Data Protection (Amendment) Act 2003
1 Definitions.
1.—In this Act—
“Minister” means Minister for Justice, Equality and Law Reform;
“the Principal Act” means the Data Protection Act 1988.
2 Amendment of section 1 (interpretation and application of Act) of Principal Act.
2.—Section 1 of the Principal Act is amended—
(a) in subsection (1)—
(i) by the insertion of the following definitions:
“‘the Act of 2003’ means the Data Protection (Amendment) Act 2003;
‘automated data’ means information that—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded with the intention that it should be processed by means of such equipment;
‘blocking’, in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;
‘the Directive’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
‘the EEA Agreement’ means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;
‘enactment’ means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937);
‘the European Economic Area’ has the meaning assigned to it by the EEA Agreement;
‘manual data’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
‘sensitive personal data’ means personal data as to—
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
(b) whether the data subject is a member of a trade union,
(c) the physical or mental health or condition or sexual life of the data subject,
(d) the commission or alleged commission of any offence by the data subject, or
(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;”,
(ii) by the substitution of the following definition for the definition of “data”:
“‘data’ means automated data and manual data;”,
(iii) by the substitution of the following for the definition of “direct marketing”:
“‘direct marketing’ includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;”,
(iv) by the substitution of the following definition for the definition of “personal data”:
“‘personal data’ means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;”,
and
(v) by the substitution of the following definition for the definition of “processing”:
“‘processing’, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including—
(a) obtaining, recording or keeping the information or data,
(b) collecting, organising, storing, altering or adapting the information or data,
(c) retrieving, consulting or using the information or data,
(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or
(e) aligning, combining, blocking, erasing or destroying the information or data;”,
(b) by the insertion of the following subsections after subsection (3):
“(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.
(3B) (a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—
(i) the data controller is established in the State and the data are processed in the context of that establishment, or
(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.
(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:
(i) an individual who is normally resident in the State,
(ii) a body incorporated under the law of the State,
(iii) a partnership or other unincorporated association formed under the law of the State, and
(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State—
(I) an office, branch or agency through which he or she carries on any activity, or
(II) a regular practice,
and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.
(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.
(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to—
(a) data kept solely for the purpose of historical research, or
(b) other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986),
and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.”,
and
(c) by the insertion of the following subsection after subsection (4):
“(5) (a) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.
(b) The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.”.
3 Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.
3.—Section 2 of the Principal Act is amended—
(a) by the substitution of the following subsection for subsection (1):
“(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
(b) the data shall be accurate and complete and, where necessary, kept up to date,
(c) the data—
(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”,
(b) in subsection (5), by the substitution of the following paragraph for paragraph (a):
“(a) Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and”,
(c) by the deletion of subsection (6), and
(d) by the substitution of the following subsections for subsection (7):
“(7) Where—
(a) personal data are kept for the purpose of direct marketing, and
(b) the data subject concerned requests the data controller in writing—
(i) not to process the data for that purpose, or
(ii) to cease processing the data for that purpose,
then—
(I) if the request is under paragraph (b)(i) of this subsection, the data controller—
(A) shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and
(B) shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,
(II) if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data controller, he or she—
(A) shall, where the data are kept only for the purpose aforesaid, erase the data, and
(B) shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose,
and
(III) the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.
(8) Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing.”.
4 Provisions in relation to processing.
4.—The following sections are inserted in the Principal Act after section 2:
This document does not substitute the official text published in the Irish Statute Book. We accept no responsibility for any inaccuracies arising from the transcription of the original into this format.