Data Protection (Amendment) Act 2003

Amendment of section 1 (interpretation and application of Act) of Principal Act.

2.—Section 1 of the Principal Act is amended—

(a)  in subsection (1)—

(i)   by the insertion of the following definitions:

“‘the Act of 2003’ means the Data Protection (Amendment) Act 2003;

‘automated data’ means information that—

 (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

 (b) is recorded with the intention that it should be processed by means of such equipment;

‘blocking’, in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;

‘the Directive’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) ;

‘the EEA Agreement’ means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993;

‘enactment’ means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937 );

‘the European Economic Area’ has the meaning assigned to it by the EEA Agreement;

‘manual data’ means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

‘sensitive personal data’ means personal data as to—

 (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

 (b) whether the data subject is a member of a trade union,

 (c) the physical or mental health or condition or sexual life of the data subject,

 (d) the commission or alleged commission of any offence by the data subject, or

 (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;”,

(ii)  by the substitution of the following definition for the definition of “data”:

“‘data’ means automated data and manual data;”,

(iii) by the substitution of the following for the definition of “direct marketing”:

“‘direct marketing’ includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;”,

(iv) by the substitution of the following definition for the definition of “personal data”:

“‘personal data’ means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;”,

and

(v) by the substitution of the following definition for the definition of “processing”:

“‘processing’, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including—

 (a) obtaining, recording or keeping the information or data,

 (b) collecting, organising, storing, altering or adapting the information or data,

 (c) retrieving, consulting or using the information or data,

 (d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or

 (e) aligning, combining, blocking, erasing or destroying the information or data;”,

(b)  by the insertion of the following subsections after subsection (3):

“(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.

(3B) (a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—

(i)  the data controller is established in the State and the data are processed in the context of that establishment, or

(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.

(b) For the purposes of paragraph (a) of this subsection, each of the following shall be treated as established in the State:

(i)  an individual who is normally resident in the State,

(ii)  a body incorporated under the law of the State,

(iii) a partnership or other unincorporated association formed under the law of the State, and

(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State—

(I)  an office, branch or agency through which he or she carries on any activity, or

(II) a regular practice,

and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.

(c) A data controller to whom paragraph (a)(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.

(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to—

(a)  data kept solely for the purpose of historical research, or

(b)  other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986 ),

and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.”,

and

(c)  by the insertion of the following subsection after subsection (4):

“(5) (a) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997 .

(b) The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.”.

(1) O.J. No. L 281/38 of 23.11.95, p.31.