TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

What Needs to be Done Prior to Collection


Contact the data subject

Contact the ICO


Right of access to personal data


7 (1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled—

(a) to be informed by any data controller whether personal data of which that individual is the data subject is being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of—

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which it is being or is to be processed, and

(iii) the recipients or classes of recipients to whom it is or may be disclosed,

(c) to have communicated to him in an intelligible form—

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of that data, and

(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2) A data controller is not obliged to supply any information under subsection (1) unless he has received—

(a) a request in writing, and

(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

(3) A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.

(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the data controller with a view to seeking the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

(7) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10) In this section—

· “prescribed” means prescribed by the Secretary of State by regulations;

· “the prescribed maximum” means such amount as may be prescribed;

· “the prescribed period” means forty days or such other period as may be prescribed;

· “the relevant day”, in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11) Different amounts or periods may be prescribed under this section in relation to different cases


Contact the ICO


17 Prohibition on processing without registration


(1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).

(2) Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of “data” in section 1(1) nor within paragraph (b) of that definition.

(3) If it appears to the Secretary of State that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.

(4) Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.


18 Notification by data controllers


(1) Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.

(2) A notification under this section must specify in accordance with notification regulations—

(a) the registrable particulars, and

(b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle.

(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2) (b) are to be specified, including in particular the detail required for the purposes of section 16(1) (c), (d), (e) and (f) and subsection (2) (b).

(4) Notification regulations may make provision as to the giving of notification—

(a) by partnerships, or

(b) in other cases where two or more persons are the data controllers in respect of any personal data.

(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.

(6) Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances


19 Register of notifications


(1) The Commissioner shall—

(a) maintain a register of persons who have given notification under section 18, and

(b) make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.

(2) Each entry in the register shall consist of—

(a) the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4), and

(b) such other information as the Commissioner may be authorised or required by notification regulations to include in the register.

(3) Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.

(4) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(5) In subsection (4) “the relevant time” means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.

(6) The Commissioner—

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.
© TRILANTIC - All rights reserved. | Disclaimer | Client Login