Statutory Instruments
2000 No. 188
DATA PROTECTION
The Data Protection (Notification and Notification Fees) Regulations 2000
Made
31st January 2000
Laid before Parliament
7th February 2000
Coming into force
1st March 2000
Whereas the Data Protection Commissioner has submitted to the Secretary of State proposals in accordance with section 25(1) of the Data Protection Act 1998( 1 ):
And whereas the Secretary of State has considered those proposals and has consulted the Data Protection Commissioner in accordance with sections 25(4) and 67(3)(b) of that Act:
And whereas it appears to the Secretary of State that processing of a description set out in the Schedule to these Regulations is unlikely to prejudice the rights and freedoms of data subjects:
Now, therefore, the Secretary of State, in exercise of the powers conferred on him by sections 17(3), 18(2)( 2 ), (4) and (5), 19(2), (3), (4) and (5), 20(1), 26(1) and 67(2) of, and paragraph 2(7) and (8) of Schedule 14 to, that Act, hereby makes the following Regulations:
Citation and commencement
1. These Regulations may be cited as the Data Protection (Notification and Notification Fees) Regulations 2000 and shall come into force on 1st March 2000.
Interpretation
2. In these Regulations—
“the Act” means the Data Protection Act 1998;
“the register” means the register maintained by the Commissioner under section 19 of the Act.
Exemptions from notification
3. Except where the processing is assessable processing for the purposes of section 22 of the Act, section 17(1) of the Act shall not apply in relation to processing—
(a) falling within one or more of the descriptions of processing set out in paragraphs 2 to 5 of the Schedule to these Regulations (being processing appearing to the Secretary of State to be unlikely to prejudice the rights and freedoms of data subjects); or
(b) which does not fall within one or more of those descriptions solely by virtue of the fact that disclosure of the personal data to a person other than those specified in the descriptions—
(i) is required by or under any enactment, by any rule of law or by the order of a court, or
(ii) may be made by virtue of an exemption from the non-disclosure provisions (as defined in section 27(3) of the Act).
Form of giving notification
4. —(1) Subject to regulations 5 and 6 below, the Commissioner shall determine the form in which the registrable particulars (within the meaning of section 16(1) of the Act) and the description mentioned in section 18(2)(b) of the Act are to be specified, including in particular the detail required for the purposes of that description and section 16(1)(c), (d), (e) and (f) of the Act.
(2) Subject to regulations 5 and 6 below, the Commissioner shall determine the form in which a notification under regulation 12 (including that regulation as modified by regulation 13) is to be specified.
Notification in respect of partnerships
5. —(1) In any case in which two or more persons carrying on a business in partnership are the data controllers in respect of any personal data for the purposes of that business, a notification under section 18 of the Act or under regulation 12 below may be given in respect of those persons in the name of the firm.
(2) Where a notification is given in the name of a firm under paragraph (1) above—
(a) the name to be specified for the purposes of section 16(1)(a) of the Act is the name of the firm, and
(b) the address to be specified for the purposes of section 16(1)(a) of the Act is the address of the firm’s principal place of business.
Notification in respect of the governing body of, and head teacher at, any school
6. —(1) In any case in which a governing body of, and a head teacher at, any school are, in those capacities, the data controllers in respect of any personal data, a notification under section 18 of the Act or under regulation 12 below may be given in respect of that governing body and head teacher in the name of the school.
(2) Where a notification is given in the name of a school under paragraph (1) above, the name and address to be specified for the purposes of section 16(1)(a) of the Act are those of the school.
(3) In this regulation, “head teacher” includes in Northern Ireland the principal of a school.
Fees to accompany notification under section 18 of the Act
7. —(1) This regulation applies to any notification under section 18 of the Act, including a notification which, by virtue of regulation 5 or 6 above, is given in respect of more than one data controller.
(2) A notification to which this regulation applies must be accompanied by a fee of £35.
Date of entry in the register
8. —(1) The time from which an entry in respect of a data controller who has given a notification under section 18 of the Act in accordance with these Regulations is to be treated for the purposes of section 17 of the Act as having been made in the register shall be determined as follows.
(2) In the case of a data controller who has given the notification by sending it by registered post or the recorded delivery service, that time is the day after the day on which it is received for dispatch by the Post Office.
(3) In the case of a data controller who has given a notification by some other means, that time is the day on which it is received by the Commissioner.
Acknowledgment of receipt of notification in the case of assessable processing
9. —(1) In any case in which the Commissioner considers under section 22(2)(a) of the Act that any of the processing to which a notification relates is assessable processing within the meaning of that section he shall, within 10 days of receipt of the notification, give a written notice to the data controller who has given the notification, acknowledging its receipt.
(2) A notice under paragraph (1) above shall indicate—
(a) the date on which the Commissioner received the notification, and
(b) the processing which the Commissioner considers to be assessable processing.
Confirmation of register entries
10. —(1) The Commissioner shall, as soon as practicable and in any event within a period of 28 days after making an entry in the register under section 19(1)(b) of the Act or amending an entry in the register under section 20(4) of the Act, give the data controller to whom the register entry relates notice confirming the register entry.
(2) A notice under paragraph (1) above shall include a statement of—
(a) the date on which—
(i) in the case of an entry made under section 19(1)(b) of the Act, the entry is treated as having been included by virtue of regulation 8 above, or
(ii) in the case of an entry made under section 20(4) of the Act, the notification was received by the Commissioner;
(b) the particulars entered in the register, or the amendment made, in pursuance of the notification; and
(c) in the case of a notification under section 18 of the Act, the date by which the fee payable under regulation 14 below must be paid in order for the entry to be retained in the register as provided by section 19(4) of the Act.
Additional information in register entries
11. In addition to the matters mentioned in section 19(2)(a) of the Act, the Commissioner may include in a register entry—
(a) a registration number issued by the Commissioner in respect of that entry;
(b) the date on which the entry is treated, by virtue of regulation 8 above, as having been included in pursuance of a notification under section 18 of the Act;
(c) the date on which the entry falls or may fall to be removed by virtue of regulation 14 or 15 below; and
(d) information additional to the registrable particulars for the purpose of assisting persons consulting the register to communicate with any data controller to whom the entry relates concerning matters relating to the processing of personal data.
Duty to notify changes to matters previously notified
12. —(1) Subject to regulation 13 below, every person in respect of whom an entry is for the time being included in the register is under a duty to give the Commissioner a notification specifying any respect in which—
(a) that entry becomes inaccurate or incomplete as a statement of his current registrable particulars, or
(b) the general description of measures notified under section 18(2)(b) of the Act or, as the case may be, that description as amended in pursuance of a notification under this regulation, becomes inaccurate or incomplete,
and setting out the changes which need to be made to that entry or general description in order to make it accurate and complete.
(2) Such a notification must be given as soon as practicable and in any event within a period of 28 days from the date on which the entry or, as the case may be, the general description, becomes inaccurate or incomplete.
(3) References in this regulation to an entry being included in the register include any entry being treated under regulation 8 above as being so included.
Duty to notify changes—transitional modifications
13. —(1) This regulation applies to persons in respect of whom an entry in the register has been made under paragraph 2(6) of Schedule 14 to the Act.
(2) In the case of a person to whom this regulation applies, the duty imposed by regulation 12 above shall be modified so as to have effect as follows.
(3) Every person in respect of whom an entry is for the time being included in the register is under a duty to give the Commissioner a notification specifying—
(a) his name and address, in any case in which a change to his name or address results in the entry in respect of him no longer including his current name and address;
(b) to the extent to which the entry relates to eligible data—
(i) a description of any eligible data being or to be processed by him or on his behalf, in any case in which such processing is of personal data of a description not included in that entry;
(ii) a description of the category or categories of data subject to which eligible data relate, in any case in which such category or categories are of a description not included in that entry;
(iii) a description of the purpose or purposes for which eligible data are being or are to be processed in any case in which such processing is for a purpose or purposes of a description not included in that entry;
(iv) a description of the source or sources from which he intends or may wish to obtain eligible data, in any case in which such obtaining is from a source of a description not included in that entry;
(v) a description of any recipient or recipients to whom he intends or may wish to disclose eligible data, in any case in which such disclosure is to a recipient or recipients of a description not included in that entry; and
(vi) the names, or a description of, any countries or territories outside the United Kingdom to which he directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, eligible data, in any case in which such transfer would be to a country or territory not named or described in that entry; and
(c) to the extent to which sub-paragraph (b) above does not apply, any respect in which the entry is or becomes inaccurate or incomplete as—
(i) a statement of his current registrable particulars to the extent mentioned in section 16(1)(c), (d) and (e) of the Act;
(ii) a description of the source or sources from which he currently intends or may wish to obtain personal data; and
(iii) the names or a description of any countries or territories outside the United Kingdom to which he currently intends or may wish directly or indirectly to transfer personal data;
and setting out the changes which need to be made to that entry in order to make it accurate and complete in those respects.
(4) Such a notification must be given as soon as practicable and in any event within a period of 28 days from the date on which—
(a) in the case of a notification under paragraph (3)(a) above, the entry no longer includes the current name and address;
(b) in the case of a notification under paragraph (3)(b) above, the specified practice or intentions are in the particulars there mentioned of a description not included in the entry; and
(c) in the case of a notification under paragraph (3)(c) above, the entry becomes inaccurate or incomplete in the particulars there mentioned.
(5) For the purposes of this regulation, personal data are “eligible data” at any time if, and to the extent that, they are at that time subject to processing which was already under way immediately before 24th October 1998.
Retention of register entries
14. —(1) This regulation applies to any entry in respect of a person which is for the time being included, or by virtue of regulation 8 is treated as being included, in the register, other than an entry to which regulation 15 below applies.
(2) In relation to an entry to which this regulation applies, the fee referred to in section 19(4) of the Act is £35.
Retention of register entries—transitional provisions
15. —(1) This regulation applies to any entry in respect of a person which is for the time being included in the register under paragraph 2(6) of Schedule 14 to the Act or, as the case may be, such an entry as amended in pursuance of regulation 12 (including that regulation as modified by regulation 13).
(2) Section 19(4) and (5) of the Act applies to entries to which this regulation applies subject to the modifications in paragraph (3) below.
(3) Section 19(4) and (5) of the Act shall be modified so as to have effect as follows—
“ (4) No entry shall be retained in the register after—
(a) the end of the registration period, or
(b) 24th October 2001, or
(c) the date on which the data controller gives a notification under section 18 of the Act,
whichever occurs first.
(5) In subsection (4) “the registration period” has the same meaning as in paragraph 2(2) of Schedule 14. ” .
Mike O'Brien
Parliamentary Under-Secretary of State
Home Office
31st January 2000
Regulation 3
SCHEDULE PROCESSING TO WHICH SECTION 17(1) DOES NOT APPLY
Interpretation
1. In this Schedule—
“exempt purposes” in paragraphs 2 to 4 shall mean the purposes specified in sub-paragraph (a) of those paragraphs and in paragraph 5 shall mean the purposes specified in sub-paragraph (b) of that paragraph;
“staff” includes employees or office holders, workers within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 1992( 3 ), persons working under any contract for services, and volunteers.
Staff administration exemption
2. The processing—
(a) is for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller;
(b) is of personal data in respect of which the data subject is—
(i) a past, existing or prospective member of staff of the data controller; or
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to—
(i) qualifications, work experience or pay; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(d) does not involve disclosure of the personal data to any third party other than—
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data controller and staff member ends, unless and for so long as it is necessary to do so for the exempt purposes.
Advertising, marketing and public relations exemption
3. The processing—
(a) is for the purposes of advertising or marketing the data controller’s business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services;
(b) is of personal data in respect of which the data subject is—
(i) a past, existing or prospective customer or supplier; or
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes;
(d) does not involve disclosure of the personal data to any third party other than—
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
Accounts and records exemption
4. —(1) The processing—
(a) is for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity;
(b) is of personal data in respect of which the data subject is—
(i) a past, existing or prospective customer or supplier; or
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to—
(i) financial standing; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(d) does not involve disclosure of the personal data to any third party other than—
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
(2) Sub-paragraph (1)(c) shall not be taken as including personal data processed by or obtained from a credit reference agency.
Non profit-making organisations exemptions
5. The processing—
(a) is carried out by a data controller which is a body or association which is not established or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it;
(c) is of personal data in respect of which the data subject is—
(i) a past, existing or prospective member of the body or organisation;
(ii) any person who has regular contact with the body or organisation in connection with the exempt purposes; or
(iii) any person the processing of whose personal data is necessary for the exempt purposes;
(d) is of personal data consisting of the name, address and other identifiers of the data subject or information as to—
(i) eligibility for membership of the body or association; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(e) does not involve disclosure of the personal data to any third party other than—
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(f) does not involve keeping the personal data after the relationship between the data controller and data subject ends, unless and for so long as it is necessary to do so for the exempt purposes.
The powers in section 18(2) are extended by sections 18(3) and 20(3).