Data Protection Act 1984

JurisdictionUK Non-devolved
Citation1984 c. 35


Data Protection Act 1984

1984 CHAPTER 35

An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.

[12th July 1984]

Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

I Preliminary

Part I

Preliminary

S-1 Definition of ‘data’ and related expressions.

1 Definition of ‘data’ and related expressions.

(1) The following provisions shall have effect for the interpretation of this Act.

(2) ‘Data’ means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.

(3) ‘Personal data’ means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual.

(4) ‘Data subject’ means an individual who is the subject of personal data.

(5) ‘Data user’ means a person who holds data, and a person ‘holds’ data if—

(a ) the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (2) above; and

(b ) that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection; and

(c ) the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a ) above or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion.

(6) A person carries on a ‘computer bureau’ if he provides other persons with services in respect of data, and a person provides such services if—

(a ) as agent for other persons he causes data held by them to be processed as mentioned in subsection (2) above; or

(b ) he allows other persons the use of equipment in his possession for the processing as mentioned in that subsection of data held by them.

(7) ‘Processing’, in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject.

(8) Subsection (7) above shall not be construed as applying to any operation performed only for the purpose of preparing the text of documents.

(9) ‘Disclosing’, in relation to data, includes disclosing information extracted from the data; and where the identification of the individual who is the subject of personal data depends partly on the information constituting the data and partly on other information in the possession of the data user, the data shall not be regarded as disclosed or transferred unless the other information is also disclosed or transferred.

S-2 The data protection principles.

2 The data protection principles.

(1) Subject to subsection (3) below, references in this Act to the data protection principles are to the principles set out in Part I of Schedule 1 to this Act; and those principles shall be interpreted in accordance with Part II of that Schedule.

(2) The first seven principles apply to personal data held by data users and the eighth applies both to such data and to personal data in respect of which services are provided by persons carrying on computer bureaux.

(3) The Secretary of State may by order modify or supplement those principles for the purpose of providing additional safeguards in relation to personal data consisting of information as to—

(a ) the racial origin of the data subject;

(b ) his political opinions or religious or other beliefs;

(c ) his physical or mental health or his sexual life; or

(d ) his criminal convictions;

and references in this Act to the data protection principles include, except where the context otherwise requires, references to any modified or additional principle having effect by virtue of an order under this subsection.

(4) An order under subsection (3) above may modify a principle either by modifying the principle itself or by modifying its interpretation; and where an order under that subsection modifies a principle or provides for an additional principle it may contain provisions for the interpretation of the modified or additional principle.

(5) An order under subsection (3) above modifying the third data protection principle may, to such extent as the Secretary of State thinks appropriate, exclude or modify in relation to that principle any exemption from the non-disclosure provisions which is contained in Part IV of this Act; and the exemptions from those provisions contained in that Part shall accordingly have effect subject to any order made by virtue of this subsection.

(6) An order under subsection (3) above may make different provision in relation to data consisting of information of different descriptions.

S-3 The Registrar and the Tribunal.

3 The Registrar and the Tribunal.

(1) For the purposes of this Act there shall be—

(a ) an officer known as the Data Protection Registrar (in this Act referred to as ‘the Registrar’); and

(b ) a tribunal known as the Data Protection Tribunal (in this Act referred to as ‘the Tribunal’).

(2) The Registrar shall be appointed by Her Majesty by Letters Patent.

(3) The Tribunal shall consist of—

(a ) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate;

(b ) such number of deputy chairmen appointed as aforesaid as the Lord Chancellor may determine; and

(c ) such number of other members appointed by the Secretary of State as he may determine.

(4) The members of the Tribunal appointed under subsection (3)(a ) and (b ) above shall be barristers, advocates or solicitors, in each case of not less than seven years' standing.

(5) The members of the Tribunal appointed under subsection (3)(c ) above shall be—

(a ) persons to represent the interests of data users; and

(b ) persons to represent the interests of data subjects.

(6) Schedule 2 to this Act shall have effect in relation to the Registrar and the Tribunal.

II Registration and Supervision of Data Users and Computer Bureaux

Part II

Registration and Supervision of Data Users and ComputerBureaux

Registration

Registration

S-4 Registration of data users and computer bureaux.

4 Registration of data users and computer bureaux.

(1) The Registrar shall maintain a register of data users who hold, and of persons carrying on computer bureaux who provide services in respect of, personal data and shall make an entry in the register in pursuance of each application for registration accepted by him under this Part of this Act.

(2) Each entry shall state whether it is in respect of a data user, of a person carrying on a computer bureau or of a data user who also carries on such a bureau.

(3) Subject to the provisions of this section, an entry in respect of a data user shall consist of the following particulars—

(a ) the name and address of the data user;

(b ) a description of the personal data to be held by him and of the purpose or purposes for which the data are to be held or used;

(c ) a description of the source or sources from which he intends or may wish to obtain the data or the information to be contained in the data;

(d ) a description of any person or persons to whom he intends or may wish to disclose the data;

(e ) the names or a description of any countries or territories outside the United Kingdom to which he intends or may wish directly or indirectly to transfer the data; and

(f ) one or more addresses for the receipt of requests from data subjects for access to the data.

(4) Subject to the provisions of this section, an entry in respect of a person carrying on a computer bureau shall consist of that person's name and address.

(5) Subject to the provisions of this section, an entry in respect of a data user who also carries on a computer bureau shall consist of his name and address and, as respects the personal data to be held by him, the particulars specified in subsection (3)(b ) to (f ) above.

(6) In the case of a registered company the address referred to in subsections (3)(a ), (4) and (5) above is that of its registered office, and the particulars to be included in the entry shall include the company's number in the register of companies.

(7) In the case of a person (other than a registered company) carrying on a business the address referred to in subsections (3)(a ), (4) and (5) above is that of his principal place of business.

(8) The Secretary of State may by order vary the particulars to be included in entries made in the register.

S-5 Prohibition of unregistered holding etc. of personal data.

5 Prohibition of unregistered holding etc. of personal data.

(1) A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT