Data Protection Bill [H.L.] - continued        House of Commons

 
  PART II
  RIGHTS OF DATA SUBJECTS AND OTHERS
Right of access to personal data.

7. - (1) Subject to the following provisions of this section and to section 8, an individual is entitled-
 
 
    (a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
 
    (b) if that is the case, to be given by the data controller a description of-
 
      (i) the personal data of which that individual is the data subject,
 
      (ii) the purposes for which they are being or are to be processed, and
 
      (iii) the recipients or classes of recipients to whom they are or may be disclosed,
 
    (c) to have communicated to him in an intelligible form-
 
      (i) the information constituting any personal data of which that individual is the data subject, and
 
      (ii) any information available to the data controller as to the source of those data, and
 
    (d) where the processing by automatic means of personal data of which that individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
      (2) A data controller is not obliged to supply any information under subsection (1) except in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require.
 
      (3) A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.
 
      (4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless-
 
 
    (a) the other individual has consented to the disclosure of the information to the person making the request,
 
    (b) the information is contained in a health record and the other individual is a health professional who has compiled or contributed to that health record, or
 
    (c) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
      (5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
 
      (6) In determining for the purposes of subsection (4)(c) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to-
 
 
    (a) any duty of confidentiality owed to the other individual,
 
    (b) any steps taken by the data controller with a view to seeking the consent of the other individual,
 
    (c) whether the other individual is capable of giving consent, and
 
    (d) any express refusal of consent by the other individual.
      (7) An individual making a request under this section to a credit reference agency may specify that his request is limited to personal data consisting of information as to his financial standing.
 
      (8) Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.
 
      (9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
 
      (10) In this section-
 
 
    "credit reference agency" has the same meaning as in the Consumer Credit Act 1974;
 
    "health record" means a record which-
 
      (a) consists of information relating to the physical or mental health or condition of the data subject, and
 
      (b) has been made by or on behalf of a health professional in connection with the care of that individual;
 
    "the prescribed maximum" means such amount as may be prescribed by the Secretary of State by regulations;
 
    "the prescribed period" means forty days or such other period as may be so prescribed;
 
    "the relevant day", in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).
      (11) Different amounts or periods may be prescribed under this section in relation to different cases.
 
Provisions supplementary to section 7.

8. - (1) The Secretary of State may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.
 
      (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-
 
 
    (a) the supply of such a copy is not possible or would involve disproportionate effort, or
 
    (b) the data subject agrees otherwise;
  and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
 
      (3) Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
 
      (4) In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
 
      (5) Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.
 
      (6) The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
 
      (7) For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.
 
Right to prevent processing likely to cause damage or distress.

9. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-
 
 
    (a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
 
    (b) that damage or distress is or would be unwarranted.
      (2) Subsection (1) does not apply-
 
 
    (a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or
 
    (b) in such other cases as may be prescribed by the Secretary of State by order.
      (3) The data controller must within 21 days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice-
 
 
    (a) stating that he has complied or intends to comply with the data subject notice, or
 
    (b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.
      (4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
 
      (5) The failure by a data subject to exercise the right conferred by subsection (1) or section 10(1) does not affect any other right conferred on him by this Part.
 
Right to prevent processing for purposes of direct marketing.

10. - (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
 
      (2) The data controller must within 21 days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice specifying the steps that he has taken or intends to take to comply with the data subject notice.
 
      (3) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the requirement, the court may order him to take such steps for complying with the requirement as the court thinks fit.
 
      (4) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
 
Compensation for failure to comply with certain requirements.

11. - (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
 
      (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if-
 
 
    (a) the individual also suffers damage by reason of the contravention, or
 
    (b) the contravention relates to the processing of personal data for the special purposes.
      (3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
 
 

© Parliamentary copyright 1998
Prepared 26 March 1998