Virgin Media Ireland Limited traded under the name UPC Communications Ireland Limited. That company had previously been prosecuted, convicted and fined in March 2011 and in April 2010 for twenty similar marketing offences involving telephone calls to subscribers who had not consented to the receipt of such marketing calls. The Data Protection Commissioner therefore decided to prosecute Virgin Media Ireland Limited in respect of the offences identified following the investigation of the latest complaint.

At Dublin Metropolitan District Court on 3 July 2017, Virgin Media Ireland Limited pleaded guilty to two charges of making unsolicited marketing telephone calls to its customer after she notified the company that she did not wish to receive such calls. The Court convicted the company on both charges and it imposed fines of €1,500 and €1,000 respectively on the charges. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

13)   Sheldon Investments Limited (trading as River Medical)

In September 2015 we received a complaint against Sheldon Investments Limited, trading as River Medical, from an individual who had received unsolicited marketing emails to which he had not consented and which were subsequent to his attempts to opt out of such emails. In making his complaint, the individual explained that he had previously had a consultation with River Medical during which he was obliged to complete a form. He stated that when completing the form he expressly stated that he did not wish to receive any marketing emails from them. He subsequently received a marketing email from River Medical in April 2015 and he replied to the email with a request that his address be removed from their marketing list immediately. He received confirmation two days later that his contact details were removed. Despite this, he received a further unsolicited marketing email from River Medical in September 2015 which prompted him to submit a complaint to the Data Protection Commissioner.

During our investigation of this complaint, River Medical told us that the failure to respect the complainant’s opt-out request was due to human error. It explained that it had made his file ‘inactive’ on receipt of his opt-out request, but it did not realise that it needed to manually delete his file in order to prohibit the sending of further marketing material to him. It assured us that on foot of our investigation of the complaint, the individual’s email address had been deleted from its systems. We concluded the investigation of that complaint in December 2015 with a warning to the company that it would likely be prosecuted if it committed any further offences under the marketing regulations.

One year later, in December 2016, the individual submitted a new complaint after he received a further unsolicited marketing email from River Medical. We investigated this complaint and we were informed once again that the latest infringement had been caused by human error in the selection of an incorrect mailing list on Newsweaver, the system used by the company to issue emails. The company apologised for the incident.

As we had previously issued a warning to the company, the Data Protection Commissioner decided to prosecute it in respect of the two unsolicited marketing emails issued in December 2016 and in September 2015. At Dublin Metropolitan District Court on 3 July 2017, Sheldon Investments Ireland Limited pleaded guilty to two charges of sending unsolicited marketing emails without consent. The Court sought the payment of €800 in the form of a charitable donation to Focus Ireland and it adjourned the matter. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charges.

14)   Tumsteed Unlimited Company (trading as EZ Living Furniture)

In June 2016 we received a complaint from an individual who received unsolicited marketing text messages from EZ Living Furniture despite having, on three previous occasions, requested them to stop. The complainant informed us that she had made a purchase from the company in the past.

As part of our investigation of this complaint, we asked EZ Living Furniture to show us evidence of the consent of the complainant to receive marketing text messages in the first instance. We also sought an explanation as to why her requests to opt out had not been actioned.

In response to our investigation, EZ Living Furniture stated that, in respect of marketing consent, customers sign into the company’s terms and conditions printed on the back of receipts. It drew our attention to one of the terms and conditions to the effect that customer information will be retained by the EZ Living marketing department and will be added to its database to be used for mailing lists and text messages. In relation to the complainant’s opt out requests not being complied with, EZ Living Furniture explained that there had been a changeover of service providers and the new service provider had a different method for opting out. It claimed that it was totally unaware that the opt-out facility was not working until it received our investigation letter. It assured us that the opt-out issue had now been resolved and it said that it had sent an apology to the complainant. In our response to EZ Living Furniture, we advised it, in relation to customer consent, that while it was relying on terms and conditions of sale, it was in fact obliged by law to provide its customers with an opportunity to opt out of receiving marketing communications at the point of collection of their personal data. We pointed out that, in practice, this means that customers must be provided with an opt-out box for them to tick in order to opt out of marketing, if that is their wish. In a subsequent reply, the company informed us that it had examined the matter further and that it had decided to introduce a stamp that would be placed on the sales docket to provide a checkbox to allow customers to opt out of receiving marketing emails and text messages.

The Data Protection Commissioner had previously issued a warning to EZ Living Furniture in April 2015 following the investigation of a complaint from a different individual in relation to sending her unsolicited marketing text messages without consent. Consequently, the Data Protection Commissioner decided to prosecute the company in respect of the offences which came to light arising from the latest complaint.

At Galway District Court on 4 July 2017, Tumsteed Unlimited Company, trading as EZ Living Furniture, pleaded guilty to two charges of sending unsolicited marketing text messages without consent. The Court convicted the company and it imposed fines of €500 on each of the two charges. The company agreed to make a contribution towards the prosecution costs of the Data Protection Commissioner.

15) Cunniffe Electric Limited

In December 2016 an individual complained to us that he had recently received unsolicited marketing text messages from Cunniffe Electric Limited of Galway Shopping Centre despite the fact that he had been advised previously on foot of an earlier complaint to us that his mobile phone number had been removed from its marketing database. In early 2015 we had received the complainant’s first complaint in which he informed us that he had given his mobile phone number some years ago to Cunniffe Electric Limited to facilitate the delivery of an electrical appliance which he had purchased from the company. He stated that he did not give the company consent to use his mobile phone number for marketing purposes.

Following our investigation of the first complaint, we received confirmation from Cunniffe Electric Limited that the complainant’s mobile phone number had been removed from its marketing database. We concluded that complaint by issuing a warning to the company that it would likely face prosecution if it breached the marketing regulations again.

On receipt of the complainant’s second complaint, we commenced a new investigation in which we sought from Cunniffe Electric Limited an explanation for the sending of the latest marketing text messages in circumstances where we were previously informed that the complainant’s mobile phone number had been removed from its marketing database. In response, the company admitted that it did not have the consent of the complainant to send him marketing text messages. It said that his mobile number was not on its database but it appeared that there was an error on the part of the service provider that it was using to send marketing text messages and that this error arose from transition issues when the service provider was acquired by another company. It apologised for the inconvenience caused to the complainant.

As the company had previously received a warning, the Data Protection Commissioner decided to prosecute it in relation to the most recent offences. At Galway District Court on 4 July 2017, Cunniffe Electric Limited entered a guilty plea for the sending of an unsolicited marketing text message without consent. In lieu of a conviction and fine, the Court asked the company to make a contribution of €500 to the Court Poor Box and it then struck out the charges. The company agreed to make a contribution towards the prosecution costs of the Data Protection Commissioner.

16)   Argos Distributors (Ireland) Limited

Five individuals lodged complaints with us between December 2016 and February 2017 arising from difficulties they were experiencing in opting out of email marketing communications from Argos Distributors (Ireland) Limited. The complainants had supplied their email addresses in the context of making online purchases and they had not opted out of marketing communications at that point. However, when they subsequently attempted to opt out on receipt of marketing emails, the ‘unsubscribe’ system failed. Some complainants subsequently followed up by email to the company seeking to have their email addresses removed from the marketing database and they received responses by email to inform them that their requests had been actioned. However, they continued to receive further email marketing from Argos Distributors (Ireland) Limited.

In response to our investigation, the company acknowledged that its ‘unsubscribe’ system was not working properly for a period of time. It also discovered an issue in processing ‘unsubscribe’ requests for customers based in Ireland. It found that requests from Irish customers were being added to the ‘unsubscribe’ list for UK marketing. In all cases, it confirmed that the opt-out requests of the individuals concerned were now properly processed.

As the company had been warned previously in 2013 following the investigation of a similar complaint of a breach of the marketing regulations, the Data Protection Commissioner decided to prosecute it in relation to these offences. At Navan District Court on 14 July 2017, Argos Distributors (Ireland) Limited pleaded guilty to five charges of sending unsolicited marketing emails to five individuals without consent. In lieu of a conviction and fine, the Court ordered the defendant to contribute €5,000 to a charity of the Court’s choosing. The defendant agreed to pay the prosecution costs incurred by the Data Protection Commissioner.

17)   Expert Ireland Retail Limited

In October 2016 an individual complained to us about regular marketing text messages which she received from Expert Ireland Retail Limited. She informed us that in August 2014 she purchased a tumble dryer at the Expert Naas store and she stated that she gave her mobile phone number at the point of sale for the sole purpose of arranging the delivery of the appliance. She stated that she was not asked if she wished to receive marketing text messages and she did not request or agree to same. She informed us that she began receiving regular marketing text messages from December 2015 onwards and despite replying by text message on numerous occasions with the opt-out keyword, further text messages continued to arrive on her phone. She advised us that early in October 2016 her husband called to the Expert store in Naas and he asked the staff there to remove her number from their marketing database. Despite this request the complainant received a further marketing text message about two weeks later, prompting her to lodge a complaint with the Data Protection Commissioner.

In response to our investigation, the company claimed that the complainant would have been asked during the course of the sale if they would like to be contacted by text message for marketing purposes. However, it was unable to provide any evidence that the complainant was given an opportunity to opt out of marketing at the point of sale. Furthermore, it admitted that the sending of the first marketing message after a period of over twelve months had expired was an oversight. The company was unable to explain why no action was taken to remove the complainant’s mobile phone number from the marketing database after her husband called to the Naas store.

As the company had previously been issued with a warning in May 2010 on foot of a similar complaint which we received about unsolicited marketing text messages sent to a different former customer of the Expert store in Naas without her consent, the Data Protection Commissioner decided to prosecute this latest complaint. At Mullingar District Court on 13 October 2017, Expert Ireland Retail Limited pleaded guilty to one charge of sending an unsolicited marketing text message to the complainant without her consent. The Court convicted the company and it imposed a fine of €500. The defendant company agreed to pay the legal costs incurred by the Data Protection Commissioner in respect of this prosecution.

  • Prosecution of James Cowley Private Investigator
  • Disclosure of Personal Data to a Third Party in Response to a Subject Access Request
  • Data Breach at Retail and Online Service Provider
  • Prosecution of Yourtel for Marketing Offences
  • Prosecution of Glen Collection Investments Limited and One of its Directors
  • Prosecution of Shop Direct Ireland Limited T/A Littlewoods Ireland for Marketing Offences
  • Further Processing of an Individual's Personal Data in an Incompatible Manner
  • Disclosure of Personal Information to a Third Party by a Data Processor
  • The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry
  • Residential Care Home's Legitimate Use of Audio Recording and Photograph of Data Subject Concerning Allegations of Misconduct
  • Disclosure of Personal Information to a Third Party
  • Failure of a Data Controller to Keep Individual's Personal Information Accurate and Up to Date Which Resulted in the Disclosure of Personal Data to a Third Party
  • Failure by BOI to Properly Verify the Identity of Individual on the Phone Which Resulted in the Disclosure of Personal Information to a Third Party
  • Data Controller Obliged to Demonstrate Effort Made to Locate Data Within the Statutory 40 Day Period
  • Personal Data Withheld from an Access Request by Airbnb on the Basis of an Opinion Given in Confidence
  • Crypto Ransomware Attack on a Primary School
  • Data Breach at an Online Retailer
  • Incorrect Association of an Individual's Personal Details with Another File
  • Prosecution of The Irish Times Limited for Marketing Offences
  • Prosecution of Coopers Marquees Limited for Marketing Offences
  • Prosecution of Robert Lynch T/A The Energy Centre for Marketing Offences
  • Prosecution of Paddy Power Betfair Public Limited Company for Marketing Offences
  • Prosecution of Trailfinders Ireland Limited for Marketing Offences
  • Prosecution of Topaz (Local Fuels) Limited for Marketing Offences
  • Prosecution of Dermaface Limited for Marketing Offences

1)   Prosecution of James Cowley Private Investigator

James Cowley was charged with sixty-one counts of breaches of the Data Protection Acts, 1988 & 2003. All charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. The personal data was kept by the Department of Social Protection. The personal data was disclosed to entities in the insurance sector – the State Claims Agency, Zurich Plc and Allianz Plc.

On 13 June 2016, at Dublin Metropolitan District Court, James Cowley pleaded guilty to thirteen sample charges. He was convicted on the first four charges and the Court imposed a fine of €1,000 in respect of each of these four charges. The remaining nine charges were taken into consideration in the sentence imposed.

The investigation in this case uncovered access by the defendant to social welfare records held on databases in the Department of Social Protection. To access these records, the defendant used a staff contact who was known to him. Mr. Cowley then used the information he obtained for the purposes of compiling private investigator reports for his clients. These activities continued for a number of years up to September 2015 when our investigation team first made contact with him about its concerns in relation to his processing of personal data.

2) Disclosure of Personal Data to a Third Party in Response to a Subject Access Request

An ex-employee of Stobart Air made a complaint in August 2015 to us regarding the unlawful disclosure of their redundancy details to another member of staff following an access request made by that person to the company. The complainant also informed us they had equally received third party personal information in response to a subject access request that they themselves had made to the company in May 2015.

Stobart Air, on commencement of our investigation, confirmed to us that a breach of the complainant’s data had occurred in November 2014. It stated that it had not initially notified the complainant of the breach when it first learned of it because it was unaware of the data protection guidelines, which advise that disclosures be reported to the data subjects involved where the disclosure involves a high risk to the individual’s rights, and that the third party in receipt of the information be asked to destroy or return the data involved.

The complainant in this case declined an offer of amicable resolution and requested a formal decision of the Commissioner. In her decision the Commissioner found that Stobart Air, in including the complainant’s personal data in a letter to ex-employees, had carried out unauthorised processing and disclosure of the complainant’s personal data. This contravened Section 2A(1) of the Data Protection Acts, 1988 and 2003, as the complainant’s personal information was processed without the complainant’s consent or another legal basis under the Data Protection Acts 1988 and 2003 for doing so.

Stobart Air identified itself that it had inadequate training and safeguards around data protection in place which it has since sought to rectify.

In a separate complaint received by the DPC in September 2015, we were notified that Stobart Air had disclosed financial data of a third party to the complainant in response to a subject access request. We proceeded to remind Stobart Air of its obligations as a data controller and Stobart Air identified a number of individuals who had been affected by these issues. Stobart Air subsequently notified all affected third parties of the breach of their personal data. However, in trying to comply by notifying the affected individuals, Stobart Air disclosed the complainant’s data, by divulging the fact that the complainant was the recipient of this data, in a letter notifying the individuals whose data was originally disclosed.

Stobart Air had no legal basis to disclose the complainant’s personal data to the third parties involved, nor did it have the consent of the individual affected. The disclosure of the complainant’s identity to the individuals affected by the original breach was unnecessary in the circumstances and in contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003.

3) Data Breach at Retail and Online Service Provider

In July 2016, we received a breach report from an organisation providing retail and online services.

The organisation was the victim of a “brute force” attack, whereby over a two-week period the attackers tried various username/password combinations, with some combinations successfully being used to gain access to user accounts. When these accounts were accessed, the attackers attempted to withdraw user balances. These withdrawals were enabled by the attacker having the ability to add new payment methods. It was also possible for the attacker to access the personal data associated with the account.

On assessing the breach, we identified that the organisation had deficiencies in the measures it had taken to secure users’ personal data including:

  • Insufficient measures on password policy and user authentication;
  • Insufficient control measures to validate changes to a user’s account; and
  • Insufficient control measures on the retention of dormant user accounts.

We considered that the organisation contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, its users’ personal data.

Recommendations were issued to the organisation that it take steps to mitigate the deficiencies identified or face enforcement action. The organisation subsequently informed us that it had taken the following steps based on our recommendations:

  • Implementation of passwords which require more than one factor
  • Implementation of a comprehensive data retention policy

This case highlights the need for organisations to ensure that they have appropriate technical, organisational and security measures in place to prevent loss of data through “brute force” or password-reuse attacks. In this scenario, the use of appropriate access and authentication controls, such as multifactor authentication, network rate limiting and logon alerts, could have mitigated the risks. Further, poor retention policies provide an “attack vector” for hackers: dormant accounts that are never closed, as used as a means of entry in this breach, remain available to be guessed against long after their owners have stopped watching them.
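As an added example (not the organisation’s or the DPC’s code), the Python below runs three defender-side checks that correspond to the deficiencies listed in this case: a source that fails logins against many accounts over a long window (the two-week, low-and-slow pattern), a successful login to a dormant account, and a payment-method change shortly after such a login. The log format, the thresholds and the LAST_ACTIVITY table are constructed assumptions; the events are sample data, not the breach records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication and account-change events. A real
# deployment would feed these from the application's audit logs.
SAMPLE_LOG = """\
2016-07-01T02:14:05 auth_fail ip=203.0.113.7 user=alice
2016-07-01T02:14:09 auth_fail ip=203.0.113.7 user=bob
2016-07-02T03:01:44 auth_fail ip=203.0.113.7 user=carol
2016-07-03T01:55:12 auth_fail ip=203.0.113.7 user=dave
2016-07-04T04:20:30 auth_fail ip=203.0.113.7 user=erin
2016-07-05T02:47:01 auth_ok   ip=203.0.113.7 user=frank
2016-07-05T02:49:10 payment_method_added ip=203.0.113.7 user=frank
2016-07-05T02:50:02 withdrawal ip=203.0.113.7 user=frank
2016-07-05T09:00:00 auth_ok   ip=198.51.100.2 user=alice
2016-07-05T09:03:00 payment_method_added ip=198.51.100.2 user=alice
"""

# Constructed "last genuine activity" table, the kind of data a retention
# policy would use to close or lock accounts that have gone dormant.
LAST_ACTIVITY = {
    "alice": datetime(2016, 6, 30),
    "frank": datetime(2014, 3, 10),   # untouched for over two years
}


def parse(log):
    """Parse 'TIMESTAMP KIND key=value ...' lines into dicts, oldest first."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": datetime.fromisoformat(parts[0]),
                       "kind": parts[1], **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def spraying_sources(events, window=timedelta(days=14), min_users=5):
    """Source IPs whose failed logins hit >= min_users distinct accounts
    inside any sliding window. A long window catches low-and-slow attempts
    that a per-minute rate limit alone would never see."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_fail":
            fails[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def dormant_logins(events, last_activity, dormant_after=timedelta(days=365)):
    """Successful logins to accounts with no activity for dormant_after, or
    with no recorded activity at all: exactly the accounts a retention policy
    should have closed."""
    return [(e["user"], e["ts"]) for e in events
            if e["kind"] == "auth_ok"
            and (last_activity.get(e["user"]) is None
                 or e["ts"] - last_activity[e["user"]] > dormant_after)]


def risky_account_changes(events, flagged_ips, dormant_users,
                          grace=timedelta(minutes=30)):
    """payment_method_added within `grace` of a login that came from a
    spraying IP or landed on a dormant account. This is the step that turned
    account access into withdrawals in the case above, so it is where a
    second validation (re-authentication, MFA, delay) belongs."""
    last_login = {}
    alerts = []
    for e in events:
        if e["kind"] == "auth_ok":
            last_login[e["user"]] = e
        elif e["kind"] == "payment_method_added":
            login = last_login.get(e["user"])
            if login is None:
                continue
            suspicious = login["ip"] in flagged_ips or e["user"] in dormant_users
            if suspicious and e["ts"] - login["ts"] <= grace:
                alerts.append((e["user"], e["ip"], e["ts"]))
    return alerts


def run(log=SAMPLE_LOG, last_activity=LAST_ACTIVITY):
    """Run all three checks and return their findings together."""
    events = parse(log)
    sources = spraying_sources(events)
    dormant = dormant_logins(events, last_activity)
    changes = risky_account_changes(events, sources, {u for u, _ in dormant})
    return {"spraying_sources": sources,
            "dormant_logins": dormant,
            "risky_account_changes": changes}


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

On the sample data the single source is flagged after five accounts, frank's login is flagged as dormant, and his payment-method change two minutes later is the one alert; alice's change from a clean login on an active account is not.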

4) Prosecution of Yourtel for Marketing Offences

We received a complaint in December 2014 from an individual who received marketing telephone calls from Yourtel Limited, a telephone service provider which entered the Irish market in 2013, after he had instructed the company during a previous call not to call him again. The complainant informed us that the calls related to an offer to switch telephone service providers.

In February 2015 a separate complaint was received on behalf of another individual who received marketing telephone calls from Yourtel Limited after the company had been instructed during a similar marketing call on Christmas Eve 2014 not to call his number again. The marketing calls to this individual also concerned switching telephone service provider.

During our investigation of these complaints Yourtel Limited acknowledged the making of the marketing telephone calls. It claimed that it blocked the telephone numbers from receiving further marketing calls on the occasion of the last call in each case when it was informed by the individuals concerned that they did not wish to be contacted again for marketing purposes. It did not accept in either case that it continued to call the individuals after they had instructed Yourtel Limited not to call them again.

The Data Protection Commissioner decided to prosecute the offences as Yourtel Limited had come to our attention previously in 2014 on foot of a complaint about the making of a marketing telephone call to a telephone number which stood recorded on the National Directory Database (NDD) Opt Out Register. Following the investigation of that complaint, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 (known as the ePrivacy Regulations) at any future time.

At Dublin Metropolitan District Court on 21 January 2016 Yourtel Limited pleaded guilty to two charges of making unsolicited marketing telephone calls after the two individuals it called had notified the company that they did not consent to the receipt of such calls. The Court convicted the company on both charges and it imposed two fines of €2,500 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

5) Prosecution of Glen Collection Investments Limited and One of its Directors

The investigation in this case established that the defendant company obtained access to records held on computer databases in the Department of Social Protection over a lengthy period of time and that a company director used a family relative employed in the Department of Social Protection to access the records. The defendant company had been hired by a Dublin-based firm of solicitors to trace the current addresses of bank customers that the respective banks were interested in pursuing in relation to outstanding debts. Having obtained current address information or confirmed existing addresses of the bank customers concerned from the records held by the Department of Social Protection, the defendant company submitted trace reports containing this information to the firm of solicitors which acted for the banks. The case came to light on foot of a complaint which we received in February 2015 from a customer of AIB bank who alleged that an address associated with him and which was known only to the Department of Social Protection was disclosed by that department to an agent working on behalf of AIB bank.

The Data Protection Commissioner decided to prosecute both the company and the director in question, Mr Michael Ryan. Glen Collection Investments Limited was charged with seventy-six counts of breaches of the Data Protection Acts, 1988 & 2003. Sixty-one charges related to breaches of Section 19(4) of the Data Protection Acts for processing personal data as a data processor while there was no entry recorded for the company in the public register which is maintained by the Data Protection Commissioner under Section 16(2) of the Data Protection Acts. Fifteen charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person.

Mr. Michael Ryan, a director of Glen Collection Investments Limited, was separately charged with seventy-six counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for his part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.

The cases against Glen Collection Investments Limited and its director were called in Tuam District Court in January, May and July of 2016 before the defendants eventually entered guilty pleas on 10 October 2016. While the defendant company was legally represented in court on all occasions, the Court issued a bench warrant for the arrest of the company director, Mr Ryan, on 10 May 2016 after he had twice failed to appear. The bench warrant was executed at Tuam District Court on 10 October, 2016 prior to the commencement of that day’s proceedings.

At Tuam District Court on 10 October 2016 Glen Collection Investments Limited pleaded guilty to twenty-five sample charges – thirteen in relation to offences under Section 22 and twelve in relation to offences under Section 19(4). The company was convicted on the first five counts with the remainder taken into consideration. The court imposed five fines of €500 each. Mr. Ryan pleaded guilty to ten sample charges under Section 29. He was convicted on all ten charges and the court imposed ten fines of €500 each. In summary, the total amount of fines imposed in relation to this prosecution was €7,500.

6) Prosecution of Shop Direct Ireland Limited T/A Littlewoods Ireland for Marketing Offences

In January 2015 we received a complaint against Shop Direct Ireland Limited T/A Littlewoods Ireland from an individual who received an unsolicited marketing email after she opted out of marketing from the company. The individual, who was a customer of Littlewoods Ireland, complained further a few weeks later when she received a marketing email promoting offers for Mother’s Day from Littlewoods Ireland. We had previously issued a warning to Littlewoods Ireland in December 2014 following the investigation of a complaint received from the same complainant with regard to unsolicited marketing emails which she had received after she opted out of receiving marketing. That previous complaint led to an investigation which found that the customer had not been given the opportunity to opt out of marketing from Littlewoods when she opened her account. (She had been given the opportunity to opt out from third party marketing only – an option which she availed of). Arising from our investigation of that complaint, Littlewoods Ireland informed us that the customer’s email address was opted out of direct marketing from 7 March, 2014.

The Data Protection Commissioner decided to prosecute the company. At Dublin Metropolitan District Court on 4 April 2016 Shop Direct Ireland Limited T/A Littlewoods Ireland pleaded guilty to one charge of sending an unsolicited marketing email without consent. The Court ordered the payment of €5,000 in the form of a charitable donation to Pieta House and it adjourned the matter for seven weeks. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charge.

7) Further Processing of an Individual's Personal Data in an Incompatible Manner

An individual submitted a complaint regarding the unfair processing of their personal data. The individual stated that they had received letters from Thornton’s Recycling and Oxigen Environmental respectively explaining that there would be a change-over of refuse collection services from Oxigen Environmental to Thornton’s Recycling within a week of the issuing of the letters. The complainant advised that they had not authorised the transfer of their personal details and had not been previously informed of this transfer of ownership.

We raised the matter with Oxigen Environmental requesting an explanation as to the reason for processing personal data in this manner in light of the data protection requirements of fair obtaining and fair processing of personal data. Oxigen Environmental confirmed that the customer details that were transferred to Thorntons consisted of a name, address and any balance that remained on the customer’s pre-paid account. It advised that no banking details were passed over at any stage. It also alleged that a letter had been sent out to all customers advising them of the transfer and that this letter had been issued before any customer data had been transferred but they were not able to clarify the date on which this allegedly occurred.

Oxigen Environmental indicated that the first and only notification that customers received regarding the transfer of services from Oxigen Environmental to Thorntons Recycling was made by way of two letters, one each from Oxigen Environmental and Thorntons Recycling, contained in the same envelope delivered to customers. The interval between this notification and the transfer of services spanned less than four working days. We considered that this was an insufficient timeframe for customers to consider the change-over and to make alternative arrangements to prevent the further processing of personal data. Whilst the issue of takeovers/mergers is often covered by a company’s contractual terms with its customers, we established that Oxigen Environmental’s terms and conditions and Customer Charter did not cover such issues.

Taking into account the short timeframe that had elapsed between the notification of the transfer of services and the date from which the transfer became effective, our view was that the fair processing requirements under the Acts were not fulfilled. Whilst a proposal for amicable resolution was put forward, we were unable to conclude an amicable resolution of the complaint and a formal decision of the Commissioner issued in July 2016. The Commissioner found Oxigen Environmental to be in contravention of Section 2(1)(a) of the Data Protection Acts 1988 and 2003 in that it unfairly processed personal data without sufficient notice to its customers.

The requirement to provide proper notice of processing to data subjects in accordance with Section 2(1)(a) and Section 2D of the Data Protection Acts 1988 and 2003 is an essential pre-requisite to the lawful processing of personal data. A data subject has the right to be properly informed with adequate notice of a change in the ownership of a business holding his or her personal data, in order to be able to withdraw from the services being provided and prevent the further processing of their personal data (including preventing the transfer to a new owner) and to make alternative arrangements. The issue of what constitutes adequate notice will vary from case to case but in any event it must be at minimum a sufficient period that will allow a data subject to have a meaningful opportunity to consider the changes contemplated and to take steps to exercise their preferences in relation to the proposed changes.

8) Disclosure of Personal Information to a Third Party by a Data Processor

We received a complaint concerning the alleged unauthorised disclosure of the complainant’s personal information by An Post to a third party. The complainant, who had recently been bereaved, informed us that An Post had erroneously issued a valuation statement in respect of a joint savings deposit account that they had previously held with their late partner, to a solicitor acting on behalf of their late partner’s son. The statement contained the complainant’s personal financial data in relation to their joint State Savings account held with the National Treasury Management Agency (NTMA). Prior to making the complaint to this Office, the complainant had received an apology from An Post, on behalf of the NTMA, who acknowledged that the complainant’s personal information had been disclosed in error. However, because the complainant had received very little information as to how the disclosure had occurred they requested that we investigate this matter.

Although the complainant submitted a complaint against An Post, we established in our preliminary investigation that An Post offers products and services on behalf of State Savings, which is the brand name used by the NTMA to describe the range of savings products offered by the NTMA to personal savers. An Post is therefore a "data processor" as defined under the Data Protection Acts 1988 and 2003, as it processes customers’ personal data on behalf of the NTMA. The NTMA is the "data controller" as defined under the Data Protection Acts 1988 and 2003, as it controls the content and use of its customers’ personal data for the purposes of managing their State Savings account.

We commenced an investigation by writing to the NTMA, which did not contest the fact that the complainant’s personal information had been disclosed. The NTMA stated that, having received a full report from its data processor, An Post, it had confirmed that, contrary to State Savings standard operating procedures, a valuation statement, which included details of an account held jointly by the complainant and their deceased partner, was sent to a solicitor acting on behalf of a third party. The NTMA acknowledged that the information should not have been sent to the third party and that correct procedures were not followed in this instance by the data processor.

The complainant chose not to accept an apology and goodwill gesture from the NTMA as an amicable resolution of their data protection complaint, opting instead to seek a formal decision of the Data Protection Commissioner.

A decision of the Data Protection Commissioner issued in July 2016. In her decision, the Commissioner formed the opinion that the NTMA contravened Section 2A(1) of the Data Protection Acts 1988 and 2003 by processing the complainant’s personal information without their consent by way of the disclosure, by An Post as an agent of the NTMA, of the complainant’s personal information to a third party.

This case illustrates that it is vital for data controllers to ensure that their policies and procedures for the protection of personal data are properly and routinely adhered to by all staff. Staff awareness is key to this issue, but employers should also ensure that regular reviews of how those policies and procedures are applied in practice are carried out, so as to identify potential issues and enable appropriate remedial actions or changes to the practices, policies and procedures.

9) The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry

In October 2015, we received a complaint from a contractor in relation to the alleged unfair obtaining and processing of their personal data. The complainant stated that in the course of attending a data centre for work-related purposes the company had collected their biometric data without their consent and had also retained their passport until they had completed the training course. While the complainant had been advised in advance by the data controller to bring identification on the day of attendance at the data centre for security purposes, they had not been informed at that time that the data controller would be collecting their biometric data upon arrival at the data centre.

In the course of our investigation, we established that the data controller had collected the complainant’s biometric data upon their arrival at the data centre by way of a fingerprint scan. However, no information about this process had been provided to the complainant at that time – they were simply told that they could not go through security without this biometric fingerprinting. The data controller confirmed to us that this fingerprint scan data had not been retained; rather, it had been used to generate a numerical template which was then stored in encrypted form, and that numerical information was associated with a temporary access badge provided to the complainant for the duration of the time the complainant was in attendance at the data centre. The data controller confirmed that it had deleted this information from its system and back-up files at the data subject’s request upon the data subject’s departure from the data centre. The data controller further confirmed that, while it had retained the complainant’s passport for the duration of the complainant’s attendance at the data centre pursuant to a policy to ensure the return of temporary access badges, it had not taken or retained a copy of the complainant’s passport.

The complainant in this case did not wish to accept the offer of amicable resolution made by the data controller and instead requested that the Commissioner make a formal decision on their complaint.

The decision by the Data Protection Commissioner in October 2016 found that the data controller contravened Section 2(1)(a) and Section 2D(1) of the Data Protection Acts 1988 and 2003, as the data controller should have supplied the complainant with the purposes of the collection and processing of the biometric data, the period for which it would be held and the manner in which it would be retained, used and, if applicable, disclosed to third parties. This could have been done by the data controller either when it was in contact with the complainant to advise them of the requirement to bring identification to gain entry to the data centre or, at the latest, at the time the complainant arrived at the data centre.

However, in relation to the obtaining and processing of the complainant’s biometric data, having reviewed the information provided by the data controller in the course of the investigation by this Office, the Data Protection Commissioner found that the data controller had a legitimate interest under Section 2A(1)(d) of the Acts in implementing appropriate security procedures for the purposes of safeguarding the security of the data centre, in particular for the purposes of regulating and controlling access by third parties to the data centre. Given that the biometric data was used solely for the purposes of access at the data centre, was not transferred to any other party and was deleted in its entirety at the data subject’s request upon departing the data centre, the Data Protection Commissioner’s view was that this did not amount to potential prejudice which outweighed the legitimate interests of the data controller in protecting the integrity of the data centre and preventing unauthorised access to it. Accordingly, the Data Protection Commissioner concluded that the data controller had a legal basis for processing the complainant’s biometric data.

In relation to the retention of the complainant’s passport for the duration of their visit at the data centre, the Commissioner found that this did not give rise to any contravention of the Data Protection Acts 1988 and 2003, as the data controller had a legitimate interest in doing so and the limited processing of the complainant’s passport information (i.e. the retention of the passport itself) did not give rise to any disproportionate interference with the complainant’s fundamental rights.

Transparency is a key principle under data protection law and the giving of notice of processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing or its scale or scope, should inform all aspects of a data controller’s data processing operations.

10) Residential Care Home's Legitimate Use of Audio Recording and Photograph of Data Subject Concerning Allegations of Misconduct

We received a complaint from a former employee of a residential care home who claimed that photographic evidence and an audio recording of them were used in a disciplinary case against them by their employer resulting in their dismissal.

During our investigation, the complainant’s former employer (the operators of the residential care home) advised us that a formal, externally led investigation had been conducted into allegations that the complainant had been found by a supervisor to be asleep during a night shift on two separate occasions. On the nights in question, the complainant had been the sole staff member on duty responsible for the care of a number of highly vulnerable and dependent adults who had complex medical and care needs and who needed to be checked regularly. Having discovered the complainant asleep on the first occasion, the supervisor had warned the complainant that if it happened again it would be reported in line with the employer’s grievance and disciplinary procedure. On the second occasion, when the supervisor discovered the complainant to be asleep, fully covered by a duvet on a recliner with the lights in the room dimmed and the television off, the supervisor had used their personal phone to take photographs of the complainant sleeping and make a sound recording of the complainant snoring. The allegations had been upheld by the investigation team and a report prepared. This was followed by a disciplinary hearing convened by the employer. The employer had informed the complainant at that hearing that it accepted the verbal and written account given by the supervisor. The employer had found that the act of sleeping on duty constituted gross misconduct in light of the vulnerabilities and dependencies of the clients in the complainant’s care and the complainant had been dismissed.

Having regard to the information supplied to us by the operators of the residential care home and, in particular, the vulnerability of the clients involved and the nature of the complainant’s duties, we formed the view that no breach of the Data Protection Acts 1988 and 2003 had occurred. In this case, we considered that the processing of the complainant’s data, by way of the photograph and audio recording made by the supervisor, and the subsequent disclosure of these to the employer was necessary for the purposes of the legitimate interests pursued by the data controller, the employer, under Section 2A(1)(d) of the Data Protection Acts 1988 and 2003. This legal basis for processing requires the balancing of the data controller’s (or a third party’s or parties’) legitimate interests against the fundamental rights and freedoms or legitimate interests of the data subject, including an evaluation of any prejudice caused to those rights of the data subject.

We considered that the processing of personal data here was limited in nature and scope as it consisted of a one-off taking of a photograph and the making of an audio recording by the supervisor, who acted of their own volition and not in response to any direction or request from the employer. There had been limited further disclosure of the personal data concerned afterwards, i.e. to the employer, while the original photograph and recording were deleted from the supervisor’s phone. A copy of the material had also been provided to the complainant in advance of the complainant meeting the investigation team. We therefore considered that, in the circumstances, the processing was proportionate and that the legitimate interests of the data controller (and indeed the legitimate interests of third parties, being the clients of the residential care home) outweighed the complainant’s right to protection of their personal data.

While the right to protection of one’s personal data attracts statutory protection within the national legal system and, moreover, is a fundamental right under EU law, such rights are not absolute. Accordingly, they must be interpreted to allow a fair balance to be struck between the various rights guaranteed by the EU legal order. In particular, as this case demonstrates, data-protection rights should not be used to ‘trump’ the rights of particularly vulnerable members of society or the legitimate interests pursued by those organisations responsible for safeguarding the health and life of such persons in discharging their duties of care and protection.

11) Disclosure of Personal Information to a Third Party

We received two complaints from public servants (a husband and wife) whose personal data was disclosed by PeoplePoint, the human resources and pension shared services for public service employees. The initial complainant, in November 2015, stated that after applying for annual leave, he subsequently made an application to change this request to sick leave. The officer in PeoplePoint responsible for this section proceeded to email the complainant’s line manager at the government department in which the complainant worked. However, on receiving an ‘out-of-office’ reply the officer proceeded to email the complainant’s non-supervisory peer. PeoplePoint had notified us of the breach in June 2015. However, on commencing an investigation and receiving a copy of the email at the centre of the breach, we established that the personal data of the complainant’s spouse, who was also a public servant in a different department, was also contained in the email and that the email had been sent to three third parties. It became apparent that the official in PeoplePoint, when considering the initial complainant’s annual leave, had also accessed his spouse’s personal information without the authorisation of her employer or her consent.

Upon further investigation into this matter it became apparent that the PeoplePoint official had informed the complainant’s spouse and their colleagues about information in relation to the complainant when they had no legal basis to do so and without any authority from the data controller of their personal data, i.e. the employer.

PeoplePoint was subject to an audit by this Office. In relation to this complaint, it informed us that upon being made aware of the breach, it acted to retrieve the data and confirmed that the data had been deleted by all parties involved. It also stated that corrective action had been taken to improve the relevant official’s awareness of data privacy. Although PeoplePoint proposed an amicable resolution, the complainants declined it and requested a formal decision of the Commissioner.

The Commissioner formed the opinion that Section 21(1) of the Data Protection Acts 1988 and 2003 had been contravened. PeoplePoint is a data processor engaged by the data controller (being the relevant government department which is the employer) and, as such, the data processor owes a duty of care to the data subjects whose personal data it is processing. Under Section 21, a data processor must not disclose personal data without the prior authority of the data controller on whose behalf the data are processed.

This case is a stark reminder to data processors of the importance of processing data only with the prior consent of the data subject or the data controller. Actions in relation to personal data which may appear innocuous to ill-informed staff can have serious ramifications for data subjects. It is not acceptable for data processors and data controllers to rely on an excuse that an employee did not realise that what they were doing was a breach of data protection law. It is the responsibility of such employers to ensure that all staff are appropriately trained and supervised in relation to the processing of personal data, in order to minimise to the greatest degree possible, the risks to the fundamental rights and freedoms of data subjects whose personal data they process.

12) Failure of a Data Controller to Keep Individual's Personal Information Accurate and Up to Date Which Resulted in the Disclosure of Personal Data to a Third Party

We received a complaint in February 2015 concerning the alleged unauthorised disclosure by Permanent TSB (PTSB) of the data subject’s personal information to a third party. In this complaint the data subject stated that she had lived at a property with her ex-husband, that the mortgage for this property was a joint account in both her and her ex-husband’s names and that she was subsequently removed from this mortgage as part of a divorce settlement. The data subject informed this Office that she subsequently took out a separate mortgage with PTSB, solely in her own name, for a different property. However, PTSB had sent a letter of demand, addressed to her at her new property and also addressed to a third-party property with which she had never been associated. The complainant’s ex-husband had been raised at this property; his stepmother was still living there and she had opened the PTSB letter of demand and notified her stepson (the data subject’s ex-husband), who in turn had notified the data subject. We commenced an investigation and PTSB accepted that the data subject’s personal data had been disclosed to a third party. PTSB informed us that this had occurred because the third-party address (which the data subject had provided to PTSB as a correspondence address when applying for the previous loan which she held with her ex-husband) was incorrectly linked to the entirely separate subsequent mortgage loan in the data subject’s sole name.

We sought an amicable resolution of this complaint, but the proposal which PTSB made to the data subject was declined and she instead sought a formal decision of the Commissioner.

The Commissioner found that PTSB had contravened both Section 2A(1) of the Data Protection Acts 1988 and 2003, by processing the data subject’s personal data without her consent or another legitimate basis for doing so, and Section 2(1)(b), by failing to keep her personal data accurate, complete and up to date.

The circumstances of this complaint are a case in point as to the rationale behind the principle that personal data must be kept accurate, complete and up to date. Failure to adhere to this principle, particularly in the context of contact information, perpetuates the risk that further data protection failures (such as unauthorised disclosure to third parties) will flow from such non-compliance.

13) Failure by BOI to Properly Verify the Identity of Individual on the Phone Which Resulted in the Disclosure of Personal Information to a Third Party

We received a complaint that Bank of Ireland (BOI) had disclosed the complainant’s personal information to a third party. BOI had notified the complainant of this disclosure, which occurred when, in an attempt to contact him regarding his account, a member of BOI staff called his mobile and did not get an answer. BOI stated that as the staff member could not contact him on his mobile, they then attempted to contact him via the landline number listed on his account. According to BOI’s notification, the complainant’s mother had answered the phone and the BOI advisor requested to speak with the complainant, who shares his name with his father, and explained to the complainant’s mother that they could not discuss the account with her as she was not listed on the account. Because the advisor referred to the complainant by his last name, Mr X, his mother mistakenly thought the call was in relation to the account she held with her husband, who is also called Mr X. BOI’s position was that the complainant’s mother was adamant that she was listed on the account and that the advisor should therefore speak to her about it. Certain information was then provided to the complainant’s mother regarding his account.

We commenced the investigation of this complaint by writing to BOI asking it to confirm if it had already reported this breach to us, as is considered good practice under our “Personal Data Security Code of Practice”. BOI did not contest the fact that the complainant’s personal data had been disclosed and it confirmed that the breach had been previously reported to us. BOI indicated that some confusion had arisen due to the complainant’s father having the same name as him and having a banking relationship with the same bank branch, and that as a result of this confusion, BOI failed to properly identify the person with whom it was dealing and disclosed the complainant’s personal information to a third party. BOI claimed that it was only made aware of the disclosure of his personal information when the complainant’s mother phoned the advisor later that day to inform BOI that the complainant was her son and that the information was in relation to his loan accounts. BOI also advised us that a letter of apology had been issued to the complainant.

The complainant in this case declined the offer of amicable resolution which was made by BOI and requested a formal decision of the Commissioner.

The Commissioner concluded in her June 2016 decision that BOI contravened Section 2A(1) of the Data Protection Acts 1988 and 2003 when it processed the complainant’s personal information without his consent by disclosing it to a third party.

This case is a further demonstration of how a simple failure by a staff member to rigorously adhere to the requirement to verify a data subject’s identity before disclosing their personal data can result in unauthorised disclosure of personal data. While the circumstances of this case involved the verbal unauthorised disclosure of personal data to a family member of the data subject concerned, this in no way makes it any less serious than if it had been a written disclosure to an unrelated third party.

14) Data Controller Obliged to Demonstrate Effort Made to Locate Data Within the Statutory 40 Day Period

We received a complaint from an individual concerning an access request which they had submitted to Meteor seeking a copy of their personal data and, in particular, the recordings of calls which they had made to Meteor Customer Care during a particular period. Meteor responded initially to their request by stating that only 10% of calls to its Customer Care line are recorded and retained for 30 days and that there was no guarantee that their calls from the previous 30 days had been recorded. Meteor subsequently replied to the complainant’s access request definitively stating that there were no calls recorded and available in relation to the complainant.

We commenced an investigation of the complaint, requesting information from Meteor in relation to the efforts it had undertaken to retrieve the call recordings which were the subject of the access request, as well as information on the locations and/or business units to which enquiries were made in relation to the requester’s access request. Meteor supplied us with a printout showing the searches undertaken and responded that it did not hold any calls in relation to the complainant.

In this case, compliance with the 40-day period for responding to an access request under the Data Protection Acts 1988 and 2003 was at issue. The complainant had made a valid access request to Meteor by email dated 24 August 2015. Meteor had finally responded to the requester by email on 29 October 2015 with a substantive answer. This substantive response to the access request fell nearly four weeks outside the 40-day statutory period for responding. Furthermore, Meteor did not provide us with any evidence that it had commenced the search for the call recordings which the complainant had sought within that 40-day period, but instead chose to rely on its policy that only 10% of Customer Care line calls are recorded and simply assumed that the complainant’s calls had not been recorded.

Despite attempting to amicably resolve this complaint, we were unable to do so and the data subject requested a formal decision from the Data Protection Commissioner. In her decision, the Data Protection Commissioner concluded that Meteor had contravened the Data Protection Acts 1988 and 2003 by not responding to the complainant’s access request within the 40-day period provided for under Section 4(1)(a).

This case demonstrates that a data controller must not approach a valid data access request on a simple assumption that it does not hold the personal data which is sought. Irrespective of the circumstances of the request, or of any policies employed or assumptions held by a data controller, it must take all steps necessary to establish in fact whether the requested data is, or is not, held by the data controller and to respond substantively to the access request within the 40-day statutory period. The right of access of a data subject is one of the cornerstones of the protection of an individual's personal data, and this right must not be stymied by the actions of data controllers, whether unintentional or otherwise.

15) Personal Data Withheld from an Access Request by Airbnb on the Basis of an Opinion Given in Confidence

We received a complaint in July 2016 from an individual (an Airbnb guest) concerning an access request which he had submitted to Airbnb. The essence of the complaint was that Airbnb had not provided the guest with a particular email about him which had been sent to Airbnb by the host of Airbnb accommodation which the guest had rented. That email related to a complaint by the host about the guest. In responding to the guest’s access request, Airbnb had withheld this email on the basis that it consisted of an expression of opinion given in confidence by the host.

Of relevance here was Section 4(4A)(a) of the Data Protection Acts 1988 and 2003 which allows for personal data which consists of an expression of opinion about the data subject by another person to be disclosed by the data controller to the data subject in response to an access request without the need to obtain the consent of the person who gave the opinion. Equally relevant was Section 4(4A)(b)(ii) of the Data Protection Acts 1988 and 2003 which provides for an exemption from the right of access to personal data where the personal data consists of the expression of an opinion about the data subject by another person which has been given in confidence or on the understanding that it could be treated as confidential.

We commenced an investigation which examined in particular whether the email in question from the host to the data controller, Airbnb, consisted of the expression of a confidential opinion by the host about the guest. We found that the content of the email in question was predominantly factual in nature. While one element of the email comprised an expression of opinion, there was no reference or indication in the email to an expectation on the part of the host that the contents of the email would be kept confidential or not disclosed by Airbnb to the guest. In fact, we noted that in another email directly from the host to the guest, the host had indicated to the guest that they had contacted Airbnb about the guest.

While Airbnb was clearly trying to fairly balance the rights of the guest against the rights of the host in this case, it was our view based on our examination of the issues and communications involved that there was no evidence at all of an expectation or understanding by the host that their email about the guest would not be released to him. In those circumstances no exemption from the right of access applied under Section 4(4A)(b)(ii). Airbnb accepted our position and accordingly released the email in question to the guest. This allowed the complaint to be amicably resolved.

As this case demonstrates, before withholding personal data on the basis that it consists of the expression of an opinion given in confidence or on the understanding that it could be treated as confidential, a data controller must ensure that there is a solid basis for such an assertion. It is not enough for a data controller to simply assume that this was the case in the absence of any indication to this effect from the person who expressed the opinion.

Furthermore, the inclusion of an opinion which attracts this exemption does not mean that all other personal data which is contained within the same document is similarly exempt from the right of access. Rather, in the context of a full document of personal data, the data subject is entitled to access the personal data within it which is not an opinion given in confidence and the data controller may only redact the part or parts to which the exemption validly applies. Opinions about individuals in respect of which no expectation of confidentiality can be shown to apply, or indeed information which is simply confidential, are not exempt from an access request.

As outlined in our published guidance, an opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word "confidential" at the top of the page, for example, will not automatically render the data confidential. In considering the purported application of this exemption to a right of access, we will examine the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding of confidentiality.

16) Crypto Ransomware Attack on a Primary School

In October 2016, we received a breach report from a primary school that had been the victim of a “Crypto Ransomware” attack, whereby parts of the school’s information systems had been encrypted by a third party thereby rendering the school’s files inaccessible. These files contained personal details including names, dates of birth and Personal Public Service Numbers (PPSNs). A ransom was demanded from the school to release the encrypted files.

Our assessment of the attack identified that the school had deficiencies in the measures it had taken to secure pupils’ personal data including:

  • No policies or procedures were in place to maintain adequate backups;
  • No procedures or policy documents existed focusing on system attacks such as ransomware or viruses;
  • No contracts with data processors (the ICT services providers) were in place (as is required under Section 2C(3) of the Data Protection Acts 1988 and 2003) setting out their obligations and, as a result, actions taken by the ICT suppliers were inadequate in response to the attack; and
  • A lack of staff training and awareness of the risks associated with opening unknown email attachments or files.

We considered that the school had contravened the provisions of Section 2(1)(d) of the Acts, having failed to ensure that adequate security measures were in place to protect against the unauthorised processing and disclosure of personal data.

Recommendations were issued to the school that it take steps to mitigate the risks identified. The school subsequently informed us that it had taken the following steps based on the recommendations issued:

  • Implementation of a staff training and awareness programme on the risks associated with email and the use of personal USB keys;
  • Implementation of a contract review process to ensure appropriate contracts are in place with its ICT suppliers; and
  • Ensuring that any ICT support the school engages, either on a local basis or as recommended by the Board, is performed by competent data processors.

This case demonstrates that schools, like any other organisation (commercial, public sector or private) operating electronic data storage systems and interacting online, must ensure that they have appropriate technical security and organisational measures in place to prevent loss of personal data, and to ensure they can restore data in the event of Crypto Ransomware attacks.

17) Data Breach at an Online Retailer

In July 2016, we received a breach report from an organisation operating retail and online sales. The organisation had been notified by a customer that their credit card was used in a fraudulent transaction without their knowledge which they believed arose from their provision of payment details online to the organisation.

The organisation engaged an expert third party to conduct an analysis of its website. It was determined that the payments system on the website had been compromised by malware for the previous 6-8 weeks. The malware copied data entered by customers during the online payment stage to an external destination.

Our assessment of the breach identified that there were deficiencies in the measures which the organisation had taken to secure users’ personal data, including the following:

  • No contract or service level agreement existed between the data controller and the data processor.
  • No steps were taken to ensure that the data processor was compliant with technical security and organisational measures, in particular steps to:
    • ensure that the server and website platform were maintained and that the software versions were up to date;
    • ensure that appropriate user authentication and access control measures were in place;
    • ensure appropriate technical security was in place, such as secure configuration of the website platform, measures to detect malware, measures to monitor suspicious activity and measures to ensure regular backups were taken; and
    • ensure governance processes were in place, such as periodic reviews of the data processor and its technical security and organisational measures.

In light of the above, we considered that the organisation had contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, its users’ personal data.

Recommendations were issued to the organisation that it take steps to mitigate the risks identified. The organisation subsequently informed us that it had taken the following steps to address the recommendations:

  • Contracts are now in place to ensure that the appropriate technical security and organisational measures are in operation;
  • The organisation conducts regular reviews of the server and website platforms to ensure they are maintained and that the software versions are up to date;
  • The organisation conducts annual reviews by a third party expert to ensure compliance and to independently validate that the appropriate technical security and organisational measures are in place.
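The skimmer in this case sat on the payment page for six to eight weeks before a customer noticed fraud, which is the gap that "measures to detect malware" and "regular reviews of the server and website platforms" are meant to close. The following is an added example, not code from the case study, the retailer or its processor: a file-integrity baseline for a web platform's document root. It assumes the site's files live under one directory, that a baseline was recorded when the platform was known-good (for instance straight after a patch run), and that the baseline is stored off the web root. The scenario it runs, a skimmer appended to a checkout script plus a dropped loader file, is constructed for the demonstration.

```python
"""File-integrity baseline for a web platform's document root (added example).

Assumptions: one document root, a baseline taken when the site was known-good,
and the baseline stored outside that root. Re-running the comparison on a
schedule surfaces files that were added, changed or removed since the baseline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():  # symlinks are skipped rather than followed
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the paths added, modified and removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(baseline: dict, path: Path) -> None:
    # Keep the baseline outside the document root (ideally off-host): an
    # attacker who can edit checkout.js can edit a baseline kept beside it.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a clean site, then a skimmer appended to checkout.js."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>shop</body></html>")
        (root / "js" / "checkout.js").write_text("function pay(f){/* post card form */}\n")
        store = Path(tmp) / "baseline.json"  # outside htdocs
        save_baseline(build_baseline(root), store)

        # Simulated compromise (constructed, not a real sample): a handler that
        # copies the card form is appended to the existing checkout script and a
        # look-alike library file is dropped next to it.
        with (root / "js" / "checkout.js").open("a") as fh:
            fh.write("document.forms[0].addEventListener('submit', e => {/* exfil */});\n")
        (root / "js" / "jquery-ui.min.js").write_text("/* not the real jquery-ui */")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A change to a payment-page script is always worth a human look; the comparison should run from a host the web server cannot write to, and the baseline should be re-taken only as part of a controlled deployment, otherwise the first scheduled run after a compromise simply blesses the skimmer.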

This case highlights the need for organisations to ensure that they have appropriate technical security and organisational measures for ICT security in place, particularly when engaging a data processor. Organisations should be cognisant of the measures outlined under Section 2C of the Acts to understand their obligations, in particular:

  • To ensure that appropriate security measures are in place;
  • Reasonable steps are taken to ensure that employees of the Data Controller and any other persons, for example, Data Processor employees, associated with the processing are aware of their obligations;
  • To ensure that proper contractual agreements are in place governing the processing;
  • That reasonable steps are taken to ensure compliance with the measures. 

18)  Incorrect Association of an Individual's Personal Details with Another File

We received a complaint concerning an alleged breach of an individual’s data protection rights by an insurance company.

During our investigation, the insurer (Insurer X) advised us that the complainant had in the past requested a quotation for household insurance from another insurance company (Insurer Y), the undertakings of which had been transferred to Insurer X. Insurer Y had failed to delete the quotation (the complainant had never proceeded to take out a policy) in line with its own data retention policy. In addition, Insurer Y had mistakenly linked the complainant’s personal details on the quotation to an insurance claim file in respect of a claim it had received from a person with an identical name.

When a transfer of Insurer Y's undertakings to Insurer X was being completed, the insurance claim file which mistakenly included the complainant as the claimant (rather than another individual who had the same name) was transferred to Insurer X. The claim when assessed later turned out to be fraudulent and Insurer X had its solicitors write to the complainant advising that their claim was found to be fraudulent and indicating the follow-up action which Insurer X intended to pursue to protect its interests.

At its centre, this case concerned sloppy handling of personal data. Many people in Ireland have the same name and there was no reason why the complainant’s personal details collected when the complainant obtained a quotation should have been added to an insurance claim file. Sufficient checks and balances should have existed in Insurer Y's data handling processes. However, the more significant issue that arose for this complainant is that they were unable to ascertain, prior to our involvement, how their details came to be in the possession of Insurer X and how the issue that arose had come about.

A number of contraventions therefore occurred in this case – a breach of the requirement of a reasonable retention period due to holding onto the quotation data longer than necessary and longer than was set out in the company’s own retention policy; unlawful further processing of the personal data by associating it with a claim file; failure to respond in a clear and timely manner to the complainant to explain how their data had been sourced and how it came to be processed in the way that it was. The complainant in this case suffered particularly serious consequences as they incurred significant legal costs in defending the accusation of making a fraudulent claim and the threat by Insurer X of instigating Circuit Court proceedings against them.

19) Prosecution of The Irish Times Limited for Marketing Offences

On 28 April 2015 we received a complaint from an individual who received an unsolicited marketing email earlier that day from The Irish Times Limited in the form of a “Get Swimming” newsletter. He explained that he signed up for the “Get Swimming” newsletter some months previously and he told us that he opted out after the receipt of the third or fourth issue by using the unsubscribe instruction at the bottom of the newsletter. However, he claimed that The Irish Times Limited continued to send him the “Get Swimming” newsletter each week thereafter and he continued to unsubscribe using the unsubscribe instruction. He informed us that he also emailed Customer Care in The Irish Times Limited on 21 April 2015 asking to be removed from the newsletter and warning that if not, he would report the matter to the Data Protection Commissioner. Customer Care responded on the same day stating that they would remove him from the newsletter immediately. However, he received a further newsletter one week later.

In response to our investigation, The Irish Times Limited stated that this was a once-off issue that arose from a human error in configuring the unsubscribe process, which had subsequently been fixed. It confirmed that sixty-four other users were affected. It informed us that a procedure had been put in place to prevent a recurrence.

The Data Protection Commissioner had previously issued a warning to The Irish Times Limited in November 2012 following the investigation of a complaint from a different individual in relation to marketing emails which he continued to receive after he had opted out of the receipt of such emails.

The Data Protection Commissioner decided to prosecute the company. At Dublin Metropolitan District Court on 4 April 2016, The Irish Times Limited pleaded guilty to one charge of sending an unsolicited marketing email without consent. The Court ordered the payment of €3,000 in the form of a charitable donation to Pieta House and it adjourned the matter for seven weeks. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charge.

20) Prosecution of Coopers Marquees Limited for Marketing Offences

In September 2015 we received a complaint from an individual about a marketing email which she received a few weeks earlier from Coopers Marquees Limited. The same individual had previously complained to us in January 2014 after she received a marketing email from that company which, she stated, she had not consented to receiving. During the course of our investigation of the first complaint, the company undertook to remove the individual’s email address from its marketing database. We concluded that complaint by issuing a warning to the company that the Data Protection Commissioner would likely prosecute it if it re-offended.

In response to our investigation of the second complaint, we were informed that a new marketing executive for the company had used an old version of the marketing database for a marketing campaign. This resulted in the offending marketing email being sent to the email address of the individual, whose details had been removed from the current database over a year earlier. The company accepted that it did not have consent to contact the individual concerned by email and it claimed that human error on the part of the new staff member had caused the email to be sent. The Data Protection Commissioner decided to prosecute the company.

At Virginia District Court on 7 June 2016 Coopers Marquees Limited pleaded guilty to one charge of sending an unsolicited email without consent. The Court ordered a contribution in the amount of €300 as a charitable donation to Mullagh Scout Troop and it indicated that it would apply the Probation of Offenders Act in lieu of a conviction. The defendant company agreed to make a contribution towards the prosecution costs of the Data Protection Commissioner.

21) Prosecution of Robert Lynch T/A The Energy Centre for Marketing Offences

In January 2015 two individuals complained to us about unsolicited marketing calls which they received from The Energy Centre on their landline telephones. In the case of both complainants, their telephone numbers stood recorded on the National Directory Database (NDD) Opt-Out Register. In the case of the first complainant, he informed us that he received an unsolicited marketing call on 5 January 2015 during which the caller offered to arrange to conduct a survey of his home for the purpose of recommending energy saving initiatives that The Energy Centre could sell him. The complainant said that he told the caller not to call him again and he pointed out that his number was on the NDD Opt-Out Register. Three days later, the complainant received a further unsolicited marketing call from The Energy Centre. In the case of the second complainant, he received an unsolicited marketing phone call on 23 January 2015 from a caller from The Energy Centre who told him that there were sales agents in his area and that she wished to book an appointment for one of them to visit his home. The same complainant had previously complained to us in November 2013 having received an unsolicited marketing phone call from the same entity at that time. His first complaint was amicably resolved when he received a letter of apology, a goodwill gesture and an assurance that steps had been taken to ensure that he would not receive any further marketing calls.

By way of explanation during the course of our investigation of the two complaints received in January 2015 The Energy Centre indicated that its IT expert had examined the matter and concluded that there was human error somewhere along the line when someone transferred some telephone numbers from a non-contact list back into the system to be contacted.

The Data Protection Commissioner had previously issued a warning to The Energy Centre following the investigation of a complaint from a different individual in relation to unsolicited marketing calls which he received on his landline telephone while his number was recorded on the NDD Opt-Out Register.

The Data Protection Commissioner decided to prosecute. At Drogheda District Court on 21 June 2016, Robert Lynch T/A The Energy Centre pleaded guilty to three charges of making unsolicited marketing telephone calls to the telephone numbers of two individuals whose numbers were recorded on the NDD Opt-Out Register. In relation to the first case where the complainant’s number was called on two occasions three days apart, the Court convicted the defendant in respect of the charge for the second telephone call, it applied a fine of €100 and it took the other charge in relation to the first telephone call into account. In relation to the second case, the Court applied the Probation of Offenders Act in respect of that charge. The defendant agreed to pay the prosecution costs incurred by the Data Protection Commissioner.

22) Prosecution of Paddy Power Betfair Public Limited Company for Marketing Offences

In June 2016 an individual complained to us about marketing text messages he was receiving from Paddy Power Betfair Plc and he also alleged that the ‘stop’ command at the end of the text messages was not working. He stated that he had never placed a bet with Paddy Power Betfair Plc but he recalled having used its Wi-Fi once.

During our investigation of this case, the company, in relation to the allegation that the ‘stop’ command was not working, admitted that there were technical issues with the opt-out service of its text provider and stated that it had acted immediately to rectify this once it became aware of it. On the matter of marketing consent, the company informed our investigation that the complainant had logged onto the Wi-Fi at its Lower Baggot Street, Dublin outlet in April 2016. It described how a user must enter their mobile phone number on the sign-in page, following which they receive a PIN on their phone which enables them to proceed. After entering the PIN correctly, the customer is presented with a tick box to accept the terms of service, which include a privacy policy. Having examined the matter, we advised Paddy Power Betfair Plc that we did not see any evidence that the user was given an opportunity to opt out of marketing as is required by S.I. 336 of 2011 (the ePrivacy Regulations). We formed the view that the company was unable to demonstrate that the complainant had unambiguously consented to the receipt of marketing communications. The company understood our position and it undertook to work with its Wi-Fi providers to add the required marketing consent tick box to its registration page. It also immediately excluded all mobile phone numbers acquired through the Wi-Fi portals from further marketing communications.

The Data Protection Commissioner decided to prosecute the company. A warning had previously been issued to the company in 2015 following the investigation of a complaint from a different individual who continued to receive marketing text messages after opting out.

At Dublin Metropolitan District Court on 28 November 2016 Paddy Power Betfair Plc pleaded guilty to one charge of sending an unsolicited marketing text message without consent and one charge of not providing the recipient with a valid means of opting out of the receipt of further marketing messages. In lieu of a conviction and fine, the Court ordered the defendant to contribute €500 to the Simon Community by 12 December 2016 and it adjourned the matter for two weeks. The company agreed to discharge the prosecution costs incurred by the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charges.

23) Prosecution of Trailfinders Ireland Limited for Marketing Offences

A complaint was lodged with us in June 2016 by an individual who received unsolicited marketing emails at that time from Trailfinders Ireland Limited despite having been informed previously that her email address had been removed from the company’s marketing database in August 2015. In its response to our investigation, the company acknowledged that the offending emails were sent in error. It explained that it had received a written communication about a customer care issue from the complainant a few days prior to the sending of the marketing emails and that its Customer Care team had updated her case concerning that particular issue. This update triggered an automated process which inserted the complainant’s email address into its marketing database. Trailfinders Ireland Limited apologised for the system error and it said that it should not have happened in any circumstances.

On foot of a previous complaint in 2015 against Trailfinders Ireland Limited from the same complainant concerning unsolicited marketing emails to which she had not consented, the Data Protection Commissioner had issued a warning to the company in January 2016. Following our investigation of the second complaint, the Data Protection Commissioner decided to prosecute the company.

At Dublin Metropolitan District Court on 28 November 2016 Trailfinders Ireland Limited pleaded guilty to two charges of sending unsolicited marketing emails without consent. In lieu of a conviction and fine, the Court ordered the defendant to contribute €500 to the Simon Community by 12 December 2016 and it adjourned the matter for two weeks. The company agreed to discharge the prosecution costs incurred by the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charges.

24) Prosecution of Topaz (Local Fuels) Limited for Marketing Offences

In July 2016 an individual complained to us about an unsolicited marketing telephone call which he received on his mobile telephone from Topaz (Local Fuels) Limited. He had previously complained to us in November 2015 about marketing text messages which the company sent him without his consent and he informed us that despite attempting to opt out by replying ‘Stop’ he continued to receive more text messages. In its response to our first investigation, the company said that the inclusion of the complainant’s mobile telephone number in its promotional campaign was as a result of a human error and it acknowledged the failure of its system to register his opt out attempts. It informed us in February 2016 that it had removed the mobile phone number concerned from its marketing database. We concluded that complaint at the time with a warning to Topaz (Local Fuels) Limited.

At Dublin Metropolitan District Court on 28 November 2016 Topaz (Local Fuels) Limited pleaded guilty to one charge of sending an unsolicited marketing text message without consent and one charge of not providing the recipient with a valid means of opting out of the receipt of further marketing messages. In lieu of a conviction and fine, the Court ordered the defendant to contribute €500 to Our Lady’s Children’s Hospital, Crumlin by 12 December 2016 and it adjourned the matter for two weeks. The company agreed to discharge the prosecution costs incurred by the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charges.

25) Prosecution of Dermaface Limited for Marketing Offences

In August 2016 we received a complaint from a former customer of Dermaface Limited after she received an unsolicited marketing email. The complainant had previously been informed in 2014, on foot of an earlier complaint about unsolicited marketing emails, that Dermaface Limited had removed her details from its marketing list. Our investigation sought an explanation from Dermaface Limited. It informed us that the marketing email which was the subject of the latest complaint had been sent through a clinic software system which it had purchased. It claimed that the new system contacted patients and former patients who had previously opted out of receiving marketing communications from it. It admitted that the complainant was one of those patients or former patients who had been sent a marketing email. It sent an apology to the complainant.

Following an investigation in 2011 of a complaint from a different individual who received numerous marketing text messages from Dermaface Limited, the Data Protection Commissioner had issued a warning to the company. The Commissioner decided, therefore, to prosecute the company in respect of the latest offence.

At Dublin Metropolitan District Court on 28 November 2016 Dermaface Limited pleaded guilty to one charge of sending an unsolicited marketing email without consent. In lieu of a conviction and fine, the Court ordered the defendant to contribute €300 to Our Lady’s Children’s Hospital, Crumlin by 12 December 2016. The Court also indicated that it expected the company to discharge the prosecution costs incurred by the Data Protection Commissioner and it adjourned the matter for two weeks. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Data Protection Commissioner’s costs. The Court struck out the charge.

  • Marketing offences by MTS Property Management Limited – prosecution
  • Marketing offences by Greyhound Household – prosecution
  • Marketing offences by Imagine Telecommunications Business Limited – prosecution
  • Marketing Offences by Eircom Limited – prosecution
  • Defence Forces Ireland – failure to keep data safe and secure
  • Further processing of personal data by a state body
  • Supermarket’s excessive use of CCTV to monitor member of staff
  • Disclosure of personal information to a third party by the Department of Social Protection
  • Covert CCTV installed without management knowledge
  • Danske Bank erroneously shares account information with third parties
  • Failure to update customer’s address compromises the confidentiality of personal data
  • Unfair use of CCTV Data

Case Study 1: Marketing offences by MTS Property Management Limited – prosecution

We received a complaint in February 2013 from an individual who received marketing SMS messages from MTS Property Management Limited advertising the company’s property-management services. The complainant informed us that she had dealt with the company on one occasion over five years previously but she did not consent to her mobile phone number being used for marketing purposes. She also pointed out that the SMS messages that she received did not provide her with a means of opting out.

Our investigation of this complaint became protracted as the company denied knowledge of the mobile number to which the SMS messages were sent and denied knowledge of the account holder of the sending phone number. However, we established sufficient evidence to satisfy ourselves that MTS Property Management Limited was responsible for sending the marketing SMS messages to the complainant. We decided to prosecute the offences.

MTS Property Management Limited had come to our attention previously in the summer of 2010 when two individuals complained about unsolicited marketing SMS messages sent to them without consent and without the inclusion of an opt-out mechanism. Following the investigation of those complaints, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 at any future time.

At Dublin Metropolitan District Court on 23 February 2015, MTS Property Management Limited pleaded guilty to one charge of sending an unsolicited marketing SMS without consent and it pleaded guilty to one charge of failing to include an opt-out mechanism in the marketing SMS. The Court convicted the company on both charges and it imposed two fines of €1,000 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

Case Study 2: Marketing offences by Greyhound Household – prosecution

In May 2014, we received a complaint against Greyhound Household from an individual who received an unsolicited marketing phone call on his mobile telephone from the company’s sales department. The same individual had previously complained to us in December 2013 as he was receiving marketing SMS messages from Greyhound Household that he had not consented to receiving. He informed us that he had ceased being a customer of the company in May 2013. Arising from the investigation of the previous complaint, Greyhound Household had undertaken to delete the former customer’s details and it apologised in writing to him. On that basis, we concluded the matter with a formal warning to the effect that any future offences would likely be prosecuted.

On receipt of the latest complaint, we commenced a further investigation. Greyhound Household admitted that a telephone call was made to the complainant’s mobile phone number without consent but it was unable to explain why his details had not been deleted in line with the company’s previous undertaking. We decided to prosecute the offence.

At Dublin Metropolitan District Court on 23 February 2015, Greyhound Household pleaded guilty to one charge of making an unsolicited marketing phone call to a mobile phone number without consent. The Court applied Section 1(1) of the Probation of Offenders Act subject to the defendant making a charitable donation of €1,000 to Pieta House. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

Case Study 3: Marketing offences by Imagine Telecommunications Business Limited – prosecution

In March 2015, we received a complaint against Imagine Telecommunications Business Limited from a company that had received unsolicited marketing telephone calls. The same company had previously complained to us in 2014 about repeated cold calling to its offices. Despite having submitted an opt-out request to Imagine Telecommunications Business Limited, it continued to receive marketing phone calls. Following our investigation of the first complaint, and having been assured that the phone number of the complainant company had been removed from the marketing database, we issued a formal warning to Imagine Telecommunications Business Limited that any future offences would likely be prosecuted.

On investigating the current complaint, we were informed by Imagine Telecommunications Business Limited that it had failed to mark the telephone number concerned as ‘do not contact’ on the second of two lists on which it had appeared. This led to the number being called again in March and June 2015. It stated that the only reason the number was called after the previous warning was due to this error and it said that it took full responsibility for it.

We prosecuted the offences at Dublin Metropolitan District Court on 2 November 2015. Imagine Telecommunications Business Limited pleaded guilty to one charge of making an unsolicited marketing telephone call without consent. The Court applied Section 1(1) of the Probation of Offenders Act conditional upon a charitable donation of €2,500 being made to the Merchant’s Quay Project. Prosecution costs were recovered from the defendant.

Case Study 4: Marketing offences by Eircom Limited – prosecution

We received complaints from two individuals in February and April 2015 concerning marketing telephone calls that they had received on their landline telephones from Eircom Limited. In both cases, and prior to lodging their complaints, the individuals had submitted emails to Eircom Limited requesting that they not be called again. Eircom’s Customer Care Administration Team replied to each request and informed the individuals that their telephone numbers had been removed from Eircom’s marketing database. Despite this, each individual subsequently received a further marketing telephone call in the following months, thus prompting their complaints to this Office.

Eircom informed our investigations that the agents in its Customer Care Administration Team who handled the opt-out requests had not updated the system to record the new marketing preference after sending out the replying email to the individuals concerned. It undertook to provide the necessary refresher training to the agents concerned.

Separately, a former customer of Eircom complained in May 2013 that he continued to regularly receive unsolicited marketing phone calls from Eircom on his landline telephone despite clearly stating to each caller that he did not wish to receive further calls. He stated that the calls were numerous and that they represented an unwarranted intrusion into his privacy. Eircom continued to make a further ten marketing telephone calls to the individual after the commencement of our investigation of this complaint. Our investigation subsequently established that this former customer had received over 50 marketing contacts from Eircom since 2009 when he ceased to be an Eircom customer. Eircom explained that the continued calls arose from a misunderstanding of what systems the former customer’s telephone number was to be opted out from.

In October 2014, an Eircom customer complained that he had received a marketing SMS from Eircom that did not provide him with a means to opt out of receiving further marketing SMS messages. Eircom informed our investigation of this complaint that the inclusion of an opt-out is the norm in all of its electronic-marketing campaigns but, in this instance, and due to human error, the link to the necessary opt-out had not been set properly. Our investigation established that this error affected over 11,600 marketing messages that were sent in the campaign concerned.

We proceeded to prosecute the offences identified on foot of the complaints received in the aforementioned cases. At Dublin Metropolitan District Court on 2 November 2015, Eircom Limited pleaded guilty to six charges of making unsolicited marketing calls without consent and it pleaded guilty to one charge of sending a marketing SMS without a valid address to which the recipient may send an opt-out request. The Court applied Section 1(1) of the Probation of Offenders Act conditional on the defendant making donations amounting to €35,000 as follows: €15,000 to Pieta House, €10,000 to LauraLynn (Children’s Hospice) and €10,000 to Our Lady’s Children’s Hospital, Crumlin. The company agreed to pay the prosecution costs incurred by this Office.
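Cases 19 to 25 above and Case Studies 1 to 4 share one engineering failure: the opt-out was recorded somewhere, but not in the place the next campaign read from. An old copy of the database (Coopers), a second list the number also sat on (Imagine), numbers moved from a non-contact list back into the dialler (The Energy Centre), a customer-care update that re-inserted an address (Trailfinders), a migration to new clinic software (Dermaface), a STOP reply that was never registered (Topaz, Paddy Power), and agents who replied to the customer without updating the system (Eircom). The following is an added example, not code from the DPC or any company named in these cases, of the design that closes all of these: one authoritative suppression store that every opt-out route writes to before the customer is told anything, consulted at send time for every recipient on every channel, regardless of which list the contact came from. The phone-number normalisation convention, the NDD Opt-Out Register (modelled as a constructed set) and all contact details are assumptions for the demonstration.

```python
"""Send-time suppression for electronic marketing (added example).

Assumptions: every opt-out is committed to one SuppressionStore before any
acknowledgement goes to the customer; every campaign filters recipients through
that store at send time; calls are additionally checked against a stand-in for
the NDD Opt-Out Register. Contact details and the number format are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


def normalise(channel: str, identifier: str) -> str:
    """Canonical form so that case and spacing variants of one contact match."""
    if channel == "email":
        return identifier.strip().lower()
    if channel in ("sms", "call"):
        digits = "".join(ch for ch in identifier if ch.isdigit())
        # Assumed convention for this example: Irish numbers stored as +353
        # followed by the national number without its leading 0.
        return "+" + digits if digits.startswith("353") else "+353" + digits.lstrip("0")
    raise ValueError(f"unknown channel {channel!r}")


@dataclass
class SuppressionStore:
    """The single place every opt-out is written, whichever door it came in by."""
    entries: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (channel, id) -> source

    def record_optout(self, channel: str, identifier: str, source: str) -> None:
        # Commit first; the reply to the customer is sent only after this
        # returns. Replying first and updating later is the Eircom failure.
        self.entries[(channel, normalise(channel, identifier))] = source

    def reason(self, channel: str, identifier: str) -> Optional[str]:
        return self.entries.get((channel, normalise(channel, identifier)))


def handle_inbound_sms(store: SuppressionStore, sender: str, body: str) -> bool:
    """Any reply whose first word is STOP, in any case, is an SMS opt-out."""
    words = body.strip().split()
    if words and words[0].upper() == "STOP":
        store.record_optout("sms", sender, "STOP reply")
        return True
    return False


def filter_recipients(store: SuppressionStore, channel: str, recipients: Iterable[str],
                      ndd_register: Optional[Set[str]] = None) -> Tuple[List[str], Dict[str, str]]:
    """Apply suppression at send time, whatever list the contact was loaded from.

    Returns (contacts to send to, deduplicated and normalised) and a map of
    blocked contacts to the reason they were blocked.
    """
    send: List[str] = []
    blocked: Dict[str, str] = {}
    seen: Set[str] = set()
    for raw in recipients:
        ident = normalise(channel, raw)
        if ident in seen:  # the same number on two lists is still one decision
            continue
        seen.add(ident)
        why = store.reason(channel, raw)
        if why is None and channel == "call" and ndd_register and ident in ndd_register:
            why = "NDD Opt-Out Register"
        if why:
            blocked[ident] = why
        else:
            send.append(ident)
    return send, blocked


def send_sms_campaign(store: SuppressionStore, text: str, recipients: Iterable[str]):
    """Gate an SMS campaign: refuse any message with no opt-out route in it."""
    if "STOP" not in text.upper():
        raise ValueError("marketing SMS must tell the recipient how to opt out, e.g. 'Reply STOP'")
    return filter_recipients(store, "sms", recipients)


def demo() -> dict:
    store = SuppressionStore()
    # Opt-outs arriving by three different routes (all details constructed).
    store.record_optout("email", "Reader@Example.ie", "unsubscribe link")
    handle_inbound_sms(store, "087 123 4567", "Stop")
    store.record_optout("call", "01 555 0100", "email to customer care")
    ndd = {normalise("call", "01 555 0199")}  # constructed stand-in for the register

    # Constructed campaign lists: an old export and a CRM update have re-added
    # opted-out contacts, one address differs only in case, one number is on
    # the list twice in different formats.
    return {
        "email": filter_recipients(store, "email",
                                   ["reader@example.ie", "new@example.ie", "READER@EXAMPLE.IE"]),
        "sms": send_sms_campaign(store, "Weekend offers inside. Reply STOP to opt out.",
                                 ["+353871234567", "086 000 0000"]),
        "call": filter_recipients(store, "call",
                                  ["015550100", "015550199", "015550123", "01 555 0123"],
                                  ndd_register=ndd),
    }


if __name__ == "__main__":
    for channel, (send, blocked) in demo().items():
        print(channel, "send:", send, "blocked:", blocked)
```

The point of the design is that nothing upstream of `filter_recipients` has to be right: a stale list, a second list, a new CRM or a re-imported non-contact file can all put an opted-out contact back into a campaign and it is still not sent to, because the suppression store, not the list, is the record of consent. Migrating to new software (the Dermaface case) then means migrating the store, and verifying after the cut-over that a known opted-out test contact is still blocked.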

Case Study 5: Defence Forces Ireland – failure to keep data safe and secure

A member of the Defence Forces made a complaint to this Office that certain personal data relating to him was not kept safe and secure by the Defence Forces.

The circumstances of the individual’s complaint to our Office arose when a Military Investigating Officer (MIO) was appointed to review an internal complaint made by him as a member of the Defence Forces. Subsequently, the Defence Forces Ombudsman was appointed to review the process of the handling of the complaint and, during the course of its review, it was ascertained that the MIO could not supply details of interview notes of an interview he had conducted with the complainant as he had stored them at an unsecure location and they were damaged or lost following flooding and a burglary at that location when the MIO was on an overseas mission. The unsecure location was in fact the MIO’s private house.

We raised the matter with the Defence Forces, who confirmed the complainant’s allegation that the notes had been stored at an unsecure location and had been damaged or lost as stated.

The Defence Forces informed us of the measures taken to keep data safe and secure, and referred us to its Administration Instruction, which provides for the prohibition of removal of records.

The Defence Forces further stated that the removal of records from their place of custody to a private residence would breach this instruction and that a breach of this provision may constitute an offence under S.168 of the Defence Act 1954. It advised that, as the MIO was no longer a serving member of the Defence Forces, he is not subject to military law.

The Defence Forces unequivocally acknowledged that the loss of the data in this case should not have occurred and was fully regretted. It informed us that it had recently undertaken a full review of practices and procedures in respect of both the processing and disclosure of data to mitigate the possibility of any future unauthorised or accidental disclosure of personal data.

The Commissioner’s decision on this complaint issued in June 2015, and it found that the Defence Forces contravened Section 2(1)(d) of the Data Protection Acts by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the complainant’s personal data when it allowed it to be stored at an unsecure location, namely a private house.

This Office acknowledges that the Defence Forces has procedures in place in relation to the protection of personal data as set out in its Administration Instruction. However, those procedures were not followed in this case and when an official record was removed from its place of custody, it resulted in the complainant’s personal data being lost or stolen because the appropriate security measures in place were not followed.

There are many workplace scenarios where staff and managers, in particular, may need to take files, including personal data, home with them. Extreme caution should always be exercised in such cases to ensure that there is no risk to the security of personal data, either while the files are in transit or while they are in the employee’s home. Data controllers must ensure that employees act in a responsible manner with regard to the safe custody and handling of workplace files. This demands a proper system that records the taking and returning of files, and the following of prescribed procedures for the safe keeping of personal data while the files concerned are absent from the workplace. Likewise, it is critical that employees are prohibited from emailing official files from their workplace email account to their personal email account for after-hours work or for any other reason. In such situations, data controllers lose control of personal data that they are obliged by law to protect.

Case Study 6: Further processing of personal data by a state body

In February 2015, we received a complaint from an employee of a state body in relation to the alleged unfair processing of his personal data. The complainant stated that, in the course of a meeting, he had been advised that his manager had requested access to data from his security swipe card in order to compare it with his manually completed time sheets. The complainant explained that this had been carried out without any prior consultation with him or his line manager. By way of background, the complainant informed us that the security swipe cards used by the employees are for accessing the building and secured areas only, and are not used as a time management/attendance system.

We sought an explanation from the body concerned as to how it considered that it had complied with its obligations under the Data Protection Acts in the processing of the complainant’s personal information obtained from his swipe-card data. We also advised it that we had sight of the relevant section of its staff handbook and we noted that there was no reference to the swipe card being used for the purpose of checking attendance.

We received a response explaining that the swipe-card data relating to the complainant was handed over to the complainant’s manager in good faith on the basis that it was corporate rather than personal data. The organisation also confirmed that it checked the staff handbook and any other information that may have been circulated to staff regarding the purposes of the swipe card and that there was no mention of the use of swipe cards in relation to recording time or attendance. It advised that the focus of the information circulated with regard to swipe cards was on security and access only.

After consideration of the response received, along with the content of the complaint, we informed the organisation concerned that we considered that the Data Protection Acts were breached when the employee’s swipe-card details were provided to his manager to verify his working hours. We referred to the provisions of Section 2(1)(c)(ii) of the Data Protection Acts, which state that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. Given that we considered the information concerned had been processed in contravention of the Data Protection Acts 1988 and 2003, we required an assurance that all email records created in relation to the further processing of the swipe-card details concerned be deleted from its systems; this assurance was duly provided.

The complainant in this case agreed, as an amicable resolution to his complaint, that he would accept a written apology from his employer. This apology acknowledged that the complainant’s data protection rights had been breached and it confirmed that the organisation had taken steps to ensure that this type of error did not recur in the future.

This case highlights the temptation organisations face to use personal data that is at their disposal for a purpose other than that for which it was originally obtained and processed. The scenario outlined above is, unfortunately, not uncommon. Time and attendance monitoring may occasionally prove difficult for managers, and contentious issues arise from time to time. The resolution of those issues should not involve an infringement of the data protection rights of employees, whether in circumstances similar to those in this case or otherwise.

Case Study 7: Supermarket’s excessive use of CCTV to monitor member of staff

A former staff member of a supermarket submitted a complaint to this Office regarding her employer’s use of CCTV.

The complainant informed us that she had been dismissed by her employer for placing a paper bag over a CCTV camera in the staff canteen. She informed us that the reason for her covering the CCTV camera was that when she was on an official break in the staff canteen, a colleague styled her. The complainant also stated that the camera was placed in the corner of the staff canteen and there was no signage to inform staff that surveillance was taking place. She informed us that she was never officially advised of the existence of the camera nor had her employer ever informed her of the purpose of the CCTV in the canteen.

In its response to our investigation, the supermarket informed us that the complainant was dismissed for gross misconduct, which occurred when she placed a plastic bag over the camera in the canteen to prevent her actions being recorded and thereby breaching the store’s honesty policy as outlined in the company handbook. The supermarket owner informed us that the operation of CCTV cameras within the retail environment was to prevent shrinkage, which can arise from customer theft, waste and staff theft. He stated that it was also used for health and safety, to counter bullying and harassment and for the overall hygiene of the canteen. In relation to the incident concerning the complainant, the owner informed us that, on the day in question, the store manager noticed some customers acting suspiciously around the off-licence area and that on the following day CCTV footage was reviewed. It was during the viewing of the footage in relation to suspicious activity in the off-licence area that he noticed the complainant putting a bag over the camera.

Following an inspection by one of our Authorised Officers, we informed the supermarket owner that, in our view, there was no justification from a security perspective for having a camera installed in the canteen area.

The complainant in this case declined an offer of an amicable resolution and she requested a formal decision of the Commissioner.

The decision by the Commissioner in January 2015 found that the supermarket contravened Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003, by the excessive processing of the complainant’s personal data by means of a CCTV camera in a staff canteen.

Data controllers are tempted to use personal information captured on CCTV systems for a whole range of purposes. Many businesses have justifiable reasons, usually related to security, for the deployment of CCTV systems on their premises but any further use of personal data captured in this way is unlawful under the Data Protection Acts unless the data controller has at least made it known at the time of recording that images captured may be used for those additional purposes, as well as balancing the fundamental rights of employees to privacy at work in certain situations, such as staff canteens and changing rooms.

Case Study 8: Disclosure of personal information to a third party by the Department of Social Protection

This Office received a complaint in July 2014 concerning an alleged unauthorised disclosure of the complainant’s personal information by the Department of Social Protection to a third party. The complainant informed us that, in the course of an Employment Appeals Tribunal hearing, her employer produced to the hearing an illness-benefit statement relating to her. The statement contained information such as her name, address, PPSN, date of birth, bank details and number of child dependants. She stated that her employer was asked how he had obtained this illness-benefit statement. He stated that he had phoned the Department of Social Protection and the statement had subsequently been sent to him by email. Prior to making the complaint to this Office, the complainant had, via her solicitors, received an apology from the Department, who acknowledged that her information had been disclosed in error and that proper procedures had not been followed. However, she informed us that she had very little information as to how the disclosure had occurred and that the matter had caused her considerable distress.

We commenced an investigation by writing to the Department of Social Protection. In response, it stated that it accepted that a statement of illness benefit was disclosed to the complainant’s employer in error, on foot of a telephone call from the employer. The Department acknowledged that the information should not have been sent out to the employer and that the correct procedures were not followed on this occasion. It stated that the staff member who supplied the information was new to the Department. It explained that it was not normal practice to issue a screenshot to the employer; the correct procedure was to issue a statement to the employee along with a note informing the employee that the information had been requested by their employer.

The data subject chose not to accept an apology from the Department as an amicable resolution of her data protection complaint, opting instead to seek a formal decision of the Data Protection Commissioner.

A decision of the Data Protection Commissioner issued in October 2015. In her decision, the Commissioner formed the opinion that the Department of Social Protection contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. The contravention occurred when the Department of Social Protection disclosed the complainant’s personal data to an unauthorised third party.

This case serves as a reminder to data controllers of the importance of ensuring that new staff are fully trained and closely supervised in all tasks, particularly in those tasks that involve the processing of personal data. Errors by staff present a high risk of data breaches on an ongoing basis and it is critically important that efforts are made to mitigate against those risks by driving data protection awareness throughout the organisation, with particular focus on new or re-assigned staff.

Case Study 9: Covert CCTV installed without management knowledge

This Office received a complaint from staff of Letterkenny General Hospital in relation to the operation of covert CCTV surveillance by management within the Maintenance Department of Letterkenny General Hospital.

We also received a ‘Data-Breach Incident Report’ from the Health Service Executive (HSE) about this matter. This breach report recorded the incident as ‘Unauthorised CCTV Surveillance of Office Area’ and stated that a covert CCTV camera was installed by two maintenance foremen in their two-man office due to concerns they had in relation to the security of their office.

We commenced an investigation of the complaint by writing to the Health Service Executive (HSE), outlining the details of the complaint. We sought information from it in relation to the reporting arrangements between the maintenance staff in Letterkenny General Hospital and the maintenance foremen who installed the covert CCTV; the whereabouts of footage captured by the covert CCTV; the outcome of the internal investigation; how the covert CCTV was installed without notice to the management of Letterkenny General Hospital; and details of any instruction or notification issued to staff on foot of the internal investigation.

In response, the HSE stated that the foremen who had installed the camera were direct supervisors of the maintenance department staff and that the footage recorded was stored on a DVD and secured in a locked safe. It further stated that an internal investigation concluded that two staff had installed the covert CCTV without the authority, consent or knowledge of the management of Letterkenny General Hospital, due to concerns regarding unauthorised access/security in their office. We established that the camera in question was previously installed in a now disused area of the hospital, had been decommissioned and was re-installed in the office in question.

As well as confirming that the footage captured by the covert camera was of normal daily comings and goings to the maintenance office, the HSE stated that this was an unauthorised action by staff in the maintenance section and that it was keenly aware of its duty to all staff to provide a workplace free from unauthorised surveillance. The HSE confirmed that it would initiate steps to ensure that there would be no repetition of this action.

The HSE subsequently issued a written apology to the complainants in which it also confirmed that the recordings had been destroyed.

A decision of the Data Protection Commissioner issued in April 2015. In her decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(a) of the Data Protection Acts 1988 and 2003 by failing to obtain and process fairly the personal data of individuals whose images were captured and recorded by a covert CCTV camera installed without its knowledge or consent.

Covert surveillance is normally only permitted on a case-by-case basis, where the data is kept for the purpose of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This implies that a written specific policy must be put in place detailing the purpose, justification, procedures, measures and safeguards that will be implemented in respect of the covert surveillance, with the final objective being an active involvement of An Garda Síochána or other prosecutorial authority. Clearly, any decision by a data controller to install covert cameras should be taken as a last resort after the full exhaustion of all other available investigative steps.

Case Study 10: Danske Bank erroneously shares account information with third parties

We received a complaint against Danske Bank alleging that it had disclosed personal data and account information in relation to a mortgage on a property owned by the complainant to third parties. We commenced an investigation of the matter by writing to Danske Bank, outlining the details of the complaint. We received a prompt response from Danske Bank, which stated that the complainant and the individual who received his personal data were joint borrowers on certain loan facilities and that it was during the course of email communications with the other individual in respect of that individual’s loan arrears that the personal data relating to the complainant was disclosed to two third parties. Danske Bank admitted that this was an error on its part and stated that it was unfortunate that it had occurred. It went on to explain that, in dealing with the queries raised by the other individual in respect of his arrears and entire exposure to Danske Bank, the relationship manager also included information on all arrears in respect of that individual’s connections, which included the complainant. The staff member concerned expressed his regret at the incident and Danske Bank confirmed that the staff member was reminded of its procedures with regard to data protection and the need to be vigilant when dealing with the personal data of customers. Danske Bank apologised for the incident and offered reassurance that it would endeavour to prevent a future reoccurrence.

Danske Bank went on to state that it had robust controls in place to ensure that such incidents did not occur; however, it admitted that, despite such controls, this was a case of a human error and it did not believe that it was in any way intentional.

The complainant requested that the Data Protection Commissioner issue a formal decision on his complaint. A decision of the Commissioner issued in January 2015, and it stated that, following the investigation of the complaint, she was of the opinion that Danske Bank contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by disclosing the complainant’s personal data to a number of third parties without his knowledge or consent.

This case is illustrative of the need for financial institutions to be vigilant when dealing with the personal data of individuals who have common banking relationships with others, and to ensure that appropriate safeguards are in place to prevent accidental or erroneous sharing of personal data.

Case Study 11: Failure to update customer’s address compromises the confidentiality of personal data

This Office received a complaint that Allied Irish Banks (AIB) failed to keep the complainant’s personal data up-to-date over a prolonged period, despite repeated requests by the individual to do so, and that it failed to maintain the security of the individual’s personal information. The complainant informed us that he had repeatedly asked AIB to update his address details but that it had failed to do so. As a result, his correspondence from AIB continued to be sent to a previous address. The complainant alleged that, arising from the failure of AIB to update his address, his correspondence containing his personal data, which was sent to his previous address by AIB, was disclosed to unknown third parties at this previous address.

We commenced an investigation of the matter by writing to AIB, outlining the details of the complaint. AIB confirmed to us that, due to a breakdown in internal processes, the complainant’s correspondence address had not been updated on all its systems in a timely manner, resulting in automated arrears letters continuing to issue to an old address.

In circumstances where AIB had been advised that the complainant had changed address, our investigation was satisfied that its continued sending by post or delivering by hand of correspondence intended for the complainant to the previous address failed to secure the complainant’s personal data against unauthorised access by parties who had access to the letterbox at the previous address.

Efforts to resolve the complaint by means of an amicable resolution were unsuccessful and the complainant sought a formal decision. In her decision, the Commissioner formed the opinion that AIB contravened Section 2(1)(b) of the Data Protection Acts 1988 and 2003 by failing to keep the complainant’s personal data up to date. This contravention occurred when AIB failed to remove the complainant’s previous address from his account despite notification from him to do so. The Commissioner also formed the opinion that AIB contravened Section 2(1)(d) by failing to take appropriate security measures against unauthorised access to the complainant’s personal data by sending correspondence by post and by hand delivery to an address at which he no longer resided, while knowing that this was no longer his residential address.

This case demonstrates the need for all data controllers to ensure that personal data is kept accurate and up-to-date at all times. Failure to do so may result in the disclosure of personal data to unauthorised persons as well as unnecessary distress and worry for data subjects who have updated the data controller with the most accurate information, only to find that the necessary safeguards were not in place to prevent their personal data being compromised by use, as in this case, of a previous address.

Case Study 12: Unfair use of CCTV data

The subject matter of this complaint was the use by the data controller of CCTV footage in a disciplinary process involving one of its drivers. The data controller, Aircoach, advised that it was reviewing CCTV footage from one of its coaches as part of dealing with an unrelated customer-complaint issue when it happened to observe a driver using her mobile phone while driving a coach.

As is often the case with such complaints, the complainant objected to the use of the CCTV footage as evidence in a disciplinary process that was taken by Aircoach against her, the basis of the objection being that it was unfairly obtained.

Aircoach informed us that it had introduced CCTV across its fleet in order to further enhance safety and security for both staff and customers. It further advised that all staff are informed that CCTV is installed and of the reasons behind its use, but admitted that it was not until the middle of 2014 that significant efforts were made to fully inform both staff and customers as to the presence of CCTV on its coaches. Aircoach provided us with a copy of its new CCTV policy and it also provided us with photos showing the CCTV signage on the coach entrance doors, adding that the process of putting appropriate signage in place on its coaches commenced in January 2014 and was concluded by October 2014.

The law governing the processing of personal data, including CCTV images, is provided for under Section 2 of the Data Protection Acts 1988 and 2003. Processing includes, among other things, the obtaining and use of personal data by a data controller and it must be legitimate by reference to one of the conditions outlined under Section 2A(1) of the Acts. In addition, a data controller must also satisfy the fair-processing requirements set out under Section 2D(1) of the Acts, which requires that certain essential information is supplied to a data subject before any personal data is recorded.

The investigation in this case established that, at the time of the relevant incident on 19 February 2014, the roll-out of CCTV signage by Aircoach had commenced; however, the company failed to properly or fully inform staff that CCTV footage might be used in disciplinary proceedings. Any monitoring of employee behaviour through the use of CCTV cameras should take place in exceptional cases rather than as a norm and must be a proportionate response by an employer to the risk faced, taking into account the legitimate privacy and other interests of workers. In this case, when processing the complainant’s image, Aircoach was not aware of any particular risk presented and, by its own admission, was investigating an unrelated matter. While it subsequently transpired that the incident in question was indeed a very serious matter, involving alleged use by a driver of a mobile phone while driving, there was no indication at the time of the actual processing that this was the case and the processing therefore lacked justification. In addition, the fair-processing requirements set out in Section 2D were not fully met and fair notice of the processing for the specific purpose of disciplinary proceedings was not given to drivers whose images might be captured and used against them. In those circumstances, the processing could not be said to have been done in compliance with the Acts and the Commissioner found that Section 2(1)(a) had been contravened.

It is important to note that the processing of CCTV images in disciplinary proceedings against an employee is very much circumstance-dependent. Thus, while on this occasion the employer was found to have been in contravention of the Acts because the images were processed without justifiable cause or fair notice to the employee in question, in other circumstances the processing might be regarded as being proportionate and fair, especially if the processing is done in response to an urgent situation and the employer has the correct procedures in place. Employers should therefore be careful to ensure that a comprehensive CCTV policy is in place and followed if they wish to stay within their legal obligations.

  • Prosecutions: Private Investigators
  • Prosecutions: Marketing Offences
  • Excessive Data Collection by An Post
  • Disclosure of Employee Salary Details by the HSE
  • Excessive Data Collection by a Letting Agency
  • Disclosure of Financial Information by a Credit Union
  • Complaint of Disclosure by Permanent TSB Not Upheld
  • Patient Denied Right of Access by SouthDoc
  • Excessive Data Collection by the Department of Agriculture
  • Personal Data Disclosed by County Council
  • Eircom Fails to Meet Statutory Timeframe for Processing Access Request
  • Third-Level Student Data Appeared on Third-Party Website
  • Data Controller Discloses Personal Data to Business Partner
  • Employee of Financial Institution Resigns Taking Customer Personal Data
  • Theft of Unencrypted Laptop
  • Compromise of Adobe Network

Case Study 1: Prosecutions: Private Investigators

This Office initiated prosecutions in the private investigator/tracing-agent sector for the first time in 2014. These prosecutions arose from a detailed investigation that commenced in the summer of 2013. Arising from audits carried out in a number of credit unions at that time, the Office became concerned about the methods employed by some private investigators hired by credit unions to trace the current addresses of members who had defaulted on their loans. The Office launched a major investigation to identify the sources from which the private investigators had obtained the current address data. This investigation involved a wide range of public bodies and private companies. As a result of our findings, the Office established that personal data on databases kept by the Department of Social Protection, the Primary Care Reimbursement Service of the Health Service Executive, An Garda Síochána and the Electricity Supply Board had been accessed unlawfully and the information was disclosed thereafter to credit unions. Details of the prosecutions that ensued are as follows:

M.C.K. Rentals Limited and its Directors

M.C.K. Rentals Limited (trading as M.C.K. Investigations) was charged with 23 counts of breaches of Section 22 of the Data Protection Acts 1988 and 2003 for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Department of Social Protection (7 cases) and by the Primary Care Reimbursement Service of the Health Service Executive (16 cases). In all cases, the personal data was disclosed to various credit unions in the state.

The two directors of M.C.K. Rentals Limited, Ms Margaret Stuart and Ms Wendy Martin, were separately charged with 23 counts of breaches of Section 29 of the Data Protection Acts 1988 and 2003 for their part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, the company directors or other officers.

At Bray District Court on 6 October 2014, M.C.K. Rentals Limited pleaded guilty to five sample charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court convicted the company in respect of each of the five charges and it imposed a fine of €1,500 per offence. Company Secretary and Director Ms Margaret Stuart pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Stuart in respect of that offence and imposed a fine of €1,500. Company Director Ms Wendy Martin pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Martin in respect of that offence and it imposed a fine of €1,500.

This was the first occasion on which company directors were prosecuted by the Data Protection Commissioner for their part in the commission of data-protection offences by their company, and the proceedings in this case send out a strong warning to directors and other officers of bodies corporate that they may be proceeded against and punished in a court of law for criminal offences committed by the body corporate.

The investigation of this company uncovered wholesale and widespread “blagging” techniques used by the offenders, and this was the first prosecution by the Data Protection Commissioner of offenders engaged in such practices. The findings of the investigation carried out in this case expose the constant threat to the security of personal data that is in the hands of large data controllers and the vigilance that is required by front-line staff at all times to prevent unlawful soliciting of personal data, in particular by means of telephone contact, by unscrupulous agents. Data controllers across the state should regularly review their data-protection procedures to maximise the effectiveness of their security protocols in order to counter such criminal activity. They must ensure that all staff, and particularly those at the front line who handle telephone calls, are fully trained in the security protocols in order to be able to recognise and deal with the threat of information blagging or pretext calling if it arises.

Michael J. Gaynor

Michael J. Gaynor (trading as MJG Investigations) was charged with 72 counts of breaches of the Data Protection Acts 1988 and 2003. Twelve charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Electricity Supply Board (9 cases) and by An Garda Síochána (3 cases). In all cases, the personal data was disclosed to various credit unions in the state. A further 60 charges related to breaches of Section 16(2) of the Data Protection Acts in respect of the processing of personal data of a number of individuals in circumstances where no entry in respect of the accused was recorded in the public register maintained by the Data Protection Commissioner. Mr Gaynor is a former member of An Garda Síochána.

On 25 November 2014, at Dublin Metropolitan District Court, Michael J. Gaynor was convicted on two charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court imposed a fine of €2,500 in each of these two charges. Separately the defendant pleaded guilty to 69 charges (60 of which related to breaches of Section 16(2)) and these were taken into consideration in the sentence imposed.

This was the first prosecution to be completed by the Data Protection Commissioner of a data processor for processing personal data without having registered as a data processor on the public register of the Office of the Data Protection Commissioner. The investigation in this case uncovered access by the defendant to customer data held on databases held by the Electricity Supply Board. To access the personal data, the defendant used a staff contact in the Electricity Supply Board, which he had established during his previous Garda career.

These prosecutions send a strong message to private investigators and tracing agents to comply fully with data-protection legislation in the conduct of their business, and that if they fail to do so they will be pursued and prosecuted for offending behaviour. They also serve to remind all companies and businesses who hire private investigators or tracing agents that they have onerous responsibilities under the Data Protection Acts to ensure that all tracing or other work carried out on their behalf by private investigators or tracing agents is done lawfully. Specifically, in this regard, those operating in the credit union, banking, financial services, legal and insurance sectors should review their engagement of private investigators and tracing agents to ensure they have fully safeguarded all personal data against unlawful forms of data processing.

These investigations uncovered serious issues in relation to the hiring of private investigators or tracing agents by credit unions, particularly in respect of a lack of awareness on their part of how the private investigators were tracing members and, in some cases, in relation to the disclosure of PPS numbers by credit unions to private investigators. This Office has pursued all of these issues with the credit unions concerned and with their representative bodies in recent months. In addition, we have undertaken a range of follow-up work with the Department of Social Protection, the Health Service Executive, An Garda Síochána and the Electricity Supply Board on the implications of the data-security breaches that occurred in their organisations and on the measures required to deal with those breaches and to prevent a recurrence. This Office welcomes the fact that the Private Security Authority has proposed the introduction of regulation of private investigators.

Case Study 3: Prosecutions: Marketing Offences

Pure Telecom Limited

We received a complaint in March 2013 from an individual who received two marketing phone calls from Pure Telecom Limited on his landline telephone. The individual’s telephone number was listed on the National Directory Database opt-out register. It is an offence to make a marketing call to a telephone number listed on that register.

Pure Telecom Limited informed our investigators that it used the services of a third-party representative to make the marketing calls and it explained that the agent sourced the individual’s number themselves rather than using marketing data provided by Pure Telecom Limited. The company admitted that the third-party agent did not have consent to contact the complainant for marketing purposes.

At Dublin District Court on 3 February 2014, Pure Telecom Limited pleaded guilty to two charges concerning breaches of Regulation 13 (5)(b) of S.I. 336 of 2011 relating to two marketing phone calls to a phone number listed on the opt-out register. The Court imposed a conviction in respect of both charges and a fine of €500. It further ordered payment of the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had a previous conviction from 2010 for a similar offence.

Next Retail Limited

In February 2013, this Office received a complaint from an individual who received a number of unsolicited marketing emails from Next Retail Limited after she requested the company not to send her any more such emails. The complainant claimed to have unsubscribed firstly by using the unsubscribe link that was provided in a marketing email sent by the company and, following this, in four separate emails to the company requesting not to be contacted with marketing emails again.

Next Retail Limited informed our investigators that, as it no longer used the services of the company that it had engaged to process unsubscriptions, it was unable to explain what happened to the first unsubscribe request. With regard to the emails containing unsubscribe requests, the company confirmed that they did reach its complaints inbox but it was unable to trace where the emails went afterwards.

At Dublin District Court on 3 February 2014, Next Retail Limited pleaded guilty to two charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 relating to the sending of two unsolicited marketing emails without consent. The Court imposed a conviction in respect of one charge, with the second charge taken into consideration. A fine of €100 was imposed. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

Next Retail Limited subsequently appealed the severity of the sentence. On 19 March 2014, the Circuit Court affirmed the conviction and penalty previously imposed by the District Court and it noted the appellant’s intention to discharge the Data Protection Commissioner’s reasonable costs for the appeal.

Airtricity Limited

In May 2013, this Office received a complaint against Airtricity Limited from a person who received an unsolicited marketing phone call on his landline telephone, which was listed on the National Directory Database opt-out register. The complainant informed us that the purpose of the marketing call was to encourage him to switch energy supplier to Airtricity.

In response to our investigation, Airtricity admitted that the phone call had been made by a third-party contractor acting on its behalf. It explained that the error occurred when an old PC, on which the 2009 phone book was installed, was re-commissioned by the contractor. A spreadsheet containing the complainant’s phone number was still on the old PC and this led to the number being dialled in error.

At Dublin District Court on 3 February 2014, Airtricity Limited pleaded guilty to one charge concerning a breach of Regulation 13(5)(b) of S.I. 336 of 2011 relating to one marketing phone call to a phone number listed on the opt-out register. The Court imposed a conviction in respect of the charge and a fine of €75. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.

The Carphone Warehouse Limited

In March 2013, we received a complaint from a customer of The Carphone Warehouse Limited after he received marketing text messages from the company despite having ticked the marketing opt-out box when he had previously made a purchase in one of its stores. The company informed our investigators that a systems error resulted in the customer being incorrectly included in its marketing list.

In April 2013, we received a complaint from another customer of The Carphone Warehouse Limited who received regular offers by text message from the company even though he had called the company on at least three occasions, asking that it stop. The company told our investigators that its system temporarily did not recognise the customer’s preference not to receive marketing due to an internal issue within the electronic filter process and this resulted in the customer’s phone number being accidentally selected for marketing campaigns.

At Dublin District Court on 3 March 2014, The Carphone Warehouse Limited entered a guilty plea in respect of five charges concerning breaches of Regulations 13(1) and 13(4) of S.I. 336 of 2011. The court imposed convictions in respect of four charges, with the fifth charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had two previous convictions from 2012 in relation to the sending of unsolicited marketing emails.

Valterous Limited (trading as Therapie Clinic and/or Therapie)

A former customer of Valterous Limited (trading as Therapie Clinic and/or Therapie) complained to this Office in June 2013 after receiving an unsolicited marketing text message despite having opted out of receiving such communications over three months earlier. Therapie explained to our investigators that the complainant’s contact details were on systems in two branches and that when the opt-out request was made the company removed their details from one database and did not realise they were also on another one, thus leading to a further unsolicited text message being sent to the same contact number.

In July 2013, we received a complaint from another former customer of Therapie who had received marketing text messages on several occasions. The complainant informed us that she sent a text message to opt out but the company continued to send her further marketing text messages. Our investigation found no evidence that Therapie had obtained consent at any time for the sending of marketing text messages to this individual. In relation to the sending of text messages after the former customer had opted out, Therapie explained that the individual should have texted the word “STOP” rather than the word “OPTOUT” at the time of attempting to opt out of the marketing database. We did not accept this as a valid excuse as the opt-out instruction on the marketing text message sent to the individual read “OptOut:086.......”.

At Dublin District Court on 3 March 2014, Valterous Limited (trading as Therapie Clinic and/or Therapie) pleaded guilty in relation to three charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 concerning the sending of unsolicited marketing text messages without consent. The Court imposed convictions in respect of two charges, with the third charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to pay the prosecution costs of the Data Protection Commissioner. The Court was told that in 2012 Therapie Laser Clinics Limited (trading as Therapie Clinic and/or Therapie) was convicted for two offences in relation to the sending of unsolicited marketing text messages.

Case Study 4: Excessive Data Collection by An Post

This Office received two complaints from members of the public concerning new requirements that were introduced in November 2013 by An Post in relation to direct-debit applications for payment of TV licence fees. A mandatory requirement was introduced to provide a recent bank statement with the direct-debit application and mandate form. An Post’s TV licence website explained that a copy of a bank statement was required to verify the bank-account details provided by the licensee for payment of their TV licence fee. It went on to state that the bank statement must show the BIC, IBAN and the full name and address of the bank-account holder. The complainants argued that requesting a copy of confidential financial information that appears on bank statements was excessive.

We investigated these complaints with An Post. By way of background, An Post explained that the new SEPA regulations impose significant new obligations on direct-debit originators such as An Post with the TV Licence Direct Debit Scheme. It said that the commercial risk attached to accepting direct debits is now the sole responsibility of An Post and therefore An Post has to verify the direct-debit details supplied by the customer. It stated that An Post does not have proof that the bank-account details exist, are accurate or that the account is owned by the person stated on the mandate. Accordingly, it developed its new bank-detail verification process to check the mandate details supplied, and in that new process it seeks extra documentation to verify that the bank-account details supplied by the applicant are accurate, complete and up to date. It also pointed out that it cannot process a direct-debit application without having valid BIC and IBAN numbers in respect of the account on which the direct debit is drawn. An Post indicated that, further to our correspondence, it had decided that customers who choose direct-debit payment are no longer required to submit details of their bank balances.

We considered the matter further and we advised An Post that applicants should either be allowed to submit a copy of only the portion of the bank statement containing the name, address, BIC and IBAN numbers or they should be allowed to blacken out all of the transaction information on any copies supplied. An Post agreed to implement our advice. It amended its TV licence direct-debit application form to include the following text: “You should ensure that financial transactions on your bank statement are fully masked or removed before you attach it to your application. All bank statements are destroyed once the first successful payment has gone through.” An Post also amended its website to reflect this change and to clarify that it does not require the balance on the bank statement to be shown. We were satisfied with the changes implemented by An Post and with the manner in which it dealt with the matter expeditiously once we had drawn it to its attention.

Organisations that seek copies of bank statements for purposes such as proof of current address, as a verifier of identity or other similar issues should bear in mind that such documents contain a range of financial information that is private to the individual to whom it relates. As a general rule, individuals must be permitted to blacken out or otherwise mask those financial details and transactions as they are irrelevant for the purposes of address verification, etc. This case study should serve as a reminder to organisations to consider all the implications and the potential to collect an excessive amount of personal data in circumstances where they seek copies of bank statements from customers or clients.

Case Study 5: Disclosure of Employee Salary Details by the HSE

An employee of the Health Service Executive (HSE) complained in March 2014 concerning the alleged disclosure on two occasions of his salary details to his ex-wife. He informed us in his complaint that the matter came to his attention when his ex-wife went to court in the summer of 2013 in relation to maintenance issues, and in court she provided exact details from his payslips. In December of the same year, his ex-wife went back to court for a review of maintenance and on that occasion she produced a copy of his P60 along with his salary details for the previous four months.

We commenced an investigation of the matter by writing to the HSE. In response, the HSE accepted that on two separate occasions, in May 2013 and in November 2013, personal data relating to its employee was disclosed to a third party without his consent. It acknowledged that there was no legal basis for the disclosure of the personal data. It stated that it established who, within the HSE, made the first disclosure but it was not possible to establish who made the second disclosure. It explained that its payroll department had received a number of court orders directing the HSE to make maintenance payments to its employee’s ex-wife. It stated that numerous queries were raised by a firm of accountants and tax professionals called Accountax on behalf of its employee’s ex-wife. Those queries sought clarifications with regards to the payments made. It went on to state that, in relation to the first breach, a specific request was made seeking a copy of its employee’s most recent payslip showing the maintenance deductions from January 2013 to date. The HSE admitted that the requests for constant updates regarding maintenance payments ultimately resulted in the unauthorised disclosure of its employee’s personal data. The HSE accepted that in hindsight the only data that should have been released by its payroll department to its employee’s ex-wife (or to a person acting on her behalf) was a summary of payments made that related to the court orders.

We informed the HSE that we considered that the Data Protection Acts were breached when the personal data of its employee was disclosed to a third party without his consent. The HSE indicated that it wished to pursue an amicable resolution to the complaint and, to this end, it enclosed a letter of apology for the complainant. The data subject considered the letter of apology and he decided that he did not wish to accept it, opting instead to seek a formal decision of the Data Protection Commissioner on his complaint.

A decision of the Data Protection Commissioner was issued in August 2014. In his decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 on two occasions by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. These contraventions occurred in May 2013 and in November 2013 when the HSE disclosed his personal information to a third party. Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 provides that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. In this case, the HSE acknowledged that on two separate occasions the personal data was disclosed to a third party without the consent or knowledge of the data subject. Such disclosures constitute further processing of personal data.

Case Study 6: Excessive Data Collection by a Letting Agency

In July 2014, a prospective tenant complained about the collection of bank details, PPS numbers and copies of utility bills by a letting agency when applying to rent a property. The complainant stated that this information was in addition to the usual material, such as previous landlord’s reference, which one would expect to submit at application stage. She stated that she believed that if she did not supply all of the sought data up-front, her application would not be seriously considered by the letting agency. The complainant said that the practice of collecting such a broad range of personal data forces prospective tenants who are desperate to rent a property to submit this personal information at application stage even though they do not know if their application will be successful. She pointed out that the majority of applications are unsuccessful given the high demand for a limited supply of available rental properties in the Dublin area.

We commenced an investigation of the matter with the letting agency concerned, seeking an explanation for the collection of such a broad range of personal data at application stage. In response, the letting agency said that it requested PPS numbers from applicants because this verifies that they are entitled to work in the state, and that bank details are required to show that a tenant has a bank account because they would be ineligible if they were not able to pay rent through a bank account. We told the letting agency that we could not see any basis for collecting bank details, PPS numbers or copies of utility bills at application or property-viewing stage and we urged it to cease the practice immediately. We questioned the letting agency further about using the PPS number to verify the applicant’s work status. It replied to the effect that the main reason it requests PPS numbers is that it is required for the Private Residential Tenancies Board (PRTB) registration form and it said that it cannot register a tenant without it. It went on to say that it is only an added assurance that the applicant is working and it stated that it does not verify the PPS number.

We accepted that personal data concerning bank details, PPS numbers and utility bills could be requested once the applicant had been accepted as a tenant. In October 2014, the letting agency confirmed, following our investigation, that it had ceased the requesting of this personal data prior to the property being let and it undertook that it would only request this information once the tenant had been accepted. The complainant informed us that she was very satisfied with the outcome of her complaint.

This case study is a classic example of the temptation of some data controllers to collect a whole range of personal data in case they might need it in the future. In this case, the letting agency collected a significant amount of personal data from every applicant who expressed an interest in renting a property even though, at the end of the process, only one applicant could be accepted as the new tenant and it was only in the case of that successful applicant that the full range of personal data was required. Section 2(1)(c)(iii) places an obligation on data controllers to ensure that personal data which they process is adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or further processed. Data controllers must be mindful of this requirement and abide by it despite the temptation, for convenience or other reasons, to embark on an unnecessarily broad data collection exercise.

Case Study 7: Disclosure of Financial Information by a Credit Union

A member of a credit union complained in 2013 in relation to the alleged disclosure of his loan and savings information by the credit union to his daughter. By way of background, the complainant explained that he was a guarantor on a credit union loan to his daughter. He received a letter from the credit union to inform him of difficulties that his daughter was experiencing with her loan. The purpose of the letter was to call on him, as the loan guarantor, to pay the balance of monthly repayments. He outlined that the letter was addressed to him and that it contained his membership number along with his savings and loan details, including balance outstanding. Soon afterwards, his daughter called to his house with a copy of the same letter as the credit union had also sent it to her. The complainant said that he considered this disclosure of his financial information to be a gross violation of his privacy.

We investigated the matter with the credit union concerned. It explained that the error that led to the disclosure occurred when the letter to the guarantor was issued under the guarantor’s membership number and not under the membership number of his daughter, whose loan it referred to. It explained that the computer system automatically brings across the account details of the membership number keyed in. The credit union admitted that a member of its credit-control staff inadvertently typed the letter under the guarantor’s membership number and, as a result, his account details were printed on the letter.

The credit union proposed that, as a means of trying to reach an amicable resolution of the complaint, it would issue a letter of apology to the guarantor. It also carried out staff training in regard to issuing letters to members, in particular letters to guarantors, and it re-circulated its data-protection policy to all staff. The complainant considered the offer and rejected it. He sought a formal decision of the Data Protection Commissioner on his complaint.

In April 2014, a decision issued to the complainant. In his decision, the Commissioner formed the opinion, following the investigation of the complaint, that the credit union contravened Section 2(1)(d) of the Data Protection Acts by providing details of the complainant’s membership account to a third party by means of a letter that was copied to the third party. Section 2(1)(d) obliges data controllers, among other things, to take appropriate security measures against unauthorised disclosure of personal data.

This case highlights the serious consequences for the complainant concerned arising from what appeared to be an innocuous error on the part of the staff member typing a letter for the complainant on his own account rather than on the account of his daughter, to whom the subject matter of the letter related. It serves as a reminder to data controllers generally to keep data-protection awareness to the forefront, with regular staff training for those whose work involves any form of data processing.

Case Study 8: Complaint of Disclosure by Permanent TSB Not Upheld

A complaint from a customer of Permanent TSB alleged that the bank had violated the Data Protection Acts by discussing their accounts and personal details with a third party, the complainant’s tenant, thereby causing financial loss and stress.

We investigated the allegation with Permanent TSB. In response, the bank informed us that it had made no contact with residents in the properties concerned to discuss the mortgage account details of the complainant concerned. It further stated that all telephone calls received from the tenant concerned had been listened to and at no time did any staff member discuss the details of the mortgage account with her. As part of our investigation we sought a copy of the recordings of phone calls that took place between Permanent TSB and the tenant. We listened to the call recordings and we were satisfied that no personal data relating to the complainant was passed to the tenant during the phone calls with Permanent TSB. Instead, the tenant was repeatedly told that Permanent TSB could not discuss anything with her without the written authority of the account holder. In one instance, the tenant offered to give her contact number to Permanent TSB but she was informed that it was not required as Permanent TSB would not be contacting her. This Office’s investigation found no evidence that Permanent TSB disclosed any personal data relating to the complainant to the third party concerned.

In a separate aspect to the same complaint, it was alleged by the complainant that Permanent TSB had sent correspondence to a previous residential address after it had been notified of a change of address. The complainant supplied us with a copy of a letter sent by them in August 2011 notifying the bank of the new address for correspondence and we were also supplied with copies of letters sent by Permanent TSB to the previous address after that date. In response to our investigation of this matter, Permanent TSB confirmed that it had received the August 2011 letter, which notified it of the new address, but it could offer no explanation as to why its systems had not been updated at that time to reflect this. It informed us that it was not until it received a further letter in January 2012 that the system was updated. To assist with trying to resolve the complaint, the bank offered a goodwill gesture as an acknowledgement of the delay encountered and of any stress the delay may have caused, but this was rejected by the complainant.

The complainant sought a formal decision on the complaint. With regard to the failure to update the contact address, having been requested to do so in August 2011, the Commissioner formed the opinion that Permanent TSB contravened Section 2(1)(b) of the Data Protection Acts. This section obliges data controllers to comply with the requirement to keep personal data accurate and up to date.

With regard to the allegation of disclosure of the complainant’s personal data to a tenant, the Commissioner was unable to form the opinion that a contravention of the Data Protection Acts occurred in this instance.

Case Study 9: Patient Denied Right of Access by SouthDoc

We received a complaint in June 2014 from a firm of solicitors whose client had made an access request in May 2014 to the Practice Manager at South West Doctors-On-Call Limited (trading as SouthDoc) seeking a copy of his medical notes. In response to the access request, SouthDoc replied to the solicitors, stating that they are advised to contact the patient’s own GP, who holds a complete record for the patient. The solicitors wrote back to SouthDoc, pointing out that the access request was made to SouthDoc and that it was a separate request to any request their client may make to his own GP. The solicitors pointed out that SouthDoc was obliged to comply with the request. In submitting the complaint to this Office, the solicitors informed us that SouthDoc had not replied to their latest letter but had returned it to them unanswered.

We began an investigation by writing to SouthDoc. It responded by return post, indicating that the request for medical records had now been dealt with. Soon afterwards, the solicitors for the complainant supplied us with a copy of a letter they had received from SouthDoc stating that, further to the access request, the patient’s records had been forwarded to his own GP. The solicitors pointed out that SouthDoc had not complied with the access request as it was their client who requested the records, and it was not sufficient for SouthDoc to give them to his GP. We wrote to SouthDoc again, seeking an explanation. A few days later we received from SouthDoc a copy of a letter that it had issued to the patient’s solicitors, enclosing a copy of the patient’s medical records. We then concluded our investigation.

There are a number of after-hours or on-call service providers such as SouthDoc in operation in Ireland, all of which provide an essential medical service for the general public. In doing so, these service providers collect and process both personal data and sensitive personal data (data relating to the physical or mental health of the attending patient). For the purposes of data protection, it is important that patients and service providers understand that when a patient attends one of those services, they provide their personal data to an organisation (data controller) that is entirely separate to their usual GP practice. Accordingly, the records created by the service provider in respect of the patient’s attendance and treatment are new records in respect of which the service provider is the data controller. For that reason, the patient has a right to access those records directly from the service provider by making an access request for a copy of them. This right of access to the records of the service provider exists whether or not the service provider passes on details of the patient’s attendance and treatment to the patient’s GP. Furthermore, the service provider is obliged to supply a copy of the personal data directly to the requesting patient (or to the solicitor acting on his behalf, as in the above case) rather than to the patient’s own GP. (Access to medical records is subject to the provisions of S.I. 82 of 1989, which prohibits the supply of data to a patient in response to an access request if that would cause harm to his or her physical or mental health.)

Case Study 10: Excessive Data Collection by the Department of Agriculture

An individual complained to this Office about new requirements introduced by the Department of Agriculture to produce bank-account details in relation to registering premises to comply with the Diseases of Animals Act 1966–2001. He explained that horse owners are required to register the premises in which horses are kept with the Register of Horse Premises and he said he had no difficulty with that requirement. However, he objected to being asked to supply his bank-account details and he pointed out that there was no possibility of this information being needed by the Department as there were no schemes or grants that entitle horse owners to payment. He told us that he and his wife each own a horse and that both horses are kept purely for pleasure purposes. He said that he had expressed his concerns directly to the Department initially but the Department continued to insist that he submit bank details.

We sought an explanation from the Department of Agriculture. In its response, the Department referred to the government’s drive towards e-commerce and the fact that government departments can no longer issue payable orders. It said that payments due by the Department can only be made by way of electronic fund transfer to a bank account. Accordingly, all clients of the Department in receipt of payments are asked to supply bank details as a prerequisite for entry onto the Department’s Corporate Customer System. It said that as most of the Department’s clients are in receipt of payments or could potentially receive payments, it was decided that all new clients (applicants), including those who exceptionally might not currently qualify for payments, would be asked for their bank-account details.

We referred the Department to the provisions of Section 2(1)(c)(iii) of the Data Protection Acts, which places a requirement on data controllers to ensure that personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is collected. We pointed out that the principle established by this provision required that personal data should be collected when required and not on the basis that it might be required at some future point. We received confirmation from the Department in February 2014 that the practice of seeking bank details in anticipation of possible future payments had ceased. We were informed that an information notice had been issued to staff, stating that customer bank details are required only where a customer will be in receipt of payments from the Department.

The complainant in this case raised a very valid complaint with this Office, having failed to resolve the matter directly with the Department himself. Insufficient thought appears to have been given at the outset to the concept of requiring bank details from every customer or potential customer of the Department – whether that information was needed or not. More disappointingly, however, was the fact that the Department did not review the situation and fix it after this individual drew the Department’s attention to his circumstances and the circumstances of others who keep horses for pleasure purposes – pointing out that the Department would never need to use his bank-account details as he was not an applicant for a scheme or grant. In the end, it took the intervention of this Office to persuade the Department to cease seeking excessive personal data and to comply with the principle that data collection shall be adequate, relevant and not excessive.

Case Study 11: Personal Data Disclosed by County Council

In April 2014, we received a complaint from an individual who alleged that her private email address was disclosed to third parties without her permission by Dun Laoghaire Rathdown County Council. The complainant had made a submission to the county council in respect of a local area plan. She found out about the disclosure when one of the parties to whom her email address had been disclosed made an unsolicited contact with her using her email address. She indicated that she was worried as she did not know how many people were in possession of her private email address as a result of the disclosure.

We commenced an investigation by writing to Dun Laoghaire Rathdown County Council. In response, the county council by way of background explained that it supplies notices, agendas and minutes of its meetings to parliamentary representatives in accordance with Local Government Act 2001 (Section 237A) Regulations 2003.

It went on to state: “It has been the practice of this Authority heretofore to supply copies of all reports that issue with these agenda, as this is how the agenda issues to our councillors. In accordance with the Planning and Development Act 2000 [as amended], Section 20(3)(c)(ii), a Manager's Report for a Local Area Plan must list the persons who made submissions or observations. In all cases a list of submitters is prepared, for internal use and file, which includes necessary contact details, home address and email address. It is our standard practice, however, to remove the email addresses before circulation to councillors. The home addresses are left on as councillors wish to see who in their constituency made a submission. In this case we inadvertently included the email and home addresses with the list of submitters. This was an error on our part, and not standard practice. What has been placed on our website, however, is the list without the contact details. In order to prevent a recurrence of this, we have reminded all staff not to include the contact details of submitters in reports which are circulated to councillors or placed on the website. Additionally, although as mentioned above the list that went to councillors usually contained the submitter's address for the councillors’ information, we will not include either home address or email address in any reports issuing to councillors. In addition to the above, and to further prevent the inadvertent release of personal information, the Council will cease the practice of issuing reports with the agenda which are supplied to parliamentary representatives.”

The county council stated that it had issued a revised report, with all of the personal contact details removed, to all of the recipients and it asked that they delete the original version. The county council concluded by saying that in this case the information was disclosed accidentally and it said that it would endeavour to ensure that there will be no repeat of this incident by adhering to its standard procedure and by reminding all staff concerned of those procedures.

The complainant sought a formal decision on her complaint.

Section 2(1)(c)(ii) of the Data Protection Acts provides that personal data shall not be further processed in a manner incompatible with the purpose for which it was obtained. The data controller in this case, Dun Laoghaire Rathdown County Council, explained to our investigation that in accordance with the Planning and Development Act 2000, a County Manager's Report for a Local Area Plan must list the persons who made submissions or observations. The data controller further stated that in all cases a list of submitters is prepared for internal use, which includes contact details, home address and email address, and that it is its standard practice to remove the email addresses from this list before circulation to councillors. However, it was clear that in this particular instance the email addresses of the submitters were not removed from the circulated list. In making his decision, the Commissioner formed the opinion that Dun Laoghaire Rathdown County Council contravened Section 2(1)(c)(ii) of the Data Protection Acts. This contravention occurred by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained when her email address was disclosed by Dun Laoghaire Rathdown County Council via the circulation of a report to county councillors, TDs and senators in relation to a local area plan.

Case Study 12: Eircom Fails to Meet Statutory Timeframe for Processing Access Request

A staff member of Eircom submitted a complaint to this Office in relation to the alleged failure of Eircom to comply with an access request submitted by him to the company in September 2013. In his access request, he specifically requested a copy of a particular letter that was sent on a date in February 2013 to Eircom's Chief Medical Officer.

We commenced the investigation of the complaint and we asked Eircom to respond to the access request without further delay. We were informed by Eircom that it had already provided the data subject with a copy of the letter that was the subject of his access request, and it subsequently provided us with a copy of its response to an access request. However, on further inspection of Eircom's response to that access request, it was unclear to us whether the response related to the particular access request that was the subject of the current complaint, as the response had issued to the data subject prior to the date of his access request. We asked Eircom to review the matter. Eventually, on 2 May 2014, we received an email from Eircom enclosing a copy of the response of that date to the data subject’s access request of 22 September 2013, supplying a copy of the document that the data subject had sought access to.

The complainant asked for a formal decision of the Data Protection Commissioner on his complaint. In making his decision, the Commissioner formed the opinion that Eircom Limited contravened Section 4(1)(a) of the Data Protection Acts by failing to supply the data subject with a copy of his personal data in response to his access request submitted on 22 September 2013 within the statutory period of 40 days. This contravention occurred when Eircom Limited released a copy of the data subject’s personal data to him on 2 May 2014 – which was outside the statutory period of 40 days.

As outlined elsewhere in this annual report, over half of the complaints received by this Office in 2014 were made by data subjects who experienced difficulties in accessing their personal data. One common theme that emerges in many of these complaints is lateness on the part of the data controller in processing the access request. The Acts lay down a period of 40 days for compliance with an access request and if this is not met, as in the case outlined above, the data controller contravenes the Data Protection Acts. The Office of the Data Protection Commissioner is very concerned about the prevalence of this particular contravention. In some instances, the data controller fails to even acknowledge receipt of the access request within the 40-day period. This means that the requester has no idea whether their access request is being dealt with or ignored. There have been many instances where the data controller has taken no action whatsoever in terms of processing the access request until this Office commences an investigation on foot of receiving a complaint from the data subject. Clearly, that is an undesirable situation. Data subjects have a statutory right to access their personal data held by a data controller by the simple means of submitting an access request, and the data controller has a statutory obligation to comply with that request within 40 days. A data subject should not have to resort to the extra step of lodging a complaint with the Office of the Data Protection Commissioner in order to have their statutory right of access enforced. Unfortunately, as the complaint statistics reveal, far too many data subjects are experiencing barriers and access-denying tactics on the part of data controllers.

In the above case, the data subject’s right of access was severely delayed. There is no justification for such a lengthy delay in any circumstances. Such a delay is particularly unacceptable in a situation where the requester simply sought a copy of personal data contained in one relatively recently created letter and where the data controller is a large telecommunications company that is well aware of the Data Protection Acts and receives and processes subject access requests on a regular basis. Eircom is the subject of several data-protection complaints every year across a range of issues, many of which relate to access requests. The Office of the Data Protection Commissioner expects to see a marked improvement in that company’s data-protection performance in the near future, particularly in the context of processing subject access requests in a timely manner.

Case Study 13: Third-Level Student Data Appeared on Third-Party Website

The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification alerted the Office to the fact that data relating to a large number of students had been discovered on a website that was unrelated to the data controller. The data related to the 2010 academic year.

The Office began an investigation of the matter. The data controller advised the investigation team that the information disclosed on the website included the name, email address and password of the student. The investigation team confirmed that there was no financial or sensitive data involved.

The data controller engaged an external security company to carry out its own investigation into the security breach.

Due to the passage of time, there were no server logs showing when or by whom the data had been uploaded to the website. However, the data controller was able to identify that the data published matched a file created for testing purposes in mid-2011. This file was then sent to a third-party service provider who was engaged in developing a management system for the data controller. The file was sent via unsecured email.

The third-party service provider informed the data controller that while there was a relationship between their staff and the website on which the data was published, they had conducted a very thorough review of the matter and could find no evidence to show that the file had been posted onto the website due to an act or omission on their part.

Our evaluation of the information showed that the data controller, when creating student accounts, assigned every student the same kind of predictable default password: the student's date of birth. While students could change their passwords, they were never advised to do so.

While it could not be determined exactly how the data appeared on the website, it was evident that there had been a breach of the Data Protection Acts, in that appropriate security measures were not in place to prevent the unauthorised disclosure of personal data.

Our investigation also found that the use of live data for testing purposes was not in accordance with data-protection best practices. Where live data is being used by an organisation for testing purposes, there would have to be a strong justification for such use and we were not aware of any justification applicable in this particular case. The Office recommended that the data controller cease the use of live personal data for testing and either anonymise the data or create a fictitious data set for testing purposes.
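The recommendation above (anonymise the data or create a fictitious data set before anything goes to a developer or service provider) is easy to state and easy to get wrong. The following is an added example, not the data controller's or the service provider's code: the student extract is constructed, the field names and helper functions are the author's, and the HMAC key is a placeholder for one that would stay inside the controller's own environment. It shows both options, plus the release gate a practitioner would run before a fixture leaves the building.

```python
"""Preparing a test fixture from a live student extract without handing
live personal data to a developer or vendor.

Added example, not the data controller's code: the extract below is
constructed, the field names and helpers are the author's, and the HMAC
key is a placeholder for one kept inside the controller's environment.
"""
import csv
import hashlib
import hmac
import io
import random
from datetime import date, timedelta

# Constructed extract of the shape described in the case study.
LIVE_EXTRACT = """student_id,name,email,dob,password
10001,Aoife Byrne,aoife.byrne@example.ac.ie,1991-03-14,14031991
10002,Sean Murphy,sean.murphy@example.ac.ie,1990-11-02,02111990
10003,Aoife Byrne,aoife.byrne2@example.ac.ie,1992-07-30,30071992
"""


def _tag(key: bytes, field: str, value: str, length: int) -> str:
    """Keyed, deterministic stand-in for one field value. Binding the field
    name in stops a pseudonymised name from colliding with a pseudonymised
    e-mail for the same string."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise(extract: str, key: bytes) -> list:
    """Replace direct identifiers with keyed pseudonyms and drop credentials.

    Same input under the same key gives the same output, so joins and
    duplicate handling behave as in production; without `key` the mapping
    cannot be reversed, and a different key yields a different fixture.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(extract)):
        rows.append({
            "student_id": _tag(key, "student_id", row["student_id"], 8),
            "name": "student_" + _tag(key, "name", row["name"], 6),
            "email": _tag(key, "email", row["email"], 12) + "@test.invalid",
            # Year alone is enough to exercise age logic and is not a DOB.
            "birth_year": row["dob"][:4],
            # Credentials never belong in a test set.
            "password": None,
        })
    return rows


def synthesise(n: int, seed: int = 0) -> list:
    """Wholly fictitious records of the same shape, reproducible by seed,
    for when the vendor does not need to mirror real record relationships."""
    rng = random.Random(seed)
    first = ["Aine", "Brian", "Ciara", "Declan", "Eimear"]
    last = ["Walsh", "Kelly", "Ryan", "Doyle", "Nolan"]
    rows = []
    for i in range(n):
        dob = date(1990, 1, 1) + timedelta(days=rng.randrange(0, 365 * 10))
        rows.append({
            "student_id": f"9{i:05d}",
            "name": f"{rng.choice(first)} {rng.choice(last)}",
            "email": f"test.user{i}@test.invalid",
            "birth_year": str(dob.year),
            "password": None,
        })
    return rows


def leaked_live_values(live: str, fixture: list) -> set:
    """Release gate: any live field value that survived verbatim into the
    fixture. Exact-match only; a partial leak (a surname embedded in a
    pseudonym, say) would need a broader check."""
    live_values = {v for row in csv.DictReader(io.StringIO(live))
                   for v in row.values() if v}
    return {str(v) for rec in fixture for v in rec.values()
            if v is not None and str(v) in live_values}
```

Pseudonymisation is the right choice when the vendor must see realistic relationships (the two "Aoife Byrne" rows still collapse to one name and stay distinct by e-mail); synthesis is simpler and carries no residual risk when they do not. Either way the password column is dropped, and the gate is run on whatever is about to be sent.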

The transmission of such student data via an unsecured channel is also inconsistent with the Data Protection Acts. It was found that, during the development of the management system, personal data, including passwords, was exchanged between the data controller and the service provider, using an unsecured channel. The data controller advised this Office that it now transmits such data via a secure mechanism. The Office recommended that this mechanism be brought to the attention of all staff.

Another issue discovered during our investigation that caused great concern was the use of a generic password. The fact that the date of birth of the student was assigned as their password meant that any individual who had access to the date of birth of another student could access the user account of that student. The Office recommended that the data controller communicate with students, advising that they change their password and that the new password be a minimum of 12 characters and include upper- and lower-case characters, numerals and special characters, such as a symbol or punctuation mark.
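To make the size of the problem concrete: a date of birth is not merely guessable for anyone who knows the student, it is exhaustively enumerable for an entire intake. The following is an added example, not the data controller's code; the cohort years, the DOB format, the PBKDF2 verifier and the policy thresholds (12 characters and four character classes, as recommended above) are the author's assumptions. It shows how few guesses a DOB-derived password survives even when properly hashed, and what to issue instead.

```python
"""Why a date of birth cannot serve as an initial password, and what to
issue instead.

Added example, not the data controller's code: the cohort years, DOB
format, verifier and policy thresholds are the author's assumptions.
"""
import hashlib
import hmac
import os
import secrets
import string
from datetime import date, timedelta


def dob_candidates(year_from: int, year_to: int, fmt: str = "%d%m%Y"):
    """Every DOB-derived password for a birth-year range. For a college
    intake that is a few thousand guesses, against a 'secret' that is also
    printed on enrolment forms and known to classmates."""
    d, end = date(year_from, 1, 1), date(year_to, 12, 31)
    while d <= end:
        yield d.strftime(fmt)
        d += timedelta(days=1)


def make_verifier(password: str, iterations: int = 1000):
    """Salted PBKDF2 check of the kind a well-run system uses; the
    iteration count is kept low only so the demonstration runs quickly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(guess: str) -> bool:
        calc = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        return hmac.compare_digest(calc, digest)
    return verify


def crack_dob_password(verify, year_from: int, year_to: int):
    """Exhaust the DOB keyspace against a verifier. Proper hashing does not
    rescue a keyspace this small. Returns (recovered_password, attempts)."""
    attempts = 0
    for attempts, guess in enumerate(dob_candidates(year_from, year_to), 1):
        if verify(guess):
            return guess, attempts
    return None, attempts


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """The recommendation above: at least 12 characters with upper-case,
    lower-case, digit and symbol all present."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_initial_password(length: int = 16) -> str:
    """Per-account random initial password from a CSPRNG. Deliver it over a
    channel the student controls and flag the account so the first login
    forces a change; never derive it from data other people can look up."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw
```

Run against a constructed account whose password is its owner's date of birth (14 March 1991), `crack_dob_password` lands on it in 803 attempts when the attacker assumes birth years 1989 to 1993; a 16-character output of `generate_initial_password` gives the same attacker roughly 10^31 candidates.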

Case Study 14: Data Controller Discloses Personal Data to Business Partner

The Office received notification from a data controller advising that an email had been issued to a business partner which included personal data that should not have been disclosed.

The data controller advised the Office that it had entered into a business agreement with a third-party company to provide anonymised data to allow for a feasibility assessment of a proposed business venture. An email was issued to the third-party company which included the names of individuals in addition to the agreed anonymised data. This allowed for the third-party company to identify the individuals involved.

The data controller, in notifying this Office, stated that the third-party company had provided assurances that the data had been deleted.

The Office commenced an investigation of a data-security breach, under Section 10 of the Data Protection Acts.

Given the nature of the data involved and additional information received from a third party, this Office decided to visit the premises of the third-party business partner to satisfy ourselves that the data had been deleted and not further processed.

An investigation team, using our powers under Section 24 of the Data Protection Acts, arrived unannounced at the premises of the business partner. The team obtained documents in relation to the business agreement; these showed that only anonymised data had been sought. The team also obtained reports that had been created on foot of the receipt of the personal data. It was evident from these reports that, while personal data was available to the third party, it had not been used in the preparation of the reports and had no impact on the reports.

The team then examined the computer systems of the company and discovered several instances of the email it had received which contained the personal data.

The Commissioner felt it appropriate to issue an Enforcement Notice to the third-party company, requiring it to engage an external IT security company to delete any and all copies of the personal data it had received. The IT security company was to provide this Office with a report on the completion of the work. This report was duly received and this Office was satisfied that all copies of the personal data had been securely deleted.

The investigation found that personal data had been disclosed without consent or a legal basis. The investigation also noted that non-business related email accounts had been used by members of staff of the data controller in the conduct of business matters. The data controller was advised to prevent the use of non-business email accounts as the data controller could not control any data that would be transmitted through these non-business accounts.

Case Study 15: Employee of Financial Institution Resigns Taking Customer Personal Data

The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification stated that an employee had tendered their resignation and the data controller then discovered that the employee had emailed a spreadsheet to their personal email account prior to their resignation. The spreadsheet contained details of customers, including their employment details, salaries, contact details and medical consultant.

The data controller provided the name and home address of the employee.

The Office was also contacted by the umbrella organisation of the data controller seeking assistance on how to advise their member.

The Office verified, through the Companies Registration Office, that a business was operating from the home address of the employee. We then contacted the employee on the basis that they were now operating as a data controller in their own right. We sought clarification from the employee as to the consent they had to process any personal data they obtained from their previous employment.

The employee advised the Office that, as part of their employment, they were asked to use their own laptop and personal phone for all business dealings. The employee also advised that they had not yet started canvassing for clients. The employee also confirmed that they had deleted all the personal data they held in relation to their previous employment.

We also engaged with the data controller who had made the notification in relation to the security procedures that were in place to protect customer data in its possession. The Office noted that the employment contract contained appropriate data-protection clauses. However, of concern was the fact that employees were using their own equipment for business purposes. In such circumstances, the data controller has little or no control over that data held on personal equipment.

The data controller introduced further procedures and policies on foot of the issue to prevent a repeat of this type of incident, including the introduction of software to password protect any data records being emailed. Furthermore, all employees must sign an undertaking on termination of employment that all data has been returned and will not be further processed.

Case Study 16: Theft of Unencrypted Laptop

The Office received a data-security breach notification during the year from a medical professional relating to a stolen laptop.

The notification advised that the laptop was password protected, but not encrypted. The notification also advised that the data stored on the laptop related to a medical study that was undertaken in 2009 and included audio files of interviews carried out with the study subjects which contained limited information. It was determined that a file listing the subjects of the study contained an ID number rather than the name of the individual. However, a further file that correlated the ID number with the subject name was also stored on the laptop. This file was also password protected.

It was noted that, before the study began, approval was obtained from the relevant Ethics Committee that covered the storage of data.

This Office advised the data controller of our guidance in relation to the notification of the affected individuals. In this particular case, the data controller advised the Office that it was of the view that notification to affected individuals would cause more distress than help to the affected individuals. This view was offered by the relevant medical professional overseeing the project. This Office must note the opinion of a medical professional who has a professional relationship with the affected individuals. We assume this decision is taken weighing the potential effects of an unauthorised disclosure of this data against the potential distress of the individual being notified of the security breach.

The Office, however, noted that laptops are now being encrypted. This case highlights the fact that data-protection considerations need to be constantly monitored: a login password controls who can sign in, but it does nothing to protect the files on an unencrypted disk once the device is in someone else's hands. What may have been an acceptable standard five years previously may not be acceptable now, and security arrangements must be periodically reviewed.

Case Study 17: Compromise of Adobe Network

Adobe Systems Software Ireland Ltd notified this Office in October 2013, in accordance with the Personal Data Security Breach Code of Practice, of a data-security breach regarding an unauthorised access to their systems. Personal data was compromised and the attacker also took Adobe software source-code elements.

Two data controllers were affected: Adobe US and Adobe Systems Software Ireland Ltd (Adobe Irl). We engaged in a coordinated investigation with the Office of the Privacy Commissioner of Canada and we were co-joined in our investigation by the Office of the Australian Information Commissioner.

Nature of Data Compromised

Adobe Irl created three classifications of individuals affected:

  • Payment-card users, i.e. those whose encrypted payment-card numbers were accessed during the breach. The data involved was encrypted payment-card data – approximately 3.65 million payment cards (1 million controlled by Adobe Irl) relating to approximately 3.1 million individuals.
  • Active users, i.e. those who had logged in to Adobe systems at least once in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 41 million (reduces to 33 million, as 8 million email notifications were undeliverable) (20.5 million controlled by Adobe Irl).
  • Non-active users, i.e. those who had not logged in to Adobe in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 71 million (reduces to 46.5 million due to 25 million email notifications undeliverable) (28.5 million controlled by Adobe Irl).

How the Breach Occurred

The attack was a sophisticated and sustained intrusion of Adobe’s computer systems. Attackers identified and removed data from a backup server that stored the compromised data described above. Adobe states it has no evidence to show that unencrypted card details were taken. Forensic consultants engaged by Adobe supported this conclusion.

When Adobe learned of the security breach, they began an investigation of the cause of the issue and also initiated a series of measures including the following:

  • Disconnected the impacted database server from the network
  • Blacklisted IP addresses from which the attacker accessed their systems
  • Reset passwords for all potentially affected users (including active, non-active)
  • Changed passwords for relevant administrator accounts
  • Notified the banks processing customer payments for Adobe, so they could work to protect customers’ accounts
  • Reported the breach to law-enforcement authorities
  • Employed a third-party company to conduct an investigation of the cause of the security breach of its systems and to identify what data may have been compromised
  • Took actions to reduce the risks related to the theft of certain source-code elements
  • Issued notifications to affected individuals, beginning on 3 October 2013, which alerted customers to the security breach

At risk: the attacker posted some data that was exfiltrated on a website and included the email address and encrypted password of certain Adobe users. A number of research articles have demonstrated that some passwords have been deciphered by reference to password hints and repeated passwords (i.e., the same password used by more than one user). One article highlighted an organisation that had checked the compromised usernames and deciphered passwords against its own platform and found a significant number of these credentials would have worked on its own platform. The organisation contacted some of its affected users, alerting them to the issue, and also confirmed the scenario to this office. At issue here is that while Adobe enforced a password change on its own site and advised users to change their passwords elsewhere, it is evident that not all users followed such advice.

Hints: Parts of the data exfiltrated by the attacker were the password hints of a small percentage of users. These hints were stored in clear text and associated with the username (email address). This information, along with an analysis of the encrypted passwords, will allow for the identification of certain simple passwords. However, as previously noted, Adobe reset the passwords for all impacted users.

Storage: The Office queried why passwords were stored in one system in an encrypted manner rather than hashed and salted. Encrypted passwords can be decrypted, which would allow a data controller, or an attacker who gained access to the key, to see the passwords of users. Adobe stated it had actually been hashing and salting passwords within a new system for a number of years prior to the discovery of the security breach, but had decided to also keep the database in the old system as a backup measure in case of issues with the new system. Passwords in the old system’s database had been encrypted.
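The three paragraphs above ("At risk", "Hints" and "Storage") describe one attack chain: unsalted, reversible storage means every user with the same password has the same stored value, so the clear-text hint of one careless user unlocks all of them, and the recovered pairs are then tried against other services. The following is an added example, not Adobe's code or data. The accounts, hints and passwords are constructed; the old-system cipher is modelled as an unsalted keyed transform (an HMAC under a server key) because the attack relies only on the property the report describes, that the same password always produces the same stored value; and the COMMON list and the second site's records are likewise assumptions.

```python
"""Deterministic (encrypted, unsalted) password storage versus salted
hashing, and how clear-text hints plus repeated stored values expose
passwords from the former.

Added example, not Adobe's code or data: users, hints, passwords and the
second site's records are constructed; the old cipher is modelled as an
unsalted keyed transform because only its determinism matters here.
"""
import hashlib
import hmac
import os
from collections import defaultdict

SERVER_KEY = b"constructed-server-key"  # stays server-side; the attacker never needs it


def store_deterministic(password: str) -> str:
    """Old-system style: same password, same stored value, no per-user salt."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def store_salted(password: str) -> tuple:
    """New-system style: random per-user salt and a slow hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify_salted(password: str, record: tuple) -> bool:
    salt, digest = record
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.compare_digest(calc, digest)


# Constructed accounts: (email, password, clear-text hint the user chose).
USERS = [
    ("alice@example.com", "123456", "123456"),
    ("bob@example.com", "123456", "one to six"),
    ("carol@example.com", "123456", "numbers"),
    ("dave@example.com", "password", "the usual"),
    ("erin@example.com", "password", "pass word"),
    ("frank@example.com", "r9!Qz#v2Lp", "dog's name"),
]
# What the attacker walks away with under each storage scheme.
LEAK_OLD = [(e, store_deterministic(pw), h) for e, pw, h in USERS]
LEAK_NEW = [(e, store_salted(pw)[1].hex(), h) for e, pw, h in USERS]

COMMON = {"123456", "password", "qwerty", "letmein"}


def pool_hints(leak) -> dict:
    """Group leaked rows by identical stored value and merge their hints."""
    groups = defaultdict(lambda: {"emails": [], "hints": []})
    for email, stored, hint in leak:
        groups[stored]["emails"].append(email)
        groups[stored]["hints"].append(hint)
    return groups


def recover_from_hints(leak, common=COMMON) -> dict:
    """{email: password} for every group in which at least one hint gives
    the password away. With deterministic storage one careless hint exposes
    everyone sharing that stored value; with salting it exposes only its
    own author, because nobody else's row groups with it."""
    recovered = {}
    for group in pool_hints(leak).values():
        for hint in group["hints"]:
            candidate = hint.lower().replace(" ", "")
            if candidate in common:
                recovered.update({e: candidate for e in group["emails"]})
                break
    return recovered


# Constructed salted records held by an unrelated service.
OTHER_SITE = {
    "alice@example.com": store_salted("123456"),
    "bob@example.com": store_salted("Tr0ub4dor&3"),
    "erin@example.com": store_salted("password"),
}


def check_credential_reuse(recovered: dict, site: dict) -> list:
    """What the organisation cited in the report did: test the leaked
    pairs against its own store to learn which of its users must be told
    to change their password."""
    return sorted(e for e, pw in recovered.items()
                  if e in site and verify_salted(pw, site[e]))
```

On the constructed data the old scheme gives up five of six accounts from two hints, the salted scheme gives up only the two users whose own hint was the password, and the cross-site check flags the two accounts that reused the leaked password elsewhere, which is exactly why the report faults the forced reset as necessary but not sufficient.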

Retention of Card Data with Customer Records

Customers who used payment cards to purchase Adobe products or services had their card details (encrypted) stored with the customer account within one particular system. Card numbers have now been replaced with a token system. This process began prior to the discovery of the security breach and was completed shortly thereafter. The token, which is encrypted, represents the payment-card number within the customer record and Adobe systems transmits the encrypted token to a third-party service provider, whose systems are located outside Adobe’s network, for payment processing.

Notifications to Affected Individuals

Adobe provided the Office with a list of when they notified each class of affected individuals and the relevant notification. In addition, Adobe publicly announced the 2013 breach in posts on its website, which included discussion of the theft of source code. The various notifications did advise individuals to monitor their credit-card statements and change their password if it was used on another site.

When we queried why notifications did not issue to those individuals where only contact details were compromised and did not include password or payment-card data, Adobe replied that it believed that notice in this scenario would lead to over-notification and notification fatigue and that there is not a significant risk of harm with respect to a compromise of this type of data element. The Code of Practice recommends that affected users are notified, so that each affected individual can consider the consequences for themselves and take appropriate measures.

This Office would expect that if a similar incident were to occur in the future, Adobe, or any other data controller, would automatically include all individuals for whom personal data had been compromised in its notification process.

Conclusion and Findings

Adobe fully cooperated with our investigation of the security breach reported to us on 2 October 2013. Adobe took appropriate action on discovery of the attack to prevent further access to their systems as required under Section 2(1)(d) of the Data Protection Acts 1988 and 2003. It also enforced a password change for its users to protect against unauthorised access to account data. Adobe’s quick reaction on learning of the security breach prevented the attacker from exfiltrating unencrypted payment-card details.

Adobe’s transition from the use of encrypted passwords in the old system to the use of hashed and salted passwords in the new system could have been achieved more effectively and expeditiously than was the case. Of particular concern to those users who provided password hints is that Adobe stored the hints in plain text rather than in an encrypted format, and some of them have been compromised.

This Office is cognisant of the fact that data controllers such as Adobe will always be a target for attackers and new attack methods are constantly being devised.

This Office found that Adobe was in breach of Section 2(1)(d) of the Acts by failing to have in place appropriate security measures to protect the data under its control, despite its documented security programme. It was also recommended that Adobe engage a third party to carry out an independent review of its systems.

Adobe has since put in place substantial improvements in its security protocols, practices and procedures, and this Office is satisfied that it now has appropriate procedures in place to minimise the possibility of a similar security breach in the future.


On 11 August 2023, after close to a decade since its initial conception, India’s Digital Personal Data Protection Act (Act) received presidential assent, formalising the nation’s first ever comprehensive data protection law.

Definitions

There are several key definitions and references adopted in the Act, as follows:

  • “Data principal” means a data subject.
  • “Data fiduciary” means a data controller.
  • “Data processor” means a data processor, but it remains unclear whether the term includes a sub-processor.
  • “Consent manager” means a person registered with the Data Protection Board of India (Board), who acts as a point of contact to enable a data principal to give, manage, review and withdraw their consent.
  • Prior references to sensitive personal data and critical personal data found in the earlier 2022 version of the Digital Personal Data Protection Bill (Bill) have since been removed.

Scope and Applicability

The Act applies to digital personal data, including non-digital data that is subsequently digitised.

Similar to the EU GDPR and UK GDPR, the Act asserts extraterritorial reach, applying to the “processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India”. As such, overseas entities that offer goods or services in India may find themselves subject to the obligations under the Act. However, unlike the EU GDPR, UK GDPR and even the earlier 2022 version of the Bill, those extraterritorial reach provisions do not apply to processing in connection with profiling of individuals within India. That omission is potentially helpful to organisations outside India looking to use data to, for instance, train artificial intelligence (AI) models using big datasets likely to include personal data relating to individuals within India. It potentially allows AI service providers to scrape publicly available personal data from the internet without consent and without being swept up by other provisions of the Act.

A noteworthy aspect is that business process outsourcing (BPO) providers are exempted from the Act for offshore personal data processing. More specifically, the exclusion applies where “personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India”. This, in effect, insulates BPO service providers in India from many of the Act’s provisions, though not from the obligation to implement “reasonable safeguards to prevent [a] personal data breach”. This seems particularly pertinent, given that India houses the world’s largest BPO industry.

Further, the Act does not apply where processing is necessary for “research, archiving or statistical purposes” if the personal data is not used in any decision specific to a data principal and is carried on in accordance with standards that are to be prescribed.

There are also narrower exemptions (specifically, exclusions from most of the obligations imposed on data fiduciaries, save for implementing reasonable security measures to protect the data) in respect of processing of personal data:

  • That is necessary for enforcing any legal right or claim
  • In the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law
  • That is for a scheme of arrangement, merger or amalgamation, or transfer of an undertaking, or involving the division of one or more companies, approved by a court or tribunal or other competent authority
  • For debt recovery purposes as circumscribed under the Act

Legal Bases for Processing

The Act only recognises two main lawful grounds for processing personal data, namely:

  • Consent from data principals
  • A data principal voluntarily providing, to the data fiduciary, their personal data for a specified purpose, without indicating that they do not consent to the use of such data [1]
  • Where the state provides or issues to the data principal any subsidy, benefit, service, certificate, licence or permit, or performs any functions at law or in the interest of India’s sovereignty, integrity or security
  • To fulfil any legal obligation or comply with any judgement, decree or order at law
  • To respond to a medical emergency, provide medical treatment or health services during an epidemic, or for the safety of or to provide assistance during a disaster

Notice and Consent

Notices have the following content requirements:

  • They must be in clear and plain language, either in English or, at the data principal’s option, any of the 21 languages specified in the Eighth Schedule to the Constitution of India.
  • Notices must include:
    • The nature of personal data being collected and processed
    • The purpose of processing
    • The mechanism or process through which a data principal can exercise their rights in relation to their personal data
    • The mechanism or process through which a data principal can make a complaint to the Board
    • If a data fiduciary is a significant data fiduciary (see below), the contact details of the data protection officer or any other person authorised by the data fiduciary to respond to complaints and grievances

Unlike the earlier 2022 version of the Bill, however, the Act does not require an itemised notice. Further requirements in relation to notices may be prescribed by the central government from time to time.

Notably, a recent committee report[2] on the new bill contains statements from the Ministry of Electronics and Information Technology which suggest that these forthcoming rules may require data fiduciaries to provide videos and animations to help data principals actually understand the notice and any consent form used.

The Act introduces the concept of a consent manager. Data principals can give, manage, review or withdraw their consent to the data fiduciary through a consent manager, who remains accountable to the data principal and must act on their behalf in such manner and subject to such obligations as may be prescribed. Consent managers must also be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

Where personal data was collected prior to the enactment of the Act, the data fiduciary must notify the data principal of such collection and use of their data within a reasonably practicable time. If the processing is based on consent from the data principal, then the data fiduciary can only continue to process their personal data until such time as the data principal withdraws their consent.

Significant Data Fiduciaries

The central government is empowered to classify any persons or category of persons as “significant data fiduciaries” based on the following factors:

  • The volume and sensitivity of personal data processed
  • Risk of harm to the rights of the data principal
  • Potential impact on the sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the state
  • Public order

Once designated, significant data fiduciaries will be required to carry out periodic data protection impact assessments and independent audits, and appoint a data protection officer, who must be an individual based in India, and responsible to the company’s board of directors.

Compared to the earlier 2022 version of the Bill, the obligation to keep personal data accurate has been enhanced. A data fiduciary must ensure the completeness, accuracy and consistency of any personal data it processes, so long as that data is likely to be disclosed to another data fiduciary, or used to make a decision affecting the data principal.

Protection and Security

A data fiduciary must protect personal data in its possession or under its control, by taking reasonable security safeguards to prevent a personal data breach. This extends to where a data fiduciary engages a data processor to carry out processing of personal data on its behalf.

Cross-border Transfers

Unlike the earlier 2022 version of the Bill, the Act adopts a “negative list” approach for cross-border transfers of personal data from India overseas. It remains to be seen whether neighbouring countries will be included in this negative list, similar to the approach taken in the regulation of foreign direct investment. Additionally, this provision potentially allows sectoral regulatory bodies to introduce specialised legislation aimed at overseeing the storage and transfer of personal data within their respective sectors.

If there are other such requirements or rules that accord a higher standard of protection or impose stricter restrictions for the transfer of data than those under the Act, then these latter requirements will prevail over the Act.

Data Principal Rights

Data principals have the following rights under the Act:

  • Right of access
  • Right to correction
  • Right to erasure [3]
  • Right to withdraw consent
  • Right to grievance redressal
  • Right to nominate any other individual who, in the event of death or incapacity of the data principal, can exercise their rights under the Act.

Data fiduciaries must erase personal data upon a data principal withdrawing their consent or as soon as the purpose for its processing no longer exists, whichever is sooner. The data fiduciary must also cause any data processor to which the data was made available to erase it. Under the Act, the central government is entitled to set maximum retention periods for personal data; however, no further details have been provided yet.

Data Breaches

The Act does not prescribe any thresholds or timelines for data breach notifications. It stipulates that in the event of a personal data breach, the data fiduciary must give the Board and each affected data principal “intimation of such breach in such form and manner as may be prescribed”. These aspects are expected to be addressed in forthcoming rules to be issued by the government of India. It is unclear whether exceptions will be granted for minor breaches.

Nevertheless, this is a notable new obligation, especially when compared with the existing requirements to report to the Indian Computer Emergency Response Team (CERT-In) within six hours of an incident, or to a sectoral regulator, which do not appear to be actively enforced.

Additionally, the Act makes it clear that data security and breach reporting now lie solely on data fiduciaries and not processors.

Data fiduciaries must, prior to processing any personal data of children under 18 years of age, obtain verifiable consent of their parents or legal guardians. There are also prohibitions imposed on the tracking or behavioural monitoring of children or advertising targeted at children.

Implementation Period

While the industry has generally embraced this legislation, certain concerns regarding its implementation have arisen. There has not been any definitive stipulation of an implementation timeframe for the Act. It is generally expected that businesses will be given a transitional period of between six and 10 months, though this has yet to be formally published or announced. The Indian government has expressed a willingness to engage in discussions with stakeholders to address the transition period, so as to ensure a seamless implementation process. It is also presently uncertain whether all provisions will come into effect simultaneously or in phases.

The Board has been vested with the authority to handle complaints in connection with the Act. Aggrieved parties that wish to appeal against a decision by the Board can do so to the Telecom Disputes Settlement and Appellate Tribunal of India.

The central government has very broad discretion and powers under the Act[4], including to exempt certain startups and other data fiduciaries from any specific obligations. The decision to grant such exemptions would typically be based on factors like the volume and nature of personal data being processed.

The Board is entitled to impose up to US$30 million in regulatory fines for contraventions of the Act, as well as to compel the blocking of applications and services for repeat offenders.

Now that India has enacted a comprehensive law on data privacy, the importance of undertaking thorough data mapping and information governance cannot be overstated. It forms a crucial starting point for businesses operating in India to ascertain what obligations apply to the data collected, processed and transferred, and what compliance measures need to be adopted under the Act. These include determining the notices, consents and protocols needed to respond to data principal rights; conducting periodic training on data policies; implementing data management, retention, security and incident response measures; and ensuring robust and compliant contracts with third-party processors. Businesses with significant data processing activities (and thus likely to be classified as a significant data fiduciary down the road) should also consider appointing a data protection officer.

While enactment of the Act is certainly a monumental step for a nation that has a population of a whopping 1.43 billion people, it is also expected that further regulations and guidance will be issued to provide clarity and certainty over specific aspects of the law. With this in mind, businesses should regard compliance with the Act as an ongoing exercise, failing which they risk incurring large regulatory fines and potential lawsuits for infringements.

[1] This has replaced the reference to “deemed consent” in the earlier 2022 version of the Bill.

[2] 48th report of the Standing Committee on Communications and Information Technology of the Lok Sabha on the new bill.

[3] Data fiduciaries are obliged to erase personal data that they hold, upon withdrawal of consent by the relevant data principal(s), unless retention is necessary for a specified purpose or to comply with applicable law.

[4] Section 40
