Data Protection Act 1984 (c. 35)
1984 Chapter c.35 - continued
 
  PART III
  RIGHTS OF DATA SUBJECTS
Right of access to personal data.  21. - (1) Subject to the provisions of this section, an individual shall be entitled- 
 
 
    (a) to be informed by any data user whether the data held by him include personal data of which that individual is the data subject; and
 
    (b) to be supplied by any data user with a copy of the information constituting any such personal data held by him;
  and where any of the information referred to in paragraph (b) above is expressed in terms which are not intelligible without explanation the information shall be accompanied by an explanation of those terms.
 
      (2) A data user shall not be obliged to supply any information under subsection (1) above except in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require; but a request for information under both paragraphs of that subsection shall be treated as a single request and a request for information under paragraph (a) shall, in the absence of any indication to the contrary, be treated as extending also to information under paragraph (b).
 
      (3) In the case of a data user having separate entries in the register in respect of data held for different purposes a separate request must be made and a separate fee paid under this section in respect of the data to which each entry relates.
 
      (4) A data user shall not be obliged to comply with a request under this section- 
 
 
    (a) unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which he seeks; and
 
    (b) if he cannot comply with the request without disclosing information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.
      (5) In paragraph (b) of subsection (4) above the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that paragraph shall not be construed as excusing a data user from supplying so much of the information sought by the request as can be supplied without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
 
      (6) A data user shall comply with a request under this section within forty days of receiving the request or, if later, receiving the information referred to in paragraph (a) of subsection (4) above and, in a case where it is required, the consent referred to in paragraph (b) of that subsection.
 
      (7) The information to be supplied pursuant to a request under this section shall be supplied by reference to the data in question at the time when the request is received except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
 
      (8) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data user in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request; but a court shall not make an order under this subsection if it considers that it would in all the circumstances be unreasonable to do so, whether because of the frequency with which the applicant has made requests to the data user under those provisions or for any other reason.
 
      (9) The Secretary of State may by order provide for enabling a request under this section to be made on behalf of any individual who is incapable by reason of mental disorder of managing his own affairs.
 
Compensation for inaccuracy.  22. - (1) An individual who is the subject of personal data held by a data user and who suffers damage by reason of the inaccuracy of the data shall be entitled to compensation from the data user for that damage and for any distress which the individual has suffered by reason of the inaccuracy.
 
      (2) In the case of data which accurately record information received or obtained by the data user from the data subject or a third party, subsection (1) above does not apply if the following requirements have been complied with- 
 
 
    (a) the data indicate that the information was received or obtained as aforesaid or the information has not been extracted from the data except in a form which includes an indication to that effect; and
 
    (b) if the data subject has notified the data user that he regards the information as incorrect or misleading, an indication to that effect has been included in the data or the information has not been extracted from the data except in a form which includes an indication to that effect.
      (3) In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all circumstances was reasonably required to ensure the accuracy of the data at the material time.
 
      (4) Data are inaccurate for the purposes of this section if incorrect or misleading as to any matter of fact.
 
Compensation for loss or unauthorised disclosure.  23. - (1) An individual who is the subject of personal data held by a data user or in respect of which services are provided by a person carrying on a computer bureau and who suffers damage by reason of- 
 
 
    (a) the loss of the data;
 
    (b) the destruction of the data without the authority of the data user or, as the case may be, of the person carrying on the bureau; or
 
    (c) subject to subsection (2) below, the disclosure of the data, or access having been obtained to the data, without such authority as aforesaid,
  shall be entitled to compensation from the data user or, as the case may be, the person carrying on the bureau for that damage and for any distress which the individual has suffered by reason of the loss, destruction, disclosure or access.
 
      (2) In the case of a registered data user, subsection (1) (c) above does not apply to disclosure, or access by, any person falling within a description specified pursuant to section 4(3)(d) above in an entry in the register relating to that data user.
 
      (3) In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to prevent the loss, destruction, disclosure or access in question.
 
Rectification and erasure.  24. - (1) If a court is satisfied on the application of a data subject that personal data held by a data user of which the applicant is the subject are inaccurate within the meaning of section 22 above, the court may order the rectification or erasure of the data and of any data held by the data user and containing an expression of opinion which appears to the court to be based on the inaccurate data.
 
      (2) Subsection (1) above applies whether or not the data accurately record information received or obtained by the data user from the data subject or a third party but where the data accurately record such information, then- 
 
 
    (a) if the requirements mentioned in section 22(2) above have been complied with, the court may, instead of making an order under subsection (1) above, make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve; and
 
    (b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a) above.
      (3) If a court is satisfied on the application of a data subject- 
 
 
    (a) that he has suffered damage by reason of the disclosure of personal data, or of access having been obtained to personal data, in circumstances entitling him to compensation under section 23 above; and
 
    (b) that there is a substantial risk of further disclosure of or access to the data without such authority as is mentioned in that section,
  the court may order the erasure of the data; but, in the case of data in respect of which services were being provided by a person carrying on a computer bureau, the court shall not make such an order unless such steps as are reasonably practicable have been taken for notifying the person for whom those services were provided and giving him an opportunity to be heard.
 
Jurisdiction and procedure.  25. - (1) The jurisdiction conferred by sections 21 and 24 above shall be exercisable by the High Court or a county court or, in Scotland, by the Court of Session or the sheriff.
 
      (2) For the purpose of determining any question whether an applicant under subsection (8) of section 21 above is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV of this Act) a court may require the information constituting any data held by the data user to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery (or, in Scotland, recovery) or otherwise.
 
 
 
previous section contents continue other acts Her Majesty's Stationery Office home page
 
We welcome your comments on this site
 © Crown copyright 1984
Prepared 6 March 1997