Data Protection Act 1998:
Standards and Best Practice Handbook for Government Departments
Annex B
Model Departmental Guidance on the Data Protection Act 1998
In the [……department] the co-ordination of compliance with the Data
Protection Act 1998 (the DPA) rests with [the DP Unit]. The [Data
Protection Officer/Co-ordinator] for the Department is the [……….]. The [DP
Unit] must be informed of all subject access requests and will provide help
and advice in dealing with cases (contact details are at the end of this
guidance).
2. The DPA came into force on 1 March 2000, replacing the 1984 Data
Protection Act. It sets out rules for processing “personal data”,
particularly that held on computers, but it also applies to some manual
(largely paper) records. The essential features of the DPA are that it:
- requires organisations holding personal data to notify the Information
  Commissioner (IC) in broad terms of what they hold;
- requires organisations holding personal data to comply with the data
  protection principles; and
- provides for individuals to be told, on request, what data is held on
  them and gives them the opportunity to correct any errors.
3. In practical terms, personal data means any information relating to an
identifiable living individual held electronically and some material held
on paper.
4. Anyone who holds and processes personal data must comply with the data
protection principles and the other requirements of the DPA. This means
that anyone in the […department] who is responsible for personal data must
ensure that it is processed in a way which conforms to data protection
legislation, and is registered, where appropriate, with the IC. [The
position of the Non-Departmental Public Bodies (NDPBs) sponsored by the
[…department] will need to be considered, as they may need to be notified
separately.] [The Department’s Executive Agencies will usually be included
in the department’s notification.]
5. The following provides a summary of the more important parts of the
legislation and includes guidance on how to handle requests for information
(“subject access requests”) under the DPA.
The data protection principles
6. A copy of the eight principles, as they appear in the DPA, is at
‘Appendix A’. In brief, the principles lay down that all data must:
- be fairly and lawfully processed;
- be obtained for specified purposes and not further processed in any
  manner incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate;
- not be kept for longer than is necessary;
- be processed in line with the data subject's rights under the DPA;
- be kept securely; and
- not be transferred to a country outside the European Economic Area unless
  that country ensures an adequate level of protection for the rights and
  freedoms of data subjects in relation to the processing of their personal
  data.
Exemptions
7. In certain circumstances, personal data do not have to be processed in
accordance with the data protection principles or disclosed to the data
subject in response to a subject access request. It is important to check
the exact terms of any exemption before seeking to rely on it as each
exemption is expressed to apply to specific provisions and in specific
circumstances only. The meaning and extent of the exemptions are not always
self-evident or easy to follow, and in cases of doubt, guidance should be
sought from [the DP unit]. The primary exemptions concern:
- safeguarding national security;
- prevention or detection of crime;
- apprehension or prosecution of offenders;
- assessment or collection of tax or duty;
- personal data concerning physical or mental health;
- personal data concerning school pupils;
- personal data processed by government departments or local authorities
  for the purposes of social work;
- regulatory functions exercised by public “watchdogs”;
- journalistic, literary or artistic purposes;
- research, historical and statistical purposes;
- where the information is obliged to be made public under enactment;
- where disclosure is required by law;
- where disclosure is necessary in connection with legal proceedings;
- where data is processed only for personal or family affairs;
- where data is processed for the purpose of the conferring by the Crown of
  any honour; and
- where a claim to legal professional privilege could be maintained.
8. There is no exemption for policy advice or internal discussion,
international relations or effective management of the economy. This means
that information other than personal data which is exempt from disclosure
under the Code of Practice on Access to Government Information or Freedom
of Information legislation, by virtue of the “policy development”
exemption, may be disclosable under the DPA (although other exemptions,
such as the research exemption in section 33 may offer some relief). Merely
because information was given in confidence, or a document bears a
departmental security marking, is no guarantee that the information may not
be disclosed.
Data Protection and the […department]
9. The […department] currently has a number of purposes (ie purposes for
which personal data held by it are being processed) registered with the IC,
which can be inspected on her website under “Register of Data”. The
Department’s registration number is [……….]. The [DP Unit] must continue to
notify the IC of any significant changes which would affect our current
registration, whether this consists of new databases being used, existing
ones no longer being maintained, or amendments to the purposes for which
current ones are registered. As the IC only wishes to know in broad terms
of our data holdings, she will not be informed automatically of every
individual dataset. If in doubt, [the DP Unit] should be consulted on any
changes.
10. Personal data held by the [………department] may cover departmental staff
(both present and past), the public and private sectors and the public in
general. This includes, for example, lists of contractors and lists of
contacts with whom consultation might take place. Requests for details of
personal data can come from any of these sources, and all must be treated
in accordance with the law.
11. Departmental staff will have the same rights to be informed of
information held about them as any other member of the public. As well as
their existing rights covering electronically held data, they are also able
to be informed of manual data held on them in a relevant filing system; in
practice this will mean personal and pay files. Access must be given
promptly and in any case within 40 days of receipt of a request for access.
All requests must be made in writing to [the Personnel Unit]. [……….]
contains further details.]
How to handle a request for information under the DPA
12. Requests for information must be made in writing, which includes
electronic means such as email or fax. If a request is received by any
other means, such as by telephone, the enquirer should be informed that the
department will only respond to a written request. If a letter is received
in the department asking for subject access, it must be passed immediately
(with the exception of staff requests) to [the DP Unit] to co-ordinate
subsequent actions. The 40 calendar days allowed for replying to the
request starts on the day the request is received in the department (or, if
later, the first day on which the department has both the required fee and
the information necessary to satisfy itself as to the identity of the
enquirer and to locate the information sought).
13. An enquirer may make a request in the form of “give me all information
held on me by the department”. In practice, such an application may be too
wide to be valid. Under the DPA, we are not required to comply with an
access request unless the enquirer supplies such information as we may
reasonably require in order to locate the information. This means that they
may be required to specify what sort of information they think we may hold,
where it may be held, and any other information which may be helpful in
locating it. For instance, if they are requesting access to emails, we may
require them to specify the name of the author or recipient, the subject
matter and the dates when they may have been sent. The [DP Unit] will
decide whether more information is required in order to narrow down the
search. If so, they will write to the applicant asking for the information.
If no reply is received, no further action will be taken. If adequate
information is received, a search will be commissioned and the 40 day
period will run from when the further information is received. The
department may also require the applicant to provide proof of identity. If
no reply is received, or no acceptable proof is furnished, no further
action will be taken.
14. [The DP Unit] will determine which parts of the Department it considers
most likely to be holding any data and will issue a commissioning note to
those areas to carry out a search for any references to the data subject.
[The DP Unit] will assess what material should be disclosed and will draft
a reply, in consultation with the areas holding the references. Insofar as
the Department holds any information which is required to be disclosed
under the DPA, the enquirer will be sent a copy of the information held
about him, a description of why the information is processed, and details
of anyone it may be passed to or seen by.
15. A request may be received for information which mentions the DPA, but
which concerns information that is not personal to the enquirer. In such a
case the enquirer should be informed that the information sought cannot be
released to him under the DPA. It may, however, be appropriate to consider
the request under the Code of Practice on Access to Government Information.
Further details about the Code of Practice can be found [……….]. Guidance
should nevertheless be obtained from [DP Unit/COP Unit] before an enquirer
is informed that it would be more appropriate to consider the request under
the terms of the Code of Practice.
Fees
16. The DPA provides that up to £10 may be charged as a fee for providing
information to a data subject. At present [it is/is not] departmental
policy to make a charge for the provision of information in response to
requests received under the DPA.
Further information
17. Any queries about data protection in the [….department] should be
addressed to [DP Unit]. A note on definitions can be found at “Appendix B”.
Further information can also be found on the IC’s website at
www.dataprotection.gov.uk.
[DP contacts in this department are: ……….……….]
Appendix A to Annex B
The Data Protection Principles
1. Personal data shall be processed fairly and lawfully and, in particular,
shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met; and
(b) in the case of sensitive personal data, at least one of the conditions
in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation
to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept
for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data
subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects
in relation to the processing of personal data.
Appendix B to Annex B
Definitions
Meaning of “data”
Under the Data Protection Act 1998 (the Act), data means information which:
- is being processed by means of equipment operating automatically in
  response to instructions given for that purpose [which essentially means
  data held electronically],
- is recorded with the intention that it should be processed by means of
  such equipment, or
- is recorded as part of a relevant filing system or with the intention
  that it should form part of a relevant filing system [which basically
  means a paper file or card index].
2. ‘Personal data’ is defined as:
“data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or
is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual.”
3. It covers information about identifiable living individuals and includes
both facts and opinions about the individual. It does not cover the use of
information that relates to non-identifiable individuals or to information
that is not about individual people. Nor does it include information about
people that has been anonymised.
4. The definition of personal data means that the remit of the Act is very
wide. It does not only cover information held on large electronic
databases. Any electronically held material which refers to a named
individual will be caught by the DPA, which includes all such references on
a personal computer (PC). Personal information contained in documents,
files, folders, minutes and letters held on a PC will be caught.
Personalised directories held on a PC which contain names, telephone
numbers, email addresses, diary entries etc will fall within the scope of
the DPA - as will contact details in a manuscript address book. Similarly,
emails still held electronically will also be caught. Information collected
on a website, such as responses to a questionnaire, or signatures on a
petition is also likely to be covered. Closed circuit TV footage
constitutes personal data. Data subjects will have the right of access to
all of these, so it is important to ensure that anything committed to
record is accurate and relevant. It is also essential that data should be
deleted once it is no longer needed.
Paper/Manual records
5. The DPA applies to manual records (which includes paper records)
containing information which is recorded as part of a “relevant filing
system”. The definition means that a significant amount of manual data may
fall within the scope of the DPA.
6. “Relevant filing system” is defined as:
“any set of information relating to individuals to the extent that,
although the information is not processed by means of equipment operating
automatically in response to instructions given for that purpose, the set
is structured, either by reference to individuals or by reference to
criteria relating to individuals, in such a way that specific information
relating to a particular individual is readily accessible.”
7. The precise meaning of “relevant filing system” will only be established
over time through the accumulation of case law. The Information
Commissioner (IC) has suggested that in deciding whether information falls
within the definition, the following should be considered:
- there must be a set of information;
- there must be a structure to the set; and
- the structuring must work in such a way that specific information about a
  particular individual is readily accessible.
8. There are two elements to the definition. Firstly, it must be relatively
easy to locate the relevant file, and secondly, there must be an internal
structure to the file to allow specific information relating to an
individual to be easily located. The first element requires a file series
which is ordered in alphabetical (or other logical) order. Where the name
of the individual (or a reference number or other identifier uniquely
identifying him) is clearly contained in the title of the file, so that
references to the individual can be easily located, a file would clearly
satisfy the first element. However, even if a file were to bear a subject
title such as “disciplinary proceedings” rather than the name of an
individual, but within that file separate folders were held on particular
individuals, that file would probably come within the scope of the Act,
making personal information held on it potentially disclosable. Any set of
files may constitute a filing system; they need not be registered files.
9. To fulfil the second element – possessing an internal structure - the
contents of a file must be ordered in such a way that specific information
about the data subject can be readily extracted. This would exclude many
files where the contents are simply filed in chronological order. There
must be greater organisation, such as dividers separating different subject
areas within the file or an index or logical sequence. If either of these
elements is not fulfilled, the filing system will not come within the scope
of the Act, and need not be searched. Do not assume, simply because you
know where a particular document is filed, that the information is “readily
accessible”. The important question is whether a person unfamiliar with
your filing system could locate the information easily.
10. Transitional arrangements mean that manual records held in a “relevant
filing system” before 24 October 1998 are exempt until 2007 from certain
requirements, such as those relating to adequacy, relevance and accuracy.
11. Paper records may be notified to the IC although there is no legal
requirement to do so. The […department] [does/does not notify] such records
separately.
The data controller
12. The data controller is the person or organisation who determines the
purposes for which and the manner in which any personal data are processed,
regardless of whether or not those data have to be registered. In practice,
it is likely to be the department, rather than an individual official, who
is the data controller.
Processing personal data
13. Processing of personal data may only be carried out where one of the
following conditions in Schedule 2 to the Act has been met:
- the individual has given his consent to the processing;
- the processing is necessary for the performance of a contract with the
  individual;
- the processing is required under a legal obligation;
- the processing is necessary to protect the vital interests of the
  individual;
- the processing is necessary to carry out public functions; or
- the processing is necessary in order to pursue the legitimate interests
  of the data controller or third parties (unless it could prejudice the
  rights or interests of the individual).
14. Processing is broadly defined and takes place when any operation or set
of operations is carried out on personal data. In practice, virtually any
action will amount to processing, including simply holding the data. It is
essential that the department can identify valid grounds for holding
personal data. A data subject has the right to ask the identity of the data
controller and to be told why information is being, or is to be, processed.
Sensitive data
15. The DPA makes specific provision for the holding and processing of
sensitive personal data. Sensitive data includes: racial or ethnic origin;
political opinions; religious or similar beliefs; trade union membership;
health; sexual life; criminal proceedings or convictions. Sensitive data
can only be processed under strict conditions (which must be met in
addition to the conditions set out in paragraph 13). The conditions are, in
summary:
- the subject has given his explicit consent;
- the law requires the data to be processed for employment purposes;
- to protect the vital interests of the data subject or another person;
- the processing is carried out by certain not-for-profit bodies;
- the data subject has himself made public the data;
- processing is necessary for legal proceedings;
- processing is necessary for the administration of justice or legal
  proceedings;
- processing is necessary for medical purposes by a health professional;
- processing is necessary for monitoring equal opportunities;
- circumstances have been specified by the Secretary of State.
16. A full list of the conditions is set out in Schedule 3 to the DPA and
the Data Protection (Processing of Sensitive Personal Data) Order 2000, and
can be obtained from [DP Unit]. Legal advice should be taken before seeking
to rely on any of these provisions.
Notification
17. Under the DPA, data controllers are required to notify their data
holdings to the IC (although some holdings are exempted). Most controllers
need to notify the IC, in broad terms, of the purposes of their holdings
and processing, the personal data being processed, the recipients of the
personal data processed and any places overseas to which the data may be
transferred. This information is made publicly available in a register on
the IC’s website.
18. Notifications need to be renewed annually. Within […..department]
notifications and amendments to notifications are co-ordinated by sending
them through [DP Unit].
Security of data holdings
19. The DPA requires that data controllers must take appropriate technical
or organisational measures to prevent the unauthorised or unlawful
processing or disclosure of data. Where a controller uses the services of
a data processor (someone other than an employee of the controller who
processes data on his behalf) the security arrangements must be part of a
written agreement between the two. A model contract drawn up by the
Treasury Solicitor’s Department is available from [DP Unit].
Rights of individuals
20. The DPA provides for individuals to find out what information is held
about them on electronic and on certain manual (primarily paper) records.
The DPA allows individuals to apply to the Court to order a data controller
to rectify, block, erase or destroy personal details if they are inaccurate
or contain expressions of opinion which are based on inaccurate data.
(There are however exemptions for some manual records until 2007.)
21. A data subject can ask a data controller to stop, or request that they
do not begin, processing personal data where it is causing, or is likely to
cause, unwarranted substantial damage or distress to themselves or anyone
else. A data subject can ask a data controller to ensure that no decision
which significantly affects him is based solely on processing personal data
by automatic means (with some exemptions). A data subject can also claim
compensation from a data controller for damage, or damage and distress,
caused by any breach of the DPA.