This paper seeks comments on the subject access arrangements under the Data Protection Act 1998. The consultation is aimed at individuals, who have the right of access under the 1998 Act (data subjects); and organisations which are the recipients of subject access requests (data controllers), throughout the UK. The consultation is being conducted in line with the Code of Practice on Written Consultation issued by the Cabinet Office. It falls within the scope of the Code. The Code criteria set out in the General principles of consultation section of this document are being followed.
No initial impact assessment has been prepared, since the consultation paper makes no proposals. Its purpose is to seek views on the current arrangements.
Copies of the consultation paper are being sent to all organisations on the Lord Chancellor's Department's data protection mailing list.
Please send your response by 31 January 2003 to:
Yassin Yassin
Lord Chancellor's Department
Freedom of Information and Data Protection Division
Room 151
Selborne House
54-60 Victoria Street
London SW1E 6QW
Tel: 020-7210 2668
Fax: 020-7210 1415
E-mail: Yassin Yassin
Representative groups are asked to give a summary of the people and/or organisations they represent when they respond.
The Department may wish to publish responses to this consultation paper in due course. Please ensure your response is marked clearly if you wish your response to be kept confidential or if you do not wish to be identified as a respondent. The substance of confidential responses will be included, in a non-attributable form, in any summary of comments received.
This consultation paper may be freely copied. Alternatively, further copies can be obtained from Yassin Yassin at the above address.
1. The right for individuals to gain access to the personal data that organisations hold about them - the right of "subject access" - is one of the pivotal provisions of any data protection regime. It is the means by which individuals are able to check whether the data themselves are correct and whether they are being processed in accordance with the data protection rules. It thus provides the opportunity for the exercise of further rights, such as that to seek the rectification of inaccurate data.
2. Both of the international data protection instruments by which the UK is bound - the 1981 Council of Europe Convention on Data Protection (the Convention), and the 1995 EC Data Protection Directive (95/46/EC - the Directive) - require individuals to be enabled to exercise this right. The Data Protection Act 1998 (the 1998 Act), which was brought into force on 1 March 2000, gives effect to the Convention and the Directive in the UK. Its subject access arrangements are modelled closely on those created by the UK's earlier data protection legislation, the Data Protection Act 1984 (the 1984 Act).
3. The responses received to the Government's autumn 2000 post-implementation appraisal of the 1998 Act suggest that there is some concern about the subject access arrangements, especially the scope of the exemptions (see Annex A). While the arrangements themselves closely follow those under the 1984 Act, two factors in particular may have influenced the way in which they operate in practice:
the broader scope of the 1998 Act compared with that of the 1984 Act, in particular the inclusion of certain manually held records;
the sweeping technological advances that have been made in recent years, not the least of which is the widespread adoption of e-mail systems.
4. As far as public authorities are concerned, a further relevant development is the enactment of the Freedom of Information Act 2000 (the FOI Act) whose provisions interact closely with those of the 1998 Act where requests for information including personal data are concerned. The provisions of the 1998 Act and those of the FOI Act do not match in all respects. For example, the access fee, the time limit for responding to requests and the scope of the exemptions are different. These inconsistencies could lead to some odd results in practice. The individual access provisions of the FOI Act are due to come into force in January 2005. At the same time, the FOI Act will extend the subject access right under the 1998 Act in its application to manual records. At present, with limited exceptions, the only manually-held personal data to which the right applies are those held in structured filing systems. The FOI Act will extend the right so that it covers personal data in all manual records held by public authorities.
5. Having regard to these factors, the Government has decided that it would be appropriate to review the subject access arrangements under the 1998 Act. The Government's starting point is that the right of subject access must remain one of the central pillars of the UK's data protection regime. Not only does it ensure transparency and promote compliance with the data protection rules, it also encourages the efficient management of personal data. The purpose of the review is solely to assess whether the practical arrangements made by the 1998 Act for the exercise of the right continue to operate satisfactorily or whether any "running" adjustments are needed to take account of legal and technological changes.
6. In launching the review, the Government recognises and respects the requirements of the Convention and the Directive. It notes, however, that the European Commission are currently preparing a report on the implementation of the Directive in the EU Member States, which may lead to proposals for amending the Directive. The Government has responded to a questionnaire from the Commission about the implementation of the Directive in the UK.
7. The first part of this consultation paper seeks information from data subjects and data controllers about their experience with the present subject access arrangements. The following parts seek information from data subjects and data controllers regarding the main components of the arrangements. Where comparable information is available, reference is made to the arrangements in other Member States of the European Union. Since the legal framework in other countries is different from that in the UK, these references should be treated with caution. They should be regarded only as an indicative guide. Each section also sets out a number of questions. These are not intended to be exhaustive. The Government would also welcome any other comments that respondents might wish to make.
8. The paper is concerned only with the standard arrangements for subject access. Under the 1998 Act, special arrangements apply to the fee and/or the time-limit for dealing with requests for subject access to manually-held health records, education records and files held by credit reference agencies. This paper does not deal with those special arrangements. Subject access to health records is one of the matters currently being considered by the Health Records and Data Protection Review Group established by the Department of Health.
9. Paragraph four mentions the Freedom of Information Act. Different arrangements also apply to access to environmental information. The Department of Environment, Food and Rural Affairs are currently carrying out a separate consultation exercise on the Environmental Information Regulations. Proposed new Regulations can be found on DEFRA's website. As noted in that consultation, the Government is considering how to approach requirements in relation to information which is both environmental and personal. Respondents to this consultation paper on subject access may wish to raise any points that they consider to be relevant to that relationship, insofar as it affects subject access.
10. The Government has limited factual information about the way in which the subject access arrangements operate in practice. To help it form a better view of the position, the Government would welcome some general information from those who have made or responded to subject access requests.
Some Questions
(a) Data Subjects
1.1 Did you find any problems in getting the information you sought? If so what were they?
(b) Data Controllers
1.2 Approximately how many subject access requests have you received in the last twelve months? How does this compare with the position under the 1984 Act?
1.3 What is the approximate average cost to your organisation of dealing with a request? How does this compare with the position under the 1984 Act?
1.4 Do you find any problems in dealing with subject access requests? If so, what are they?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
11. Both the Convention and the Directive require subject access to be available "without excessive...expense". This is interpreted as meaning without excessive expense to the data subject.
12. The maximum fee that may be charged under the 1998 Act is £10. This amount has been unchanged since the 1984 Act came fully into force in 1987. The fee was not primarily intended to allow organisations to recover their costs in providing access. Its primary purpose was to mark the fact that costs were involved in providing access and thus to deter frivolous requests.
13. The total amount chargeable for subject access was affected by an unrelated procedural change made by the 1998 Act. Under the 1984 Act, registration with the Data Protection Registrar (now the Information Commissioner) was mandatory. Organisations could have more than one register entry, and some organisations did. Subject access requests were dealt with by reference to register entries, and a separate fee was chargeable for each register entry. Thus a data subject seeking access to data which were held by a single organisation but covered by three register entries could be charged access fees totalling £30. The 1998 Act broke the link between subject access and notification (as registration is now known) since notification is not mandatory in all cases. Moreover, under the 1998 Act organisations may only have one register entry. This means that a single subject access request now covers all the data held by an organisation, and that only one £10 fee may be charged.
14. Under the FOI Act the Lord Chancellor has the power to set by regulations the maximum access fee, and the manner in which any fee is to be calculated. Draft regulations have been published on the Lord Chancellor's Department's website. Very broadly the proposal (which is subject to change) is that a public authority may charge:
10 per cent of the cost of the time taken to locate the information sought, up to a cost limit of £550 which equates to a maximum fee of £55; and
the full costs of actual disbursements, such as photocopying, postage and packing.
(If the calculation under the first element would lead to costs of more than £550, there is no obligation to provide the information. If the information is provided, the full costs incurred over the £550 cost limit may also be charged.)
15. Practice in charging for subject access in other Member States varies. The following are among the models found.
Access is free of charge. A fee, to cover the immediate costs of providing the information, is payable if a further request is made within 12 months.
A fee, to cover the immediate costs of providing the information, is payable only if the information obtained can be used for commercial purposes.
A fee is payable only if the controller is not processing the applicant's data.
A modest maximum fee (e.g. €20) is payable.
A fee not exceeding the cost of copying the information is payable.
The fee is reimbursed if the data need amending or are being processed unlawfully.
Some Questions for both data subjects and data controllers
2.1 Should there continue to be a subject access fee or should the fee be abolished?
If a fee is to be retained:
2.2 Should there be an absolute maximum, as now? If so, what should the level be?
2.3 Should cost recovery be permissible? If so, which costs should it cover? Should there be a maximum?
2.4 Should the arrangements for the subject access fee under the 1998 Act and the fee for individual access under the FOI Act be the same?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
16. Both the Convention and the Directive require access to be provided "without excessive delay".
17. The 1998 Act requires requests to be dealt with "promptly" and in any event within 40 days. The 40 day period begins on the day on which the data controller has all the information he needs to identify the applicant and to locate the data requested, along with the fee, if any. The 40 day limit has been unchanged since the implementation of the 1984 Act. However, the requirement for promptness was newly introduced by the 1998 Act.
18. Under the FOI Act, a public authority is required to deal with requests "promptly" and in any event not later than the twentieth working day following the receipt of the request.
19. As with the fee, there are different models within the EU. They include the following.
Time limits of 15 days, 4 weeks, 45 days and 8 weeks.
A target of 4 weeks. If the information has not been provided by then, the controller must write telling the applicant when it can be expected.
A target of one month, with a fall-back 4 months target if there are "special reasons".
Provision of the information "without undue delay", backed by a limit of 3 months.
Some Questions for both data subjects and data controllers
3.1 Is the 40 day time limit appropriate or should it be changed?
3.2 If it should be changed, what should the time limit be?
3.3 Should there be special arrangements for time-consuming cases? If so, what should they be?
3.4 Should the time limit under the 1998 Act and that under the FOI Act be the same?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
20. Neither the Convention nor the Directive makes express provision about the form of the data subject's request.
21. Anecdotal evidence suggests that locating the personal data to which the person making the request is entitled can be highly resource-intensive. Section 7(3) of the 1998 Act provides that the data controller is not required to comply with a subject access request unless he has received (among other things) such information as he reasonably requires to locate the information sought. A similar provision was previously found in the 1984 Act. Following an amendment made by the FOI Act, the data controller must inform the person making the request if he requires further information to locate the information.
22. Given the range and complexity of many organisations' holdings of personal data, a provision of this kind helps the data controller by allowing him to focus his search, thus sparing unnecessary effort and cost. It can also benefit the data subject, since a focussed search should produce the specific information sought more quickly. However, it presupposes that the data subject has a certain knowledge of the circumstances in which his personal data are being processed.
23. Some Member States make provision to the same broad effect.
The applicant must co-operate reasonably to prevent unwarranted and disproportionate effort by the data controller.
The applicant must supply sufficient search criteria.
The applicant must specify the type of information to which the request relates.
Some Questions for both data subjects and data controllers
4.1 Should it continue to be possible for the data controller to require the data subject to provide information to help the data controller locate the information sought?
4.2 If the provision remains, should there be any limits on the information required by the data controller? If so, what should they be?
4.3 What other provision could be made to help focus the search?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
24. Both the Convention and the Directive require data subjects to be able to obtain "the communication to [the data subjects] in an intelligible form" of the data about them that are undergoing processing.
25. Electronic means of communication, in particular e-mail, are increasingly common. The normal rule under the 1998 Act is that a copy of the personal data must be supplied in permanent form. (In this paper this is referred to as a "hard copy".) The personal data may be provided in another form if
(a) the supply of a hard copy is impossible or would involve disproportionate effort; or
(b) the applicant agrees.
It is important to note that the personal data must always be provided. The "disproportionate effort" test applies only to the way in which access is given.
26. The rule requiring the provision of a hard copy of the personal data was established by the 1984 Act. However, in that Act it was an invariable rule. The flexibility permitted by the 1998 Act was newly introduced by that Act.
27. Other Member States' laws do not always expressly refer to the applicant's request being met by the provision of a copy of the personal data. The forms in which access may be given include the following.
The provision of written information about the personal data.
Communication in an intelligible form of the personal data.
A full and clear summary of the personal data, in writing.
An opportunity for the applicant to inspect the data. A hard copy need only be provided upon request.
The provision of the personal data in writing, but, with the applicant's consent, permitting the provision of the personal data orally, or providing an opportunity to inspect and take copies.
Some Questions for both data subjects and data controllers
5.1 Should the basic rule be that a hard copy of the personal data sought must be provided to the applicant? If not, what should the rule be?
5.2 Are there any additional circumstances (ie besides impossibility, disproportionate effort and the applicant's agreement) in which the data controller should be able to provide the personal data sought otherwise than through a hard copy?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
28. The Convention and the Directive require individuals to be able to obtain the information they seek "at reasonable intervals".
29. The 1998 Act provides that a data controller does not have to comply with a subsequent similar or identical request from an individual unless "a reasonable interval" has elapsed since the data controller dealt with the previous request. It says that in considering what is a "reasonable interval" regard shall be had to "the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered". There is no set period within which repeat requests are prohibited.
30. Other Member States deal with frequent requests from the same individual in a variety of ways.
A "reasonable" period must elapse between requests.
There must be a period (3 months, 6 months) between requests, unless more frequent requests can be justified by the applicant.
First requests are free, subsequent requests within a period (e.g. 12 months) can be charged for.
Requests may be made only once a year.
Requests clearly abusing the system (e.g. by their frequency or repetitive nature) may be refused.
Some Questions for both data subjects and data controllers
6.1 Should there be a fixed period within which repeat applications do not have to be accepted, or a full cost-recovery fee can be charged? If so what should the period be?
6.2 If there is to be such a period, should there be an exception for repeat applications made in special circumstances? If so, in what circumstances?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
31. The Convention and the Directive permit exemptions (or derogations) from the subject access right subject to certain restrictions.
32. Article 9.1 of the Convention says that derogation is permissible when it is:
"provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
(a) protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
(b) protecting the data subject or the rights and freedoms of others."
Article 9.2 provides an exemption for processing for the purpose of statistics or scientific research "where there is obviously no risk of an infringement of the privacy of the data subjects".
33. Article 13.1 of the Directive permits exemption where it
"constitutes a necessary measure to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and freedoms of others."
Article 13.2 provides a limited exemption in relation to the processing of personal data for the purposes of scientific research and the purpose of creating statistics.
34. The approach adopted to the provision of exemptions in the 1998 Act closely follows that in the 1984 Act. For the most part, the Act sets out the precise circumstances in which exemptions are available. Prescribing the exemptions in this way (as opposed, for example, to merely copying into the UK law the general categories found in the Directive and allowing data controllers to decide when the exemption is available) means that the scope of the exemptions is closely defined. This approach acts as a safeguard both for data subjects, since it places clear limits on the scope for derogating from the subject access right, and for data controllers, since it provides greater certainty about the limits of the availability of the exemptions. In some cases the exemptions are subject to a further restriction, since they are expressed as being available only on a case by case basis.
35. A list of the exemptions available under the 1998 Act is at Annex B. This identifies not only the provisions of the Act which themselves set out exemptions, but also those provisions which permit the Lord Chancellor to make orders providing further exemptions. It should be noted that the Act contains no general power for the Lord Chancellor to provide additional exemptions by order. To create any new exemptions not covered by the specific provisions mentioned, all of which are restricted in their scope, fresh primary legislation would be needed.
36. For the purpose of comparison, a list of the exemptions under the FOI Act is at Annex C.
37. As noted in the introduction to this paper, information about the position in other Member States should always be treated with caution. There are particular difficulties with comparisons of the availability of exemptions since the general approach to the provision of exemptions varies in other Member States. Some Member States' laws appear to rely to a greater degree than does the 1998 Act on copying directly, without elaboration, the relevant provisions of Article 13 of the Directive. In others, the position appears to be that some exemptions are provided for in laws other than the data protection law. Even where exemptions appear on the face of the data protection law, because of differences in legal tradition it cannot necessarily be taken that they have the same effect as seemingly comparable exemptions in the 1998 Act. That said, it appears that some Member States have made provision for very few express exemptions. It is, therefore, difficult to give a useful overview. However, the following are among those specific exemptions apparently available in one or more other Member States which are not available, at least in the same terms, under the 1998 Act.
Personal data in "running text", provided that the text has not been held as a draft for more than a year, and that the personal data have not been disclosed to third parties.
Personal data processed on behalf of the public administration in the course of its administrative procedures, to the same extent as exemptions applying under the law on public access to official documents.
Records of courts' deliberations.
Where there are overriding public interests (which are defined as including, among other things, protection of the Member State's constitutional institutions, and important external policy interests of the Member State or the EU).
In the private sector, where the data are stored for the data controller's own purposes, the data are taken from generally accessible sources and providing access would impair the controller's business disproportionately (ie compared with the data subject's interest in gaining access).
Some Questions for both data subjects and data controllers
7.1 Are any additional exemptions needed in the UK? If so, what should they cover?
7.2 Is there a case for more closely aligning the subject access exemptions under the 1998 Act with the exemptions under the FOI Act?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
We would welcome responses to the following questions set out in this consultation paper:
1. The arrangements in operation
(a) Data Subjects
If you have made a subject access request under the 1998 Act:
1.1 Did you find any problems in getting the information you sought? If so what were they?
(b) Data Controllers
1.2 Approximately how many subject access requests have you received in the last twelve months? How does this compare with the position under the 1984 Act?
1.3 What is the approximate average cost to your organisation of dealing with a request? How does this compare with the position under the 1984 Act?
1.4 Do you find any problems in dealing with subject access requests? If so, what are they?
Questions for both data subjects and data controllers
2. Subject access fee
2.1 Should there continue to be a subject access fee or should the fee be abolished?
If a fee is to be retained:
2.2 Should there be an absolute maximum, as now? If so, what should the level be?
2.3 Should cost recovery be permissible? If so, which costs should it cover? Should there be a maximum?
2.4 Should the arrangements for the subject access fee under the 1998 Act and the fee for individual access under the FOI Act be the same?
3. Response time
3.1 Is the 40 day time limit appropriate or should it be changed?
3.2 If it should be changed, what should the time limit be?
3.3 Should there be special arrangements for time-consuming cases or bulk applications? If so, what should they be?
3.4 Should the time limit under the 1998 Act and that under the FOI Act be the same?
4. Locating the information sought
4.1 Should it continue to be possible for the data controller to require the data subject to provide information to help the data controller locate the information sought?
4.2 If the provision remains, should there be any limits on the information required by the data controller? If so, what should they be?
4.3 What other provision could be made to help focus the search?
5. Method of providing information
5.1 Should the basic rule be that a hard copy of the personal data sought must be provided to the applicant? If not, what should the rule be?
5.2 Are there any additional circumstances (ie besides impossibility, disproportionate effort and the applicant's agreement) in which the data controller should be able to provide the personal data sought otherwise than through a hard copy?
6. Frequency of requests
6.1 Should there be a fixed period within which repeat applications do not have to be accepted, or a full cost-recovery fee can be charged? If so what should the period be?
6.2 If there is to be such a period, should there be an exception for repeat applications made in special circumstances? If so, in what circumstances?
7. Exemptions
7.1 Are any additional exemptions needed in the UK? If so, what should they cover?
7.2 Is there a case for more closely aligning the subject access exemptions under the 1998 Act with the exemptions under the FOI Act?
THESE QUESTIONS ARE INTENDED ONLY AS A GUIDE. PLEASE FEEL FREE TO ADD ANY FURTHER COMMENTS
Please give
The name of your organisation
The Address
The name of a contact
A contact telephone number
If you are a representative group please give a summary of the people and/or organisations you represent.
Please send your completed response to:
Yassin Yassin
Lord Chancellor's Department
Freedom of Information and Data Protection Division
Room 151
Selborne House
54-60 Victoria Street
London SW1E 6QW
Tel: 020-7210 2668
Fax: 020-7210 1415
Email: Yassin Yassin
If you have any complaints or comments about the consultation process, you should contact the Lord Chancellor's Department's consultation co-ordinator, Laurence Fiddler, on 020-7210 8516 or email him at Laurence Fiddler. Alternatively, you may wish to write to the address below:
Laurence Fiddler
Consultation Co-ordinator,
Room 8.23
Lord Chancellor's Department
Selborne House
54-60 Victoria Street
London SW1E 6QW
The criteria in the Code of Practice on Written Consultation issued by the Cabinet Office are as follows:
| A | Timing of consultation should be built into the planning process for a policy or service from the start, so that it has the best prospect of improving the proposals concerned, and so that sufficient time is left for it at each stage. |
| B | It should be clear who is being consulted, about what questions, in what timescale and for what purpose. |
| C | A consultation document should be as simple and concise as possible. It should include a summary, in two pages at most, of the main questions it seeks views on. It should make it as easy as possible for readers to respond, make contact or complain. |
| D | Documents should be made widely available, with the fullest use of electronic means (though not to the exclusion of others), and effectively drawn to the attention of all interested groups and individuals. |
| E | Sufficient time should be allowed for considered responses from all groups with an interest. Twelve weeks should be the standard minimum period for a consultation. |
| F | Responses should be carefully and open-mindedly analysed, and the results made widely available, with an account of the views expressed, and reasons for decisions finally taken. |
| G | Departments should monitor and evaluate consultations, designating a consultation co-ordinator who will ensure the lessons are disseminated. |
4. Data Subjects' Rights
(a) Are the rights of data subjects sufficiently clear?
The majority of respondents felt that the rights of data subjects were sufficiently clear. Some controllers were concerned about being swamped by subject access requests. However, other respondents thought that the rights were not sufficiently publicised.
Clarification was sought of certain terms and concepts: "reasonable" (s.7 (4) - (6)); "unwarranted substantial damage or substantial distress" (s.10 (1)); and the scope of the right to prevent direct marketing.
Some extension of existing rights was suggested. For example, data subjects should be entitled to be informed of their right to object to fully automated decisions being made about them. There should be a right to compensation where breaches of the Act result in distress.
(b) Are the revised arrangements for subject access satisfactory?
There was concern about the level of the subject access fee. Some respondents felt that the present fee was too low compared to what was often a large amount of work involved in providing access. There was particular concern about the arrangements in the health sector. Some felt the £50 maximum for access to manual health records disadvantaged data subjects. Others were concerned about the possible reduction to £10 from October 2001. [Note: An order has been made retaining the fee at £50 for the time being. The Government will work with the Information Commissioner, in consultation with other key interests, with the aim of finding a long-term solution.]
(c) Is the scope of the exemptions from subject access satisfactory?
Suggestions were made for clarification and/or extension of the present arrangements for:
the definition of "likely to prejudice" in s.29 (1);
the national security exemption;
the position in relation to references given and received;
fraud prevention;
lawful investigations;
information provided in confidence;
back up and audit data;
commercially confidential information.
| Section 28: | Provides an exemption to protect national security. | |
| Section 29:( * ) | Covers personal data processed for: (a) the prevention or detection of crime; (b) the apprehension or prosecution of offenders, or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature. | |
| Section 30:( * ) | Provides powers for the Lord Chancellor to make orders providing exemptions in relation to health, education and social work records. Orders relating to all three categories of record have been made. | |
| Section 31:( * ) | Covers personal data processed for the purposes of discharging a wide range of regulatory functions. | |
| Section 32: | Covers personal data processed for journalistic, literary or artistic purposes. | |
| Section 33: | Covers personal data processed only for research, statistical or historical purposes, subject to certain conditions. | |
| Section 34: | Covers personal data which are statutorily made available to the public. | |
| Section 38: | Provides a power for the Lord Chancellor to make orders providing exemptions where disclosure of information is statutorily prohibited or restricted, subject to certain conditions. | |
| Schedule 7 | | |
| Paragraph 1: | Covers confidential references given by data controllers in relation to education, employment or the provision of services. | |
| Paragraph 2:( * ) | Provides an exemption to protect the combat effectiveness of the armed forces. | |
| Paragraph 3: | Covers personal data processed for the purposes of making appointments of judges and QCs, and the conferring of honours or dignities. | |
| Paragraph 4: | Provides a power for the Lord Chancellor to make orders providing exemptions in relation to Crown appointments. An order designating a limited number of appointments has been made. | |
| Paragraph 5:( * ) | Covers personal data processed for the purposes of management forecasting or management planning. | |
| Paragraph 6:( * ) | Provides an exemption for personal data processed for corporate finance services. | |
| Paragraph 7:( * ) | Covers personal data consisting of records of the data controller's intentions in relation to negotiations with the data subject. | |
| Paragraph 8: | Modifies the 40 day maximum period for dealing with subject access requests in relation to examination marks. | |
| Paragraph 9: | Covers examination scripts. | |
| Paragraph 10: | Covers personal data in respect of which legal professional privilege could be claimed. Legal advice is that this exemption covers legal advice given by Departments' in-house lawyers. | |
| Paragraph 11: | Provides an exemption for circumstances in which by granting access a person would incriminate himself in respect of an offence other than one under the 1998 Act. | |
| * Note: Exemptions including "case by case" restriction |
The following are absolute exemptions (i.e. there is no duty to consider where the public interest lies).
| Section 21: | Information accessible to the applicant by other means. | |
| Section 23: | Information supplied by or relating to bodies dealing with security matters. | |
| Section 32: | Court records. | |
| Section 34: | Parliamentary privilege. | |
| Section 40: | Personal information (1). | |
| Section 41: | Information supplied in confidence. | |
| Section 44: | Information subject to a prohibition on disclosure. | |
The following exemptions are subject to a public interest test (i.e. they are available where the public interest in maintaining the exemption outweighs the public interest in disclosure).
| Section 22: | Information intended for future publication. | |
| Section 24: | National security (but see section 23). | |
| Section 26: | Defence. | |
| Section 27: | International relations. | |
| Section 28: | Relations between administrations in the UK. | |
| Section 29: | The economy. | |
| Section 30: | Investigations and proceedings conducted by public authorities. | |
| Section 31: | Law enforcement. | |
| Section 33: | Audit functions. | |
| Section 35: | Formulation of government policy. | |
| Section 36: | Prejudice to the effective conduct of public affairs. | |
| Section 37: | Communications with Her Majesty, etc. and honours. | |
| Section 38: | Health and safety. | |
| Section 39: | Environmental information (2). | |
| Section 42: | Legal professional privilege. | |
| Section 43: | Commercial interests. | |
| Notes: 1. Access is given in accordance with the rules in the Data Protection Act 1998. 2. Regulations covering environmental information may be made under section 74. |