Data Protection Act 1998
1998 Chapter 29 - continued

back to previous text
 
  PART VI
  MISCELLANEOUS AND GENERAL
 
Functions of Commissioner
General duties of Commissioner.     51. - (1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.
 
      (2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.
 
      (3) Where-
 
 
    (a) the Secretary of State so directs by order, or
 
    (b) the Commissioner considers it appropriate to do so,
  the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.
 
      (4) The Commissioner shall also-
 
 
    (a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and
 
    (b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.
      (5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.
 
      (6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of-
 
 
    (a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,
 
    (b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and
 
    (c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.
      (7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.
 
      (8) The Commissioner may charge such sums as he may with the consent of the Secretary of State determine for any services provided by the Commissioner by virtue of this Part.
 
      (9) In this section-
 
 
    "good practice" means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;
 
    "trade association" includes any body representing data controllers.
Reports and codes of practice to be laid before Parliament.     52. - (1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.
 
      (2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
 
      (3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the Secretary of State, unless the code is included in any report laid under subsection (1) or (2).
 
Assistance by Commissioner in cases involving processing for the special purposes.     53. - (1) An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.
 
      (2) The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.
 
      (3) If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.
 
      (4) If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.
 
      (5) In this section-
 
 
    (a) references to "proceedings" include references to prospective proceedings, and
 
    (b) "applicant", in relation to assistance under this section, means an individual who applies for assistance.
      (6) Schedule 10 has effect for supplementing this section.
 
International co-operation.     54. - (1) The Commissioner-
 
 
    (a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and
 
    (b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive.
      (2) The Secretary of State may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.
 
      (3) The Secretary of State may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to-
 
 
    (a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, and
 
    (b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order.
      (4) The Commissioner shall also carry out any data protection functions which the Secretary of State may by order direct him to carry out for the purpose of enabling Her Majesty's Government in the United Kingdom to give effect to any international obligations of the United Kingdom.
 
      (5) The Commissioner shall, if so directed by the Secretary of State, provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the Secretary of State may direct or approve, on such terms (including terms as to payment) as the Secretary of State may direct or approve.
 
      (6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
 
      (7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States-
 
 
    (a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and
 
    (b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.
      (8) In this section-
 
 
    "the Convention" means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;
 
    "data protection functions" means functions relating to the protection of individuals with respect to the processing of personal information.
 
Unlawful obtaining etc. of personal data
Unlawful obtaining etc. of personal data.     55. - (1) A person must not knowingly or recklessly, without the consent of the data controller-
 
 
    (a) obtain or disclose personal data or the information contained in personal data, or
 
    (b) procure the disclosure to another person of the information contained in personal data.
      (2) Subsection (1) does not apply to a person who shows-
 
 
    (a) that the obtaining, disclosing or procuring-
 
      (i) was necessary for the purpose of preventing or detecting crime, or
 
      (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,
 
    (b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
 
    (c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
 
    (d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
      (3) A person who contravenes subsection (1) is guilty of an offence.
 
      (4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).
 
      (5) A person who offers to sell personal data is guilty of an offence if-
 
 
    (a) he has obtained the data in contravention of subsection (1), or
 
    (b) he subsequently obtains the data in contravention of that subsection.
      (6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
 
      (7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), "personal data" includes information extracted from personal data.
 
      (8) References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.
 
 
Records obtained under data subject's right of access
Prohibition of requirement as to production of certain records.     56. - (1) A person must not, in connection with-
 
 
    (a) the recruitment of another person as an employee,
 
    (b) the continued employment of another person, or
 
    (c) any contract for the provision of services to him by another person,
  require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
 
      (2) A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
 
      (3) Subsections (1) and (2) do not apply to a person who shows-
 
 
    (a) that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court, or
 
    (b) that in the particular circumstances the imposition of the requirement was justified as being in the public interest.
      (4) Having regard to the provisions of Part V of the Police Act 1997 (certificates of criminal records etc.), the imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as being justified as being in the public interest on the ground that it would assist in the prevention or detection of crime.
 
      (5) A person who contravenes subsection (1) or (2) is guilty of an offence.
 
      (6) In this section "a relevant record" means any record which-
 
 
    (a) has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7, and
 
    (b) contains information relating to any matter specified in relation to that data controller in the second column,
  and includes a copy of such a record or a part of such a record.
 
 
 
TABLE
 
Data controller
 
Subject-matter
 

1. Any of the following persons-
(a) a chief officer of police of a police force in England and Wales.
(b) a chief constable of a police force in Scotland.
(c) the Chief Constable of the Royal Ulster Constabulary.
(d) the Director General of the National Criminal Intelligence Service.
(e) the Director General of the National Crime Squad.
 

(a) Convictions.
(b) Cautions.
 
2. The Secretary of State.
 

(a) Convictions.
(b) Cautions.
(c) His functions under section 53 of the Children and Young Persons Act 1933, section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995 or section 73 of the Children and Young Persons Act (Northern Ireland) 1968 in relation to any person sentenced to detention.
(d) His functions under the Prison Act 1952, the Prisons (Scotland) Act 1989 or the Prison Act (Northern Ireland) 1953 in relation to any person imprisoned or detained.
(e) His functions under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992 or the Jobseekers Act 1995.
(f) His functions under Part V of the Police Act 1997.
 
3. The Department of Health and Social Services for Northern Ireland.
 
Its functions under the Social Security Contributions and Benefits (Northern Ireland) Act 1992, the Social Security Administration (Northern Ireland) Act 1992 or the Jobseekers (Northern Ireland) Order 1995.
      (7) In the Table in subsection (6)-
 
 
    "caution" means a caution given to any person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;
 
    "conviction" has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978.
      (8) The Secretary of State may by order amend-
 
 
    (a) the Table in subsection (6), and
 
    (b) subsection (7).
      (9) For the purposes of this section a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.
 
      (10) In this section "employee" means an individual who-
 
 
    (a) works under a contract of employment, as defined by section 230(2) of the Employment Rights Act 1996, or
 
    (b) holds any office,
  whether or not he is entitled to remuneration; and "employment" shall be construed accordingly.
 
Avoidance of certain contractual terms relating to health records.     57. - (1) Any term or condition of a contract is void in so far as it purports to require an individual-
 
 
    (a) to supply any other person with a record to which this section applies, or with a copy of such a record or a part of such a record, or
 
    (b) to produce to any other person such a record, copy or part.
      (2) This section applies to any record which-
 
 
    (a) has been or is to be obtained by a data subject in the exercise of the right conferred by section 7, and
 
    (b) consists of the information contained in any health record as defined by section 68(2).
 
 
 
  continue previous section contents
  Other UK Acts |  Home |  Scotland Legislation |  Wales Legislation |  Northern Ireland Legislation |  Her Majesty's Stationery Office

We welcome your comments on this site
© Crown copyright 1998
Prepared 24 July 1998