Data Protection Act 1998

Data Protection Act 1998 is up to date with all changes known to be in force on or before 18 September 2024. There are changes that may be brought into force at a future date.

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the affected provisions when you open the content using the Table of Contents below.

Changes and effects yet to be applied to :

Pt. 3 omitted by 2017 c. 30s. 111(2)
s. 20(2) words repealed by 2009 c. 25Sch. 20para. 4(a)Sch. 23Pt. 8
s. 20(2)(a) words inserted by 2009 c. 25Sch. 20para. 4(b)
s. 20(2)(b) words inserted by 2009 c. 25Sch. 20para. 4(d)
s. 31(6) words inserted by 2006 c. 44s. 14(10)
s. 33A(1)(e) omitted by 2017 c. 30s. 111(3)
s. 69(1)(h) words omitted by 2017 c. 16Sch. 5para. 6 (This amendment not applied to legislation.gov.uk. The Act was repealed at 25.5.2018 by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g))
s. 69(1)(h) words substituted by 2017 c. 16Sch. 5para. 47(g) (This amendment not applied to legislation.gov.uk. The Act was repealed at 25.5.2018 by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g))
s. 69(3)(f) words omitted by 2012 c. 7Sch. 14para. 74
s. 71 words omitted by 2017 c. 30s. 111(4)
Sch. 5 para. 9(1) words inserted by 2017 c. 30s. 111(6)
Sch. 9 para. 1(1) words inserted by 2003 c. 39Sch. 4para. 8
Sch. 12 para. 4 Table words repealed by 2001 asp 10Sch. 10para. 26
Sch. 12 para. 5(3) words repealed by 2001 asp 10Sch. 10para. 26
Sch. 14 para. 2 omitted by 2017 c. 30s. 111(7)

Changes and effects yet to be applied to the whole Act associated Parts and Chapters:

Whole provisions yet to be inserted into this Act (including any effects on those provisions):

s. 20(2)(aa) inserted by 2009 c. 25Sch. 20para. 4(c)
s. 31(4)(a) (va) inserted by 2016 c. 21 (N.I.)Sch. 3para. 13
s. 55(2)(ca) inserted by 2008 c. 4s. 78
Sch. 1 Pt. 2 para. 5(b) and word omitted by 2017 c. 30s. 111(5)

Introductory Text
Part I Preliminary
1. 1.Basic interpretative provisions.
2. 2.Sensitive personal data.
3. 3.The special purposes.
4. 4.The data protection principles.
5. 5.Application of Act.
6. 6.The Commissioner . . . .
1. 7.Right of access to personal data.
2. 8.Provisions supplementary to section 7.
3. 9.Application of section 7 where data controller is credit reference agency.
4. 9A.Unstructured personal data held by public authorities.
5. 10.Right to prevent processing likely to cause damage or distress.
6. 11.Right to prevent processing for purposes of direct marketing.
7. 12.Rights in relation to automated decision-taking.
8. 12A.Rights of data subjects in relation to exempt manual data.
9. 13.Compensation for failure to comply with certain requirements.
10. 14.Rectification, blocking, erasure and destruction.
11. 15.Jurisdiction and procedure.
1. 16.Preliminary.
2. 17.Prohibition on processing without registration.
3. 18.Notification by data controllers.
4. 19.Register of notifications.
5. 20.Duty to notify changes.
6. 21.Offences.
7. 22.Preliminary assessment by Commissioner.
8. 23.Power to make provision for appointment of data protection supervisors.
9. 24.Duty of certain data controllers to make certain information available.
10. 25.Functions of Commissioner in relation to making of notification regulations.
11. 26.Fees regulations.
1. 27.Preliminary.
2. 28.National security.
3. 29.Crime and taxation.
4. 30.Health, education and social work.
5. 31.Regulatory activity.
6. 32.Journalism, literature and art.
7. 33.Research, history and statistics.
8. 33A.Manual data held by public authorities.
9. 34.Information available to the public by or under enactment.
10. 35.Disclosures required by law or made in connection with legal proceedings etc.
11. 35A.Parliamentary privilege.
12. 36.Domestic purposes.
13. 37.Miscellaneous exemptions.
14. 38.Powers to make further exemptions by order.
15. 39.Transitional relief.
1. 40.Enforcement notices.
2. 41.Cancellation of enforcement notice.
3. 41A.Assessment notices
4. 41B.Assessment notices: limitations
5. 41C.Code of practice about assessment notices
6. 42.Request for assessment.
7. 43.Information notices.
8. 44.Special information notices.
9. 45.Determination by Commissioner as to the special purposes.
10. 46.Restriction on enforcement in case of processing for the special purposes.
11. 47.Failure to comply with notice.
12. 48.Rights of appeal.
13. 49.Determination of appeals.
14. 50.Powers of entry and inspection.
1. Functions of Commissioner
  1. 51.General duties of Commissioner.
  2. 52.Reports and codes of practice to be laid before Parliament.
  3. 52A.Data-sharing code
  4. 52AA.Direct marketing code
  5. 52B.data-sharing and direct marketing codes: procedure
  6. 52C.Alteration or replacement of data-sharing and direct marketing codes
  7. 52D.Publication of data-sharing and direct marketing codes
  8. 52E.Effect of data-sharing and direct marketing codes
  9. 53.Assistance by Commissioner in cases involving processing for the special purposes.
  10. 54.International co-operation.
  11. 54A.Inspection of overseas information systems
  1. 55.Unlawful obtaining etc. of personal data.
  1. 55A.Power of Commissioner to impose monetary penalty
  2. 55B.Monetary penalty notices: procedural rights
  3. 55C.Guidance about monetary penalty notices
  4. 55D.Monetary penalty notices: enforcement
  5. 55E.Notices under sections 55A and 55B: supplemental
  1. 56.Prohibition of requirement as to production of certain records.
  2. 57.Avoidance of certain contractual terms relating to health records.
  1. 58.Disclosure of information.
  2. 59.Confidentiality of information.
  1. 60.Prosecutions and penalties.
  2. 61.Liability of directors etc.
  1. 62.Amendments of Consumer Credit Act 1974.
  1. 63.Application to Crown.
  2. 63A.Application to Parliament.
  3. 64.Transmission of notices etc. by electronic or other means.
  4. 65.Service of notices by Commissioner.
  5. 66.Exercise of rights in Scotland by children.
  6. 67.Orders, regulations and rules.
  7. 68.Meaning of “accessible record”.
  8. 69.Meaning of “health professional”.
  9. 70.Supplementary definitions.
  10. 71.Index of defined expressions.
  11. 72.Modifications of Act.
  12. 73.Transitional provisions and savings.
  13. 74.Minor and consequential amendments and repeals and revocations.
  14. 75.Short title, commencement and extent.
  1. SCHEDULE 1The data protection principles
    1. Part I The principles
      1. 1.Personal data shall be processed fairly and lawfully and, in.
      2. 2.Personal data shall be obtained only for one or more.
      3. 3.Personal data shall be adequate, relevant and not excessive in.
      4. 4.Personal data shall be accurate and, where necessary, kept up.
      5. 5.Personal data processed for any purpose or purposes shall not.
      6. 6.Personal data shall be processed in accordance with the rights.
      7. 7.Appropriate technical and organisational measures shall be taken against unauthorised.
      8. 8.Personal data shall not be transferred to a country or.
      1. The first principle
        
        1.(1) In determining for the purposes of the first principle.
        
        2.(1) Subject to paragraph 3, for the purposes of the.
        
        3.(1) Paragraph 2(1)(b) does not apply where either of the.
        
        4.(1) Personal data which contain a general identifier falling within.
        
        5.The purpose or purposes for which personal data are obtained.
        
        6.In determining whether any disclosure of personal data is compatible.
        
        7.The fourth principle is not to be regarded as being.
        
        8.A person is to be regarded as contravening the sixth.
        
        9.Having regard to the state of technological development and the.
        
        10.The data controller must take reasonable steps to ensure the.
        
        11.Where processing of personal data is carried out by a.
        
        12.Where processing of personal data is carried out by a.
        
        13.An adequate level of protection is one which is adequate.
        
        14.The eighth principle does not apply to a transfer falling.
        
        15.(1) Where— (a) in any proceedings under this Act any.
        
        1.The data subject has given his consent to the processing.
        
        2.The processing is necessary— (a) for the performance of a.
        
        3.The processing is necessary for compliance with any legal obligation.
        
        4.The processing is necessary in order to protect the vital.
        
        5.The processing is necessary— (a) for the administration of justice.
        
        6.(1) The processing is necessary for the purposes of legitimate.
        
        7.The processing is necessary for the purposes of making a.
        
        1.The data subject has given his explicit consent to the.
        
        2.(1) The processing is necessary for the purposes of exercising.
        
        3.The processing is necessary— (a) in order to protect the.
        
        4.The processing— (a) is carried out in the course of.
        
        5.The information contained in the personal data has been made.
        
        6.The processing— (a) is necessary for the purpose of, or.
        
        7.(1) The processing is necessary— (a) for the administration of.
        
        7A.(1) The processing— (a) is either— (i) the disclosure of.
        
        7B.The processing is necessary for the purposes of making a.
        
        8.(1) The processing is necessary for medical purposes and is.
        
        9.(1) The processing— (a) is of sensitive personal data consisting.
        
        10.The personal data are processed in circumstances specified in an.
        
        1.The data subject has given his consent to the transfer.
        
        2.The transfer is necessary— (a) for the performance of a.
        
        3.The transfer is necessary— (a) for the conclusion of a.
        
        4.(1) The transfer is necessary for reasons of substantial public.
        
        5.The transfer— (a) is necessary for the purpose of, or.
        
        6.The transfer is necessary in order to protect the vital.
        
        7.The transfer is of part of the personal data on.
        
        8.The transfer is made on terms which are of a.
        
        9.The transfer has been authorised by the Commissioner as being.
        
        Part I The Commissioner
        
        Status and capacity
        
        1.(1) The corporation sole by the name of the Data.
        
        2.(1) Subject to the provisions of this paragraph, the Commissioner.
        
        3.(1) There shall be paid— (a) to the Commissioner such.
        
        4.(1) The Commissioner— (a) shall appoint a deputy commissioner or.
        
        5.(1) The deputy commissioner or deputy commissioners shall perform the.
        
        6.The application of the seal of the Commissioner shall be.
        
        7.Any document purporting to be an instrument issued by the.
        
        8.The Secretary of State may make payments to the Commissioner.
        
        9.(1) All fees and other sums received by the Commissioner.
        
        10.(1) It shall be the duty of the Commissioner—
        
        11.Paragraphs 1(1), 6 and 7 do not extend to Scotland.
        
        Tenure of office
        
        12.(1) Subject to the following provisions of this paragraph, a.
        
        13.The Secretary of State shall pay to the members of.
        
        14.The Secretary of State may provide the Tribunal with such.
        
        15.Such expenses of the Tribunal as the Secretary of State.
        
        16.Any reference in any enactment, instrument or other document to.
        
        17.Any reference in this Act or in any instrument under.
        
        Hearing of appeals
        
        1.For the purpose of hearing and determining appeals or any.
        
        2.(1) The Lord Chancellor shall from time to time designate.
        
        3.(1) The Tribunal shall be duly constituted—
        
        4.(1) Subject to any rules made under paragraph 7, the.
        
        5.The determination of any question before the Tribunal when constituted.
        
        6.(1) Subject to any rules made under paragraph 7, the.
        
        7.(1) Tribunal Procedure Rules may make provision for regulating the.
        
        8.(1) If any person is guilty of any act or.
        
        Confidential references given by the data controller
        
        1.Personal data are exempt from section 7 if they consist.
        
        2.Personal data are exempt from the subject information provisions in.
        
        3.Personal data processed for the purposes of—
        
        4.(1) The Secretary of State may by order exempt from.
        
        5.Personal data processed for the purposes of management forecasting or.
        
        6.(1) Where personal data are processed for the purposes of.
        
        7.Personal data which consist of records of the intentions of.
        
        8.(1) Section 7 shall have effect subject to the provisions.
        
        9.(1) Personal data consisting of information recorded by candidates during.
        
        10.Personal data are exempt from the subject information provisions if.
        
        11.(1) A person need not comply with any request or.
        
        Part I Interpretation of Schedule
        
        1.(1) For the purposes of this Schedule, personal data are.
        
        Manual data
        
        2.(1) Eligible manual data, other than data forming part of.
        
        3.(1) This paragraph applies to— (a) eligible manual data forming.
        
        4.(1) This paragraph applies to eligible manual data which consist.
        
        5.During the first transitional period, for the purposes of this.
        
        6.(1) Subject to sub-paragraph (2), eligible automated data processed by.
        
        7.Eligible automated data processed by an unincorporated members’ club and.
        
        8.Eligible automated data processed by a data controller only for.
        
        9.Neither paragraph 7 nor paragraph 8 applies to personal data.
        
        10.It shall be a condition of the exemption of any.
        
        11.Data to which paragraph 10 applies may be disclosed—
        
        12.Eligible automated data which are processed only for the purpose.
        
        13.(1) During the first transitional period, eligible automated data are.
        
        14.(1) This paragraph applies to— (a) eligible manual data which.
        
        14A.(1) This paragraph applies to personal data which fall within.
        
        15.In this Part of this Schedule “the relevant conditions” has.
        
        16.(1) Eligible manual data which are processed only for the.
        
        17.(1) After 23rd October 2001 eligible automated data which are.
        
        18.For the purposes of this Part of this Schedule personal.
        
        19.Processing which was already under way immediately before 24th October.
        
        Issue of warrants
        
        1.(1) If a circuit judge or a District Judge (Magistrates'.
        
        2.(1) A judge shall not issue a warrant under this.
        
        3.A judge who issues a warrant under this Schedule shall.
        
        4.A person executing a warrant issued under this Schedule may.
        
        5.A warrant issued under this Schedule shall be executed at.
        
        6.If the person who occupies the premises in respect of.
        
        7.(1) A person seizing anything in pursuance of a warrant.
        
        8.The powers of inspection and seizure conferred by a warrant.
        
        9.(1) Subject to the provisions of this paragraph, the powers.
        
        10.If the person in occupation of any premises in respect.
        
        11.A warrant issued under this Schedule shall be returned to.
        
        12.Any person who— (a) intentionally obstructs a person in the.
        
        13.In this Schedule “premises” includes any vessel, vehicle, aircraft or.
        
        14.In the application of this Schedule to Scotland—
        
        15.In the application of this Schedule to Northern Ireland—
        
        16.An explanation given, or information provided, by a person in.
        
        1.In this Schedule “applicant” and “proceedings” have the same meaning.
        
        2.The assistance provided under section 53 may include the making.
        
        3.Where assistance is provided with respect to the conduct of.
        
        4.Where the Commissioner provides assistance in relation to any proceedings.
        
        5.In England and Wales or Northern Ireland, the recovery of.
        
        6.In Scotland, the recovery of such expenses (as taxed or.
        
        Meaning of “educational record”
        
        1.For the purposes of section 68 “educational record” means any.
        
        2.This paragraph applies to any record of information which—
        
        3.The schools referred to in paragraph 2(a) are—
        
        4.The persons referred to in paragraph 2(c) are—
        
        4A.In paragraphs 3 and 4 “ local authority ” has.
        
        5.This paragraph applies to any record of information which is.
        
        6.For the purposes of paragraph 5— (a) “education authority” means.
        
        7.(1) This paragraph applies to any record of information which—.
        
        8.The persons referred to in paragraph 7(1) are—
        
        9.(1) Until the appointed day within the meaning of section.
        
        Meaning of “accessible public record”
        
        1.For the purposes of section 68 “accessible public record” means.
        
        2.The following is the Table referred to in paragraph 1(a).
        
        3.(1) The following provisions apply for the interpretation of the.
        
        4.The following is the Table referred to in paragraph 1(b).
        
        5.(1) The following provisions apply for the interpretation of the.
        
        6.The following is the Table referred to in paragraph 1(c).
        
        7.(1) This paragraph applies for the interpretation of the Table.
        
        1.After section 12 there is inserted— Rights of data subjects.
        
        2.In section 32— (a) in subsection (2) after “section 12”.
        
        3.In section 34 for “section 14(1) to (3)” there is.
        
        4.In section 53(1) after “12(8)” there is inserted “ .
        
        5.In paragraph 8 of Part II of Schedule 1, the.
        
        Interpretation
        
        1.In this Schedule— “the 1984 Act” means the Data Protection.
        
        2.(1) Subject to sub-paragraphs (4) and (5) any person who.
        
        3.(1) The repeal of section 21 of the 1984 Act.
        
        4.The repeal of section 22 of the 1984 Act (compensation.
        
        5.The repeal of section 24 of the 1984 Act (rectification.
        
        6.Subsection (3)(b) of section 14 does not apply where the.
        
        7.(1) If, immediately before the commencement of section 40—
        
        8.(1) If, immediately before the commencement of section 40—
        
        9.The Commissioner may serve an enforcement notice under section 40.
        
        10.Subsection (5)(b) of section 40 does not apply where the.
        
        11.The Commissioner may serve an information notice under section 43.
        
        12.Where by virtue of paragraph 11 an information notice is.
        
        13.(1) In section 43(8), section 44(9) and paragraph 11 of.
        
        14.The repeal of Schedule 4 to the 1984 Act does.
        
        15.The repeal of section 36(2) of the 1984 Act does.
        
        16.In dealing with a complaint under section 36(2) of the.
        
        17.(1) The repeal of any provision of the Access to.
        
        18.(1) The revocation of any provision of the Access to.
        
        19.(1) The repeal of the personal files enactments does not.
        
        20.Section 62 does not affect the application of section 158.
        
        Public Records Act 1958 (c. 51)
        
        1.(1) In Part II of the Table in paragraph 3.
        
        2.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        
        3.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        
        4.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        
        5.(1) Part II of Schedule 1 to the House of.
        
        6.(1) Part II of Schedule 1 to the Northern Ireland.
        
        7.In Schedule 2 of the Representation of the People Act.
        
        8.In section 2(1) of the Access to Medical Reports Act.
        
        9.(1) Section 5 of the Football Spectators Act 1989 (national.
        
        10.Schedule 2 to the Education (Student Loans) Act 1990 (loans.
        
        11.For section 2 of the Access to Health Records Act.
        
        12.In section 3(4) of that Act (cases where fee may.
        
        13.In section 5(3) of that Act (cases where right of.
        
        14.In Article 4 of the Access to Personal Files and.
        
        15.In Article 6(1) of that Order (interpretation), in the definition.
        
        16.In Part 1 of Schedule 1 to the Tribunals and.
        
        17.For paragraphs (1) and (2) of Article 4 of the.
        
        18.In Article 5(4) of that Order (cases where fee may.
        
        19.In Article 7 of that Order (cases where right of.
        
        Part I Repeals
        
        . . . . . . . . . .
        
        . . . . . . . . . .