Data Protection Bill [H.L.]
A
B I L L
[AS AMENDED IN STANDING COMMITTEE D]
INTITULED
An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
BE IT ENACTED by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:-

PART I

PRELIMINARY
Basic interpretative provisions.
1. - (1) In this Act, unless the context otherwise requires-

"data" means information which-

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;

"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

"data subject" means an individual who is the subject of personal data;

"personal data" means data which relate to a living individual who can be identified-

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data;

"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

(2) In this Act, unless the context otherwise requires-

(a) "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b) "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.

(3) In determining for the purposes of this Act whether any information is recorded with the intention-

(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.

(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

(5) A person who-

(a) discloses personal data to a person in a country or territory, or

(b) otherwise makes the information contained in the data available to a person in a country or territory,

is to be taken to transfer the data to that country or territory.

(6) A data controller is not to be treated as transferring personal data outside the European Economic Area if the circumstances are such that, by virtue of section 5(1), this Act will continue to apply to the processing of the data after the transfer.
Sensitive personal data.
2. In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The special purposes.
3. In this Act "the special purposes" means any one or more of the following-

(a) the purposes of journalism,

(b) artistic purposes, and
The data protection principles.
4. - (1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.

(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.

(3) Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
Application of Act.
5. - (1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if-

(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or of any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-

(i) an office, branch or agency through which he carries on any activity, or

and the reference to establishment in any other EEA State has a corresponding meaning.
The Commissioner and the Tribunal.
6. - (1) The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner; and in this Act the Data Protection Commissioner is referred to as "the Commissioner".

(2) The Commissioner shall be appointed by Her Majesty by Letters Patent.

(3) For the purposes of this Act there shall continue to be a Data Protection Tribunal (in this Act referred to as "the Tribunal").

(4) The Tribunal shall consist of-

(a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,

(b) such number of deputy chairmen so appointed as the Lord Chancellor may determine, and

(c) such number of other members appointed by the Secretary of State as he may determine.

(5) The members of the Tribunal appointed under subsection (4)(a) and (b) shall be-

(a) persons who have a 7 year general qualification, within the meaning of section 71 of the Courts and Legal Services Act 1990,

(b) advocates or solicitors in Scotland of at least 7 years' standing, or

(c) members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years' standing.

(6) The members of the Tribunal appointed under subsection (4)(c) shall be-

(a) persons to represent the interests of data subjects, and

(b) persons to represent the interests of data controllers.

(7) Schedule 5 has effect in relation to the Commissioner and the Tribunal.