Data Protection (Amendment) Act 2003

Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.

3.—Section 2 of the Principal Act is amended—

(a)  by the substitution of the following subsection for subsection (1):

“(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:

(a)  the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

(b)  the data shall be accurate and complete and, where necessary, kept up to date,

(c)  the data—

(i)  shall have been obtained only for one or more specified, explicit and legitimate purposes,

(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,

(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and

(iv) shall not be kept for longer than is necessary for that purpose or those purposes,

(d)  appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”,

(b)  in subsection (5), by the substitution of the following paragraph for paragraph (a):

“(a) Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and”,

(c)  by the deletion of subsection (6), and

(d)  by the substitution of the following subsections for subsection (7):

“(7) Where—

(a)  personal data are kept for the purpose of direct marketing, and

(b)  the data subject concerned requests the data controller in writing—

(i)  not to process the data for that purpose, or

(ii) to cease processing the data for that purpose,

then—

(I)  if the request is under paragraph (b)(i) of this subsection, the data controller—

(A) shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and

(B) shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,

(II) if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data controller, he or she—

(A) shall, where the data are kept only for the purpose aforesaid, erase the data, and

(B) shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose,

and

(III) the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.

(8) Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the data controller and free of charge, to such processing.”.