Department for Constitutional Affairs - Freedom of information

© Crown Copyright & Disclaimer


FOI full exemptions guidance

Section 40 - Personal Information


Annex A: The Data Protection Act 1998: Key terms

The data protection principles

  1. The data protection principles are contained in Part I of Schedule 1 to the DPA and require data to be:
    • (a) Processed fairly and lawfully and only processed if one of a limited number of conditions is met (those conditions are specified in Schedule 2 and, in respect of sensitive personal data, Schedule 3);
    • (b) Obtained for specified purposes and not processed incompatibly with those purposes;
    • (c) Adequate, relevant and not excessive;
    • (d) Accurate and kept up to date as necessary;
    • (e) Not kept for any longer than is necessary;
    • (f) Processed in accordance with the rights of data subjects under the DPA;
    • (g) Kept secure;
    • (h) Not transferred to non-EEA countries which do not ensure adequate protection.
  2. Data controllers must observe the data protection principles in respect of all processing of personal data. Part II of Schedule 1 contains binding guidance on the interpretation of these principles.

Subject access

  1. Section 7 of the DPA provides an 'access regime' which requires data controllers to provide data subjects with access to their personal data on request. This is termed the right of "subject access".
  2. Section 7(1)(a) and (b) of the DPA correspond approximately to the FOI Act duty to confirm or deny: they give individuals the right to be informed whether a data controller is processing personal data about them. If so, section 7(1)(b) entitles them to be given a description of the information, the purposes for which it is processed and the persons to whom it may be disclosed (the FOI Act does not have an equivalent provision). Section 7(1)(c) corresponds to the FOI Act duty to provide the information and entitles the data subject to have his personal data communicated to him along with any information available as to the source of those data.
  3. Disclosing personal data in response to a subject access request may also involve the disclosure of information relating to other individuals. For example, the expression of an opinion about a person can constitute his personal data but may also reveal information about the person who has expressed the opinion. Section 7(4) provides that where complying with a subject access request would reveal information about another individual who can be identified from that information, the data controller is not obliged to comply unless that individual consents or it is reasonable to comply without consent. This ensures a balance between the right of the data subject to have access to his personal data and the rights of other individuals to protection where appropriate.

Section 10: right to prevent processing likely to cause damage or distress

  1. Section 10 of the DPA provides individuals with the right to require a data controller, in writing, to cease or not to begin processing any of that person's personal data on the grounds that the processing would cause or be likely to cause substantial and unwarranted damage or distress to him or another. If a data controller receives such a notice, it must consider whether or not that notice is justified and, if so, it must comply with the notice. If a data controller does not consider the notice justified it must notify the individual, within 21 days, of the reasons for this.
  2. A court may order a data controller to comply with such a notice if the court is satisfied that the data controller has failed to do so: data controllers are obliged to comply with valid section 10 notices.

Exemptions

  1. Part IV of the DPA contains a number of exemptions. The exemptions do not apply to the entire DPA regime - each exemption exempts personal data from a limited and varying number of provisions.
  2. Some exemptions provide an exemption from the subject access provisions: if such an exemption applies, the data subject will not be able to access his personal data by way of a subject access request. For example, section 34 exempts personal data from the subject access provisions if the data controller is obliged under an enactment to make those data available to the public. Paragraph 1 of Schedule 7 exempts personal data from the subject access provisions if those data consist of a confidential reference given for the purposes of employment or appointment to any office.
  3. Other provisions of Part IV exempt personal data from one or more aspects of the data protection principles. For example, section 28 exempts personal data from any of the data protection principles if exemption is required for the purpose of safeguarding national security. Section 35 exempts personal data from the non-disclosure provisions where disclosure is required by an enactment, rule of law or order of a court. The non-disclosure provisions are the second, third, fourth and fifth principles and the first principle, except the requirement to comply with the conditions in Schedules 2 and 3.

