
        Contents
 
PART-1
 s1. Definitions.
 s2. Amendment of section 1 (interpretation and application of Act) of Principal Act.
 s3. Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.
 s4. Provisions in relation to processing.
 s5. Amendment of section 4 (right of access) of Principal Act.
 s6. Amendment of section 5 (restriction of right of access) of Principal Act.
 s7. Amendment of section 6 (right of rectification or erasure) of Principal Act.
 s8. Certain rights of data subjects.
 s9. Amendment of section 8 (disclosure of personal data in certain cases) of Principal Act.
 s10. Additional functions of Commissioner.
 s11. Amendment of section 10 (enforcement of data protection) of Principal Act.
 s12. Restriction on transfer of personal data outside State.
 s13. Prior checking of processing by Commissioner.
 s14. Amendment of section 13 (codes of practice) of Principal Act.
 s15. Amendment of section 14 (annual report) of Principal Act.
 s16. Amendment of section 16 (the register) of Principal Act.
 s17. Amendment of section 17 (applications for registration) of Principal Act.
 s18. Amendment of section 18 (duration and continuance of registration) of Principal Act.
 s19. Amendment of section 31 (penalties) of Principal Act.
 s20. Amendment of Second Schedule (the Data Protection Commissioner) to Principal Act.
 s21. Journalism, literature and art.
 s22. Repeals and Revocation.
 s23. Short title, collective citation, construction and commencement.

Data Protection (Amendment) Act 2003
 Crown Copyright Acknowledged

   PART-1

 

   Definitions.

   1.

In this Act—

“Minister” means Minister for Justice, Equality and Law Reform;

“the Principal Act” means the Data Protection Act 1988.


Amendment of section 1 (interpretation and application of Act) of Principal Act.

2.—

Section 1 of the Principal Act is amended—

(a)    in subsection (1)—

(i)      by the insertion of the following definitions:

“‘the Act of 2003’ means the Data Protection (Amendment) Act 2003;

‘automated data’ means information that—

 (a)   is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

 (b)   is recorded with the intention that it should be processed by means of such equipment;

‘blocking’, in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;

‘the Directive’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1);

‘the EEA Agreement’ means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;

‘enactment’ means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937);

‘the European Economic Area’ has the meaning assigned to it by the EEA Agreement;

‘manual data’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

‘sensitive personal data’ means personal data as to—

(a)    the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

(b)    whether the data subject is a member of a trade union,

(c)     the physical or mental health or condition or sexual life of the data subject,

(d)    the commission or alleged commission of any offence by the data subject, or

(e)    any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;”,

(ii)     by the substitution of the following definition for the definition of “data”:

“‘data’ means automated data and manual data;”,

(iii)    by the substitution of the following for the definition of “direct marketing”:

“‘direct marketing’ includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;”,

(iv)    by the substitution of the following definition for the definition of “personal data”:

“‘personal data’ means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;”,

and

(v)     by the substitution of the following definition for the definition of “processing”:

“‘processing’, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including—

(a)    obtaining, recording or keeping the information or data,

(b)    collecting, organising, storing, altering or adapting the information or data,

(c)     retrieving, consulting or using the information or data,

(d)    disclosing the information or data by transmitting, disseminating or otherwise making it available, or

(e)    aligning, combining, blocking, erasing or destroying the information or data;”,

(b)    by the insertion of the following subsections after subsection (3):

“(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.

(3B)

(a)    Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—

(i)      the data controller is established in the State and the data are processed in the context of that establishment, or

(ii)     the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.

(b)    For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:

(i)      an individual who is normally resident in the State,

(ii)     a body incorporated under the law of the State,

(iii)    a partnership or other unincorporated association formed under the law of the State, and

(iv)    a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State—

(I)      an office, branch or agency through which he or she carries on any activity, or

(II)     a regular practice,

and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.

(c)     A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.

(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to—

(a)    data kept solely for the purpose of historical research, or

(b)    other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986),

and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.”,

and

(c)     by the insertion of the following subsection after subsection (4):

“(5)

(a)    A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.

(b)    The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.”.


Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.

3.—

Section 2 of the Principal Act is amended—

(a)     by the substitution of the following subsection for subsection (1):

“(1)   A data controller shall, as respects personal data kept by him or her, comply with the following provisions:

(a)    the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

(b)    the data shall be accurate and complete and, where necessary, kept up to date,

(c)      the data—

(i)      shall have been obtained only for one or more specified, explicit and legitimate purposes,

(ii)     shall not be further processed in a manner incompatible with that purpose or those purposes,

(iii)    shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and

(iv)    shall not be kept for longer than is necessary for that purpose or those purposes,

(d)     appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”,

(b)    in subsection (5), by the substitution of the following paragraph for paragraph (a):

“(a)   Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and”,

(c)     by the deletion of subsection (6), and

(d)    by the substitution of the following subsections for subsection (7):

“(7) Where—

(a)    personal data are kept for the purpose of direct marketing, and

(b)    the data subject concerned requests the data controller in writing—

(i)      not to process the data for that purpose, or

(ii)     to cease processing the data for that purpose,

then—

(I)      if the request is under paragraph (b)(i) of this subsection, the data controller—

(A)    shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and

(B)    shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,

(II)     if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data controller, he or she—

(A)    shall, where the data are kept only for the purpose aforesaid, erase the data, and

(B)    shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose,

and

(III)    the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.

(8)    Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing.”.


Provisions in relation to processing.

4.—

The following sections are inserted in the Principal Act after section 2:

“Processing of personal data.

2A.—

(1)    Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met:

(a)    the data subject has given his or her consent to the processing or, if the data subject, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giving of such consent is not prohibited by law,

(b)    the processing is necessary—

(i)      for the performance of a contract to which the data subject is a party,

(ii)     in order to take steps at the request of the data subject prior to entering into a contract,

(iii)    for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract, or

(iv)    to prevent—

(I)      injury or other damage to the health of the data subject, or

(II)     serious loss of or damage to property of the data subject,

or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph (a) of this subsection is likely to result in those interests being damaged,

(c)     the processing is necessary—

(i)      for the administration of justice,

(ii)     for the performance of a function conferred on a person by or under an enactment,

(iii)    for the performance of a function of the Government or a Minister of the Government, or

(iv)    for the performance of any other function of a public nature performed in the public interest by a person,

(d)    the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.

(2)    The Minister may, after consultation with the Commissioner, by regulations specify particular circumstances in which subsection (1)(d) of this section is, or is not, to be taken as satisfied.

Processing of sensitive personal data.

2B.—

(1)    Sensitive personal data shall not be processed by a data controller unless:

(a)    sections 2 and 2A (as amended and inserted, respectively, by the Act of 2003) are complied with, and

(b)    in addition, at least one of the following conditions is met:

(i)       the consent referred to in paragraph (a) of subsection (1) of section 2A (as inserted by the Act of 2003) of this Act is explicitly given,

(ii)     the processing is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment,

(iii)    the processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where—

(I)      consent to the processing cannot be given by or on behalf of the data subject in accordance with section 2A(1)(a) (inserted by the Act of 2003) of this Act, or

(II)     the data controller cannot reasonably be expected to obtain such consent,

or the processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld,

(iv)    the processing—

(I)      is carried out in the course of its legitimate activities by any body corporate, or any unincorporated body of persons, that—

(A)    is not established, and whose activities are not carried on, for profit, and

(B)    exists for political, philosophical, religious or trade union purposes,

(II)     is carried out with appropriate safeguards for the fundamental rights and freedoms of data subjects,

(III)    relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes, and

(IV)   does not involve disclosure of the data to a third party without the consent of the data subject,

(v)     the information contained in the data has been made public as a result of steps deliberately taken by the data subject,

(vi)    the processing is necessary—

(I)      for the administration of justice,

(II)     for the performance of a function conferred on a person by or under an enactment, or

(III)    for the performance of a function of the Government or a Minister of the Government,

(vii)   the processing—

(I)      is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings, or

(II)     is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

(viii)  the processing is necessary for medical purposes and is undertaken by—

(I)      a health professional, or

(II)     a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health professional,

(ix)    the processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act 1993, only for statistical, compilation and analysis purposes,

(x)     the processing is carried out by political parties, or candidates for election to, or holders of, elective political office, in the course of electoral activities for the purpose of compiling data on people's political opinions and complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects,

(xi)    the processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest,

(xii)   the processing is necessary for the purpose of the assessment, collection or payment of any tax, duty, levy or other moneys owed or payable to the State and the data has been provided by the data subject solely for that purpose,

(xiii)  the processing is necessary for the purposes of determining entitlement to or control of, or any other purpose connected with the administration of any benefit, pension, assistance, allowance, supplement or payment under the Social Welfare (Consolidation) Act 1993, or any nonstatutory scheme administered by the Minister for Social, Community and Family Affairs.

(2)    The Minister may by regulations made after consultation with the Commissioner—

(a)    exclude the application of subsection (1)(b)(ii) of this section in such cases as may be specified, or

(b)    provide that, in such cases as may be specified, the condition in the said subsection (1)(b)(ii) is not to be regarded as satisfied unless such further conditions as may be specified are also satisfied.

(3)    The Minister may by regulations make such provision as he considers appropriate for the protection of data subjects in relation to the processing of personal data as to—

(a)    the commission or alleged commission of any offence by data subjects,

(b)    any proceedings for an offence committed or alleged to have been committed by data subjects, the disposal of such proceedings or the sentence of any court in such proceedings,

(c)     any act or omission or alleged act or omission of data subjects giving rise to administrative sanctions,

(d)    any civil proceedings in a court or other tribunal to which data subjects are parties or any judgment, order or decision of such a tribunal in any such proceedings,

and processing of personal data shall be in compliance with any regulations under this subsection.

(4)    In this section—

‘health professional’ includes a registered medical practitioner, within the meaning of the Medical Practitioners Act 1978, a registered dentist, within the meaning of the Dentists Act 1985 or a member of any other class of health worker or social worker standing specified by regulations made by the Minister after consultation with the Minister for Health and Children and any other Minister of the Government who, having regard to his or her functions, ought, in the opinion of the Minister, to be consulted;

‘medical purposes’ includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

Security measures for personal data.

2C.—

(1)    In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, in particular (but without prejudice to the generality of that provision), where the processing involves the transmission of data over a network, a data controller—

(a)    may have regard to the state of technological development and the cost of implementing the measures, and

(b)    shall ensure that the measures provide a level of security appropriate to—

(i)      the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and

(ii)     the nature of the data concerned.

(2)    A data controller or data processor shall take all reasonable steps to ensure that—

(a)    persons employed by him or her, and

(b)    other persons at the place of work concerned,

are aware of and comply with the relevant security measures aforesaid.

(3)    Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall—

(a)    ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of this Act,

(b)    ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and

(c)     take reasonable steps to ensure compliance with those measures.

Fair processing of personal data.

2D.—

(1)    Personal data shall not be treated, for the purposes of section 2(1)(a) of this Act, as processed fairly unless—

(a)    in the case of data obtained from the data subject, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (2) of this section,

(b)    in any other case, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (3) of this section—

(i)      not later than the time when the data controller first processes the data, or

(ii)     if disclosure of the data to a third party is envisaged, not later than the time of such disclosure.

(2)    The information referred to in subsection (1)(a) of this section is:

(a)    the identity of the data controller,

(b)    if he or she has nominated a representative for the purposes of this Act, the identity of the representative,

(c)     the purpose or purposes for which the data are intended to be processed, and

(d)    any other information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject such as information as to the recipients or categories of recipients of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure to give such replies and as to the existence of the right of access to and the right to rectify the data concerning him or her.

(3)    The information referred to in subsection (1)(b) of this section is:

(a)    the information specified in subsection (2) of this section,

(b)    the categories of data concerned, and

(c)     the name of the original data controller.

(4)    The said subsection (1)(b) does not apply—

(a)    where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of the information specified therein proves impossible or would involve a disproportionate effort, or

(b)    in any case where the processing of the information contained or to be contained in the data by the data controller is necessary for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract,

if such conditions as may be specified in regulations made by the Minister after consultation with the Commissioner are complied with.”.


Amendment of section 4 (right of access) of Principal Act.

5.—

Section 4 of the Principal Act is amended—

(a)    in subsection (1), by the substitution of the following paragraphs for paragraphs (a) and (b):

“(a)   Subject to the provisions of this Act, an individual shall, if he or she so requests a data controller by notice in writing—

(i)      be informed by the data controller whether the data processed by or on behalf of the data controller include personal data relating to the individual,

(ii)     if it does, be supplied by the data controller with a description of—

(I)      the categories of data being processed by or on behalf of the data controller,

(II)     the personal data constituting the data of which that individual is the data subject,

(III)    the purpose or purposes of the processing, and

(IV)   the recipients or categories of recipients to whom the data are or may be disclosed,

(iii)    have communicated to him or her in intelligible form—

(I)      the information constituting any personal data of which that individual is the data subject, and

(II)     any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,

and

(iv)    where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,

as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.

(b)    A request under paragraph (a) of this subsection that does not relate to all of its subparagraphs shall, in the absence of any indication to the contrary, be treated as relating to all of them.”,

(b)    by the insertion of the following subsection after subsection (4):

“(4A)

(a)    Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.

(b)    Paragraph (a) of this subsection does not apply—

(i)      to personal data held by or on behalf of the person in charge of an institution referred to in section 5(1)(c) of this Act and consisting of an expression of opinion by another person about the data subject if the data subject is being or was detained in such an institution, or

(ii)     if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it would be treated as confidential.”,

(c)     in subsection (8)(a), by the insertion after “in the interests of data subjects” of “or in the public interest”, and

(d)    by the insertion of the following subsections after subsection (8):

“(9)   The obligations imposed by subsection (1)(a)(iii) (inserted by the Act of 2003) of this section shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless—

(a)    the supply of such a copy is not possible or would involve disproportionate effort, or

(b)    the data subject agrees otherwise.

(10)  Where a data controller has previously complied with a request under subsection (1) of this section, the data controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the data controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(11)  In determining for the purposes of subsection (10) of this section whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(12)  Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).