
Data Protection Act 2002


Published: 2016-02-01

AT 2 of 2002

DATA PROTECTION ACT 2002


Index

PART 1 PRELIMINARY
1 Basic interpretative provisions
2 The data protection principles
3 Application of Act
4 The Tribunal

PART 2 RIGHTS OF DATA SUBJECTS AND OTHERS
5 Right of access to personal data
6 Provisions supplementary to section 5
7 Application of section 5: credit reference agencies
7A Unstructured personal data held by public authorities
8 Right to prevent processing likely to cause damage or distress
9 Right to prevent processing for purposes of direct marketing
10 Rights in relation to automated decision-taking
11 Compensation for failure to comply with certain requirements
12 Rectification, blocking, erasure and destruction

PART 3 NOTIFICATION BY DATA CONTROLLERS
13 Preliminary
14 Prohibition on processing without registration
15 Notification by data controllers
16 Register of notifications
17 Duty to notify changes
18 Offences
19 Preliminary assessment by Information Commissioner
20 Reference of notification to Tribunal
21 Power to make provision for appointment of data supervisors
22 Duty of certain data controllers to make certain information available

PART 4 EXEMPTIONS
23 Preliminary
24 National security
25 Crime and taxation
26 Health, education and social work
27 Regulatory activity
28 Journalism, literature and art
29 Research, history and statistics
29A Manual data held by public authorities
30 Information available to the public by or under statutory provision
31 Disclosures required by law or made in connection with legal proceedings etc.
32 Tynwald privilege
33 Domestic purposes
34 Miscellaneous exemptions
35 Powers to make further exemptions by order

PART 5 ENFORCEMENT
36 Enforcement notices
37 Cancellation of enforcement notice
38 Request for assessment
39 Information notices
40 Special information notices
41 Determination by Information Commissioner as to the special purposes
42 Restriction on enforcement in case of processing for the special purposes
43 Failure to comply with notice
44 Rights of appeal
45 Determination of appeals
46 Powers of entry and inspection

PART 6 MISCELLANEOUS AND GENERAL
Functions of Information Commissioner
47 General duties of Information Commissioner
48 Reports and codes of practice to be laid before Tynwald
49 International co-operation
Unlawful obtaining etc. of personal data
50 Unlawful obtaining etc. of personal data
Records obtained under data subject’s right of access
51 Prohibition of requirement as to production of certain records
52 Avoidance of certain contractual terms relating to health records
Information provided to Information Commissioner or Tribunal
53 Disclosure of information
54 [Repealed]
General provisions relating to offences
55 Prosecutions and penalties
56 Liability of directors etc.
Supply and inspection of copies of public registers
57 Registers of electors etc.
General
58 Application to Government
59 Application to Tynwald
60 Service of notices by Information Commissioner
61 Orders, rules and regulations
62 Interpretation
63 Index of defined expressions
64 Transitional exemptions and modifications
65 Transitional provisions and savings
66 Minor and consequential amendments etc
67 Short title and commencement

SCHEDULE 1 THE DATA PROTECTION PRINCIPLES
SCHEDULE 2 CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
SCHEDULE 3 CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA
SCHEDULE 4 CASES WHERE THE EIGHTH PRINCIPLE DOES NOT APPLY
SCHEDULE 5 THE TRIBUNAL
SCHEDULE 6 APPEALS AND REFERENCES
SCHEDULE 7 MISCELLANEOUS EXEMPTIONS
SCHEDULE 8 POWERS OF ENTRY AND INSPECTION
SCHEDULE 9 REGISTERS OF ELECTORS ETC.
SCHEDULE 10 EXEMPTIONS AND MODIFICATIONS HAVING EFFECT BEFORE 24TH OCTOBER 2007
SCHEDULE 11 TRANSITIONAL PROVISIONS AND SAVINGS
SCHEDULE 12 AMENDMENT OF ENACTMENTS
SCHEDULE 13 ENACTMENTS REPEALED

ENDNOTES
TABLE OF LEGISLATION HISTORY
TABLE OF RENUMBERED PROVISIONS
TABLE OF ENDNOTE REFERENCES

DATA PROTECTION ACT 2002

Received Royal Assent: 10 December 2002
Passed: 10 December 2002
Commenced: See endnotes
AN ACT
to make new provision for the regulation of the processing of
information relating to individuals, including the obtaining, holding, use or
disclosure of such information.
GENERAL NOTE: see SD352/09 Rules of the High Court of Justice 2009 Sch 15.1 para 3 reproduced below:

“3. In any statutory provision a reference to a petition of doleance shall be
construed as an application to the court in accordance with —
(a) Chapter 9 of Part 13 (review of detention),
(b) rule 14.16 (appeal by way of case stated), or
(c) Chapter 2 of Part 14 (review of lawfulness of decision etc.),
as the case may require.”
PART 1 PRELIMINARY

1 Basic interpretative provisions

[P1998/29/1-3]
(1) In this Act —
“data” means information which —
(a) is being processed by means of equipment operating
automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by
means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention
that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an
accessible record, or
(e) does not fall within paragraph (a) to (d) but is recorded
information held by a public authority;1

“data controller” means, subject to subsection (4), a person who (either alone or
jointly or in common with other persons) determines the purposes for
which and the manner in which any personal data are, or are to be,
processed;
“data processor”, in relation to personal data, means any person (other than an
employee of the data controller) who processes the data on behalf of the
data controller;
“data subject” means an individual who is the subject of personal data;
“held” by a public authority, in relation to information covered by paragraph
(e) of the definition of “data”, is to be interpreted in accordance with the
Freedom of Information Act 2015;2

“personal data” means data which relate to a living individual who can be
identified —
(a) from those data, or
(b) from those data and other information which is in the possession of, or is
likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual;
“processing”, in relation to information or data, means obtaining, recording or
holding the information or data or carrying out any operation or set of
operations on the information or data, including —
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission,
dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the
information or data;
“public authority” has the same meaning as in the Freedom of Information Act
2015;3

“relevant filing system” means any set of information relating to individuals to
the extent that, although the information is not processed by means of
equipment operating automatically in response to instructions given for
that purpose, the set is structured, either by reference to individuals or
by reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible;
“sensitive personal data” means personal data consisting of information
as to —
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of
the Trade Unions Act 1991),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have
been committed by him, the disposal of such proceedings or the
sentence of any court in such proceedings;
“the special purposes” means any one or more of the following —
(a) the purposes of journalism,
(b) artistic purposes, and
(c) literary purposes.
(2) In this Act —
(a) “obtaining” or “recording”, in relation to personal data, includes
obtaining or recording the information to be contained in the data,
and
(b) “using” or “disclosing”, in relation to personal data, includes
using or disclosing the information contained in the data.
(3) In determining for the purposes of this Act whether any information is
recorded with the intention —
(a) that it should be processed by means of equipment operating
automatically in response to instructions given for that purpose,
or
(b) that it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form part of
such a system only after being transferred to a country or territory
outside the Island.
(4) Where personal data are processed only for purposes for which they are
required by or under any enactment to be processed, the person on
whom the obligation to process the data is imposed by or under that
enactment is for the purposes of this Act the data controller.
2 The data protection principles

[P1998/29/4]
(1) References in this Act to the data protection principles are to the
principles set out in Part 1 of Schedule 1.
(2) Those principles are to be interpreted in accordance with Part 2 of
Schedule 1.
(3) Schedule 2 (which applies to all personal data) and Schedule 3 (which
applies only to sensitive personal data) set out conditions applying for
the purposes of the first principle (fair and lawful processing); and
Schedule 4 sets out cases in which the eighth principle does not apply.
(4) Subject to section 23(1), it is the duty of a data controller to comply with
the data protection principles in relation to all personal data with respect
to which he is the data controller.
3 Application of Act

[P1998/29/5]
(1) Except as otherwise provided by or under section 49, this Act applies to a
data controller in respect of any data only if —
(a) the data controller is established in the Island and the data are
processed in the context of that establishment, or
(b) the data controller is not established in the Island but uses
equipment in the Island for processing the data otherwise than for
the purposes of transit through the Island.
(2) A data controller falling within subsection (1)(b) must nominate for the
purposes of this Act a representative established in the Island.
(3) For the purposes of subsections (1) and (2), each of the following is to be
treated as established in the Island —
(a) an individual who is ordinarily resident in the Island,
(b) a body incorporated under the law of the Island,
(c) a partnership or other unincorporated association formed under
the law of the Island, and
(d) any person who does not fall within paragraph (a), (b) or (c) but
maintains in the Island —
(i) an office, branch or agency through which he carries on
any activity, or
(ii) a regular practice.
4 The Tribunal
4

[P1998/29/6]
(1) [Repealed]5

(2) [Repealed]6

(3) For the purposes of this Act there shall continue to be an Isle of Man
Data Protection Tribunal (in this Act referred to as “the Tribunal”).
(4) The Tribunal is to consist of a chairman and 2 other members, appointed
in accordance with the Tribunals Act 2006.7

(5) [Repealed]8

(6) Schedule 5 has effect in relation to the Tribunal.9

PART 2 RIGHTS OF DATA SUBJECTS AND OTHERS

5 Right of access to personal data

[P1998/29/7 and 15, P2000/36/6/1]
(1) Subject to the following provisions of this section and to sections 6, 7 and
7A, an individual is entitled —
(a) to be informed by any data controller whether personal data of
which that individual is the data subject are being processed by or
on behalf of that data controller,
(b) if that is the case, to be given by the data controller a
description of —
(i) the personal data of which that individual is the data
subject,
(ii) the purposes for which they are being or are to be
processed, and
(iii) the recipients or classes of recipients to whom they are or
may be disclosed,
(c) to have communicated to him in an intelligible form —
(i) the information constituting any personal data of which
that individual is the data subject, and
(ii) any information available to the data controller as to the
source of those data, and
(d) where the processing by automatic means of personal data of
which that individual is the data subject for the purpose of
evaluating matters relating to him such as, for example, his
performance at work, his creditworthiness, his reliability or his
conduct, has constituted or is likely to constitute the sole basis for
any decision significantly affecting him, to be informed by the
data controller of the logic involved in that decision-taking.10

(2) A data controller is not obliged to supply any information under
subsection (1) unless he has received —
(a) a request in writing, and
(b) except in prescribed cases, such fee (not exceeding the prescribed
maximum) as he may require.
(3) Where a data controller —
(a) reasonably requires further information in order to satisfy himself
as to the identity of the person making a request under this
section and to locate the information which that person seeks, and
(b) has informed him of that requirement,
the data controller is not obliged to comply with the request unless he is
supplied with that further information.
(4) Where a data controller cannot comply with the request without
disclosing information relating to another individual who can be
identified from that information, he is not obliged to comply with the
request unless —
(a) the other individual has consented to the disclosure of the
information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request
without the consent of the other individual.
(5) In subsection (4) the reference to information relating to another
individual includes a reference to information identifying that individual
as the source of the information sought by the request; and that
subsection is not to be construed as excusing a data controller from
communicating so much of the information sought by the request as can
be communicated without disclosing the identity of the other individual
concerned, whether by the omission of names or other identifying
particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether it is
reasonable in all the circumstances to comply with the request without
the consent of the other individual concerned, regard shall be had, in
particular, to —
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the
consent of the other individual,
(c) whether the other individual is capable of giving consent, and
(d) any express refusal of consent by the other individual.
(7) An individual making a request under this section may, in such cases as
may be prescribed, specify that his request is limited to personal data of
any prescribed description.
(8) Subject to subsection (4), a data controller shall comply with a request
under this section promptly and in any event before the end of the
prescribed period beginning with the relevant day.
(9) If the High Court is satisfied on the application of any person who has
made a request under this section that the data controller in question has
failed to comply with the request in contravention of those provisions,
the court may —
(a) order him to comply with the request; and
(b) if the court is satisfied that the failure was unjustified and that the
data controller knew or ought to have known that it was
unjustified, impose on him a penalty of such amount (not
exceeding £5,000) as the court thinks fit.
(10) For the purpose of determining any question whether an applicant under
subsection (9) is entitled to the information which he seeks (including
any question whether any relevant data are exempt from that section by
virtue of Part 4) the High Court may require —
(a) the information constituting any data processed by or on behalf of
the data controller, and
(b) any information as to the logic involved in any decision-taking as
mentioned in subsection (1)(d),
to be made available for its own inspection but shall not, pending the
determination of that question in the applicant’s favour, require the
information sought by the applicant to be disclosed to him or his
representatives whether by discovery or otherwise.
(11) A penalty imposed under subsection (9)(b) shall be applicable as a fine
imposed by a criminal court.
(12) In this section —
“prescribed” means prescribed by the Council of Ministers by regulations;
“the prescribed maximum” means such amount as may be prescribed;
“the prescribed period” means 40 days or such other period as may be
prescribed;
“the relevant day”, in relation to a request under this section, means the day on
which the data controller receives the request or, if later, the first day on
which the data controller has both the required fee and the information
referred to in subsection (3).
6 Provisions supplementary to section 5

[P1998/29/8]
(1) The Council of Ministers may by regulations provide that, in such cases
as may be prescribed, a request for information under any provision of
subsection (1) of section 5 is to be treated as extending also to
information under other provisions of that subsection.
(2) The obligation imposed by section 5(1)(c)(i) must be complied with by
supplying the data subject with a copy of the information in permanent
form unless —
(a) the supply of such a copy is not possible or would involve
disproportionate effort, or
(b) the data subject agrees otherwise;
and where any of the information referred to in section 5(1)(c)(i) is
expressed in terms which are not intelligible without explanation the
copy must be accompanied by an explanation of those terms.
(3) Where a data controller has previously complied with a request made
under section 5 by an individual, the data controller is not obliged to
comply with a subsequent identical or similar request under that section
by that individual unless a reasonable interval has elapsed between
compliance with the previous request and the making of the current
request.
(4) In determining for the purposes of subsection (3) whether requests under
section 5 are made at reasonable intervals, regard shall be had to the
nature of the data, the purpose for which the data are processed and the
frequency with which the data are altered.
(5) Section 5(1)(d) is not to be regarded as requiring the provision of
information as to the logic involved in any decision-taking if, and to the
extent that, the information constitutes a trade secret.
(6) The information to be supplied pursuant to a request under section 5
must be supplied by reference to the data in question at the time when
the request is received, except that it may take account of any
amendment or deletion made between that time and the time when the
information is supplied, being an amendment or deletion that would
have been made regardless of the receipt of the request.
(7) For the purposes of section 5(4) and (5) another individual can be
identified from the information being disclosed if he can be identified
from that information, or from that and any other information which, in
the reasonable belief of the data controller, is likely to be in, or to come
into, the possession of the data subject making the request.
7 Application of section 5: credit reference agencies

[P1998/29/9]
(1) Where the data controller is a credit reference agency, section 5 has effect
subject to the provisions of this section.
(2) An individual making a request under section 5 may limit his request to
personal data relevant to his financial standing, and shall be taken to
have so limited his request unless the request shows a contrary intention.
(3) Where the data controller receives a request under section 5 in a case
where personal data of which the individual making the request is the
data subject are being processed by or on behalf of the data controller,
the obligation to supply information under that section includes an
obligation to give the individual making the request a statement, in such
form as may be prescribed by the Council of Ministers by regulations, of
such of the individual’s rights under this Act as are specified in the form.
7A Unstructured personal data held by public authorities

(1) A public authority is not obliged to comply with section 5(1) in relation
to unstructured personal data unless the request under that section
contains a description of the data.
(2) Even if the data are described by the data subject in the request, a public
authority is not obliged to comply with section 5(1) in relation to
unstructured personal data if the public authority estimates that the cost
of complying with the request so far as relating to those data would
exceed the limit prescribed under subsection (4).
(3) Subsection (2) does not exempt the public authority from its obligation to
comply with section 5(1)(a) in relation to the unstructured personal data
unless the estimated cost of complying with that paragraph alone in
relation to those data would exceed the limit prescribed under subsection
(4).
(4) The Council of Ministers may, by regulations, prescribe an amount to be
the limit for the purposes of subsections (2) and (3).
(5) Any estimate for the purposes of this section must be made in
accordance with regulations under section 68 of the Freedom of
Information Act 2015 (fees).
(6) In this section “unstructured personal data” means any personal data
falling within paragraph (e) of the definition of “data” in section 1(1),
other than information that is recorded as part of, or with the intention
that it should form part of, any set of information relating to individuals
to the extent that the set is structured by reference to individuals or by
reference to criteria relating to individuals.11

8 Right to prevent processing likely to cause damage or distress

[P1998/29/10]
(1) Subject to subsection (2), an individual is entitled at any time by notice in
writing to a data controller to require the data controller at the end of
such period as is reasonable in the circumstances to cease, or not to
begin, processing, or processing for a specified purpose or in a specified
manner, any personal data in respect of which he is the data subject, on
the ground that, for specified reasons —
(a) the processing of those data or their processing for that purpose
or in that manner is causing or is likely to cause substantial
damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
(2) Subsection (1) does not apply —
(a) in a case where any of the conditions in paragraphs 1 to 4 of
Schedule 2 is met, or
(b) in such other cases as may be prescribed by the Council of
Ministers by order.
(3) The data controller must within 21 days of receiving a notice under
subsection (1) (“the data subject notice”) give the individual who gave it
a written notice —
(a) stating that he has complied or intends to comply with the data
subject notice, or
(b) stating his reasons for regarding the data subject notice as to any
extent unjustified and the extent (if any) to which he has complied
or intends to comply with it.
(4) If the High Court is satisfied, on the application of any person who has
given a notice under subsection (1) which appears to the court to be
justified (or to be justified to any extent), that the data controller in
question has failed to comply with the notice, the court may order him to
take such steps for complying with the notice (or for complying with it to
that extent) as the court thinks fit.
(5) The failure by a data subject to exercise the right conferred by
subsection (1) or section 9(1) does not affect any other right conferred on
him by this Part.
9 Right to prevent processing for purposes of direct marketing

[P1998/29/11]
(1) An individual is entitled at any time by notice in writing to a data
controller to require the data controller at the end of such period as is
reasonable in the circumstances to cease, or not to begin, processing for
the purposes of direct marketing personal data in respect of which he is
the data subject.
(2) If the High Court is satisfied, on the application of any person who has
given a notice under subsection (1), that the data controller has failed to
comply with the notice, the court may order him to take such steps for
complying with the notice as the court thinks fit.
(3) In this section “direct marketing” means the communication (by
whatever means) of any advertising or marketing material which is
directed to particular individuals.
10 Rights in relation to automated decision-taking

[P1998/29/12]
(1) An individual is entitled at any time, by notice in writing to any data
controller, to require the data controller to ensure that no decision taken
by or on behalf of the data controller which significantly affects that
individual is based solely on the processing by automatic means of
personal data in respect of which that individual is the data subject for
the purpose of evaluating matters relating to him such as, for example,
his performance at work, his creditworthiness, his reliability or his
conduct.
(2) Where, in a case where no notice under subsection (1) has effect, a
decision which significantly affects an individual is based solely on such
processing as is mentioned in subsection (1) —
(a) the data controller must as soon as reasonably practicable notify
the individual that the decision was taken on that basis, and
(b) the individual is entitled, within 21 days of receiving that
notification from the data controller, by notice in writing to
require the data controller to reconsider the decision or to take a
new decision otherwise than on that basis.
(3) The data controller must, within 21 days of receiving a notice under
subsection (2)(b) (“the data subject notice”) give the individual a written
notice specifying the steps that he intends to take to comply with the
data subject notice.
(4) A notice under subsection (1) does not have effect in relation to an
exempt decision; and nothing in subsection (2) applies to an exempt
decision.
(5) In subsection (4) “exempt decision” means any decision —
(a) in respect of which the conditions in subsections (6) and (7) are
met, or
(b) which is made in such other circumstances as may be prescribed
by the Council of Ministers by order.
(6) The condition in this subsection is that the decision —
(a) is taken in the course of steps taken —
(i) for the purpose of considering whether to enter into a
contract with the data subject,
(ii) with a view to entering into such a contract, or
(iii) in the course of performing such a contract, or
(b) is authorised or required by or under any enactment.
(7) The condition in this subsection is that either —
(a) the effect of the decision is to grant a request of the data subject,
or
(b) steps have been taken to safeguard the legitimate interests of the
data subject (for example, by allowing him to make
representations).
(8) If the High Court is satisfied on the application of a data subject that a
person taking a decision in respect of him (“the responsible person”) has
failed to comply with subsection (1) or (2)(b), the court may order the
responsible person to reconsider the decision, or to take a new decision
which is not based solely on such processing as is mentioned in
subsection (1).
(9) An order under subsection (8) shall not affect the rights of any person
other than the data subject and the responsible person.
11 Compensation for failure to comply with certain requirements

[P1998/29/13]
(1) An individual who suffers damage by reason of any contravention by a
data controller of any of the requirements of this Act is entitled to
compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a
data controller of any of the requirements of this Act is entitled to
compensation from the data controller for that distress if —
(a) the individual also suffers damage by reason of the contravention,
or
(b) the contravention relates to the processing of personal data for the
special purposes, or
(c) the contravention consists of a failure to comply with a request
under section 5 in the circumstances specified in section 5(9)(b).
(3) In proceedings brought against a person by virtue of this section it is a
defence to prove that he had taken such care as in all the circumstances
was reasonably required to comply with the requirement concerned.
12 Rectification, blocking, erasure and destruction

[P1998/29/14]
(1) If the High Court is satisfied on the application of a data subject that
personal data of which the applicant is the subject are inaccurate, the
court may order the data controller to rectify, block, erase or destroy
those data and any other personal data in respect of which he is the data
controller and which contain an expression of opinion which appears to
the court to be based on the inaccurate data.
(2) Subsection (1) applies whether or not the data accurately record
information received or obtained by the data controller from the data
subject or a third party but where the data accurately record such
information, then —
(a) if the requirements mentioned in paragraph 15 of Schedule 1 have
been complied with, the High Court may, instead of making an
order under subsection (1), make an order requiring the data to be
supplemented by such statement of the true facts relating to the
matters dealt with by the data as the court may approve, and
(b) if all or any of those requirements have not been complied with,
the High Court may, instead of making an order under that
subsection, make such order as it thinks fit for securing
compliance with those requirements with or without a further
order requiring the data to be supplemented by such a statement
as is mentioned in paragraph (a).
(3) Where the High Court —
(a) makes an order under subsection (1), or
(b) is satisfied on the application of a data subject that personal data
of which he was the data subject and which have been rectified,
blocked, erased or destroyed were inaccurate,
it may, where it considers it reasonably practicable, order the data
controller to notify third parties to whom the data have been disclosed of
the rectification, blocking, erasure or destruction.
(4) If the High Court is satisfied on the application of a data subject —
(a) that he has suffered damage by reason of any contravention by a
data controller of any of the requirements of this Act in respect of
any personal data, in circumstances entitling him to compensation
under section 11, and
(b) that there is a substantial risk of further contravention in respect
of those data in such circumstances,
the court may order the rectification, blocking, erasure or destruction of
any of those data.
(5) Where the court makes an order under subsection (4) it may, where it
considers it reasonably practicable, order the data controller to notify
third parties to whom the data have been disclosed of the rectification,
blocking, erasure or destruction.
(6) In determining whether it is reasonably practicable to require such
notification as is mentioned in subsection (3) or (5) the court shall have
regard, in particular, to the number of persons who would have to be
notified.
PART 3 NOTIFICATION BY DATA CONTROLLERS

13 Preliminary

[P1998/29/16]
(1) In this Part “the registrable particulars”, in relation to a data controller,
means —
(a) his name and address,
(b) if he has nominated a representative for the purposes of this Act,
the name and address of the representative,
(c) a description of the personal data being or to be processed by or
on behalf of the data controller and of the category or categories
of data subject to which they relate,
(d) a description of the purpose or purposes for which the data are
being or are to be processed,
(e) a description of any recipient or recipients to whom the data
controller intends or may wish to disclose the data, and
(f) the names, or a description of, any countries or territories outside
the Island to which the data controller directly or indirectly
transfers, or intends or may wish directly or indirectly to transfer,
the data.
(2) In this Part —
“fees regulations” means regulations made by the Treasury under section 15(5)
or 16(4) or (7);
“notification regulations” means regulations made by the Council of Ministers
under the other provisions of this Part;
“prescribed”, except where used in relation to fees regulations, means
prescribed by notification regulations.
(3) For the purposes of this Part, so far as it relates to the addresses of data
controllers —
(a) the address of a registered company is that of its registered office,
and
(b) the address of a person (other than a registered company)
carrying on a business is that of his principal place of business in
the Island.
14 Prohibition on processing without registration

[P1998/29/17]
(1) Subject to the following provisions of this section, personal data must not
be processed unless an entry in respect of the data controller is included
in the register maintained by the Information Commissioner under
section 16 (or is treated by notification regulations made by virtue of
section 16(3) as being so included).12

(2) Except where the processing is assessable processing for the purposes of
section 19, subsection (1) does not apply in relation to personal data
consisting of information which falls within neither paragraph (a) nor
paragraph (b) of the definition of “data” in section 1(1).
(3) If it appears to the Council of Ministers that processing of a particular
description is unlikely to prejudice the rights and freedoms of data
subjects, notification regulations may provide that, in such cases as may
be prescribed, subsection (1) is not to apply in relation to processing of
that description.
(4) Subsection (1) does not apply in relation to any processing whose sole
purpose is the maintenance of a public register.
15 Notification by data controllers

[P1998/29/18]
(1) Any data controller who wishes to be included in the register maintained
under section 16 shall give a notification to the Information
Commissioner under this section.13

(2) A notification under this section must specify in accordance with
notification regulations —
(a) the registrable particulars, and
(b) a general description of measures to be taken for the purpose of
complying with the seventh data protection principle (measures
against misuse and loss of data).
(3) Notification regulations made by virtue of subsection (2) may provide for
the determination by the Information Commissioner, in accordance with
any requirements of the regulations, of the form in which the registrable
particulars and the description mentioned in subsection (2)(b) are to be
specified, including in particular the detail required for the purposes of
section 13(1)(c), (d), (e) and (f) and subsection (2)(b).14

(4) Notification regulations may make provision as to the giving of
notification —
(a) by partnerships, or
(b) in other cases where 2 or more persons are the data controllers in
respect of any personal data.
(5) The notification must be accompanied by such fee as may be prescribed
by fees regulations.
(6) Notification regulations may provide for any fee paid under
subsection (5) or section 16(4) to be refunded in prescribed
circumstances.
16 Register of notifications

[P1998/29/19]
(1) The Information Commissioner shall —
(a) maintain a register of persons who have given notification under
section 15, and
(b) make an entry in the register in pursuance of each notification
received by him under that section from a person in respect of
whom no entry as data controller was for the time being included
in the register.15

(2) Each entry in the register shall consist of —
(a) the registrable particulars notified under section 15 or, as the case
requires, those particulars as amended in pursuance of
section 17(4), and
(b) such other information as the Information Commissioner may be
authorised or required by notification regulations to include in the
register.16

(3) Notification regulations may make provision as to the time as from
which any entry in respect of a data controller is to be treated for the
purposes of section 14 as having been made in the register.
(4) No entry shall be retained in the register for more than the relevant time
except on payment of such fee as may be prescribed by fees regulations.
(5) In subsection (4) “the relevant time” means 12 months or such other
period as may be prescribed by notification regulations.
(6) The Information Commissioner —
(a) shall provide facilities for making the information contained in
the entries in the register available for inspection (in visible and
legible form) by members of the public at all reasonable hours and
free of charge, and
(b) may provide such other facilities for making the information
contained in those entries available to the public free of charge as
he considers appropriate.17

(7) The Information Commissioner shall, on payment of such fee, if any, as
may be prescribed by fees regulations, supply any member of the public
with a duly certified copy in writing of the particulars contained in any
entry made in the register.18

17 Duty to notify changes

[P1989/29/20]
(1) For the purpose specified in subsection (2), notification regulations shall
include provision imposing on every person in respect of whom an entry
as a data controller is for the time being included in the register
maintained under section 16 a duty to notify to the Information
Commissioner, in such circumstances and at such time or times and in
such form as may be prescribed, such matters relating to the registrable
particulars and measures taken as mentioned in section 15(2)(b) as may
be prescribed.19

(2) The purpose referred to in subsection (1) is that of ensuring, so far as
practicable, that at any time —
(a) the entries in the register maintained under section 16 contain
current names and addresses and describe the current practice or
intentions of the data controller with respect to the processing of
personal data, and
(b) the Information Commissioner is provided with a general
description of measures currently being taken as mentioned in
section 15(2)(b).20

(3) Section 15(3) has effect in relation to notification regulations made by
virtue of subsection (1) as it has effect in relation to notification
regulations made by virtue of section 15(2).
(4) On receiving any notification under notification regulations made by
virtue of subsection (1), the Information Commissioner shall make such
amendments of the relevant entry in the register maintained under
section 16 as are necessary to take account of the notification.21

18 Offences

[P1998/29/21]
(1) If section 14(1) is contravened, the data controller is guilty of an offence.
(2) Any person who fails to comply with the duty imposed by notification
regulations made by virtue of section 17(1) is guilty of an offence.
(3) It shall be a defence for a person charged with an offence under
subsection (2) to show that he exercised all due diligence to comply with
the duty.
19 Preliminary assessment by Information Commissioner
22

[P1998/29/22]
(1) In this section “assessable processing” means processing which is of a
description specified in an order made by the Council of Ministers as
appearing to it to be particularly likely —
(a) to cause substantial damage or substantial distress to data
subjects, or
(b) otherwise significantly to prejudice the rights and freedoms of
data subjects.
(2) On receiving notification from any data controller under section 15 or
under notification regulations made by virtue of section 17 the
Information Commissioner shall consider —
(a) whether any of the processing to which the notification relates is
assessable processing, and
(b) if so, whether the assessable processing is likely to comply with
the provisions of this Act.23

(3) Subject to subsection (4), the Information Commissioner shall, within the
period of 28 days beginning with the day on which he receives a
notification which relates to assessable processing, give a notice to the
data controller stating the extent to which the Information Commissioner
is of the opinion that the processing is likely or unlikely to comply with
the provisions of this Act.24

(4) Before the end of the period referred to in subsection (3) the Information
Commissioner may, by reason of special circumstances, extend that
period on one occasion only by notice to the data controller by such
further period not exceeding 14 days as the Information Commissioner
may specify in the notice.25

(5) No assessable processing in respect of which a notification has been
given to the Information Commissioner as mentioned in subsection (2)
shall be carried on unless either —
(a) the period of 28 days beginning with the day on which the
notification is received by the Information Commissioner (or, in a
case falling within subsection (4), that period as extended under
that subsection) has elapsed, or26

(b) before the end of that period (or that period as so extended) the
data controller has received a notice from the Information
Commissioner under subsection (3) in respect of the processing.27
28

(6) Where subsection (5) is contravened, the data controller is guilty of an
offence.
(7) The Council of Ministers may by order amend subsections (3), (4) and (5)
by substituting for the number of days for the time being specified there
a different number specified in the order.
20 Reference of notification to Tribunal

(1) If it appears to the Information Commissioner that any processing of
personal data by a data controller in accordance with registrable
particulars notified under section 15 or under notification regulations
made by virtue of section 17 would contravene any of the data protection
principles, he may refer the notification to the Tribunal, specifying the
data protection principle or principles which the Information
Commissioner considers would be contravened and his reasons for
doing so.29

(2) In deciding whether to make a reference under this section, the
Information Commissioner shall consider whether the processing in
question has caused or is likely to cause any person damage or distress.30

(3) Where on a reference under this section the Tribunal is satisfied that the
processing in question would contravene any of the data protection
principles, it may direct the Information Commissioner —
(a) to cancel the relevant entry in the register, or
(b) to vary that entry to such extent as the Tribunal considers
appropriate to avoid or prevent any such contravention.31

(4) Schedule 6 shall have effect in relation to references under this section
and the proceedings of the Tribunal in respect of any such reference.
(5) Any party to a reference under this section may appeal from the decision
of the Tribunal on a point of law to the High Court.
21 Power to make provision for appointment of data supervisors

[P1998/29/23]
(1) The Council of Ministers may by order —
(a) make provision under which a data controller may appoint a
person to act as a data supervisor responsible in particular for
monitoring in an independent manner the data controller’s
compliance with the provisions of this Act, and
(b) provide that, in relation to any data controller who has appointed
a data supervisor in accordance with the provisions of the order
and who complies with such conditions as may be specified in the
order, the provisions of this Part are to have effect subject to such
exemptions or other modifications as may be specified in the
order.
(2) An order under this section may —
(a) impose duties on data supervisors in relation to the Information
Commissioner, and32

(b) confer functions on the Information Commissioner in relation to
data supervisors.33

22 Duty of certain data controllers to make certain information available

[P1998/29/24]
(1) Subject to subsection (3), where personal data are processed in a case
where —
(a) by virtue of section 14(2) or (3), section 14(1) does not apply to the
processing, and
(b) the data controller has not notified the relevant particulars in
respect of that processing under section 15,
the data controller must, within 21 days of receiving a written request
from any person, make the relevant particulars available to that person
in writing free of charge.
(2) In this section “the relevant particulars” means the particulars referred to
in paragraphs (a) to (f) of section 13(1).
(3) This section has effect subject to any exemption conferred for the
purposes of this section by notification regulations.
(4) Any data controller who fails to comply with the duty imposed by
subsection (1) is guilty of an offence.
(5) It shall be a defence for a person charged with an offence under
subsection (4) to show that he exercised all due diligence to comply with
the duty.
PART 4 EXEMPTIONS

23 Preliminary

[P1998/29/27]
(1) References in any of the data protection principles or any provision of
Parts 2 and 3 to personal data or to the processing of personal data do
not include references to data or processing which by virtue of this Part
are exempt from that principle or other provision.
(2) In this Part “the subject information provisions” means —
(a) the first data protection principle (fair and lawful processing) to
the extent to which it requires compliance with paragraph 10 of
Schedule 1, and
(b) section 5.
(3) In this Part “the non-disclosure provisions” means the provisions
specified in subsection (4) to the extent to which they are inconsistent
with the disclosure in question.
(4) The provisions referred to in subsection (3) are —
(a) the first data protection principle (fair and lawful processing),
except to the extent to which it requires compliance with the
conditions in Schedules 2 and 3,
(b) the second data protection principle (purpose for which data are
obtained and processed),
(c) the third data protection principle (adequacy and relevance of
data),
(d) the fourth data protection principle (accuracy of data),
(e) the fifth data protection principle (time for keeping data), and
(f) sections 8 and 12(1) to (3).
(5) Except as provided by this Part, the subject information provisions shall
have effect notwithstanding any statutory provision or rule of law
prohibiting or restricting the disclosure, or authorising the withholding,
of information.
24 National security

[P1998/29/28]
(1) Personal data are exempt from any of the provisions of —
(a) the data protection principles,
(b) Parts 2, 3 and 5, and
(c) section 50,
if the exemption from that provision is required for the purpose of
safeguarding national security.
(2) Subject to subsection (4), a certificate signed by the Chief Minister
certifying that exemption from all or any of the provisions mentioned in
subsection (1) is or at any time was required for the purpose there
mentioned in respect of any personal data shall be conclusive evidence of
that fact.
(3) A certificate under subsection (2) may identify the personal data to
which it applies by means of a general description and may be expressed
to have prospective effect.
(4) Any person directly affected by the issuing of a certificate under
subsection (2) may appeal to the Tribunal against the certificate.
(5) If on an appeal under subsection (4), the Tribunal finds that, applying the
principles applied by the High Court on a petition of doleance, the Chief
Minister did not have reasonable grounds for issuing the certificate, the
Tribunal may allow the appeal and quash the certificate.34

(6) Where in any proceedings under or by virtue of this Act it is claimed by a
data controller that a certificate under subsection (2) which identifies the
personal data to which it applies by means of a general description
applies to any personal data, then, subject to any determination under
subsection (7), the certificate shall be conclusively presumed so to apply.
(7) Any other party to proceedings referred to in subsection (6) may appeal
to the Tribunal on the ground that the certificate does not apply to the
personal data in question, and the Tribunal may determine that the
certificate does not so apply.
(8) A document purporting to be a certificate under subsection (2) shall be
received in evidence and deemed to be such a certificate unless the
contrary is proved.
(9) No power conferred by any provision of Part 5 may be exercised in
relation to personal data which by virtue of this section are exempt from
that provision.
(10) Schedule 6 shall have effect in relation to appeals under subsection (4) or
(7) and the proceedings of the Tribunal in respect of any such appeal.
25 Crime and taxation

[P1998/29/29]
(1) Personal data processed for any of the following purposes —
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of any tax or duty or of any
imposition of a similar nature,
are exempt from the first data protection principle (fair and lawful
processing) (except to the extent to which it requires compliance with the
conditions in Schedules 2 and 3) and section 5 in any case to the extent to
which the application of those provisions to the data would be likely to
prejudice any of the matters mentioned in this subsection.
(2) Personal data which —
(a) are processed for the purpose of discharging statutory functions,
and
(b) consist of information obtained for such a purpose from a person
who had it in his possession for any of the purposes mentioned in
subsection (1),
are exempt from the subject information provisions to the same extent as
personal data processed for any of the purposes mentioned in that
subsection.
(3) Personal data are exempt from the non-disclosure provisions in any case
in which —
(a) the disclosure is for any of the purposes mentioned in
subsection (1), and
(b) the application of those provisions in relation to the disclosure
would be likely to prejudice any of the matters mentioned in that
subsection.
(4) Personal data in respect of which the data controller is a relevant
authority and which —
(a) consist of a classification applied to the data subject as part of a
system of risk assessment which is operated by that authority for
either of the following purposes —
(i) the assessment or collection of any tax or duty or any
imposition of a similar nature, or
(ii) the prevention or detection of crime, or apprehension or
prosecution of offenders, where the offence concerned
involves any unlawful claim for any payment out of, or
any unlawful application of, public funds, and
(b) are processed for either of those purposes,
are exempt from section 5 to the extent to which the exemption is
required in the interests of the operation of the system.
(5) In subsection (4) “relevant authority” means a Department, Statutory
Board, local authority or joint board.
26 Health, education and social work

[P1998/29/30]
(1) The Council of Ministers may by order exempt from the subject
information provisions, or modify those provisions in relation to,
personal data consisting of information as to the physical or mental
health or condition of the data subject.
(2) The Council of Ministers may by order exempt from the subject
information provisions, or modify those provisions in relation to
personal data —
(a) in respect of which the data controller is the proprietor of, or a
teacher at, a school or college, and which consist of information
relating to persons who are or have been pupils at the school or
college; or
(b) in respect of which the data controller is the Department of
Education and Children, and which consist of information
relating to persons who are or have been pupils at a school or
college maintained by that Department.35

(3) The Council of Ministers may by order exempt from the subject
information provisions, or modify those provisions in relation to,
personal data of such other descriptions as may be specified in the order,
being information —
(a) processed by the Department of Health and Social Care or by
voluntary organisations or other bodies designated by or under
the order, and36

(b) appearing to it to be processed in the course of, or for the
purposes of, carrying out social work in relation to the data
subject or other individuals;
but the Council of Ministers shall not under this subsection confer any
exemption or make any modification except so far as it considers that the
application to the data of those provisions (or of those provisions
without modification) would be likely to prejudice the carrying out of
social work.
27 Regulatory activity

[P1998/29/31]
(1) Personal data processed for the purposes of discharging functions to
which this subsection applies are exempt from the subject information
provisions in any case to the extent to which the application of those
provisions to the data would be likely to prejudice the proper discharge
of those functions.
(2) Subsection (1) applies to any relevant function which is designed for —
(a) protecting members of the public against —
(i) financial loss due to dishonesty, malpractice or other
seriously improper conduct by, or the unfitness or
incompetence of, persons concerned in the provision of
banking, insurance, investment or other financial services
or in the management of bodies corporate,
(ii) financial loss due to the conduct of discharged or
undischarged bankrupts, or
(iii) dishonesty, malpractice or other seriously improper
conduct by, or the unfitness or incompetence of, persons
authorised to carry on any profession or other activity,
(b) protecting charities against misconduct or mismanagement
(whether by trustees or other persons) in their administration,
protecting the property of charities from loss or misapplication, or
the recovery of the property of charities,
(c) securing the health, safety and welfare of persons at work, or
protecting persons other than persons at work against risk to
health or safety arising out of or in connection with the actions of
persons at work.
(3) In subsection (2) “relevant function” means —
(a) any function conferred on any person by or under any statutory
provision, or
(b) any other function which is of a public nature and is exercised in
the public interest.
(4) Personal data processed for the purpose of discharging any function of
the Isle of Man Office of Fair Trading under the Fair Trading Act 1996 are
exempt from the subject information provisions in any case to the extent
to which the application of those provisions to the data would be likely
to prejudice the proper discharge of that function.
(5) Personal data processed for the purpose of considering a complaint
under section 26 of the Social Services Act 2011 are exempt from the
subject information provisions in any case to the extent to which the
application of those provisions to the data would be likely to prejudice
the proper discharge of that function.37

28 Journalism, literature and art

[P1998/29/32]
(1) Personal data which are processed only for the special purposes are
exempt from any provision to which this subsection relates if —
(a) the processing is undertaken with a view to the publication by
any person of any journalistic, literary or artistic material,
(b) the data controller reasonably believes that, having regard in
particular to the special importance of the public interest in
freedom of expression, publication would be in the public
interest, and
(c) the data controller reasonably believes that, in all the
circumstances, compliance with that provision is incompatible
with the special purposes.
(2) Subsection (1) relates to the provisions of —
(a) the data protection principles except the seventh data protection
principle (measures against misuse and loss of data),
(b) section 5,
(c) section 8,
(d) section 10, and
(e) section 12(1) to (3).
(3) In considering for the purposes of subsection (1)(b) whether the belief of
a data controller that publication would be in the public interest was or is
a reasonable one, regard may be had to his compliance with any code of
practice which —
(a) is relevant to the publication in question, and
(b) is designated by the Council of Ministers by order for the
purposes of this subsection.
(4) Where at any time (“the relevant time”) in any proceedings against a
data controller under section 5(9), 8(4), 10(8) or 12 or by virtue of
section 11 the data controller claims, or it appears to the High Court, that
any personal data to which the proceedings relate are being processed —
(a) only for the special purposes, and
(b) with a view to the publication by any person of any journalistic,
literary or artistic material which, at the time 24 hours
immediately before the relevant time, had not previously been
published by the data controller,
the court shall stay the proceedings until either of the conditions in
subsection (5) is met.
(5) Those conditions are —
(a) that a determination of the Information Commissioner under
section 41 with respect to the data in question takes effect, or38

(b) in a case where the proceedings were stayed on the making of a
claim, that the claim is withdrawn.
(6) For the purposes of this Act “publish”, in relation to journalistic, literary
or artistic material, means make available to the public or any section of
the public.
29 Research, history and statistics

[P1998/29/33]
(1) In this section —
“research purposes” includes statistical or historical purposes;
“the relevant conditions”, in relation to any processing of personal data, means
the conditions —
(a) that the data are not processed to support measures or decisions
with respect to particular individuals, and
(b) that the data are not processed in such a way that substantial
damage or substantial distress is, or is likely to be, caused to any
data subject.
(2) For the purposes of the second data protection principle (purpose for
which data are obtained and processed), the further processing of
personal data only for research purposes in compliance with the relevant
conditions is not to be regarded as incompatible with the purposes for
which they were obtained.
(3) Personal data which are processed only for research purposes in
compliance with the relevant conditions may, notwithstanding the fifth
data protection principle (time for keeping data), be kept indefinitely.
(4) Personal data which are processed only for research purposes are exempt
from section 5 if —
(a) they are processed in compliance with the relevant conditions,
and
(b) the results of the research or any resulting statistics are not made
available in a form which identifies data subjects or any of them.
(5) For the purposes of subsections (2) to (4) personal data are not to be
treated as processed otherwise than for research purposes merely
because the data are disclosed —
(a) to any person, for research purposes only,
(b) to the data subject or a person acting on his behalf,
(c) at the request, or with the consent, of the data subject or a person
acting on his behalf, or
(d) in circumstances in which the person making the disclosure has
reasonable grounds for believing that the disclosure falls within
paragraph (a), (b) or (c).
29A Manual data held by public authorities

(1) Personal data falling within paragraph (e) of the definition of “data” in
section 1(1) are exempt from —
(a) the first, second, third, fifth, seventh and eighth data protection
principles;
(b) the sixth data protection principle except so far as it relates to the
rights conferred on data subjects by sections 5 and 12;
(c) sections 8 to 10;
(d) section 11, except so far as it relates to damage caused by a
contravention of section 5 or of the fourth data protection
principle and to any distress that is also suffered by reason of that
contravention;
(e) Part 3; and
(f) section 50.
(2) Personal data that fall within paragraph (e) of the definition of “data” in
section 1(1) and relate to appointments or removals, pay, discipline,
superannuation or other personnel matters, in relation to —
(a) service in any office or employment under the Crown or under
any public authority; or
(b) service in any office or employment, or under any contract for
services, in respect of which power to take action, or to determine
or approve the action taken, in such matters is vested in the
Lieutenant Governor, any Minister or any public authority,
are also exempt from the remaining data protection principles and the
remaining provisions of Part 2.39

30 Information available to the public by or under statutory provision

[P1998/29/34]
Personal data are exempt from —
(a) the subject information provisions,
(b) the fourth data protection principle (accuracy of data) and
section 12(1) to (3), and
(c) the non-disclosure provisions,
if the data consist of information which the data controller is obliged by or
under any statutory provision (other than the Freedom of Information Act 2015 or
an enactment under that Act) to make available to the public, whether by
publishing it, by making it available for inspection, or otherwise and whether
gratuitously or on payment of a fee.40

31 Disclosures required by law or made in connection with legal proceedings etc.

[P1998/29/35]
(1) Personal data are exempt from the non-disclosure provisions where the
disclosure is required by or under any statutory provision, by any rule of
law or by the order of a court.
(2) Personal data are exempt from the non-disclosure provisions where the
disclosure is necessary —
(a) for the purpose of, or in connection with, any legal proceedings
(including prospective legal proceedings), or
(b) for the purpose of obtaining legal advice,
or is otherwise necessary for the purposes of establishing, exercising or
defending legal rights.
32 Tynwald privilege

[P1998/29/35A, P2000/36/6/2]
Personal data are exempt from —
(a) the first data protection principle, except to the extent to which it
requires compliance with the conditions in Schedules 2 and 3,
(b) the second, third, fourth and fifth data protection principles,
(c) section 5, and
(d) sections 8 and 12(1) to (3),
if the exemption is required for the purpose of avoiding an infringement of the
privileges of Tynwald, the Council or the Keys.
33 Domestic purposes

[P1998/29/36]
Personal data processed by an individual only for the purposes of that
individual’s personal, family or household affairs (including recreational
purposes) are exempt from the data protection principles and the provisions of
Parts 2 and 3.
34 Miscellaneous exemptions

[P1998/29/37]
Schedule 7 (which confers further miscellaneous exemptions) has effect.
35 Powers to make further exemptions by order

[P1998/29/38]
(1) The Council of Ministers may by order exempt from the subject
information provisions personal data consisting of information the
disclosure of which is prohibited or restricted by or under any statutory
provision if and to the extent that it considers it necessary for the
safeguarding of the interests of the data subject or the rights and
freedoms of any other individual that the prohibition or restriction ought
to prevail over those provisions.
(2) The Council of Ministers may by order exempt from the non-disclosure
provisions any disclosures of personal data made in circumstances
specified in the order, if it considers the exemption is necessary for the
safeguarding of the interests of the data subject or the rights and
freedoms of any other individual.
PART 5 ENFORCEMENT

36 Enforcement notices

[P1998/29/40]
(1) If the Information Commissioner is satisfied that a data controller has
contravened or is contravening any of the data protection principles, the
Information Commissioner may serve him with a notice (an
“enforcement notice”) requiring him, for complying with the principle or
principles in question, to do either or both of the following —
(a) to take within such time as may be specified in the notice, or to
refrain from taking after such time as may be so specified, such
steps as are so specified, or
(b) to refrain from processing any personal data, or any personal data
of a description specified in the notice, or to refrain from
processing them for a purpose so specified or in a manner so
specified, after such time as may be so specified.41

(2) In deciding whether to serve an enforcement notice, the Information
Commissioner shall consider whether the contravention has caused or is
likely to cause any person damage or distress.42

(3) An enforcement notice in respect of a contravention of the fourth data
protection principle (accuracy of data) which requires the data controller
to rectify, block, erase or destroy any inaccurate data may also require
the data controller to rectify, block, erase or destroy any other data held
by him and containing an expression of opinion which appears to the
Information Commissioner to be based on the inaccurate data.43

(4) An enforcement notice in respect of a contravention of the fourth data
protection principle, in the case of data which accurately record
information received or obtained by the data controller from the data
subject or a third party, may require the data controller either —
(a) to rectify, block, erase or destroy any inaccurate data and any
other data held by him and containing an expression of opinion as
mentioned in subsection (3), or
(b) to take such steps as are specified in the notice for securing
compliance with the requirements specified in paragraph 15 of
Schedule 1 and, if the Information Commissioner thinks fit, for
supplementing the data with such statement of the true facts
relating to the matters dealt with by the data as the Information
Commissioner may approve.44

(5) Where —
(a) an enforcement notice requires the data controller to rectify, block,
erase or destroy any personal data, or
(b) the Information Commissioner is satisfied that personal data
which have been rectified, blocked, erased or destroyed had been
processed in contravention of any of the data protection
principles,45

an enforcement notice may, if reasonably practicable, require the data
controller to notify third parties to whom the data have been disclosed of
the rectification, blocking, erasure or destruction; and in determining
whether it is reasonably practicable to require such notification regard
shall be had, in particular, to the number of persons who would have to
be notified.
(6) An enforcement notice must contain —
(a) a statement of the data protection principle or principles which
the Information Commissioner is satisfied have been or are being
contravened and his reasons for reaching that conclusion, and46

(b) particulars of the rights of appeal conferred by section 44.
(7) Subject to subsection (8), an enforcement notice must not require any of
the provisions of the notice to be complied with before the end of the
period within which an appeal can be brought against the notice and, if
such an appeal is brought, the notice need not be complied with pending
the determination or withdrawal of the appeal.
(8) If by reason of special circumstances the Information Commissioner
considers that an enforcement notice should be complied with as a
matter of urgency he may include in the notice a statement to that effect
and a statement of his reasons for reaching that conclusion; and in that
event subsection (7) shall not apply but the notice must not require the
provisions of the notice to be complied with before the end of the period
of 7 days beginning with the day on which the notice is served.47

(9) Notification regulations (as defined in section 13(2)) may make provision
as to the effect of the service of an enforcement notice on any entry in the
register maintained under section 16 which relates to the person on
whom the notice is served.
(10) This section has effect subject to section 42(1).
37 Cancellation of enforcement notice

[P1998/29/41]
(1) If the Information Commissioner considers that all or any of the
provisions of an enforcement notice need not be complied with in order
to ensure compliance with the data protection principle or principles to
which it relates, he may cancel or vary the notice by written notice to the
person on whom it was served.48

(2) A person on whom an enforcement notice has been served may, at any
time after the expiry of the period during which an appeal can be
brought against that notice, apply in writing to the Information
Commissioner for the cancellation or variation of that notice on the
ground that, by reason of a change of circumstances, all or any of the
provisions of that notice need not be complied with in order to ensure
compliance with the data protection principle or principles to which that
notice relates.49

38 Request for assessment

[P1998/29/42]
(1) A request may be made to the Information Commissioner by or on behalf
of any person who is, or believes himself to be, directly affected by any
processing of personal data for an assessment as to whether it is likely or
unlikely that the processing has been or is being carried out in
compliance with the provisions of this Act.50

(2) On receiving a request under this section, the Information Commissioner
shall make an assessment in such manner as appears to him to be
appropriate, unless he has not been supplied with such information as he
may reasonably require in order to —
(a) satisfy himself as to the identity of the person making the request,
and
(b) enable him to identify the processing in question.51

(3) The matters to which the Information Commissioner may have regard in
determining in what manner it is appropriate to make an assessment
include —
(a) the extent to which the request appears to him to raise a matter of
substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make
an application under section 5 in respect of the personal data in
question.52

(4) Where the Information Commissioner has received a request under this
section he shall notify the person who made the request —
(a) whether he has made an assessment as a result of the request, and
(b) to the extent that he considers appropriate, having regard in
particular to any exemption from section 5 applying in relation to
the personal data concerned, of any view formed or action taken
as a result of the request.53

39 Information notices

[P1998/29/43]
(1) If the Information Commissioner —
(a) has received a request under section 38 in respect of any
processing of personal data, or
(b) reasonably requires any information for the purpose of
determining whether the data controller has complied or is
complying with the data protection principles,
he may serve the data controller with a notice (an “information notice”)
requiring the data controller, within such time as is specified in the
notice, to furnish the Information Commissioner, in such form as may be
so specified, with such information relating to the request or to
compliance with the principles as is so specified.54

(2) An information notice must contain —
(a) in a case falling within subsection (1)(a), a statement that the
Information Commissioner has received a request under
section 38 in relation to the specified processing, or55

(b) in a case falling within subsection (1)(b), a statement that the
Information Commissioner regards the specified information as
relevant for the purpose of determining whether the data
controller has complied, or is complying, with the data protection
principles and his reasons for regarding it as relevant for that
purpose.56

(3) An information notice must also contain particulars of the rights of
appeal conferred by section 44.
(4) Subject to subsection (5), the time specified in an information notice shall
not expire before the end of the period within which an appeal can be
brought against the notice and, if such an appeal is brought, the
information need not be furnished pending the determination or
withdrawal of the appeal.
(5) If by reason of special circumstances the Information Commissioner
considers that the information is required as a matter of urgency, he may
include in the notice a statement to that effect and a statement of his
reasons for reaching that conclusion; and in that event subsection (4)
shall not apply, but the notice shall not require the information to be
furnished before the end of the period of 7 days beginning with the day
on which the notice is served.57

(6) A person shall not be required by virtue of this section to furnish the
Information Commissioner with any information in respect of —
(a) any communication between an advocate and his client in
connection with the giving of legal advice to the client with
respect to his obligations, liabilities or rights under this Act, or
(b) any communication between an advocate and his client, or
between an advocate or his client and any other person, made in
connection with or in contemplation of proceedings under or
arising out of this Act (including proceedings before the Tribunal)
and for the purposes of such proceedings.58

(7) In subsection (6) references to the client of an advocate include references
to any person representing such a client.
(8) A person shall not be required by virtue of this section to furnish the
Information Commissioner with any information if the furnishing of that
information would, by revealing evidence of the commission of any
offence other than an offence under this Act, expose him to proceedings
for that offence.59

(9) The Information Commissioner may cancel an information notice by
written notice to the person on whom it was served.60

(10) This section has effect subject to section 42(3).
40 Special information notices

[P1998/29/44]
(1) If the Information Commissioner —
(a) has received a request under section 38 in respect of any
processing of personal data, or
(b) has reasonable grounds for suspecting that, in a case in which
proceedings have been stayed under section 28, the personal data
to which the proceedings relate —
(i) are not being processed only for the special purposes, or
(ii) are not being processed with a view to the publication by
any person of any journalistic, literary or artistic material
which has not previously been published by the data
controller,
he may serve the data controller with a notice (a “special
information notice”) requiring the data controller, within such
time as is specified in the notice, to furnish the Information
Commissioner, in such form as may be so specified, with such
information as is so specified for the purpose specified in
subsection (2).61

(2) That purpose is the purpose of ascertaining —
(a) whether the personal data are being processed only for the special
purposes, or
(b) whether they are being processed with a view to the publication
by any person of any journalistic, literary or artistic material
which has not previously been published by the data controller.
(3) A special information notice must contain —
(a) in a case falling within subsection (1)(a), a statement that the
Information Commissioner has received a request under
section 38 in relation to the specified processing, or62

(b) in a case falling within subsection (1)(b), a statement of the
Information Commissioner’s grounds for suspecting that the
personal data are not being processed as mentioned in
subsection (1)(b).63

(4) A special information notice must also contain particulars of the rights of
appeal conferred by section 44.
(5) Subject to subsection (6), the time specified in a special information
notice shall not expire before the end of the period within which an
appeal can be brought against the notice and, if such an appeal is
brought, the information need not be furnished pending the
determination or withdrawal of the appeal.
(6) If by reason of special circumstances the Information Commissioner
considers that the information is required as a matter of urgency, he may
include in the notice a statement to that effect and a statement of his
reasons for reaching that conclusion; and in that event subsection (5)
shall not apply, but the notice shall not require the information to be
furnished before the end of the period of 7 days beginning with the day
on which the notice is served.64

(7) A person shall not be required by virtue of this section to furnish the
Information Commissioner with any information in respect of —
(a) any communication between an advocate and his client in
connection with the giving of legal advice to the client with
respect to his obligations, liabilities or rights under this Act, or
(b) any communication between an advocate and his client, or
between an advocate or his client and any other person, made in
connection with or in contemplation of proceedings under or
arising out of this Act (including proceedings before the Tribunal)
and for the purposes of such proceedings.65

(8) In subsection (7) references to the client of an advocate include references
to any person representing such a client.
(9) A person shall not be required by virtue of this section to furnish the
Information Commissioner with any information if the furnishing of that
information would, by revealing evidence of the commission of any
offence other than an offence under this Act, expose him to proceedings
for that offence.66

(10) The Information Commissioner may cancel a special information notice
by written notice to the person on whom it was served.67

41 Determination by Information Commissioner as to the special purposes68

[P1998/29/45]
(1) Where at any time it appears to the Information Commissioner (whether
as a result of the service of a special information notice or otherwise) that
any personal data —
(a) are not being processed only for the special purposes, or
(b) are not being processed with a view to the publication by any
person of any journalistic, literary or artistic material which has
not previously been published by the data controller,
he may make a determination in writing to that effect.69

(2) Notice of the determination shall be given to the data controller; and the
notice must contain particulars of the right of appeal conferred by
section 44.
(3) A determination under subsection (1) shall not take effect until the end of
the period within which an appeal can be brought and, where an appeal
is brought, shall not take effect pending the determination or withdrawal
of the appeal.
42 Restriction on enforcement in case of processing for the special purposes

[P1998/29/46]
(1) The Information Commissioner may not at any time serve an
enforcement notice on a data controller with respect to the processing of
personal data for the special purposes unless —
(a) a determination under section 41(1) with respect to those data has
taken effect, and
(b) the High Court has granted leave for the notice to be served.70

(2) The High Court shall not grant leave for the purposes of subsection (1)(b)
unless it is satisfied —
(a) that the Information Commissioner has reason to suspect a
contravention of the data protection principles which is of
substantial public importance, and71

(b) except where the case is one of urgency, that the data controller
has been given notice, in accordance with rules of court, of the
application for leave.
(3) The Information Commissioner may not serve an information notice on a
data controller with respect to the processing of personal data for the
special purposes unless a determination under section 41(1) with respect
to those data has taken effect.72

43 Failure to comply with notice

[P1998/29/47]
(1) A person who fails to comply with an enforcement notice, an information
notice or a special information notice is guilty of an offence.
(2) A person who, in purported compliance with an information notice or a
special information notice —
(a) makes a statement which he knows to be false in a material
respect, or
(b) recklessly makes a statement which is false in a material respect,
is guilty of an offence.
(3) It is a defence for a person charged with an offence under subsection (1)
to prove that he exercised all due diligence to comply with the notice in
question.
44 Rights of appeal

[P1998/29/48]
(1) A person on whom an enforcement notice, an information notice or a
special information notice has been served may appeal to the Tribunal
against the notice.
(2) A person on whom an enforcement notice has been served may appeal to
the Tribunal against the refusal of an application under section 37(2) for
cancellation or variation of the notice.
(3) Where an enforcement notice, an information notice or a special
information notice contains a statement by the Information
Commissioner in accordance with section 36(8), 39(5) or 40(6) then,
whether or not the person appeals against the notice, he may appeal
against —
(a) the Information Commissioner’s decision to include the statement
in the notice, or73

(b) the effect of the inclusion of the statement as respects any part of
the notice.74

(4) A data controller in respect of whom a determination has been made
under section 41 may appeal to the Tribunal against the determination.
(5) Schedule 6 has effect in relation to appeals under this section and the
proceedings of the Tribunal in respect of any such appeal.
45 Determination of appeals

[P1998/29/49]
(1) If on an appeal under section 44(1) the Tribunal considers —
(a) that the notice against which the appeal is brought is not in
accordance with the law, or
(b) to the extent that the notice involved an exercise of discretion by
the Information Commissioner, that he ought to have exercised
his discretion differently,75

the Tribunal shall allow the appeal or substitute such other notice or
decision as could have been served or made by the Information
Commissioner; and in any other case the Tribunal shall dismiss the
appeal.76

(2) On such an appeal, the Tribunal may review any determination of fact on
which the notice in question was based.
(3) If on an appeal under section 44(2) the Tribunal considers that the
enforcement notice ought to be cancelled or varied by reason of a change
in circumstances, the Tribunal shall cancel or vary the notice.
(4) On an appeal under section 44(3) the Tribunal may direct —
(a) that the notice in question shall have effect as if it did not contain
any such statement as is mentioned in section 44(3), or
(b) that the inclusion of the statement shall not have effect in relation
to any part of the notice,
and may make such modifications in the notice as may be required for
giving effect to the direction.
(5) On an appeal under section 44(4), the Tribunal may cancel the
determination of the Information Commissioner.77

(6) Any party to an appeal to the Tribunal under section 44 may appeal from
the decision of the Tribunal on a point of law to the High Court.
46 Powers of entry and inspection

[P1998/29/50]
Schedule 8 (powers of entry and inspection) has effect.
PART 6 MISCELLANEOUS AND GENERAL

Functions of Information Commissioner78

47 General duties of Information Commissioner79

[P1998/29/51]
(1) It is the duty of the Information Commissioner to promote the following
of good practice by data controllers and, in particular, so to perform his
functions under this Act as to promote the observance of the
requirements of this Act by data controllers.80

(2) The Information Commissioner shall arrange for the dissemination in
such form and manner as he considers appropriate of such information
as it may appear to him expedient to give to the public about the
operation of this Act, about good practice, and about other matters
within the scope of his functions under this Act, and may give advice to
any person as to any of those matters.81

(3) Where —
(a) the Council of Ministers so directs, or
(b) the Information Commissioner considers it appropriate to do so,82

the Information Commissioner shall, after such consultation with trade
associations, data subjects or persons representing data subjects as
appears to him to be appropriate, prepare and disseminate to such
persons as he considers appropriate codes of practice for guidance as to
good practice.83

(4) The Information Commissioner shall also —
(a) where he considers it appropriate to do so, encourage trade
associations to prepare, and to disseminate to their members, such
codes of practice, and
(b) where any trade association submits a code of practice to him for
his consideration, consider the code and, after such consultation
with data subjects or persons representing data subjects as
appears to him to be appropriate, notify the trade association
whether in his opinion the code promotes the following of good
practice.84

(5) A direction under subsection (3)(a) shall describe the personal data or
processing to which the code of practice is to relate, and may also
describe the persons or classes of persons to whom it is to relate.
(6) The Information Commissioner shall arrange for the dissemination in
such form and manner as he considers appropriate of such other
information as it may appear to him to be expedient to give to data
controllers in relation to any personal data about the protection of the
rights and freedoms of data subjects in relation to the processing of
personal data in countries and territories outside the Island.85

(7) The Information Commissioner may, with the consent of the data
controller, assess any processing of personal data for the following of
good practice and shall inform the data controller of the results of the
assessment.86

(8) The Information Commissioner may charge such sums as he may with
the consent of the Treasury determine for any services provided by him
by virtue of this Part.87

(9) In this section —
“good practice” means such practice in the processing of personal data as
appears to the Information Commissioner to be desirable having regard
to the interests of data subjects and others, and includes (but is not
limited to) compliance with the requirements of this Act;88

“trade association” includes any body representing data controllers.
48 Reports and codes of practice to be laid before Tynwald

[P1998/29/52]
(1) The Information Commissioner shall lay annually before Tynwald a
general report on the exercise of his functions under this Act.89

(2) The Information Commissioner may from time to time lay before
Tynwald such other reports with respect to those functions as he thinks
fit.90

(3) The Information Commissioner shall lay before Tynwald any code of
practice prepared under section 47(3), unless the code is included in any
report laid under subsection (1) or (2).91

49 International co-operation

[P1998/29/54]
(1) The Information Commissioner shall continue to be the designated
authority in the Island for the purposes of Article 13 of the Convention.92

(2) The Council of Ministers may by order make provision as to the
functions to be discharged by the Information Commissioner as the
designated authority in the Island for the purposes of Article 13 of the
Convention.93

(3) The Council of Ministers may by order make provision as to co-operation
by the Information Commissioner with supervisory authorities in
countries and territories outside the Island in connection with the
performance of their data protection functions and, in particular, as to —
(a) the exchange of information with such authorities, and
(b) the exercise within the Island at the request of such an authority,
in cases excluded by section 3 from the application of the other
provisions of this Act, of functions of the Information
Commissioner specified in the order.94
95

(4) The Information Commissioner shall also carry out any data protection
functions which the Council of Ministers may by order direct him to
carry out for the purpose of giving effect to any international obligations
of the United Kingdom which extend to the Island.96

(5) In this section “data protection functions” means functions relating to the
protection of individuals with respect to the processing of personal
information.
Unlawful obtaining etc. of personal data
50 Unlawful obtaining etc. of personal data

[P1998/29/55]
(1) A person shall not knowingly or recklessly, without the consent of the
data controller —
(a) obtain or disclose personal data or the information contained in
personal data, or
(b) procure the disclosure to another person of the information
contained in personal data.
(2) Subsection (1) does not apply to a person who shows —
(a) that the obtaining, disclosing or procuring —
(i) was necessary for the purpose of preventing or detecting
crime, or
(ii) was required or authorised by or under any statutory
provision, by any rule of law or by the order of a court,
(b) that he acted in the reasonable belief that he had in law the right
to obtain or disclose the data or information or, as the case may
be, to procure the disclosure of the information to the other
person,
(c) that he acted in the reasonable belief that he would have had the
consent of the data controller if the data controller had known of
the obtaining, disclosing or procuring and the circumstances of it,
or
(d) that in the particular circumstances the obtaining, disclosing or
procuring was justified as being in the public interest.
(3) A person who contravenes subsection (1) is guilty of an offence.
(4) A person who sells personal data is guilty of an offence if he has
obtained the data in contravention of subsection (1).
(5) A person who offers to sell personal data is guilty of an offence if —
(a) he has obtained the data in contravention of subsection (1), or
(b) he subsequently obtains the data in contravention of that
subsection.
(6) For the purposes of subsection (5), an advertisement indicating that
personal data are or may be for sale is an offer to sell the data.
(7) Section 1(2) does not apply for the purposes of this section; and for the
purposes of subsections (4) to (6), “personal data” includes information
extracted from personal data.
(8) References in this section to personal data do not include references to
personal data which by virtue of section 24 or 29A are exempt from this
section.97

Records obtained under data subject’s right of access
51 Prohibition of requirement as to production of certain records

[P1998/29/56]
(1) A person must not, in connection with —
(a) the recruitment of another person as an employee,
(b) the continued employment of another person, or
(c) any contract for the provision of services to him by another
person,
require that other person or a third party to supply him with a relevant
record or to produce a relevant record to him.
(2) A person concerned with the provision (for payment or not) of goods,
facilities or services to the public or a section of the public must not, as a
condition of providing or offering to provide any goods, facilities or
services to another person, require that other person or a third party to
supply him with a relevant record or to produce a relevant record to him.
(3) Subsections (1) and (2) do not apply to a person who shows —
(a) that the imposition of the requirement was required or authorised
by or under any statutory provision, by any rule of law or by the
order of a court, or
(b) that in the particular circumstances the imposition of the
requirement was justified as being in the public interest.
(4) A person who contravenes subsection (1) or (2) is guilty of an offence.
(5) In this section “a relevant record” means any record which —
(a) has been or is to be obtained by a data subject from any data
controller specified in the first column of the table below in the
exercise of the right conferred by section 5, and
(b) contains information relating to any matter specified in relation to
that data controller in the second column,
and includes a copy of such a record or a part of such a record.

| Data controller | Subject matter |
|---|---|
| The Chief Constable | (a) Convictions. (b) Cautions. |
| The Department of Home Affairs | (a) Convictions. (b) Cautions. (c) Its functions under the Custody Act 1995 in relation to any person in custody. |
| The Treasury | Its functions under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992 or the Jobseekers Act 1995 (Acts of Parliament) [see SD505/94, SD506/94 and SD8/96] as they have effect in the Island.98 |

(6) In the table in subsection (5) —
“caution” means a caution given to any person in the Island in respect of an
offence which, at the time when the caution is given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders Act 2001.
(6A) A record is not a relevant record to the extent that it relates, or is to
relate, only to personal data falling within paragraph (e) of the definition
of “data” in section 1(1).99

(7) The Council of Ministers may by order amend —
(a) the table in subsection (5), and
(b) subsection (6).
(8) For the purposes of this section a record which states that a data
controller is not processing any personal data relating to a particular
matter shall be taken to be a record containing information relating to
that matter.
(9) In this section “employee” means an individual who —
(a) works under a contract of employment, as defined by section 88
of the Employment Act 1991, or
(b) holds any office,
whether or not he is entitled to remuneration; and “employment” shall
be construed accordingly.100

52 Avoidance of certain contractual terms relating to health records

[P1998/29/57]
(1) Any term or condition of a contract is void in so far as it purports to
require an individual —
(a) to supply any other person with a record to which this section
applies, or with a copy of such a record or a part of such a record,
or
(b) to produce to any other person such a record, copy or part.
(2) This section applies to any record which —
(a) has been or is to be obtained by a data subject in the exercise of
the right conferred by section 5, and
(b) consists of the information contained in any health record.
Information provided to Information Commissioner or Tribunal101

53 Disclosure of information

[P1998/29/58]
No statutory provision or rule of law prohibiting or restricting the disclosure of
information shall preclude a person from furnishing the Information
Commissioner or the Tribunal with any information necessary for the discharge
of their functions under this Act.102

54 [Repealed]
103

General provisions relating to offences
55 Prosecutions and penalties

[P1998/29/60]
(1) No proceedings for an offence under this Act shall be instituted except
by the Information Commissioner or by or with the consent of the
Attorney General.104

(2) A person guilty of an offence under any provision of this Act other than
paragraph 12 of Schedule 8 is liable —
(a) on summary conviction, to a fine not exceeding £5,000, or
(b) on conviction on information, to a fine.
(3) A person guilty of an offence under paragraph 12 of Schedule 8 is liable
on summary conviction to a fine not exceeding £5,000.
(4) Subject to subsection (5), the court by or before which a person is
convicted of —
(a) an offence under section 18(1), 19(6), 50 or 51,
(b) an offence under section 18(2) relating to processing which is
assessable processing for the purposes of section 19, or
(c) an offence under section 43(1) relating to an enforcement notice,
may order any document or other material used in connection with the
processing of personal data and appearing to the court to be connected
with the commission of the offence to be forfeited, destroyed or erased.
(5) The court shall not make an order under subsection (4) in relation to any
material where a person (other than the offender) claiming to be the
owner of or otherwise interested in the material applies to be heard by
the court, unless an opportunity is given to him to show cause why the
order should not be made.
56 Liability of directors etc.

[P1998/29/61]
(1) Where an offence under this Act has been committed by a body
corporate and is proved to have been committed with the consent or
connivance of or to be attributable to any neglect on the part of any
director, manager, secretary or similar officer of the body corporate or
any person who was purporting to act in any such capacity, he as well as
the body corporate shall be guilty of that offence and be liable to be
proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by its members
subsection (1) shall apply in relation to the acts and defaults of a member
in connection with his functions of management as if he were a director
of the body corporate.
Supply and inspection of copies of public registers
57 Registers of electors etc.

The Jury Act 1980 [is] amended in accordance with Schedule 9.105

General
58 Application to Government

[1986/31/37]
(1) Except as provided in subsection (2), a Department, a Statutory Board
and an office of the Government shall be subject to the same obligations
and liabilities under this Act as a private person; and for the purposes of
this Act —
(a) an employee of the Public Services Commission acting under the
direction of any Department or Statutory Board shall be treated as
an employee of that Department or Board;106

(b) such employee shall be treated as an employee of the Treasury.107

(2) For the purposes of this Act a member of the Isle of Man Constabulary
shall be treated as an employee of the Chief Constable.
59 Application to Tynwald

[P1998/29/63A, P2000/36/6/3]
(1) Subject to the following provisions of this section and to section 32, this
Act applies to the processing of personal data by or on behalf of
Tynwald, the Council or the Keys as it applies to the processing of
personal data by other persons.
(2) Where the purposes for which and the manner in which any personal
data are, or are to be, processed are determined by or on behalf of
Tynwald, the Council or the Keys, the data controller in respect of those
data for the purposes of this Act shall be the Clerk of Tynwald, the Clerk
of the Council or the Secretary of the Keys, as the case may be.
60 Service of notices by Information Commissioner
108

[P1998/29/65]
(1) Any notice authorised or required by this Act to be served on or given to
any person by the Information Commissioner may —
(a) if that person is an individual, be served on him —
(i) by delivering it to him, or
(ii) by sending it to him by post addressed to him at his usual
or last-known place of residence or business, or
(iii) by leaving it for him at that place;
(b) if that person is a body corporate or unincorporate, be served on
that body —
(i) by sending it by post to the proper officer of the body at its
principal office, or
(ii) by addressing it to the proper officer of the body and
leaving it at that office.109

(2) In subsection (1)(b) “principal office”, in relation to a registered
company, means its registered office and “proper officer”, in relation to
any body, means the secretary or other executive officer charged with the
conduct of its general affairs.
(3) This section is without prejudice to any other lawful method of serving
or giving a notice.
61 Orders, rules and regulations

[P1998/29/67]
(1) Orders, rules and regulations made by the Council of Ministers or any
Department (other than an order under section 67(2)) shall not have
effect unless they are approved by Tynwald.
(2) Before making any order or regulations under this Act (other than an
order under section 67(2)), the Council of Ministers or the Department
concerned, as the case may be, shall consult the Information
Commissioner.110

62 Interpretation

[P1998/29/68-70]
(1) In this Act —
“accessible record” means —
(a) a health record,
(b) an educational record, or
(c) any record which is kept by an authority specified in the
following table and is a record of information of a description
specified in that table in relation to that authority —

| Authority | Accessible information |
|---|---|
| The Department of Infrastructure111; A local authority; A joint board | Information held for any purpose of the relationship of landlord and tenant of a dwelling which subsists, has subsisted or may subsist between the authority and any individual who is, has been or, as the case may be, has applied to be, a tenant of the authority |
| The Department of Health and Social Care | Information held for the purpose of any past, current or proposed exercise by the authority with respect to functions under — (a) the Social Services Act 2011;112 (b) the Adoption Act 1984; (c) the Children and Young Persons Act 2001;113 |

“business” includes any trade or profession;
“civil servant” means a member of the Isle of Man Civil Service;
“college” has the same meaning as in the Education Act 2001;
“the Convention” means the Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data which was opened for
signature on 28th January 1981;114

“credit reference agency” means a person carrying on a business comprising
the furnishing of persons with information relevant to the financial
standing of individuals and collected by that person for that purpose;
“the Data Protection Directive” means Directive 95/46/EC on the protection of
individuals with regard to the processing of personal data and on the
free movement of such data;115

“educational record” means any record of information which —
(a) relates to any person who is or has been a pupil at a school or
college maintained by the Department of Education and
Children,116

(b) is processed by or on behalf of that Department or the governing
body of, or a teacher at, that school or college, and
(c) originated from or was supplied by or on behalf of any of the
following —
(i) an employee of the Department of Education and
Children,117

(ii) in the case of a maintained school (within the meaning of
the Education Act 2001), a teacher or other employee at the
school,
(iii) the pupil to whom the record relates, and
(iv) a parent (within the meaning of the Education Act 2001) of
that pupil;
other than information which is processed by a teacher solely for
the teacher’s own use;
“fees regulations” has the meaning given by section 13(2);
“health professional” has the same meaning as in the Access to Health Records
and Reports Act 1993;
“health record” means any record which —
(a) consists of information relating to the physical or mental health or
condition of an individual, and
(b) has been made by or on behalf of a health professional in
connection with the care of that individual;
“Information Commissioner” means the Isle of Man Information
Commissioner appointed under section 52 of the Freedom of Information
Act 2015;118

“notification regulations” has the meaning given by section 13(2);
“public register” means any register which pursuant to a requirement
imposed —
(a) by or under any statutory provision, or
(b) in pursuance of any international agreement,
is open to public inspection or open to inspection by any person having a
legitimate interest;
“pupil”, in relation to a school, means a registered pupil within the meaning of
the Education Act 2001,
“recipient”, in relation to any personal data, means any person to whom the
data are disclosed, including any person (such as an employee or agent
of the data controller, a data processor or an employee or agent of a data
processor) to whom they are disclosed in the course of processing the
data for the data controller, but does not include any person to whom
disclosure is or may be made as a result of, or with a view to, a particular
inquiry by or on behalf of that person made in the exercise of any power
conferred by law;
“registered company” means a company registered under the Companies Act
1931;
“school” has the same meaning as in the Education Act 2001;
“statutory provision” includes a statutory provision made after this Act;
“the Supervisor” [Repealed]119

“third party”, in relation to personal data, means any person other than —
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for
the data controller or processor;
“the Tribunal” means the Isle of Man Data Protection Tribunal.
(2) For the purposes of this Act data are inaccurate if they are incorrect or
misleading as to any matter of fact.
(3) In construing any provision of this Act any court or tribunal shall have
regard to any provision of the Convention or of the Data Protection
Directive which appears to the court or tribunal to be relevant.
63 Index of defined expressions
120

[P1998/29/71]
The following table shows provisions defining or otherwise explaining
expressions used in this Act (other than provisions defining or explaining an
expression only used in the same section or Schedule) —
accessible record section 62(1)
address (in Part 3) section 13(3)
business section 62(1)
civil servant section 62(1)
college section 62(1)
the Convention section 62(1)
credit reference agency section 62(1)
data section 1(1)
data controller sections 1(1) and (4)
data processor section 1(1)
the Data Protection Directive section 62(1)
data protection principles section 2 and Schedule 1
data subject section 1(1)
disclosing (of personal data) section 1(2)(b)
enforcement notice section 36(1)
fees regulations (in Part 3) section 13(2)
health professional section 62(1)
held section 1(1)
inaccurate (in relation to data) section 62(2)
Information Commissioner section 62(1)
information notice section 39(1)
the non-disclosure provisions (in Part 4) section 23(3)
notification regulations (in Part 3) section 13(2)
obtaining (of personal data) section 1(2)(a)
personal data section 1(1)
prescribed (in Part 3) section 13(2)
processing (of information or data) section 1(1)
public authority section 1(1)
public register section 62(1)
publish (in relation to journalistic, literary or artistic material) section 28(6)
pupil (in relation to a school) section 62(1)
recipient (in relation to personal data) section 62(1)
recording (of personal data) section 1(2)(a)
registered company section 62(1)
registrable particulars (in Part 3) section 13(1)
relevant filing system section 1(1)
school section 62(1)
sensitive personal data section 1(1)
special information notice section 40(1)
the special purposes section 1(1)
statutory provision section 62(1)
the subject information provisions (in Part 4) section 23(2)
third party (in relation to processing of personal data) section 62(1)
the Tribunal section 62(1)
using (of personal data) section 1(2)(b)
64 Transitional exemptions and modifications

[P1998/29/39 and 72]
(1) Part 1 of Schedule 10 (which confers transitional exemptions) has effect.
(2) During the period beginning with the commencement of Part 2 and
ending on 23rd October 2007, the provisions of this Act shall have effect
subject to the modifications set out in Part 2 of Schedule 10.
65 Transitional provisions and savings

[P1998/29/73]
Schedule 11 (which contains transitional provisions and savings) has effect.
66 Minor and consequential amendments etc

[P1998/29/74]
(1) The enactments specified in Schedule 12 are amended in accordance with
that Schedule.
(2) The enactments specified in Schedule 13 are repealed to the extent
specified in column 3 of that Schedule.
67 Short title and commencement

(1) This Act may be cited as the Data Protection Act 2002.
(2) This Act, except the following provisions —
(a) section 1,
(b) sections 61 to 63,
(c) this section,
(d) paragraph 18 of Schedule 11, and
(e) so much of any other provision of this Act as confers any power to
make orders, rules or regulations,
shall come into operation on such day or days as the Council of Ministers
may by order appoint.121

Schedule 1

THE DATA PROTECTION PRINCIPLES

Section 2(1) and (2)
PART 1 THE PRINCIPLES

The first principle: fair and lawful processing
1. Personal data shall be processed fairly and lawfully and, in particular, shall not
be processed unless —
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions
in Schedule 3 is also met.
The second principle: purpose for which data are obtained and processed
2. Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with that
purpose or those purposes.
The third principle: adequacy and relevance of data
3. Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are processed.
The fourth principle: accuracy of data
4. Personal data shall be accurate and, where necessary, kept up to date.
The fifth principle: time for keeping data
5. Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.
The sixth principle: rights of data subjects
6. Personal data shall be processed in accordance with the rights of data subjects
under this Act.
The seventh principle: measures against misuse and loss of data
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data.
The eighth principle: transfer of data abroad
8. Personal data shall not be transferred to a country or territory outside the Island
unless that country or territory ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the processing of personal data.
PART 2 INTERPRETATION OF THE PRINCIPLES IN PART 1

The first principle (fair and lawful processing)
9. (1) In determining for the purposes of the first principle whether personal
data are processed fairly, regard is to be had to the method by which they are obtained,
including in particular whether any person from whom they are obtained is deceived
or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 10, for the purposes of the first principle data are to
be treated as obtained fairly if they consist of information obtained from a person
who —
(a) is authorised by or under any statutory provision to supply it, or
(b) is required to supply it by or under any statutory provision or by
any convention or other instrument imposing an international
obligation on the United Kingdom and extending to the Island.
10. (1) Subject to paragraph 11, for the purposes of the first principle personal
data are not to be treated as processed fairly unless —
(a) in the case of data obtained from the data subject, the data
controller ensures so far as practicable that the data subject has, is
provided with, or has made readily available to him, the
information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable
that, before the relevant time or as soon as practicable after that
time, the data subject has, is provided with, or has made readily
available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1)(b) “the relevant time” means —
(a) the time when the data controller first processes the data, or
(b) in a case where at that time disclosure to a third party within a
reasonable period is envisaged —
(i) if the data are in fact disclosed to such a person within that
period, the time when the data are first disclosed,
(ii) if within that period the data controller becomes, or ought
to become, aware that the data are unlikely to be disclosed
to such a person within that period, the time when the data
controller does become, or ought to become, so aware, or
(iii) in any other case, the end of that period.
(3) The information referred to in sub-paragraph (1) is as follows, namely —
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act,
the identity of that representative,
(c) the purpose or purposes for which the data are intended to be
processed, and
(d) any further information which is necessary, having regard to the
specific circumstances in which the data are or are to be
processed, to enable processing in respect of the data subject to be
fair.
11. (1) Paragraph 10(1)(b) does not apply where either of the primary conditions
in sub-paragraph (2), together with such of the further conditions in sub-paragraphs (3)
to (7) as are relevant, are met.
(2) The primary conditions referred to in sub-paragraph (1) are —
(a) that the provision of that information would involve a
disproportionate effort, or
(b) that the recording of the information to be contained in the data
by, or the disclosure of the data by, the data controller is necessary
for compliance with any legal obligation to which the data
controller is subject, other than an obligation imposed by contract.
(3) Where either of the primary conditions in sub-paragraph (2) is met, a
further condition is that set out in sub-paragraph (6).
(4) Where the primary condition in sub-paragraph (2)(a) is met, a further
condition is that the data controller shall record the reasons for his view that that
primary condition is met in respect of the data.
(5) Where the primary condition in sub-paragraph (2)(b) is met by virtue of
the fact that the recording of the information to be contained in the data by, or the
disclosure of the data by, the data controller —
(a) is not a function conferred on him by or under any statutory
provision or an obligation imposed on him by order of a court,
but
(b) is necessary for compliance with any legal obligation to which the
data controller is subject, other than an obligation imposed by
contract,
a further condition is that set out in sub-paragraph (6).
(6) The condition referred to in sub-paragraphs (3) to (5) is that, in respect of
any particular data subject, either —
(a) no notice in writing has been received at any time by the data
controller from an individual, requiring that data controller to
provide the information set out in paragraph 10(3) before the
relevant time (as defined in paragraph 10(2)) or as soon as
practicable after that time; or
(b) where such notice in writing has been received but the data
controller does not have sufficient information about the
individual in order readily to determine whether he is processing
personal data about that individual, the data controller shall send
to the individual a written notice stating that he cannot provide
the information set out in paragraph 10(3) because of his inability
to make that determination, and explaining the reasons for that
inability.
(7) The requirement in sub-paragraph (6) that notice should be in writing is
satisfied where the text of the notice —
(a) is transmitted by electronic means,
(b) is received in legible form, and
(c) is capable of being used for subsequent reference.
(8) The Council of Ministers may by order amend sub-paragraphs (1) to (7).
12. (1) Personal data which contain a general identifier falling within a
description prescribed by the Council of Ministers by order are not to be treated as
processed fairly and lawfully unless they are processed in compliance with any
conditions so prescribed in relation to general identifiers of that description.
(2) In sub-paragraph (1) “a general identifier” means any identifier (such as,
for example, a number or code used for identification purposes) which —
(a) relates to an individual, and
(b) forms part of a set of similar identifiers which is of general
application.
The second principle (purpose for which data are obtained and processed)
13. The purpose or purposes for which personal data are obtained may in particular
be specified —
(a) in a notice given for the purposes of paragraph 10 by the data
controller to the data subject, or
(b) in a notification given to the Information Commissioner under
Part 3 of this Act.122

14. In determining whether any disclosure of personal data is compatible with the
purpose or purposes for which the data were obtained, regard is to be had to the
purpose or purposes for which the personal data are intended to be processed by any
person to whom they are disclosed.
The fourth principle (accuracy of data)
15. The fourth principle is not to be regarded as being contravened by reason of any
inaccuracy in personal data which accurately record information obtained by the data
controller from the data subject or a third party in a case where —
(a) having regard to the purpose or purposes for which the data were
obtained and further processed, the data controller has taken
reasonable steps to ensure the accuracy of the data, and
(b) if the data subject has notified the data controller of the data
subject’s view that the data are inaccurate, the data indicate that
fact.
The sixth principle (rights of data subjects)
16. A person is to be regarded as contravening the sixth principle if, but only if —
(a) he contravenes section 5 by failing to supply information in
accordance with that section,
(b) he contravenes section 8 by failing to comply with a notice given
under section 8(1) to the extent that the notice is justified or by
failing to give a notice under section 8(3),
(c) he contravenes section 9 by failing to comply with a notice given
under section 9(1), or
(d) he contravenes section 10 by failing to comply with a notice given
under section 10(1) or (2)(b) or by failing to give a notification
under section 10(2)(a) or a notice under section 10(3).
The seventh principle (measures against misuse and loss of data)
17. Having regard to the state of technological development and the cost of
implementing any measures, the measures must ensure a level of security
appropriate to —
(a) the harm that might result from such unauthorised or unlawful
processing or accidental loss, destruction or damage as are
mentioned in the seventh principle, and
(b) the nature of the data to be protected.
18. The data controller must take reasonable steps to ensure the reliability of any
employees of his who have access to the personal data.
19. Where processing of personal data is carried out by a data processor on behalf
of a data controller, the data controller must in order to comply with the seventh
principle —
(a) choose a data processor providing sufficient guarantees in respect
of the technical and organisational security measures governing
the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
20. Where processing of personal data is carried out by a data processor on behalf
of a data controller, the data controller is not to be regarded as complying with the
seventh principle unless —
(a) the processing is carried out under a contract —
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on
instructions from the data controller, and
(b) the contract requires the data processor to comply with
obligations equivalent to those imposed on a data controller by
the seventh principle.
The eighth principle (transfer of data abroad)
21. An adequate level of protection is one which is adequate in all the
circumstances of the case, having regard in particular to —
(a) the nature of the personal data,
(b) the country or territory of origin of the information contained in
the data,
(c) the country or territory of final destination of that information,
(d) the purposes for which and period during which the data are
intended to be processed,
(e) the law in force in the country or territory in question,
(f) the international obligations of that country or territory,
(g) any relevant codes of conduct or other rules which are enforceable
in that country or territory (whether generally or by arrangement
in particular cases), and
(h) any security measures taken in respect of the data in that country
or territory.
22. The eighth principle does not apply to a transfer falling within any paragraph of
Schedule 4, except in such circumstances and to such extent as the Council of Ministers
may by order provide.
23. (1) Where in any proceedings under this Act any question arises as to
whether the requirement of the eighth principle as to an adequate level of protection is
met in relation to the transfer of any personal data to a country or territory within the
European Economic Area, it shall be conclusively presumed that that requirement is
met in relation to that transfer.
(2) Where —
(a) in any proceedings under this Act any question arises as to
whether the requirement of the eighth principle as to an adequate
level of protection is met in relation to the transfer of any personal
data to a country or territory outside the European Economic
Area, and
(b) a Community finding has been made in relation to transfers of the
kind in question,
that question is to be determined in accordance with that finding.
(3) In sub-paragraph (2) “Community finding” means a finding of the
European Commission, under the procedure provided for in Article 31(2) of the Data
Protection Directive, that a country or territory outside the European Economic Area
does, or does not, ensure an adequate level of protection within the meaning of Article
25(2) of the Directive.

Schedule 2

CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE:

PROCESSING OF ANY PERSONAL DATA

Section 2(3)
1. The data subject has given his consent to the processing.
2. The processing is necessary —
(a) for the performance of a contract to which the data subject is a
party, or
(b) for the taking of steps at the request of the data subject with a
view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which
the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data
subject.
5. The processing is necessary —
(a) for the administration of justice,
(b) for the exercise of any functions of Tynwald, the Council or the
Keys;
(c) for the exercise of any functions conferred on any person by or
under any statutory provision,
(d) for the exercise of any functions of the Crown, a Department or a
Statutory Board, or
(e) for the exercise of any other functions of a public nature exercised
in the public interest by any person.
6. (1) The processing is necessary for the purposes of legitimate interests
pursued by the data controller or by the third party or parties to whom the data are
disclosed, except where the processing is unwarranted in any particular case by reason
of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Council of Ministers may by order specify particular circumstances
in which this condition is, or is not, to be taken to be satisfied.

Schedule 3

CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE:

PROCESSING OF SENSITIVE PERSONAL DATA

Section 2(3)
1. The data subject has given his explicit consent to the processing of the personal
data.
2. (1) The processing is necessary for the purposes of exercising or performing
any right or obligation which is conferred or imposed by law on the data controller in
connection with employment.
(2) The Council of Ministers may by order —
(a) exclude the application of sub-paragraph (1) in such cases as may
be specified, or
(b) provide that, in such cases as may be specified, the condition in
sub-paragraph (1) is not to be regarded as satisfied unless such
further conditions as may be specified in the order are also
satisfied.
3. The processing is necessary —
(a) in order to protect the vital interests of the data subject or another
person, in a case where —
(i) consent cannot be given by or on behalf of the data subject,
or
(ii) the data controller cannot reasonably be expected to obtain
the consent of the data subject, or
(b) in order to protect the vital interests of another person, in a case
where consent by or on behalf of the data subject has been
unreasonably withheld.
4. The processing —
(a) is carried out in the course of its legitimate activities by any body
or association which —
(i) is not established or conducted for profit, and
(ii) exists for political, philosophical, religious or trade-union
purposes,
(b) is carried out with appropriate safeguards for the rights and
freedoms of data subjects,
(c) relates only to individuals who either are members of the body or
association or have regular contact with it in connection with its
purposes, and
(d) does not involve disclosure of the personal data to a third party
without the consent of the data subject.
5. The information contained in the personal data has been made public as a result
of steps deliberately taken by the data subject.
6. The processing —
(a) is necessary for the purpose of, or in connection with, any legal
proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising
or defending legal rights.
7. (1) The processing is necessary —
(a) for the administration of justice,
(b) for the exercise of any functions of Tynwald, the Council or the
Keys;
(c) for the exercise of any functions conferred on any person by or
under any statutory provision, or
(d) for the exercise of any functions of the Crown, a Department or a
Statutory Board.
(2) The Council of Ministers may by order —
(a) exclude the application of sub-paragraph (1) in such cases as may
be specified, or
(b) provide that, in such cases as may be specified, the condition in
sub-paragraph (1) is not to be regarded as satisfied unless such
further conditions as may be specified in the order are also
satisfied.
8. (1) The processing is necessary for medical purposes and is
undertaken by —
(a) a health professional, or
(b) a person who in the circumstances owes a duty of confidentiality
which is equivalent to that which would arise if that person were
a health professional.
(2) In this paragraph “medical purposes” includes the purposes of
preventive medicine, medical diagnosis, medical research, the provision of care and
treatment and the management of healthcare services.
9. (1) The processing —
(a) is of sensitive personal data consisting of information as to racial
or ethnic origin,
(b) is necessary for the purpose of identifying or keeping under
review the existence or absence of equality of opportunity or
treatment between persons of different racial or ethnic origins,
with a view to enabling such equality to be promoted or
maintained, and
(c) is carried out with appropriate safeguards for the rights and
freedoms of data subjects.
(2) The Council of Ministers may by order specify circumstances in which
processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the
purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the
rights and freedoms of data subjects.
10. (1) The processing —
(a) is in the substantial public interest;
(b) is necessary for the purposes of the prevention or detection of any
unlawful act; and
(c) must necessarily be carried out without the explicit consent of the
data subject being sought so as not to prejudice those purposes.
(2) In this paragraph, “act” includes a failure to act.
11. The processing —
(a) is in the substantial public interest;
(b) is necessary for the discharge of any function which is designed
for protecting members of the public against —
(i) dishonesty, malpractice, or other seriously improper
conduct by, or the unfitness or incompetence of, any
person, or
(ii) mismanagement in the administration of, or failures in
services provided by, any body or association; and
(c) must necessarily be carried out without the explicit consent of the
data subject being sought so as not to prejudice the discharge of
that function.
12. (1) The disclosure of personal data —
(a) is in the substantial public interest;
(b) is in connection with —
(i) the commission by any person of any unlawful act
(whether alleged or established),
(ii) dishonesty, malpractice, or other seriously improper
conduct by, or the unfitness or incompetence of, any
person (whether alleged or established), or
(iii) mismanagement in the administration of, or failures in
services provided by, any body or association (whether
alleged or established);
(c) is for the special purposes as defined in section 1(1); and
(d) is made with a view to the publication of those data by any person
and the data controller reasonably believes that such publication
would be in the public interest.
(2) In this paragraph, “act” includes a failure to act.
13. The processing —
(a) is in the substantial public interest;
(b) is necessary for the discharge of any function which is designed
for the provision of confidential counselling, advice, support or
any other service; and
(c) is carried out without the explicit consent of the data subject
because the processing —
(i) is necessary in a case where consent cannot be given by the
data subject,
(ii) is necessary in a case where the data controller cannot
reasonably be expected to obtain the explicit consent of the
data subject, or
(iii) must necessarily be carried out without the explicit consent
of the data subject being sought so as not to prejudice the
provision of that counselling, advice, support or other
service.
14. (1) The processing —
(a) is necessary for the purpose of —
(i) carrying on insurance business, or
(ii) making determinations in connection with eligibility for,
and benefits payable under, an occupational pension
scheme as defined in section 1 of the Pension Schemes Act
1993 (an Act of Parliament), as it has effect in the Island;123

(b) is of sensitive personal data consisting of information as to the
physical or mental health or condition of a data subject who is the
parent, grandparent, great grandparent or sibling of the insured
person or the member of the scheme, as the case may be;
(c) is necessary in a case where the data controller cannot reasonably
be expected to obtain the explicit consent of that data subject and
the data controller is not aware of the data subject withholding his
consent; and
(d) does not support measures or decisions with respect to that data
subject.
(2) In this paragraph —
(a) “insurance business” means insurance business, as defined in
section 54 of the Insurance Act 2008, falling within such classes as
are prescribed by the Council of Ministers by regulations, and124

(b) “insured” and “member” includes an individual who is seeking to
become an insured person or member of the scheme respectively.
15. The processing —
(a) is of sensitive personal data in relation to any particular data
subject that are subject to processing which was already under
way immediately before the commencement of this Schedule;
(b) is necessary for the purpose of —
(i) carrying on insurance business, as defined in section 54 of
the Insurance Act 2008, falling within such classes as are
prescribed by the Council of Ministers by regulations; or125

(ii) establishing or administering an occupational
pension scheme as defined in section 1 of the Pension
Schemes Act 1993 (an Act of Parliament), as it has effect in
the Island; and
(c) either —
(i) is necessary in a case where the data controller cannot
reasonably be expected to obtain the explicit consent of the
data subject and that data subject has not informed the
data controller that he does not so consent, or
(ii) must necessarily be carried out even without the explicit
consent of the data subject so as not to prejudice those
purposes.
16. (1) Subject to the provisions of sub-paragraph (2), the processing —
(a) is of sensitive personal data consisting of information falling
within paragraph (c) or (e) of the definition of that expression in
section 1(1);
(b) is necessary for the purpose of identifying or keeping under
review the existence or absence of equality of opportunity or
treatment between persons —
(i) holding different beliefs as described in paragraph (c) of
that definition, or
(ii) of different states of physical or mental health or different
physical or mental conditions as described in paragraph (e)
of that definition,
with a view to enabling such equality to be promoted or
maintained;
(c) does not support measures or decisions with respect to any
particular data subject otherwise than with the explicit consent of
that data subject; and
(d) does not cause, nor is likely to cause, substantial damage or
substantial distress to the data subject or any other person.
(2) Where any individual has given notice in writing to any data controller
who is processing personal data under the provisions of sub-paragraph (1) requiring
that data controller to cease processing personal data in respect of which that
individual is the data subject at the end of such period as is reasonable in the
circumstances, that data controller must have ceased processing those personal data at
the end of that period.
17. The processing —
(a) is in the substantial public interest;
(b) is necessary for research purposes (within the meaning of
section 29);
(c) does not support measures or decisions with respect to any
particular data subject otherwise than with the explicit consent of
that data subject; and
(d) does not cause, nor is likely to cause, substantial damage or
substantial distress to the data subject or any other person.
18. The processing is necessary for the exercise of any functions conferred on a
constable by any rule of law.
19. The personal data are processed in circumstances specified in an order made by
the Council of Ministers for the purposes of this paragraph.

Schedule 4

CASES WHERE THE EIGHTH PRINCIPLE DOES NOT APPLY

Section 2(3)
1. The data subject has given his consent to the transfer.
2. The transfer is necessary —
(a) for the performance of a contract between the data subject and the
data controller, or
(b) for the taking of steps at the request of the data subject with a
view to his entering into a contract with the data controller.
3. The transfer is necessary —
(a) for the conclusion of a contract between the data controller and a
person other than the data subject which —
(i) is entered into at the request of the data subject, or
(ii) is in the interests of the data subject, or
(b) for the performance of such a contract.
4. (1) The transfer is necessary for reasons of substantial public interest.
(2) The Council of Ministers may by order specify —
(a) circumstances in which a transfer is to be taken for the purposes
of sub-paragraph (1) to be necessary for reasons of substantial
public interest, and
(b) circumstances in which a transfer which is not required by or
under a statutory provision is not to be taken for the purpose of
sub-paragraph (1) to be necessary for reasons of substantial public
interest.
5. The transfer —
(a) is necessary for the purpose of, or in connection with, any legal
proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising
or defending legal rights.
6. The transfer is necessary in order to protect the vital interests of the data subject.
7. The transfer is of part of the personal data on a public register and any
conditions subject to which the register is open to inspection are complied with by any
person to whom the data are or may be disclosed after the transfer.
8. The transfer is made on terms which are of a kind approved by the Information
Commissioner as ensuring adequate safeguards for the rights and freedoms of data
subjects.126

9. The transfer has been authorised by the Information Commissioner as being
made in such a manner as to ensure adequate safeguards for the rights and freedoms
of data subjects.127

Schedule 5

THE TRIBUNAL
128

Section 4(6)
PART 1
129

PART 2
130

6. [Repealed]131

Staff
7. The Public Services Commission shall make such arrangements as they consider
appropriate for the provision of staff for the Tribunal.132

Schedule 6

APPEALS AND REFERENCES

Sections 20(4), 24(10) and 44(5)
Interpretation
1. In this Schedule —
“appeal” means an appeal under section 24 or 44;
“reference” means a reference under section 20.
Hearing of appeals
2. For the purpose of hearing and determining appeals or references or any matter
preliminary or incidental to an appeal or reference the Tribunal shall sit at such times
and in such places as the chairman or deputy chairman may direct.
Constitution of Tribunal
3. Subject to paragraph 4 and to any rules under paragraph 5, the Tribunal shall be
duly constituted for the purpose of any proceedings if it consists of —
(a) the chairman or deputy chairman (who shall preside), and
(b) one or more other members.
Ex parte proceedings
4. Subject to any rules under paragraph 5, the jurisdiction of the Tribunal in
respect of an appeal under section 24 may be exercised ex parte by the chairman or
deputy chairman sitting alone.
Rules of procedure
5. (1) The Council of Ministers may make rules for regulating the exercise of
the rights of appeal conferred by section 24(4) or (7) and section 44, references and the
practice and procedure of the Tribunal.
(2) Rules under this paragraph may in particular make provision —
(a) with respect to the period within which an appeal can be brought
or a reference made and the burden of proof on an appeal or
reference,
(b) for the summoning of witnesses and the administration of oaths,
(c) for securing the production of documents and material used for
the processing of personal data,
(d) for the inspection, examination, operation and testing of any
equipment or material used in connection with the processing of
personal data,
(e) for the hearing of an appeal or reference wholly or partly in
camera,
(f) for hearing an appeal in the absence of the appellant or for
determining an appeal without a hearing,
(g) for hearing a reference in the absence of the respondent or for
determining a reference without a hearing,
(h) for enabling an appeal under section 44(1) against an information
notice to be determined by the chairman or deputy chairman,
(i) for enabling any matter preliminary or incidental to an
appeal or reference to be dealt with by the chairman or
deputy chairman,
(j) for the awarding of costs,
(k) for the publication of reports of the Tribunal’s decisions, and
(l) for conferring on the Tribunal such ancillary powers as the
Council of Ministers thinks necessary for the proper discharge of
its functions.
(3) In making rules under this paragraph which relate to appeals under
section 24(4) or (7) the Council of Ministers shall have regard, in particular, to the need
to secure that information is not disclosed contrary to the public interest.
Obstruction etc.
6. (1) If any person is guilty of any act or omission in relation to proceedings
before the Tribunal which, if those proceedings were proceedings before the High
Court, would constitute contempt of court, the Tribunal may certify the matter to the
High Court.
(2) Where a matter is so certified, the High Court may inquire into it and,
after hearing any witness who may be produced against or on behalf of the person
charged with the matter, and after hearing any statement that may be offered in
defence, deal with him in any manner in which it could deal with him or her if the act
or omission had occurred in relation to the court.133

Schedule 7

MISCELLANEOUS EXEMPTIONS

Section 34
Confidential references given by the data controller
1. Personal data are exempt from section 5 if they consist of a reference given or to
be given in confidence by the data controller for the purposes of —
(a) the education, training or employment, or prospective education,
training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject
to any office, or
(c) the provision, or prospective provision, by the data subject of any
service.
Armed forces
2. Personal data are exempt from the subject information provisions in any case to
the extent to which the application of those provisions would be likely to prejudice the
combat effectiveness of any of the armed forces of the Crown.
Judicial appointments and honours
3. Personal data processed for the purposes of —
(a) assessing any person’s suitability for judicial office, or
(b) the conferring by the Crown of any honour or dignity,
are exempt from the subject information provisions.
Crown employment and appointments
4. The Council of Ministers may by order exempt from the subject information
provisions personal data processed for the purposes of assessing any person’s
suitability for —
(a) employment by or under the Crown, or
(b) any office to which appointments are made by Her Majesty, the
Governor, the Governor in Council or the Council of Ministers.
Management forecasts etc.
5. Personal data processed for the purposes of management forecasting or
management planning to assist the data controller in the conduct of any business or
other activity are exempt from the subject information provisions in any case to the
extent to which the application of those provisions would be likely to prejudice the
conduct of that business or other activity.
Corporate finance
6. (1) Where personal data are processed for the purposes of, or in connection
with, a corporate finance service provided by any person —
(a) the data are exempt from the subject information provisions in
any case to the extent to which either —
(i) the application of those provisions to the data could affect
the price of any securities which are already in existence or
are to be or may be created, or
(ii) the data controller reasonably believes that the application
of those provisions to the data could affect the price of any
such securities, and
(b) to the extent that the data are not exempt from the subject
information provisions by virtue of paragraph (a), they are
exempt from those provisions if the exemption is required for the
purpose of safeguarding an important economic or financial
interest of the Island.
(2) For the purposes of sub-paragraph (1)(b) the Council of Ministers may by
order specify —
(a) matters to be taken into account in determining whether
exemption from the subject information provisions is required for
the purpose of safeguarding an important economic or financial
interest of the Island, or
(b) circumstances in which exemption from those provisions is, or is
not, to be taken to be required for that purpose.
(3) In this paragraph —
“corporate finance service” means a service consisting in —
(a) underwriting in respect of issues of, or the placing of issues of,
any securities,
(b) advice to undertakings on capital structure, industrial strategy
and related matters and advice and service relating to mergers
and the purchase of undertakings, or
(c) services relating to such underwriting as is mentioned in
paragraph (a);
“price” includes value;
“securities” means —
(a) shares or debentures,
(b) securities of the government of any country or territory, or
(c) rights or interests (described whether as units or otherwise) in any
such shares, debentures or securities.
Negotiations
7. Personal data which consist of records of the intentions of the data controller in
relation to any negotiations with the data subject are exempt from the subject
information provisions in any case to the extent to which the application of those
provisions would be likely to prejudice those negotiations.
Examination marks
8. (1) Section 5 shall have effect subject to the provisions of sub-paragraphs (2)
to (4) in the case of personal data consisting of marks or other information processed
by a data controller —
(a) for the purpose of determining the results of an academic,
professional or other examination or of enabling the results of any
such examination to be determined, or
(b) in consequence of the determination of any such results.
(2) Where the relevant day falls before the day on which the results of the
examination are announced, the period mentioned in section 5(8) shall be extended
until —
(a) the end of 5 months beginning with the relevant day, or
(b) the end of 40 days beginning with the date of the announcement,
whichever is the earlier.
(3) Where by virtue of sub-paragraph (2) a period longer than the prescribed
period elapses after the relevant day before the request is complied with, the
information to be supplied pursuant to the request shall be supplied both by reference
to the data in question at the time when the request is received and (if different) by
reference to the data as from time to time held in the period beginning when the
request is received and ending when it is complied with.
(4) For the purposes of this paragraph the results of an examination shall be
treated as announced when they are first published or (if not published) when they are
first made available or communicated to the candidate in question.
(5) In this paragraph —
“examination” includes any process for determining the knowledge,
intelligence, skill or ability of a candidate by reference to his performance in any
test, work or other activity;
“the prescribed period” means 40 days or such other period as is for the time
being prescribed under section 5 in relation to the personal data in question;
“relevant day” has the same meaning as in section 5.
Examination scripts etc.
9. (1) Personal data consisting of information recorded by candidates during
an academic, professional or other examination are exempt from section 5.
(2) In this paragraph “examination” has the same meaning as in
paragraph 8.
Legal professional privilege
10. Personal data are exempt from the subject information provisions if the data
consist of information in respect of which a claim to legal professional privilege could
be maintained in legal proceedings.
Self-incrimination
11. (1) A person need not comply with any request or order under section 5 to
the extent that compliance would, by revealing evidence of the commission of any
offence other than an offence under this Act, expose him to proceedings for that
offence.
(2) Information disclosed by any person in compliance with any request or
order under section 5 shall not be admissible against him in proceedings for an offence
under this Act.
Schedule 8

POWERS OF ENTRY AND INSPECTION

Section 46
Issue of warrants
1. (1) If a judge of the High Court is satisfied by information on oath supplied
by the Information Commissioner that there are reasonable grounds for suspecting —
(a) that a data controller has contravened or is contravening any of
the data protection principles, or
(b) that an offence under this Act has been or is being committed,
and that evidence of the contravention or of the commission of the offence is to
be found on any premises specified in the information, he may, subject to sub-
paragraph (2) and paragraph 2, grant a warrant to the Information
Commissioner.134

(2) A judge shall not issue a warrant under this Schedule in respect of any
personal data processed for the special purposes unless a determination by the
Information Commissioner under section 41 with respect to those data has taken
effect.135

(3) A warrant issued under sub-paragraph (1) shall authorise the
Information Commissioner or any of his officers or staff, or any other person
authorised for the purpose by the Information Commissioner, at any time within 7
days of the date of the warrant to enter the premises, to search them, to inspect,
examine, operate and test any equipment found there which is used or intended to be
used for the processing of personal data and to inspect and seize any documents or
other material found there which may be such evidence as is mentioned in that sub-
paragraph.136

2. (1) A judge shall not issue a warrant under this Schedule unless he is
satisfied —
(a) that the Information Commissioner has given 7 days’ notice in
writing to the occupier of the premises in question demanding
access to the premises, and137

(b) that either —
(i) access was demanded at a reasonable hour and was
unreasonably refused, or
(ii) although entry to the premises was granted, the occupier
unreasonably refused to comply with a request by the
Information Commissioner or any of the Information
Commissioner’s officers or staff to permit the Information
Commissioner or the officer or member of staff to do any
of the things referred to in paragraph 1(3), and138

(c) that the occupier, has, after the refusal, been notified by the
Information Commissioner of the application for the warrant and
has had an opportunity of being heard by the judge on the
question whether or not it should be issued.139

(2) Sub-paragraph (1) does not apply if the judge is satisfied that the case is
one of urgency or that compliance with those provisions would defeat the object of the
entry.
3. A judge who issues a warrant under this Schedule shall also issue 2 copies of it
and certify them clearly as copies.
Execution of warrants
4. A person executing a warrant issued under this Schedule may use such
reasonable force as may be necessary.
5. A warrant issued under this Schedule shall be executed at a reasonable hour
unless it appears to the person executing it that there are grounds for suspecting that
the evidence in question would not be found if it were so executed.
6. If the person who occupies the premises in respect of which a warrant is issued
under this Schedule is present when the warrant is executed, he shall be shown the
warrant and supplied with a copy of it; and if that person is not present a copy of the
warrant shall be left in a prominent place on the premises.
7. (1) A person seizing anything in pursuance of a warrant under this Schedule
shall give a receipt for it if asked to do so.
(2) Anything so seized may be retained for so long as is necessary in all the
circumstances but the person in occupation of the premises in question shall be given a
copy of anything that is seized if he so requests and the person executing the warrant
considers that it can be done without undue delay.
Matters exempt from inspection and seizure
8. The powers of inspection and seizure conferred by a warrant issued under this
Schedule shall not be exercisable in respect of personal data which by virtue of
section 24 are exempt from any of the provisions of this Act.
9. (1) Subject to the provisions of this paragraph, the powers of inspection and
seizure conferred by a warrant issued under this Schedule shall not be exercisable in
respect of —
(a) any communication between an advocate and his client in
connection with the giving of legal advice to the client with
respect to his obligations, liabilities or rights under this Act, or
(b) any communication between an advocate and his client, or
between an advocate or his client and any other person, made in
connection with or in contemplation of proceedings under or
arising out of this Act (including proceedings before the Tribunal)
and for the purposes of such proceedings.
(2) Sub-paragraph (1) applies also to —
(a) any copy or other record of any such communication as is there
mentioned, and
(b) any document or article enclosed with or referred to in any such
communication if made in connection with the giving of any
advice or, as the case may be, in connection with or in
contemplation of and for the purposes of such proceedings as are
there mentioned.
(3) This paragraph does not apply to anything in the possession of any
person other than the advocate or his client or to anything held with the intention of
furthering a criminal purpose.
(4) In this paragraph references to the client of an advocate include
references to any person representing such a client.
10. If the person in occupation of any premises in respect of which a warrant is
issued under this Schedule objects to the inspection or seizure under the warrant of
any material on the grounds that it consists partly of matters in respect of which those
powers are not exercisable, he shall, if the person executing the warrant so requests,
furnish that person with a copy of so much of the material as is not exempt from those
powers.
Return of warrants
11. A warrant issued under this Schedule shall be returned to the Chief Registrar —
(a) after being executed, or
(b) if not executed within the time authorised for its execution;
and the person by whom any such warrant is executed shall make an
endorsement on it stating what powers have been exercised by him
under the warrant.
Offences
12. Any person who —
(a) intentionally obstructs a person in the execution of a warrant
issued under this Schedule, or
(b) fails without reasonable excuse to give any person executing such
a warrant such assistance as he may reasonably require for the
execution of the warrant,
is guilty of an offence.
Vessels, vehicles etc.
13. In this Schedule “premises” includes any vessel, vehicle, aircraft or hovercraft,
and references to the occupier of any premises include references to the person in
charge of any vessel, vehicle, aircraft or hovercraft.
Schedule 9

REGISTERS OF ELECTORS ETC.

Section 57
[Sch 9 amended by Registration of Electors Act 2006 Sch 3, and amends the
following Act —
Jury Act 1980 q.v.]
Schedule 10

EXEMPTIONS AND MODIFICATIONS HAVING EFFECT BEFORE 24TH OCTOBER 2007

Section 64
PART 1 TRANSITIONAL EXEMPTIONS

1. In this Schedule —
“the appointed day” means the date on which Part 2 comes into operation;
“automated data” means data which fall within paragraph (a) or (b) of the
definition of “data” in section 1(1);
“manual data” means data which fall within paragraph (c) or (d) of the
definition of “data” in section 1(1);
“the relevant conditions” has the same meaning as in section 29;
“the transitional period” means the period from the appointed day to the 23rd
October 2007.
Temporary exemption for certain manual data
2. (1) This paragraph applies to —
(a) manual data which were held immediately before the appointed
day, and
(b) personal data which fall within paragraph (d) of the definition of
“data” in section 1(1) but do not fall within (a) above.
(2) During the transitional period, data to which this paragraph applies are
exempt from the following provisions —
(a) the first data protection principle (fair and lawful processing)
except to the extent to which it requires compliance with
paragraph 10 of Schedule 1,
(b) the second data protection principle (purpose for which data are
obtained and processed),
(c) the third data protection principle (adequacy and relevance of
data),
(d) the fourth data protection principle (accuracy of data),
(e) the fifth data protection principle (time for keeping data), and
(f) section 12(1) to (3).
Exemption for historical research
3. (1) This paragraph applies to manual data which —
(a) were held immediately before the appointed day, and
(b) are processed only for the purpose of historical research in
compliance with the relevant conditions.
(2) After the transitional period, data to which this paragraph applies are
exempt from the provisions specified in paragraph 2(2).
4. (1) This paragraph applies to automated data which —
(a) were subject to processing which was already under way
immediately before the appointed day, and
(b) are processed only for the purpose of historical research in
compliance with the relevant conditions.
(2) During and after the transitional period, data to which this paragraph
applies are exempt from the first data protection principle to the extent to which it
requires compliance with the conditions in Schedules 2 and 3.
(3) During and after the transitional period, data to which this paragraph
applies which are processed otherwise than by reference to the data subject are also
exempt from the provisions referred to in paragraph 2(2).
5. For the purposes of this Part of this Schedule personal data are not to be treated
as processed otherwise than for the purpose of historical research merely because the
data are disclosed —
(a) to any person, for the purpose of historical research only,
(b) to the data subject or a person acting on his behalf,
(c) at the request, or with the consent, of the data subject or a person
acting on his behalf, or
(d) in circumstances in which the person making the disclosure has
reasonable grounds for believing that the disclosure falls within
paragraph (a), (b) or (c).
Exemption from section 19
6. Processing which was already under way immediately before the appointed
day is not assessable processing for the purposes of section 19.
PART 2 MODIFICATIONS HAVING EFFECT BEFORE 24TH OCTOBER 2007

7. After section 10 insert —
“10A Rights of data subjects in relation to exempt manual data

(1) A data subject is entitled at any time by notice in writing —
(a) to require the data controller to rectify, block, erase or destroy
exempt manual data which are inaccurate or incomplete, or
(b) to require the data controller to cease holding exempt manual
data in a way incompatible with the legitimate purposes pursued
by the data controller.
(2) A notice under subsection (1)(a) or (b) must state the data subject’s
reasons for believing that the data are inaccurate or incomplete or, as the case may be,
his reasons for believing that they are held in a way incompatible with the legitimate
purposes pursued by the data controller.
(3) If the High Court is satisfied, on the application of any person who has
given a notice under subsection (1) which appears to the court to be justified (or to be
justified to any extent) that the data controller in question has failed to comply with the
notice, the court may order him to take such steps for complying with the notice (or for
complying with it to that extent) as the court thinks fit.
(4) In this section “exempt manual data” means data to which paragraph 2
of Schedule 10 applies.
(5) For the purposes of this section personal data are incomplete if, and only
if, the data, although not inaccurate, are such that their incompleteness would
constitute a contravention of the third or fourth data protection principles, if those
principles applied to the data.”
8. In section 28 —
(a) in subsection (2), after “section 10” insert —
“(dd) section 10A,”;
(b) in subsection (4), after “10(8)” insert “10A(3)”.
9. In section 30, for “section 12(1) to (3)” substitute “sections 10A and 12(1) to (3).”
10. In paragraph 16 of Schedule 1, omit the word “or” at the end of paragraph (c),
and after paragraph (d) insert “or
(e) he contravenes section 10A by failing to comply with a notice
given under section 10A(1) to the extent that the notice is
justified.”
Schedule 11

TRANSITIONAL PROVISIONS AND SAVINGS

Section 65
Interpretation
1. In this Schedule —
“the 1986 Act” means the Data Protection Act 1986;
“the old principles” means the data protection principles within the meaning of
the 1986 Act;
“the new principles” means the data protection principles within the meaning
of this Act.
Effect of registration under Part II of 1986 Act
2. (1) Subject to sub-paragraphs (4) and (5), any person who, immediately
before the commencement of Part 3 of this Act —
(a) is registered as a data user under Part II of the 1986 Act, or
(b) is treated by virtue of section 7(6) of the 1986 Act as so registered,
is exempt from section 14(1) of this Act until the end of the registration period.
(2) In sub-paragraph (1) “the registration period”, in relation to a person,
means —
(a) where there is a single entry in respect of that person as a data
user, the period at the end of which, if section 8 of the 1986 Act
had remained in force, that entry would have fallen to be
removed unless renewed, and
(b) where there are 2 or more entries in respect of that person as a
data user, the period at the end of which, if that section had
remained in force, the last of those entries to expire would have
fallen to be removed unless renewed.
(3) Any application for registration as a data user under Part II of the 1986
Act which is received by the Supervisor before the commencement of Part 3 of this Act
(including any appeal against a refusal of registration) shall be determined in
accordance with the old principles and the provisions of the 1986 Act.
(4) If a person falling within sub-paragraph (1)(b) receives a notification
under section 7(1) of the 1986 Act of the refusal of his application, sub-paragraph (1)
shall cease to apply to him —
(a) if no appeal is brought, at the end of the period within which an
appeal can be brought against the refusal, or
(b) on the withdrawal or dismissal of the appeal.
(5) If a data controller gives a notification under section 15(1) at a time when
he is exempt from section 14(1) by virtue of sub-paragraph (1), he shall cease to be so
exempt.
(6) The Supervisor shall include in the register maintained under section 16
an entry in respect of each person who is exempt from section 14(1) by virtue of
sub-paragraph (1); and each entry shall consist of the particulars which, immediately before
the commencement of Part 3 of this Act, were included (or treated as included) in
respect of that person in the register maintained under section 4 of the 1986 Act.
(7) Notification regulations under Part 3 of this Act may make provision
modifying the duty referred to in section 17(1) in its application to any person in
respect of whom an entry in the register maintained under section 16 has been made
under sub-paragraph (6).
(8) Notification regulations under Part 3 of this Act may make further
transitional provision in connection with the substitution of Part 3 for Part II of the
1986 Act (registration), including provision modifying the application of provisions of
Part 3 in transitional cases.
Rights of data subjects
3. (1) The repeal of section 20 of the 1986 Act (right of access to personal data)
does not affect the application of that section in any case in which the request (together
with the information referred to in section 21(4)(a) and, in a case where it is required,
the consent referred to in section 21(4)(b)) was received before the day on which the
repeal comes into force.
(2) Sub-paragraph (1) does not apply where the request is made by reference
to this Act.
(3) Any fee paid for the purposes of section 20 of the 1986 Act before the
commencement of section 5 in a case not falling within sub-paragraph (1) shall be
taken to have been paid for the purposes of section 5.
4. The repeal of section 21 of the 1986 Act (compensation for inaccuracy) and the
repeal of section 22 of that Act (compensation for loss or unauthorised disclosure) do
not affect the application of those sections in relation to damage or distress suffered at
any time by reason of anything done or omitted to be done before the commencement
of the repeals.
5. The repeal of section 23 of the 1986 Act (rectification and erasure) does not affect
any case in which the application to the High Court was made before the day on which
the repeal comes into force.
6. Section 12(3)(b) does not apply where the rectification, blocking, erasure or
destruction occurred before the commencement of section 12.
Enforcement and transfer prohibition notices served under Part V of 1986 Act
7. (1) If, immediately before the commencement of section 36 —
(a) an enforcement notice under section 10 of the 1986 Act has effect,
and
(b) either the time for appealing against the notice has expired or any
appeal has been determined,
then, after that commencement, to the extent mentioned in sub-paragraph (3), the
notice shall have effect for the purposes of sections 37 and 43 as if it were an
enforcement notice under section 36.
(2) Where an enforcement notice has been served under section 10 of the
1986 Act before the commencement of section 36 and immediately before that
commencement either —
(a) the time for appealing against the notice has not expired, or
(b) an appeal has not been determined,
the appeal shall be determined in accordance with the provisions of the
1986 Act and the old principles and, unless the notice is quashed on
appeal, to the extent mentioned in sub-paragraph (3) the notice shall
have effect for the purposes of sections 37 and 43 as if it were an
enforcement notice under section 36.
(3) An enforcement notice under section 10 of the 1986 Act has the effect
described in sub-paragraph (1) or (2) only to the extent that the steps specified in the
notice for complying with the old principle or principles in question are steps which
the data controller could be required by an enforcement notice under section 36 to take
for complying with the new principles or any of them.
8. (1) If, immediately before the commencement of section 36 —
(a) a transfer prohibition notice under section 12 of the 1986 Act has
effect, and
(b) either the time for appealing against the notice has expired or any
appeal has been determined,
then, on and after that commencement, to the extent specified in sub-paragraph (3), the
notice shall have effect for the purposes of sections 37 and 43 as if it were an
enforcement notice under section 36.
(2) Where a transfer prohibition notice has been served under section 12 of
the 1986 Act and immediately before the commencement of section 36 either —
(a) the time for appealing against the notice has not expired, or
(b) an appeal has not been determined,
the appeal shall be determined in accordance with the provisions of the 1986 Act and
the old principles and, unless the notice is quashed on appeal, to the extent mentioned
in sub-paragraph (3) the notice shall have effect for the purposes of sections 37 and 43
as if it were an enforcement notice under section 36.
(3) A transfer prohibition notice under section 12 of the 1986 Act has the
effect described in sub-paragraph (1) or (2) only to the extent that the prohibition
imposed by the notice is one which could be imposed by an enforcement notice under
section 36 for complying with the new principles or any of them.
Notices under new law relating to matters in relation to which 1986 Act had effect
9. The Supervisor may serve an enforcement notice under section 36 on or after the
day on which that section comes into force if he is satisfied that, before that day, the
data controller contravened the old principles by reason of any act or omission which
would also have constituted a contravention of the new principles if they had applied
before that day.
10. Section 36(5)(b) does not apply where the rectification, blocking, erasure or
destruction occurred before the commencement of section 36.
11. The Supervisor may serve an information notice under section 39 on or after the
day on which that section comes into force if he has reasonable grounds for suspecting
that, before that day, the data controller contravened the old principles by reason of
any act or omission which would also have constituted a contravention of the new
principles if they had applied before that day.
12. Where by virtue of paragraph 11 an information notice is served on the basis of
anything done or omitted to be done before the day on which section 39 comes into
force, section 39(2)(b) shall have effect as if the reference to the data controller having
complied, or complying, with the new principles were a reference to the data controller
having contravened the old principles by reason of any such act or omission as is
mentioned in paragraph 11.
Self-incrimination, etc.
13. (1) In section 39(8), section 40(9) and paragraph 11 of Schedule 7, any
reference to an offence under this Act includes a reference to an offence under the 1986
Act.
(2) In section 34(9) of the 1986 Act, any reference to an offence under that
Act includes a reference to an offence under this Act.
Warrants issued under 1986 Act
14. The repeal of Schedule 4 to the 1986 Act does not affect the application of that
Schedule in any case where a warrant was issued under that Schedule before the
commencement of the repeal.
Complaints under section 35(2) of 1986 Act and requests for assessment under
section 38
15. The repeal of section 35(2) of the 1986 Act does not affect the application of that
provision in any case where the complaint was received by the Supervisor before the
commencement of the repeal.
16. In dealing with a complaint under section 35(2) of the 1986 Act or a request for
an assessment under section 38 of this Act, the Supervisor shall have regard to the
provisions from time to time applicable to the processing, and accordingly —
(a) in section 36(2) of the 1986 Act, the reference to the old principles
and the provisions of that Act includes, in relation to any time
when the new principles and the provisions of this Act have
effect, those principles and provisions, and
(b) in section 38 of this Act, the reference to the provisions of this Act
includes, in relation to any time when the old principles and the
provisions of the 1986 Act had effect, those principles and
provisions.
Applications under Access to Health Records and Reports Act 1993
17. (1) The repeal of any provision of the Access to Health Records and Reports Act
1993 does not affect —
(a) the application of section 3 or 6 of that Act in any case in which
the application under that section was received before the day on
which the repeal comes into force, or
(b) the application of section 8 of that Act in any case in which the
application to the High Court was made before the day on which
the repeal comes into force.
(2) Sub-paragraph (1)(a) does not apply in relation to an application for
access to information which was made by reference to this Act.
The Supervisor
18. Any reference in this Act or in any instrument under this Act to the Supervisor
shall be construed, in relation to any time before the commencement of section 4(1), as
a reference to the Isle of Man Data Protection Registrar.
Staff of Supervisor
19. Any officer of the Supervisor who immediately before the commencement of
this Act was a civil servant shall not cease to be a civil servant by virtue only of the
passing of this Act unless he and the Civil Service Commission otherwise agree in
writing.
Functions relating to children and young persons
20. Until the whole of the Children and Young Persons Act 2001 has come into force,
the reference in the table in section 62(1) to functions of the Department of Health and
Social Security under that Act shall be construed as including a reference to functions
of that Department under any enactment repealed by that Act.
Schedule 12

AMENDMENT OF ENACTMENTS

Section 66(1)
[Sch 12 amended by Public Sector Pensions Act 2011 Sch 3, and amends the
following Acts —
Legal Aid Act 1986 q.v.
Customs and Excise Management Act 1986 q.v.
Access to Health Records and Reports Act 1993 q.v.
Lloyds TSB Act 1997 q.v.
Residence Act 2001 q.v.
Online Gambling Regulation Act 2001 q.v.
Halifax International Act 2001 q.v.]
Schedule 13

ENACTMENTS REPEALED

Section 66(2)
[Sch 13 repeals the following Act wholly —
Data Protection Act 1986
and the following Acts in part —
Statute Law Revision Act 1989
Access to Health Records and Reports Act 1993
Criminal Justice Act 2001.]

ENDNOTES

Table of Legislation History

Legislation Year and No Commencement






Table of Renumbered Provisions

Original Current






Table of Endnote References

1 Para (e) inserted by Freedom of Information Act 2015 Sch 4.
2 Definition of “held” inserted by Freedom of Information Act 2015 Sch 4.
3 Definition of “public authority” inserted by Freedom of Information Act 2015 Sch 4.
4 S 4 heading substituted by Freedom of Information Act 2015 Sch 4.
5 Subs (1) repealed by Freedom of Information Act 2015 Sch 4.
6 Subs (2) repealed by Freedom of Information Act 2015 Sch 4.
7 Subs (4) substituted by Legislation Act 2015 s 99.
8 Subs (5) repealed by Tribunals Act 2006 Sch 3.
9 Subs (6) amended by Freedom of Information Act 2015 Sch 4.
10 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
11 S 7A inserted by Freedom of Information Act 2015 Sch 4.
12 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
13 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
14 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
15 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
16 Para (b) amended by Freedom of Information Act 2015 Sch 4.
17 Subs (6) amended by Freedom of Information Act 2015 Sch 4.
18 Subs (7) amended by Freedom of Information Act 2015 Sch 4.
19 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
20 Para (b) amended by Freedom of Information Act 2015 Sch 4.
21 Subs (4) amended by Freedom of Information Act 2015 Sch 4.
22 S 19 heading amended by Freedom of Information Act 2015 Sch 4.
23 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
24 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
25 Subs (4) amended by Freedom of Information Act 2015 Sch 4.
26 Para (a) amended by Freedom of Information Act 2015 Sch 4.
27 Para (b) amended by Freedom of Information Act 2015 Sch 4.
28 Subs (5) amended by Freedom of Information Act 2015 Sch 4.
29 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
30 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
31 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
32 Para (a) amended by Freedom of Information Act 2015 Sch 4.
33 Para (b) amended by Freedom of Information Act 2015 Sch 4.
34 See General Note.
35 Para (b) amended by SD155/10 Sch 10.
36 Para (a) amended by SD155/10 Sch 6 and by SD2014/08.
37 Subs (5) inserted by Social Services Act 2011 Sch 3.
38 Para (a) amended by Freedom of Information Act 2015 Sch 4.
39 S 29A inserted by Freedom of Information Act 2015 Sch 4.
40 S 30 amended by Freedom of Information Act 2015 Sch 4.
41 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
42 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
43 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
44 Para (b) amended by Freedom of Information Act 2015 Sch 4.
45 Para (b) amended by Freedom of Information Act 2015 Sch 4.
46 Para (a) amended by Freedom of Information Act 2015 Sch 4.
47 Subs (8) amended by Freedom of Information Act 2015 Sch 4.
48 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
49 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
50 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
51 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
52 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
53 Subs (4) amended by Freedom of Information Act 2015 Sch 4.
54 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
55 Para (a) amended by Freedom of Information Act 2015 Sch 4.
56 Para (b) amended by Freedom of Information Act 2015 Sch 4.
57 Subs (5) amended by Freedom of Information Act 2015 Sch 4.
58 Subs (6) amended by Freedom of Information Act 2015 Sch 4.
59 Subs (8) amended by Freedom of Information Act 2015 Sch 4.
60 Subs (9) amended by Freedom of Information Act 2015 Sch 4.
61 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
62 Para (a) amended by Freedom of Information Act 2015 Sch 4.
63 Para (b) amended by Freedom of Information Act 2015 Sch 4.
64 Subs (6) amended by Freedom of Information Act 2015 Sch 4.
65 Subs (7) amended by Freedom of Information Act 2015 Sch 4.
66 Subs (9) amended by Freedom of Information Act 2015 Sch 4.
67 Subs (10) amended by Freedom of Information Act 2015 Sch 4.
68 S 41 heading amended by Freedom of Information Act 2015 Sch 4.
69 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
70 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
71 Para (a) amended by Freedom of Information Act 2015 Sch 4.
72 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
73 Para (a) amended by Freedom of Information Act 2015 Sch 4.
74 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
75 Para (b) amended by Freedom of Information Act 2015 Sch 4.
76 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
77 Subs (5) amended by Freedom of Information Act 2015 Sch 4.
78 Cross-heading amended by Freedom of Information Act 2015 Sch 4.
79 S 47 heading amended by Freedom of Information Act 2015 Sch 4.
80 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
81 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
82 Para (b) amended by Freedom of Information Act 2015 Sch 4.
83 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
84 Subs (4) amended by Freedom of Information Act 2015 Sch 4.
85 Subs (6) amended by Freedom of Information Act 2015 Sch 4.
86 Subs (7) amended by Freedom of Information Act 2015 Sch 4.
87 Subs (8) amended by Freedom of Information Act 2015 Sch 4.
88 Definition of “good practice” amended by Freedom of Information Act 2015 Sch 4.
89 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
90 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
91 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
92 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
93 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
94 Para (b) amended by Freedom of Information Act 2015 Sch 4.
95 Subs (3) amended by Freedom of Information Act 2015 Sch 4.
96 Subs (4) amended by Freedom of Information Act 2015 Sch 4.
97 Subs (8) amended by Freedom of Information Act 2015 Sch 4.
98 Para (b) amended by SD155/10 Sch 6 and by SD2014/08.
99 Subs (6A) inserted by Freedom of Information Act 2015 Sch 4.
100 S 51 not yet in force.
101 Cross-heading amended by Freedom of Information Act 2015 Sch 4.
102 S 53 amended by Freedom of Information Act 2015 Sch 4.
103 S 54 repealed by Freedom of Information Act 2015 Sch 4.
104 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
105 S 57 amended by Registration of Electors Act 2006 Sch 3.
106 Para (a) amended by Public Services Commission Act 2015 Sch.
107 Para (b) amended by Public Services Commission Act 2015 Sch.
108 S 60 heading amended by Freedom of Information Act 2015 Sch 4.
109 Subs (1) amended by Freedom of Information Act 2015 Sch 4.
110 Subs (2) amended by Freedom of Information Act 2015 Sch 4.
111 Entry amended by SD2015/0109.
112 Para (a) substituted by Social Services Act 2011 Sch 3.
113 Para (c) amended by SD155/10 Sch 6 and by SD2014/08.
114 See CM1329.
115 See OJ L281, 23.11.95, p. 31.
116 Para (a) amended by SD155/10 Sch 10.
117 Subpara (i) amended by SD155/10 Sch 10.
118 Definition of “Information Commissioner” inserted by Freedom of Information Act 2015 Sch 4.
119 Definition of “the Supervisor” repealed by Freedom of Information Act 2015 Sch 4.
120 Index amended by Freedom of Information Act 2015 Sch 4.
121 ADO (whole Act except provisions specified in s 67(2)(a) to (e), ss 51 and 57 and Sch 9) 1/4/2003 (SD15/03); (s 57 and Sch 9) 1/1/2004 (SD701/03).
122 Item (b) amended by Freedom of Information Act 2015 Sch 4.
123 See SD531/95.
124 Item (a) amended by Insurance Act 2008 Sch 8.
125 Subitem (i) amended by Insurance Act 2008 Sch 8.
126 Para 8 amended by Freedom of Information Act 2015 Sch 4.
127 Para 9 amended by Freedom of Information Act 2015 Sch 4.
128 Sch 5 heading amended by Freedom of Information Act 2015 Sch 4.
129 Part 1 repealed by Freedom of Information Act 2015 Sch 4.
130 Part 2 heading repealed by Freedom of Information Act 2015 Sch 4.
131 Para 6 repealed by Tribunals Act 2006 Sch 3.
132 Para 7 amended by Public Services Commission Act 2015 Sch.
133 Para 6 substituted by Legislation Act 2015 s 99.
134 Subpara (1) amended by Freedom of Information Act 2015 Sch 4.
135 Subpara (2) amended by Freedom of Information Act 2015 Sch 4.
136 Subpara (3) amended by Freedom of Information Act 2015 Sch 4.
137 Item (a) amended by Freedom of Information Act 2015 Sch 4.
138 Subitem (ii) amended by Freedom of Information Act 2015 Sch 4.
139 Item (c) amended by Freedom of Information Act 2015 Sch 4.