The Regulator for Charities in England and Wales


OPERATIONAL GUIDANCE

DATA PROTECTION ACT 1998

THE PROVISIONS OF THE DATA PROTECTION ACT 1998

OG 58 A3 - 14 February 2002


Purpose: This guidance sets out the provisions of the 1998 Act.


Divisional responsibility

For action:

All divisions

For information:

All divisions


Contents

1. The general effect of the 1998 Act
2. Bringing the 1998 Act into effect
3. Individuals’ rights
4. Exemptions
5. The Information Commissioner
6. Notification
7. Offences under the 1998 Act
8. Subordinate legislation

Meaning of expressions - list of Glossary terms used in this Guidance
Index to further related information

 

Key to symbols used in this guidance: Legal requirement symbol = The law; Legal advice symbol = Refer to a lawyer; Accountancy advice symbol = Refer to an accountant.
   
 

1. The general effect of the 1998 Act

 

The 1998 Act received Royal Assent on 16th July 1998 and came into force on 1 March 2000. It gives effect in UK law to EC Directive 95/46/EC, which requires Member States "to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data". The EC Data Protection Directive was due to be implemented by all member states on 24 October 1998, and the UK introduced the 1998 Act in order to do so. Although implementation of the 1998 Act was delayed until 1 March 2000, 24 October 1998 remains a significant date for the purposes of establishing which data were covered immediately on implementation of the 1998 Act and which benefit from the transitional arrangements, which allow up to 3 or 9 years for full compliance.

 

The 1998 Act applies to the processing of personal data and replaces the Data Protection Act 1984. It affects all organisations (not just public authorities) that use information about individuals. The general effect of the 1998 Act is:

  • to ensure that organisations (data controllers) that use information about living people (data subjects) do so in accordance with the eight Data Protection Principles (which are set out in full in OG 58 B4) with the underlying purpose of protecting the civil liberties of the person who is the subject of the data. Broadly, the Data Protection Principles are that:

    (i) Personal data is processed fairly and lawfully.
    (ii) Personal data is obtained for specified and lawful purposes, and is not processed for other purposes.
    (iii) Personal data must be relevant to the purpose for which it was obtained.
    (iv) Personal data must be accurate and kept up to date.
    (v) Personal data must not be retained unnecessarily.
    (vi) The statutory rights of data subjects (eg access to data) must be respected.
    (vii) The data controller must take appropriate technical and organisational measures against improper processing and the risk of loss or destruction of, or damage to, the data.
    (viii) Personal data are not transferred to a non-EU country unless its law provides comparable civil rights protection.

  • to require notification of the processing of personal data to the Information Commissioner, who maintains a register of data controllers which is accessible to the public;

  • to require the person processing personal data to take the initiative in providing a limited range of information to any person who is the subject of that data processing;

  • at the request of the data subject, to require the person processing the data to give detailed information about the data which is being processed about them;

  • to give the data subject the right in certain circumstances to prohibit the processing of personal data of which they are the subject;

  • to give the data subject the right to have corrected inaccurate data being processed about them.


 

2. Bringing the 1998 Act into effect

 

The 1998 Act repeals the Data Protection Act 1984. This means that any new data processing is caught by the provisions of the 1998 Act unless that processing was being carried out prior to 24 October 1998, in which case it may benefit from the transitional arrangements which allow more time for compliance with the 1998 Act.

 

OG 58 B7 sets out the exemptions which will apply during the transitional period and OG 58 C3 shows the effect of these transitional arrangements on data processing in the Commission.


 

3. Individuals’ rights

 

The 1998 Act gives rights to individuals in respect of personal data held about them by others. These are:

 
  • right of subject access;
 
  • right to prevent processing likely to cause damage or distress;
 
  • right to prevent processing for the purposes of direct marketing;
 
  • rights in relation to automated decision-taking;
 
  • right to take action for compensation if the individual suffers damage by contravention of the 1998 Act by the data controller;
 
  • right to take action to rectify, block, erase or destroy inaccurate data;
 
  • right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the 1998 Act has been contravened.
 
OG 58 B5 explains these rights in more detail.


 

4. Exemptions

 

The 1998 Act contains a number of exemptions from various provisions, provided in Part IV (sections 28-36) and Schedule 7 of the Act. Those contained in Part IV are known as the ‘primary exemptions’ and those contained in Schedule 7 are known as the ‘miscellaneous exemptions’. Other exemptions apply only during the period of transitional relief. In general, the primary exemptions are the ones which are either more likely to be claimed or which are more wide-ranging in terms of the scope of the exemption available.

 

These exemptions and limitations of the 1998 Act mean that:

 
  • not all types of processing of personal data are regulated;
 
  • the processing of personal data for certain purposes is not regulated;
 
  • for some regulated processing some of the Data Protection Principles are excluded or modified;
 
  • for some regulated processing the requirement to give the data subject information is excluded or limited;
 
  • for some regulated processing the right of data subjects to prohibit processing is excluded;
 
  • for some regulated processing the right of data subjects to correct data is excluded.
 
OG 58 B6 explains these exemptions in more detail.


 

5. The Information Commissioner

 

The Information Commissioner has the responsibility in the UK for ensuring compliance with the Data Protection Principles. He or she has responsibility for issuing guidance on the interpretation of the 1998 Act and for promoting good practice by data controllers. The Information Commissioner is the person to whom complaints regarding non-compliance with the 1998 Act are made and, in that context, has certain powers to investigate such complaints and enforce compliance.

 

OG 58 C4 sets out the duties and powers of the Information Commissioner in more detail.


 

6. Notification

 

Register of data controllers

 

The Data Protection Act 1984 established the Data Protection Register and the system of registration of data users maintained by the Registrar. The 1998 Act introduced a new system of notification to replace the registration scheme. Notification is the process by which a data controller informs the Information Commissioner of certain details about the processing of personal data carried out by that data controller. Those details are used by the Commissioner to make an entry describing the processing in a register which is available to the public for inspection.

 

There will be some exemptions from the requirement to notify. Unless exempt from notification, anyone not already registered as a data user prior to the commencement of the new notification regime will be prohibited from processing personal data until they have applied for notification.

 

The principal purpose of having notification and the public register is transparency or openness. The Act places obligations on data controllers in order to achieve transparency.

 

Details required for notification

 

The processing of personal data is generally unlawful unless the person doing the processing notifies the Information Commissioner of:

 
  • their name and address;
 
  • the name and address of any nominated representative;
 
  • a description of the personal data being processed;
 
  • a description of the categories of data subject;
 
  • a description of the purpose of the processing;
 
  • a description of the classes of people to whom data may be disclosed;
 
  • an indication of the organisational steps which the person processing the data has in place to ensure that the people who actually do the processing are aware of and comply with the data protection principles.
 

These details are known as the ‘registrable particulars’.

 

When a notification is made by a data controller they must also provide a general description of the security measures taken to protect the personal data they process. This means that, as data controller, the Charity Commissioners will have the responsibility of ensuring that appropriate technical and organisational measures are taken to prevent the unauthorised or unlawful processing or disclosure of personal data and against accidental loss or destruction of or damage to personal data. One aspect of this is that we must take reasonable steps to ensure the reliability of any staff who have access to personal data. There is also a requirement for data controllers to ensure that where a data processor processes data on behalf of the controller there is a written contract between the parties whereby the processor agrees only to act on the instructions of the controller and to abide by the provisions of the security principle. Anyone who, on behalf of the Commission, contracts with a data processor needs to consider the implications of this requirement and ensure that the security measures are appropriate for the types of data that are being processed. A registration fee will be payable by the person processing the data. NB Anyone proposing to enter into an arrangement with a data processor should first consult the Departmental Record Officer.

 

The Charity Commission’s notification

 
The Charity Commission submitted its notification in January 2002 and the period of notification is for one year.
 

Please note: Responsibility for making and renewing the Charity Commission’s notification rests with the Departmental Record Officer.

 

When notification is not required

 

Notification will not normally be required:

 
  • to authorise regulated manual processing;
 
  • where the purpose of the regulated processing is the maintenance of a public register, such as the central register of charities (but notification is required in respect of any personal data that is included in the non-public part of the charity database);
 
  • in other cases where the Home Secretary thinks that regulated processing is unlikely to interfere with individual civil rights.
 

Data controllers who are exempt from notification

 

The 1998 Act contains certain exceptions from the requirement to notify. There is a specific exemption, for example, for any processing whose sole purpose is the maintenance of a public register. Also there is no requirement to register as a data controller where the only personal data held is exempt from notification.

 

A significant difference however between the Data Protection Act 1984 and the 1998 Act is that whilst the Registrar could not enforce the Data Protection Principles against those who were exempt from registration, the Information Commissioner will be able to enforce the Principles against those who are exempt from notification. Data controllers will therefore need to consider how they will comply with the 1998 Act even if they are exempt from the requirement to notify.

 

In addition there is also a requirement for data controllers to make public the details of their processing on request. This will apply even where there is no requirement to notify. This means that for data processing that we do not have to notify to the Information Commissioner we are under a duty to provide the same information about that processing that would be required for notification (ie the registrable particulars set out above), free of charge, within 21 days of receiving a written request from any person. This is known as a ‘registrable particulars request’.


 

7. Offences under the 1998 Act

 

There are a number of offences with which a person (ie individual or organisation) may be charged under the 1998 Act. Those that are likely to be of most relevance to us in the Commission are:

Legal requirement symbol
(i) Processing without notification

It is an offence to process personal data without notification unless the data or the processing falls within one of the exemptions or is outside the scope of the 1998 Act.

(ii) Failure to notify the Information Commissioner of changes to the notification register entry

Detailed guidance relating to this offence will be contained in the notification regulations. A defence is available to persons charged with such an offence if they can show they exercised due diligence to comply with the duty.

(iii) Failure to comply with a written request for particulars

Although it will not be a criminal offence to process personal data without notifying the Information Commissioner (where that data falls within the exceptions to notification) it will nevertheless be a criminal offence to fail to comply with a ‘registrable particulars request’ (ie to fail to provide, within 21 days of receiving a written request from any person, the same information that would be provided to the Information Commissioner if notification were required).

A defence is available to persons charged with such an offence if they can show they exercised due diligence to comply with the duty.

(iv) Failure to comply with an enforcement notice/information notice/special information notice

It is an offence to fail to comply with any of these notices unless the person charged is able to show that they exercised all due diligence to comply. It is also an offence for someone to make a statement which they know to be false, or recklessly to make a statement which is false, in purporting compliance with an information or special information notice.

(v) Unlawful obtaining, etc, of personal data

It is an offence (under s 55 of the 1998 Act) for a person, without the consent of the data controller, knowingly or recklessly, to obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data, unless the personal data are exempt from this section of the 1998 Act (ie if it is required for the purpose of safeguarding national security, s 28 of the 1998 Act) or unless the person can show:

  • that the obtaining, disclosing or procuring was necessary to prevent or detect crime, or was required or authorised by law;

  • that they acted in the reasonable belief that they had the legal right to obtain, disclose or procure the disclosure;

  • that they had acted in the reasonable belief that the data controller would have consented to the obtaining, disclosing or procuring if the data controller had known; or

  • that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(vi) Unlawful selling of personal data

If personal data has been obtained in contravention of the provisions in (v) above, it is an offence to sell or offer to sell that data.

(vii) Enforced subject access

Unless statutory exceptions apply (ie it is required or authorised by law or is justified as being in the public interest, which does not include the prevention or detection of crime as this is covered by Part V of the Police Act 1997) it is an offence for a person to require another person or third party to use their right of subject access in order to supply them with a relevant record (eg records of cautions, criminal convictions, social security records) or to produce a relevant record to them:

  • in connection with the recruitment of that other person as an employee, the continued employment of that person or any contract for the provision of services to them by that other person; or

  • where a person is concerned with providing (for payment or not) goods, facilities or services to the public or a section of the public, as a condition of providing or offering to provide any goods, facilities or services to that other person.

  • the disclosure is made for the purposes of any criminal or civil proceedings; or

  • the disclosure is necessary in the public interest, taking account of the rights and freedoms or legitimate interest of any person.

All the above offences are triable in the Magistrates’ Court or the Crown Court. Upon conviction an offender is liable to a maximum fine of £5,000 in the Magistrates’ Court or an unlimited fine in the Crown Court. The 1998 Act provides for separate personal liability for any of the offences under the 1998 Act for directors or other officers of any company which has committed an offence under the 1998 Act. Where it is proved that the company committed the offence with the consent or connivance of, or due to any neglect on the part of, the officer concerned that person will be guilty of the offence as well as the company and will be liable to be proceeded against and punished accordingly. In England and Wales proceedings for a criminal offence under the 1998 Act can be commenced only by the Information Commissioner or by (or with) the consent of the Director of Public Prosecutions.


 

8. Subordinate legislation

 

When the 1998 Act came into force on 1 March 2000, it gave effect to the EC Data Protection Directive (95/46/EC). In addition, about 20 statutory instruments are needed to complete the data protection regime created by the 1998 Act. Further details about these can be found on the website for the Information Commissioner's Office at http://www.dataprotection.gov.uk/index.htm.

 

These include:

 
  • Data Protection (Notification and Notification Fees) Regulations;
 
  • The Telecommunications (Data Protection and Privacy) Regulations 1999 (details of which can be found in OG 58 A4 and B1);
 
  • The Consumer Credit (Credit Reference Agency) Regulations 1999;
 
  • The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 1999;
 
  • The Data Protection (Subject Access Modification) (Health) Order 1999;
 
  • The Data Protection (Processing of Sensitive Personal Data) Order 1999;
 
  • The Data Protection Tribunal (Enforcement Appeals) Rules;
 
  • Data Protection Tribunal (National Security Appeals) Rules;
 
  • The Data Protection (Corporate Finance Exemption) Order;
 
  • The Data Protection (Designated Codes of Practice) Order 1999;
 
  • The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 1999;
 
  • The Data Protection (Subject Access Modification) (Education) Order 1999;
 
  • The Data Protection (Subject Access Modification) (Social Work) Order 1999;
 
  • The Data Protection (Miscellaneous Subject Access Exemptions) Order 1999;
 
  • The Data Protection (Crown Appointments) Order 1999;
 
  • The Data Protection (Functions of Designated Authority) Order 1999;
 
  • Data Protection (International Co-operation) Order;
 
  • The Data Protection (Fees under section 19(7)) Regulations 1999.


 

The following words and phrases are defined in the Glossary of Terms:

1998 Act
assessable processing
automated decision-taking
data controller
data subject
notification
personal data
processing
registrable particulars
sensitive personal data
subject access

