BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
United Kingdom Statutory Instruments |
||
You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Data Protection (Notification and Notification Fees) Regulations 2000 No. 188 URL: http://www.bailii.org/uk/legis/num_reg/2000/uksi_2000188_en.html |
[New search] [Help]
Statutory Instruments
DATA PROTECTION
Made
31st January 2000
Laid before Parliament
7th February 2000
Coming into force
1st March 2000
Whereas the Data Protection Commissioner has submitted to the Secretary of State proposals in accordance with section 25(1) of the Data Protection Act 1998(1):
And whereas the Secretary of State has considered those proposals and has consulted the Data Protection Commissioner in accordance with sections 25(4) and 67(3)(b) of that Act:
And whereas it appears to the Secretary of State that processing of a description set out in the Schedule to these Regulations is unlikely to prejudice the rights and freedoms of data subjects:
Now, therefore, the Secretary of State, in exercise of the powers conferred on him by sections 17(3), 18(2)(2), (4) and (5), 19(2), (3), (4) and (5), 20(1), 26(1) and 67(2) of, and paragraph 2(7) and (8) of Schedule 14 to, that Act, hereby makes the following Regulations:
1. These Regulations may be cited as the Data Protection (Notification and Notification Fees) Regulations 2000 and shall come into force on 1st March 2000.
2. In these Regulations-
"the Act" means the Data Protection Act 1998;
"the register" means the register maintained by the Commissioner under section 19 of the Act.
3. Except where the processing is assessable processing for the purposes of section 22 of the Act, section 17(1) of the Act shall not apply in relation to processing-
(a)falling within one or more of the descriptions of processing set out in paragraphs 2 to 5 of the Schedule to these Regulations (being processing appearing to the Secretary of State to be unlikely to prejudice the rights and freedoms of data subjects); or
(b)which does not fall within one or more of those descriptions solely by virtue of the fact that disclosure of the personal data to a person other than those specified in the descriptions-
(i)is required by or under any enactment, by any rule of law or by the order of a court, or
(ii)may be made by virtue of an exemption from the non-disclosure provisions (as defined in section 27(3) of the Act).
4.-(1) Subject to regulations 5 and 6 below, the Commissioner shall determine the form in which the registrable particulars (within the meaning of section 16(1) of the Act) and the description mentioned in section 18(2)(b) of the Act are to be specified, including in particular the detail required for the purposes of that description and section 16(1)(c), (d), (e) and (f) of the Act.
(2) Subject to regulations 5 and 6 below, the Commissioner shall determine the form in which a notification under regulation 12 (including that regulation as modified by regulation 13) is to be specified.
5.-(1) In any case in which two or more persons carrying on a business in partnership are the data controllers in respect of any personal data for the purposes of that business, a notification under section 18 of the Act or under regulation 12 below may be given in respect of those persons in the name of the firm.
(2) Where a notification is given in the name of a firm under paragraph (1) above-
(a)the name to be specified for the purposes of section 16(1)(a) of the Act is the name of the firm, and
(b)the address to be specified for the purposes of section 16(1)(a) of the Act is the address of the firm's principal place of business.
6.-(1) In any case in which a governing body of, and a head teacher at, any school are, in those capacities, the data controllers in respect of any personal data, a notification under section 18 of the Act or under regulation 12 below may be given in respect of that governing body and head teacher in the name of the school.
(2) Where a notification is given in the name of a school under paragraph (1) above, the name and address to be specified for the purposes of section 16(1)(a) of the Act are those of the school.
(3) In this regulation, "head teacher" includes in Northern Ireland the principal of a school.
7.-(1) This regulation applies to any notification under section 18 of the Act, including a notification which, by virtue of regulation 5 or 6 above, is given in respect of more than one data controller.
(2) A notification to which this regulation applies must be accompanied by a fee of £35.
8.-(1) The time from which an entry in respect of a data controller who has given a notification under section 18 of the Act in accordance with these Regulations is to be treated for the purposes of section 17 of the Act as having been made in the register shall be determined as follows.
(2) In the case of a data controller who has given the notification by sending it by registered post or the recorded delivery service, that time is the day after the day on which it is received for dispatch by the Post Office.
(3) In the case of a data controller who has given a notification by some other means, that time is the day on which it is received by the Commissioner.
9.-(1) In any case in which the Commissioner considers under section 22(2)(a) of the Act that any of the processing to which a notification relates is assessable processing within the meaning of that section he shall, within 10 days of receipt of the notification, give a written notice to the data controller who has given the notification, acknowledging its receipt.
(2) A notice under paragraph (1) above shall indicate-
(a)the date on which the Commissioner received the notification, and
(b)the processing which the Commissioner considers to be assessable processing.
10.-(1) The Commissioner shall, as soon as practicable and in any event within a period of 28 days after making an entry in the register under section 19(1)(b) of the Act or amending an entry in the register under section 20(4) of the Act, give the data controller to whom the register entry relates notice confirming the register entry.
(2) A notice under paragraph (1) above shall include a statement of-
(a)the date on which-
(i)in the case of an entry made under section 19(1)(b) of the Act, the entry is treated as having been included by virtue of regulation 8 above, or
(ii)in the case of an entry made under section 20(4) of the Act, the notification was received by the Commissioner;
(b)the particulars entered in the register, or the amendment made, in pursuance of the notification; and
(c)in the case of a notification under section 18 of the Act, the date by which the fee payable under regulation 14 below must be paid in order for the entry to be retained in the register as provided by section 19(4) of the Act.
11. In addition to the matters mentioned in section 19(2)(a) of the Act, the Commissioner may include in a register entry-
(a)a registration number issued by the Commissioner in respect of that entry;
(b)the date on which the entry is treated, by virtue of regulation 8 above, as having been included in pursuance of a notification under section 18 of the Act;
(c)the date on which the entry falls or may fall to be removed by virtue of regulation 14 or 15 below; and
(d)information additional to the registrable particulars for the purpose of assisting persons consulting the register to communicate with any data controller to whom the entry relates concerning matters relating to the processing of personal data.
12.-(1) Subject to regulation 13 below, every person in respect of whom an entry is for the time being included in the register is under a duty to give the Commissioner a notification specifying any respect in which-
(a)that entry becomes inaccurate or incomplete as a statement of his current registrable particulars, or
(b)the general description of measures notified under section 18(2)(b) of the Act or, as the case may be, that description as amended in pursuance of a notification under this regulation, becomes inaccurate or incomplete,
and setting out the changes which need to be made to that entry or general description in order to make it accurate and complete.
(2) Such a notification must be given as soon as practicable and in any event within a period of 28 days from the date on which the entry or, as the case may be, the general description, becomes inaccurate or incomplete.
(3) References in this regulation to an entry being included in the register include any entry being treated under regulation 8 above as being so included.
13.-(1) This regulation applies to persons in respect of whom an entry in the register has been made under paragraph 2(6) of Schedule 14 to the Act.
(2) In the case of a person to whom this regulation applies, the duty imposed by regulation 12 above shall be modified so as to have effect as follows.
(3) Every person in respect of whom an entry is for the time being included in the register is under a duty to give the Commissioner a notification specifying-
(a)his name and address, in any case in which a change to his name or address results in the entry in respect of him no longer including his current name and address;
(b)to the extent to which the entry relates to eligible data-
(i)a description of any eligible data being or to be processed by him or on his behalf, in any case in which such processing is of personal data of a description not included in that entry;
(ii)a description of the category or categories of data subject to which eligible data relate, in any case in which such category or categories are of a description not included in that entry;
(iii)a description of the purpose or purposes for which eligible data are being or are to be processed in any case in which such processing is for a purpose or purposes of a description not included in that entry;
(iv)a description of the source or sources from which he intends or may wish to obtain eligible data, in any case in which such obtaining is from a source of a description not included in that entry;
(v)a description of any recipient or recipients to whom he intends or may wish to disclose eligible data, in any case in which such disclosure is to a recipient or recipients of a description not included in that entry; and
(vi)the names, or a description of, any countries or territories outside the United Kingdom to which he directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, eligible data, in any case in which such transfer would be to a country or territory not named or described in that entry; and
(c)to the extent to which sub-paragraph (b) above does not apply, any respect in which the entry is or becomes inaccurate or incomplete as-
(i)a statement of his current registrable particulars to the extent mentioned in section 16(1)(c), (d) and (e) of the Act;
(ii)a description of the source or sources from which he currently intends or may wish to obtain personal data; and
(iii)the names or a description of any countries or territories outside the United Kingdom to which he currently intends or may wish directly or indirectly to transfer personal data;
and setting out the changes which need to be made to that entry in order to make it accurate and complete in those respects.
(4) Such a notification must be given as soon as practicable and in any event within a period of 28 days from the date on which-
(a)in the case of a notification under paragraph (3)(a) above, the entry no longer includes the current name and address;
(b)in the case of a notification under paragraph (3)(b) above, the specified practice or intentions are in the particulars there mentioned of a description not included in the entry; and
(c)in the case of a notification under paragraph (3)(c) above, the entry becomes inaccurate or incomplete in the particulars there mentioned.
(5) For the purposes of this regulation, personal data are "eligible data" at any time if, and to the extent that, they are at that time subject to processing which was already under way immediately before 24th October 1998.
14.-(1) This regulation applies to any entry in respect of a person which is for the time being included, or by virtue of regulation 8 is treated as being included, in the register, other than an entry to which regulation 15 below applies.
(2) In relation to an entry to which this regulation applies, the fee referred to in section 19(4) of the Act is £35.
15.-(1) This regulation applies to any entry in respect of a person which is for the time being included in the register under paragraph 2(6) of Schedule 14 to the Act or, as the case may be, such an entry as amended in pursuance of regulation 12 (including that regulation as modified by regulation 13).
(2) Section 19(4) and (5) of the Act applies to entries to which this regulation applies subject to the modifications in paragraph (3) below.
(3) Section 19(4) and (5) of the Act shall be modified so as to have effect as follows-
"(4) No entry shall be retained in the register after-
(a)the end of the registration period, or
(b)24th October 2001, or
(c)the date on which the data controller gives a notification under section 18 of the Act,
whichever occurs first.
(5) In subsection (4) "the registration period" has the same meaning as in paragraph 2(2) of Schedule 14.".
Mike O'Brien
Parliamentary Under-Secretary of State
Home Office
31st January 2000
Regulation 3
1. In this Schedule-
"exempt purposes" in paragraphs 2 to 4 shall mean the purposes specified in sub-paragraph (a) of those paragraphs and in paragraph 5 shall mean the purposes specified in sub-paragraph (b) of that paragraph;
"staff" includes employees or office holders, workers within the meaning given in section 296 of the Trade Union and Labour Relations (Consolidation) Act 1992(3), persons working under any contract for services, and volunteers.
2. The processing-
(a)is for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller;
(b)is of personal data in respect of which the data subject is-
(i)a past, existing or prospective member of staff of the data controller; or
(ii)any person the processing of whose personal data is necessary for the exempt purposes;
(c)is of personal data consisting of the name, address and other identifiers of the data subject or information as to-
(i)qualifications, work experience or pay; or
(ii)other matters the processing of which is necessary for the exempt purposes;
(d)does not involve disclosure of the personal data to any third party other than-
(i)with the consent of the data subject; or
(ii)where it is necessary to make such disclosure for the exempt purposes; and
(e)does not involve keeping the personal data after the relationship between the data controller and staff member ends, unless and for so long as it is necessary to do so for the exempt purposes.
3. The processing-
(a)is for the purposes of advertising or marketing the data controller's business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services;
(b)is of personal data in respect of which the data subject is-
(i)a past, existing or prospective customer or supplier; or
(ii)any person the processing of whose personal data is necessary for the exempt purposes;
(c)is of personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes;
(d)does not involve disclosure of the personal data to any third party other than-
(i)with the consent of the data subject; or
(ii)where it is necessary to make such disclosure for the exempt purposes; and
(e)does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
4.-(1) The processing-
(a)is for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity;
(b)is of personal data in respect of which the data subject is-
(i)a past, existing or prospective customer or supplier; or
(ii)any person the processing of whose personal data is necessary for the exempt purposes;
(c)is of personal data consisting of the name, address and other identifiers of the data subject or information as to-
(i)financial standing; or
(ii)other matters the processing of which is necessary for the exempt purposes;
(d)does not involve disclosure of the personal data to any third party other than-
(i)with the consent of the data subject; or
(ii)where it is necessary to make such disclosure for the exempt purposes; and
(e)does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
(2) Sub-paragraph (1)(c) shall not be taken as including personal data processed by or obtained from a credit reference agency.
5. The processing-
(a)is carried out by a data controller which is a body or association which is not established or conducted for profit;
(b)is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it;
(c)is of personal data in respect of which the data subject is-
(i)a past, existing or prospective member of the body or organisation;
(ii)any person who has regular contact with the body or organisation in connection with the exempt purposes; or
(iii)any person the processing of whose personal data is necessary for the exempt purposes;
(d)is of personal data consisting of the name, address and other identifiers of the data subject or information as to-
(i)eligibility for membership of the body or association; or
(ii)other matters the processing of which is necessary for the exempt purposes;
(e)does not involve disclosure of the personal data to any third party other than-
(i)with the consent of the data subject; or
(ii)where it is necessary to make such disclosure for the exempt purposes; and
(f)does not involve keeping the personal data after the relationship between the data controller and data subject ends, unless and for so long as it is necessary to do so for the exempt purposes.
(This note is not part of the Regulations)
These Regulations set out a number of arrangements in respect of the giving of notifications to the Data Protection Commissioner by data controllers under Part III of the Data Protection Act 1998.
Regulation 3 makes provision exempting data controllers carrying out certain processing from the need to notify. The descriptions of the exempt processing operations are set out in the Schedule to the Regulations, and cover processing operations involving staff administration, advertising, marketing and public relations, accounts and record keeping and certain processing operations carried out by non profit-making organisations. Exemption from notification is lost if the processing falls within any description of assessable processing specified by the Secretary of State under section 22 of the Act.
Regulation 4 makes general provision for the form of all such notifications to be determined by the Commissioner. Regulations 5 and 6 make special provision in two cases where there is more than one data controller in respect of personal data; regulation 5 provides for notification by business partners to be in the name of the partnership, and regulation 6 for notification by the governing body and head teacher of a school to be in the name of the school.
Regulation 7 prescribes fees to accompany a notification under section 18 of the Act. A fee of £35 is prescribed.
Regulation 8 provides that an entry in the register of notifications maintained by the Commissioner under section 19 of the Act is to be taken to have been made, for the purposes of avoiding the prohibition in section 17 of the Act on processing without a register entry, in the case of a notification sent by registered post or recorded delivery service on the day after the day it was received by the Post Office, and in any other case on the day it was received by the Commissioner.
Regulation 9 requires the Commissioner to give written notice to a data controller acknowledging receipt of any notification which he considers relates to assessable processing within the meaning of section 22 of the Act. The notice must be given within 10 days of receipt of the notification and must indicate the date of receipt and the processing considered to be assessable processing.
Regulation 10 requires the Commissioner to give notice to a data controller confirming his register entry. The notice must be given as soon as practicable and in any event within 28 days of making a register entry under section 19 of the Act or of amending it under section 20. It must contain the date on which the entry is deemed by regulation 8 to have been made or as the case may be the date of alteration, the particulars entered or amended, and, in the case of a notification under section 18, the date on which the fee provided for by regulation 14 falls due.
Regulation 11 authorises the Commissioner to include certain matters in a register entry additional to the registrable particulars set out in section 16 of the Act. Those matters are a registration number, the deemed date of the entry provided by regulation 8, the date on which the entry may lapse under regulation 14 or 15, and additional information for the purpose of assisting communication about data protection matters between persons consulting the register and the data controller.
Regulation 12 imposes on everyone who has a register entry a duty to notify the Commissioner of any respect in which the entry becomes an inaccurate or incomplete statement of his current registrable particulars or in which the latest description of security matters given under section 18(2)(b) of the Act becomes inaccurate or incomplete. The notification must set out the changes which need to be made to ensure accuracy and completeness, and be given as soon as practicable and in any event within 28 days from the time when the inaccuracy or incompleteness arises. Regulation 12 is modified by regulation 13 in its application to persons who have a register entry by virtue of the manner in which the Act's transitional provisions operate on entries in the register maintained under section 4 of the Data Protection Act 1984. In these cases, the duty under regulation 12 varies according to the extent to which the entry relates to data which are subject to processing which was already under way immediately before 24th October 1998. In respect of such data, the notification must specify certain aspects of processing which are not from time to time included in the existing register entry; in other cases it must specify any respect in which the entry becomes inaccurate or incomplete in certain respects, and set out the changes needed to ensure accuracy and completeness.
Regulation 14 provides that, other than in the transitional circumstances addressed in regulation 15, the fee to be paid annually to secure retention of a registered entry is £35.
Regulation 15 provides for the retention of register entries included by virtue of the manner in which the Act's transitional provisions operate on entries in the register maintained under section 4 of the Data Protection Act 1984; these are to be retained until the end of the defined registration period, or 24th October 2001, or the date on which notification is given under section 18 of the Act, whichever occurs first.
This Order contributes to the implementation of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
A Regulatory Impact Assessment was prepared for the Data Protection Bill as it was then and the statutory instruments to be made under it, and was placed in the libraries of both Houses of Parliament. The Regulatory Impact Assessment is now available on the internet at www.homeoffice.gov.uk. Alternatively, copies can be obtained by post from the Home Office, LGDP Unit, 50 Queen Anne's Gate, London SW1H 9AT.
The powers in section 18(2) are extended by sections 18(3) and 20(3).