European Data Protection Rules

UNITED KINGDOM

 

The Information Commissioner’s Office Website: http://www.ico.gov.uk/

 

The Data Protection Act 1998 (as amended): http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

 

What needs to be done prior to collection?

 

NOTIFY INFORMATION COMMISSIONER’S OFFICE

 

Article 16 – The ‘Registerable Particulars’

 

  1. In this part the ‘Registerable Particulars’, in relation to a data controller, means –
    1. His name and address
    2. If he has nominated a representative for the purposes of this Act, the name and address of the representative
    3. A description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate
    4. A description of the purpose or purposes for which the data are being or are to be processed
    5. A description of any recipient or recipients to whom the data controller intends or may wish to disclose the data
    6. The names or a description of any countries or territories outside the EEA to which the data controller directly or indirectly transfers, or intends or may wish to directly or indirectly transfer, the data
    ff. Where the data controller is a public authority, a statement of that fact

 

Section 17 – Prohibition on processing without Registration

 

Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19 (3) as being so included)

 

Section 18 – Notification by Data Controllers

 

Any data controller who wishes to be included in the Register maintained under section 19 shall give a notification to the Commissioner under this section.

 

A notification under this section must specify in accordance with notification regulations –

  1. The Registerable particulars, and
  2. A general description of measures to be taken for the purpose of complying with the seventh data protection principle (see Schedule 1)

 

The notification must be accompanied by such fee as may be prescribed by fees regulations

 

Article 19 – Register of Notifications

 

The Commissioner shall –

  1. Maintain a register of persons who have given notification under section 18, and
  2. Make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register

 

 

 

 

 

Article 20 – Duty to Notify changes

 

Notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the Registerable particulars

 

CONTACT THE DATA SUBJECT

 

Section 7 – The Data Subject’s Right of access to personal data

 

(1)     Subject to the following provisions of this section and to sections 8, 9 and 9A, an individual is entitled –

a.       To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

b.       If that is the case, to be given by the data controller a description of –

    i. The personal data of which that individual is the data subject

    ii. The purposes for which they are being or are to be processed, and

    iii. The recipients or classes of recipients to whom they may be disclosed

c.        To have communicated to him in an intelligible form –

    i. The information constituting any personal data of which that individual is the data subject, and

    ii. Any information available to the data controller as to the source of those data, and

d.       Where the processing by automatic means of personal data of which the individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision taking

 

(2)     A data controller is not obliged to supply any information under subsection (1) unless he has received –

a.       A request in writing, and

b.       Except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require

 

(3)     Where the data controller –

a.       Reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and

b.       Has informed him of that requirement

The data controller is not obliged to comply with the request unless he has that further information

 

(4)     Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless –

a.       The other individual has consented to the disclosure of the information to the person making the request, or

b.       It is reasonable in all the circumstances to comply with the request without the consent of the other individual

 

(5)     In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by omission of names or other identifying particulars or otherwise

 

(6)     In determining for the purposes of subsection 4 (b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to –

 

a.       Any duty of confidentiality owed to the other individual

b.       Any steps taken by the data controller with a view to seeking the consent of the other individual

c.        Whether the other individual is capable of giving consent, and

d.       Any express refusal of consent by the other individual

 

(7)     An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description

 

(8)     Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day

 

[See this section for further definitions]

 

What needs to be done prior to shipping?

 

Schedule 1 – the data protection principles

 

The eighth principle:

Personal Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –

(a)     The nature of the personal data,

(b)     The country or territory of origin of the information contained in the data,

(c)     The country or territory of final destination of that information,

(d)     The purposes for which and period during which the data are intended to be processed,

(e)     The law in force in the country or territory in question,

(f)      The international obligations of that territory or country,

(g)     Any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h)     Any security measures taken in respect of the data in that country or territory

 

14. The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the Secretary of State may provide

 

15. Where –

(a)     In any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

(b)     A Community finding has been made in relation to transfers of the kind in question

That question is to be determined in accordance with that finding.

 

Schedule 4 – cases where the eighth principle does not apply

 

  1. The data subject has given his consent to the transfer
  2. The transfer is necessary –
    1. For the performance of a contract between the data subject and the data controller, or
    2. For the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller
  3. The transfer is necessary –
    1. For the conclusion of a contract between the data controller and a person other than the data subject which –
      i. Is entered into at the request of the data subject, or
      ii. Is in the interests of the data subject, or
    2. For the performance of such a contract
  4. The transfer is necessary for reasons of substantial public interest. The Secretary of State may by order specify circumstances in which a transfer is to be taken to be necessary for reasons of substantial public interest and circumstances in which a transfer is not to be taken to be necessary for reasons of substantial public interest
  5. The transfer –
    1. Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    2. Is necessary for the purpose of obtaining legal advice,
    3. Is otherwise necessary for the purposes of establishing, exercising or defending legal rights
  6. The transfer is necessary in order to protect the vital interests of the data subject
  7. The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer
  8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects
  9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects

 

                                      

What are the sanctions for non-compliance?

 

Section 13 – Compensation for failure to comply with certain requirements

 

  1. An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage
  2. An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –
    1. The individual also suffers damage by reason of the contravention, or
    2. The contravention relates to the processing of personal data for the special purposes
  3. In proceedings brought against a person by virtue of this section, it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

 

Article 14 – Rectification, Blocking, Erasure and Destruction

 

If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

 

Section 21 – Offences (linked to section 16 to section 20)

 

  1. If section 17 (1) is contravened, the data controller is guilty of an offence
  2. Any person who fails to comply with the duty imposed by notification regulation made by virtue of section 20 (1) is guilty of an offence
  3. It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty

 

 

Also see:

-          Section 40 – Enforcement Notices

-          Section 41A-41C – Assessment Notices

-          Section 42 – Request for Assessment

-          Section 47 – Failure to comply with a Notice

-          Section 55A-55E – Monetary Penalties


 

Please refer to the Information Commissioner’s Office Website for further details on the Statute

 
