House of Commons portcullis
House of Commons
Session 1997-98
Internet Publications
Other Bills before Parliament
Arrangement of Clauses (Contents)

Data Protection Bill [H.L.]
  The Bill gives effect to the requirements of Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Directive"). Member states must have legislation giving effect to the Directive in place by 24th October 1998. The Bill repeals the Data Protection Act 1984. It extends data protection controls to cover certain manual, as well as computerised, personal data; attaches conditions to processing, including additional ones for sensitive data; strengthens individuals' rights, in particular the rights to be told about processing, to obtain copies of data and to secure judicial remedies; replaces registration with notification; and makes transitional provision.
  Clauses 1, 2 and 3 define the main terms used in the Bill. Clause 4 introduces Schedules 2 to 4 and requires a data controller to comply with the data protection principles. Part I of Schedule 1 sets out the data protection principles and Part II of that Schedule makes provision for their interpretation. Schedule 2 sets out the conditions which must be satisfied before any personal data may be processed. Schedule 3 sets out additional conditions for the processing of sensitive personal data. Schedule 4 sets out the circumstances in which personal data may be transferred to countries with an inadequate level of data protection outside the EEA.
  Clause 5 deals with the geographical scope of the Bill. Clause 6 and Schedule 5 provide for the Data Protection Registrar and the Data Protection Tribunal to continue, with the Registrar renamed the Data Protection Commissioner ("the Commissioner").
  Clauses 7 and 8 provide for an individual to be able to gain access to personal data in respect of which he is the data subject including data held by credit reference agencies. Clause 9 provides for an individual in certain circumstances to prevent processing of personal data about him where the processing may cause damage or distress. Clause 10 provides for an individual to prevent the processing of personal data about him for direct marketing purposes.
  Clause 11 enables an individual to seek compensation for damage or distress caused by a data controller's failure to comply with the requirements of the Bill. Clause 12 gives a court power, on the application of a data subject, to order the rectification, blocking, erasure or destruction of inaccurate personal data about the data subject. Clause 13 gives individuals the right, subject to exemptions, to prevent decisions significantly affecting them being made by fully automated means. Clause 14 deals with the jurisdiction of the court and procedure in relation to Part II of the Bill.
  Clause 15 sets out a broad description of the information which a data controller must notify to the Commissioner and defines certain terms used in Part III. Clauses 16 and 17 have the effect of requiring a data controller to notify the Commissioner before processing certain personal data. Exemptions may be made by order. Clause 17 also allows voluntary notification by a data controller who would otherwise be exempt; and provides for the form of and fee for notification to be prescribed in notification regulations.
  Clause 18 requires the Commissioner to maintain a register of notified information (except information relating to security measures) and make it publicly available, and enables further provisions in respect of notification to be made by order. Clause 19 requires notification regulations to make provision in respect of the notification of changes to notified information. Clause 20 makes it an offence for a data controller to fail to comply with the obligations imposed by Clauses 16 and 19.
  Clause 21 establishes a procedure for processing which involves particular risks to individuals to be checked by the Commissioner for compliance with the data protection principles before the processing may begin.
  Clause 22 permits the Secretary of State to make an order allowing a data controller to appoint an independent data protection supervisor and to modify the notification requirements accordingly.
  Clause 23 provides that, for certain processing which has not been notified, a data controller must make available to any person on request and free of charge the same information as would otherwise appear on the register. Failure to respond to a written request is an offence.
  Clause 24 requires the Commissioner to submit to the Secretary of State proposals for the notification regulations and requires the Secretary of State to take account of the Commissioner's views before making notification regulations. Clause 25 makes provision in relation to fees regulations for Part III.
  Clause 26 makes preliminary provision in relation to exemptions and defines the subject information provisions and non-disclosure provisions.
  Clause 27 exempts from the data protection principles, Parts II, III and V and Clause 54 personal data processed for national security purposes, as certified by a Minister of the Crown and provides for appeals against the certificate to the Data Protection Tribunal in accordance with Schedule 6. Clause 28 makes provision exempting from the subject information and non-disclosure provisions personal data relating to preventing or detecting crime, apprehending or prosecuting offenders and assessing or collecting tax and duty.
  Clause 29 provides for the Secretary of State by order to exempt from or modify the subject information provisions in relation to personal data processed for the purposes of health and social work. Clause 30 makes provision exempting from the subject information provisions certain public functions designed to protect the public against financial loss due to misconduct, to protect charities' property or to protect health and safety at work.
  Clause 31 makes provision exempting from the data protection principles except the seventh principle and from Clauses 7, 9, 12 and 13 personal data processed for journalistic, artistic or literary purposes ("special purposes") with a view to publication where the publication is in the public interest and it is not compatible with the special purposes to comply with those provisions.
  Clause 32 makes special provision in relation to processing for research (including statistical and historical) purposes. Clause 33 exempts from the subject information and non-disclosure provisions and from the fourth data protection principle and Clause 12 personal data which are required by any enactment to be published.
  Clause 34 ensures that the data protection principles do not prevent disclosures required under an enactment or by order of a court. It provides a non-disclosure exemption where the disclosure is made in connection with legal proceedings. Clause 35 exempts from the data protection principles and from Parts II and III personal data which an individual holds for personal, family or household purposes.
  Clause 36 introduces Schedule 7 which provides exemptions relating to confidential references, the armed forces, judicial appointments and honours, Crown employment and Crown or ministerial appointments, management forecasts etc, negotiations, examination marks and scripts, human embryology, legal professional privilege and self-incrimination. Clause 37 allows the Secretary of State to make further exemptions from the subject information and non-disclosure provisions by order where necessary to safeguard data subjects' interests or the rights and freedoms of other individuals.
  Clause 38 introduces Schedule 8 which provides transitional exemptions for processing already under way immediately before 24th October 1998.
  Clause 39 empowers the Commissioner to issue an enforcement notice if satisfied that a data controller has contravened the data protection principles, and sets out the procedural arrangements. Clause 40 deals with cancellation of enforcement notices.
  Clause 41 enables the Commissioner to assess the processing of personal data for compliance with the data protection principles, following a request to do so from a data subject.
  Clause 42 empowers the Commissioner to issue an information notice requesting relevant details from a data controller either following a request under Clause 41 or to determine whether the data controller is complying with the data protection principles.
  Clause 43 empowers the Commissioner to issue a special information notice requesting specific information, to ascertain whether personal data are being processed only for special purposes with a view to publication, if either the Commissioner has received a request under Clause 41 or if he suspects that personal data are not being so processed.
  Clause 44 enables the Commissioner where it appears to him that personal data are not being processed for special purposes, to make a determination to that effect .
  Clause 45 restricts the power of the Commissioner to serve an enforcement notice on data controllers carrying out processing for special purposes.
  Clause 46 makes failing to comply with an enforcement notice, an information notice or a special information notice an offence and also makes supplying false information in response to any such notice an offence.
  Clauses 47 and 48 and Schedule 6 deal with appeals to the Data Protection Tribunal against the Commissioner's decisions. Clause 49 introduces Schedule 9 which enables the Commissioner to obtain a warrant authorising the entry of premises and inspection of equipment and material.
  Clause 50 sets out the Commissioner's powers and duties in relation to the promotion of good data protection practice and the dissemination of information about data processing. It allows him to charge for the provision of services.
  Clause 51 requires the Commissioner to submit to Parliament annual reports and such codes of practice as the Secretary of State directs him to prepare.
  Clause 52, which is supplemented by Schedule 10, gives the Commissioner power to assist individuals who bring court proceedings in cases where the special procedure for processing for special purposes applies.
  Clause 53 provides that the Commissioner shall continue to be the United Kingdom authority for the purposes of the Council of Europe Convention on Data Protection and designates the Commissioner as the supervisory authority for the purposes of the Directive. It allows the Secretary of State by order to require the Commissioner to fulfil certain functions to enable the UK to implement international obligations and to assist a data protection authority operating in a colony. It also makes provision with respect to the cooperation by the Commissioner with the European Commission and the supervisory authorities in other EEA states.
  Clause 54 makes it an offence for a person knowingly or recklessly to obtain, disclose or procure personal data without the consent of a data controller provided certain circumstances do not apply. Clause 55 provides that no enactment or rule of law shall prevent the disclosure of any information to the Commissioner or the Tribunal. Clause 56 places a duty of confidentiality, subject to criminal sanction, on the Commissioner and his staff.
  Clause 57 deals with the right to institute proceedings and provides penalties for offences under the Bill. Clause 58 concerns the liability of directors for offences committed by bodies corporate. Clause 59 amends sections 158 to 160 of the Consumer Credit Act 1974 and transfers from the Director General of Fair Trading to the Commissioner certain supervisory functions under that Act in relation to personal data. Clause 60 makes provision in respect of the application of the Bill to the Crown.
  Clause 61 deals with the service of notices by the Commissioner. Clause 62 deals with the exercise of rights in Scotland by children. Clause 63 states the procedure for the making of orders, regulations and rules under the Bill. Clauses 64 and 65 contain further definitions and an index to the definitions found in the Bill. Clause 66 introduces Schedule 11 which modifies the rights of data subjects in relation to certain inaccurate manual data which fall within certain transitional exemptions. Clause 67 introduces Schedule 12 which makes transitional provisions and savings. Clause 68 introduces Schedules 13 (minor and consequential amendments) and 14 (repeals and revocations). Clause 69 deals with the short title, commencement and extent.
 Financial effects of the Bill
  The costs in a full year of the Data Protection Commissioner and his office, together with the Tribunal, are estimated to be £3.7m at current prices. The transitional costs could be up to £0.8m. These expenses will be met from the Home Office budget and recovered through notification fees under Part III and other charges.
  The Bill will impose costs on central and local government. The start-up element is estimated to be £194m, including £104m for schools and other local authority expenditure. Their recurring annual costs are estimated at £75m, including £29m for schools and other local authority spending.
  The estimates depend on assumptions about how the provisions will apply in a large number of particular cases.
  The most significant public sector costs are expected to arise from Clause 1(1) extending the law to some manual data, the requirement to give information to data subjects when data are collected imposed by paragraph 3 of Part II of Schedule 1 and the criteria for processing sensitive data established by Schedule 3.
  The additional costs will be absorbed within existing resources and therefore will not lead to an overall increase in public expenditure.
 Effects on public service staffing
  Implementing the Bill will require diversion of up to three Home Office staff years from other duties. No continuing increase in the Department's staff is expected to be necessary.
  The additional transitional work of the Office of the Commissioner is likely to require up to six staff years. Existing staff would be deployed from other functions, and replaced meanwhile by temporary staff. No continuing manpower implications are expected.
  Increased use of the Data Protection Tribunal is not expected to have significant staffing implications. The Chairman, deputy chairmen and members are called upon only as necessary and paid a daily rate plus expenses.
 Business Compliance Cost Assessment
  The Bill has cost implications for the private and voluntary sectors. The start-up costs for business are estimated at £836m and the recurring costs at £630m. For the voluntary sector the estimated costs are £120m start-up and £37m recurring. A Regulatory Appraisal including a Compliance Cost Assessment has been drawn up by the Home Office and has been placed in the Libraries of both Houses. Copies are available to the public from Colin McGrath, Room 1173, Home Office, Queen Anne's Gate, London, SW1H 9AT.
House of Commons home page Houses of Parliament home page House of Lords home page search page enquiries

© Parliamentary copyright 1998
Prepared 26 March 1998