Data Protection Act 1998
1998 Chapter 29 - continued

back to previous text
 
  PART IV
  EXEMPTIONS
Preliminary.     27. - (1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.
 
      (2) In this Part "the subject information provisions" means-
 
 
    (a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and
 
    (b) section 7.
      (3) In this Part "the non-disclosure provisions" means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.
 
      (4) The provisions referred to in subsection (3) are-
 
 
    (a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,
 
    (b) the second, third, fourth and fifth data protection principles, and
 
    (c) sections 10 and 14(1) to (3).
      (5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.
 
National security.     28. - (1) Personal data are exempt from any of the provisions of-
 
 
    (a) the data protection principles,
 
    (b) Parts II, III and V, and
 
    (c) section 55,
  if the exemption from that provision is required for the purpose of safeguarding national security.
 
      (2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.
 
      (3) A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.
 
      (4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Tribunal against the certificate.
 
      (5) If on an appeal under subsection (4), the Tribunal finds that, applying the principles applied by the court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may allow the appeal and quash the certificate.
 
      (6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.
 
      (7) On any appeal under subsection (6), the Tribunal may determine that the certificate does not so apply.
 
      (8) A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.
 
      (9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (2) shall in any legal proceedings be evidence (or, in Scotland, sufficient evidence) of that certificate.
 
      (10) The power conferred by subsection (2) on a Minister of the Crown shall not be exercisable except by a Minister who is a member of the Cabinet or by the Attorney General or the Lord Advocate.
 
      (11) No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.
 
      (12) Schedule 6 shall have effect in relation to appeals under subsection (4) or (6) and the proceedings of the Tribunal in respect of any such appeal.
 
Crime and taxation.     29. - (1) Personal data processed for any of the following purposes-
 
 
    (a) the prevention or detection of crime,
 
    (b) the apprehension or prosecution of offenders, or
 
    (c) the assessment or collection of any tax or duty or of any imposition of a similar nature,
  are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
 
      (2) Personal data which-
 
 
    (a) are processed for the purpose of discharging statutory functions, and
 
    (b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),
  are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.
 
      (3) Personal data are exempt from the non-disclosure provisions in any case in which-
 
 
    (a) the disclosure is for any of the purposes mentioned in subsection (1), and
 
    (b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.
      (4) Personal data in respect of which the data controller is a relevant authority and which-
 
 
    (a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes-
 
      (i) the assessment or collection of any tax or duty or any imposition of a similar nature, or
 
      (ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and
 
    (b) are processed for either of those purposes,
  are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.
 
      (5) In subsection (4)-
 
 
    "public funds" includes funds provided by any Community institution;
 
    "relevant authority" means-
 
      (a) a government department,
 
      (b) a local authority, or
 
      (c) any other authority administering housing benefit or council tax benefit.
Health, education and social work.     30. - (1) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.
 
      (2) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to-
 
 
    (a) personal data in respect of which the data controller is the proprietor of, or a teacher at, a school, and which consist of information relating to persons who are or have been pupils at the school, or
 
    (b) personal data in respect of which the data controller is an education authority in Scotland, and which consist of information relating to persons who are receiving, or have received, further education provided by the authority.
      (3) The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information-
 
 
    (a) processed by government departments or local authorities or by voluntary organisations or other bodies designated by or under the order, and
 
    (b) appearing to him to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;
  but the Secretary of State shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
 
      (4) An order under this section may make different provision in relation to data consisting of information of different descriptions.
 
      (5) In this section-
 
 
    "education authority" and "further education" have the same meaning as in the Education (Scotland) Act 1980 ("the 1980 Act"), and
 
    "proprietor"-
 
      (a) in relation to a school in England or Wales, has the same meaning as in the Education Act 1996,
 
      (b) in relation to a school in Scotland, means-
 
      (i) in the case of a self-governing school, the board of management within the meaning of the Self-Governing Schools etc. (Scotland) Act 1989,
 
      (ii) in the case of an independent school, the proprietor within the meaning of the 1980 Act,
 
      (iii) in the case of a grant-aided school, the managers within the meaning of the 1980 Act, and
 
      (iv) in the case of a public school, the education authority within the meaning of the 1980 Act, and
 
      (c) in relation to a school in Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 and includes, in the case of a controlled school, the Board of Governors of the school.
Regulatory activity.     31. - (1) Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
 
      (2) Subsection (1) applies to any relevant function which is designed-
 
 
    (a) for protecting members of the public against-
 
      (i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,
 
      (ii) financial loss due to the conduct of discharged or undischarged bankrupts, or
 
      (iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity,
 
    (b) for protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration,
 
    (c) for protecting the property of charities from loss or misapplication,
 
    (d) for the recovery of the property of charities,
 
    (e) for securing the health, safety and welfare of persons at work, or
 
    (f) for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work.
      (3) In subsection (2) "relevant function" means-
 
 
    (a) any function conferred on any person by or under any enactment,
 
    (b) any function of the Crown, a Minister of the Crown or a government department, or
 
    (c) any other function which is of a public nature and is exercised in the public interest.
      (4) Personal data processed for the purpose of discharging any function which-
 
 
    (a) is conferred by or under any enactment on-
 
      (i) the Parliamentary Commissioner for Administration,
 
      (ii) the Commission for Local Administration in England, the Commission for Local Administration in Wales or the Commissioner for Local Administration in Scotland,
 
      (iii) the Health Service Commissioner for England, the Health Service Commissioner for Wales or the Health Service Commissioner for Scotland,
 
      (iv) the Welsh Administration Ombudsman,
 
      (v) the Assembly Ombudsman for Northern Ireland, or
 
      (vi) the Northern Ireland Commissioner for Complaints, and
 
    (b) is designed for protecting members of the public against-
 
      (i) maladministration by public bodies,
 
      (ii) failures in services provided by public bodies, or
 
      (iii) a failure of a public body to provide a service which it was a function of the body to provide,
 
    are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
      (5) Personal data processed for the purpose of discharging any function which-
 
 
    (a) is conferred by or under any enactment on the Director General of Fair Trading, and
 
    (b) is designed-
 
      (i) for protecting members of the public against conduct which may adversely affect their interests by persons carrying on a business,
 
      (ii) for regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or
 
      (iii) for regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market,
 
    are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of that function.
 
 
 
  continue previous section contents
  Other UK Acts |  Home |  Scotland Legislation |  Wales Legislation |  Northern Ireland Legislation |  Her Majesty's Stationery Office

We welcome your comments on this site
© Crown copyright 1998
Prepared 24 July 1998