Office of Data Protection Supervisor Introduction

Data Protection Act 2002

The Data Protection Act 2002 came into operation on the 1st April 2003 and has repealed and replaced the 1986 Act.  The Act has been drafted to meet the standards set out in the European Data Protection Directive 95/46/EC and is broadly similar to the UK's Data Protection Act 1998.  The Act extends protection to cover manual records, as well as computer records, CCTV systems, etc., and also establishes new rights for individuals.

The Isle of Man has applied to the European Commission for a decision on the adequacy of the Data Protection Act 2002 with regard to the European Directive.  In April 2004, the Commission made a formal decision recognising the Isle of Man as a jurisdiction with adequate levels of protection for personal data.  In October 2005, the Isle of Man Government brought in legislation to implement Article 13 of the Privacy and Electronic Communications Directive 2002/58/EC of the European Parliament.

Aims

The purpose of the Data Protection Act 2002 is to protect a person's right to privacy with regard to the processing of their personal information.

To achieve this, the Act encourages businesses to follow good practice and to be open and honest about the use of personal data.  The Act also establishes rights for individuals, which can be enforced if necessary.

Data Protection Principles

To achieve its aim, the Act sets out eight data protection principles and how these principles are to be interpreted.

Controlling personal data

Terminology

The Act defines a number of terms.

Any information held by a business or organisation that refers to a living person who can be identified from that information is called 'personal data'.  The living individual is referred to as a data subject, while the business or organisation that determines how the information will be used is called a data controller.  Processing is defined in such a way that any action or operation involving personal data would be included.

Notification

In most cases, a data controller must notify (register) certain details of his operations with the Data Protection Supervisor. This information is published in the Register of Data Controllers, which is available for public inspection. There are three core business exemptions for Staff Administration, Marketing and PR, Accounts and Records, and also an exemption for certain "not for profit" organisations.

Unless an exemption applies, it is an offence for a data controller to process personal data without notifying the Supervisor.

Registration of Data Controllers

The Register of Data Controllers includes: the name and address of the data controller, the purpose(s) for which they process data, the type of information processed, any recipients to whom it may be disclosed and to which countries data may be transferred.

Data Subject Access

All data subjects have the right to obtain from a data controller information as to whether or not they hold any personal data on the data subject and, if so, to obtain a copy of that personal data in a readable form.  If the data subject believes there to be any mistakes in the information, he has the right to have them corrected. In certain circumstances, he will be able to add qualifying comment to the information held by the data controller.

The data controller is able to charge a fee, currently up to a maximum of £10.  The data controller has the right to reasonably request further information to ascertain the identity of the data subject and to help locate the information requested.  The data controller must provide the information within forty calendar days.

If a data controller has unjustifiably failed to comply with a subject access request, the Court may impose a fine up to £5000.

In certain circumstances the data controller may not be able to provide the information.  Such circumstances include where the identity of a third party would be disclosed or the data is subject to an exemption.

The Exemptions

The Act lists a number of exemptions.  These exemptions may concern the whole of the Act or certain parts of it but most are limited and need to be applied on a case by case basis.  A data controller should examine the exemption closely before concluding that the exemption can be applied.

Exemptions include the processing of data required for the purpose of safeguarding national security, data that a data controller is required by law to disclose, and data concerned only with an individual's personal, family, household or recreational affairs.

The Act also specifies certain situations in which a data subject can be refused access to his data.  These include data held for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty.

Other exemptions include the provision of information which is required by law or by the order of a court, made for the purpose of obtaining legal advice, and where the information is required to prevent injury or other damage to the health of any person or persons.

The Council of Ministers may by order exempt data from subject access provisions where they consider this is in the best interests of the data subject or other individual.  Examples of such orders include those that limit access to data consisting of information about the physical or mental health of a data subject and data held for the purpose of carrying out social work.

Enforcement and Information notices

To achieve compliance with the data protection principles, the Supervisor may issue an Enforcement Notice when satisfied that a data controller has contravened the data protection principles.  If the Supervisor requires any information to determine whether a data controller is complying with the data protection principles, he may also issue an Information Notice.

Failure to comply with an Enforcement or Information Notice is an offence.

The Data Protection Tribunal

The Act also creates a Data Protection Tribunal, to which data controllers may appeal in the event of the Supervisor serving an Enforcement or Information Notice.

The Courts

Any person who believes he has suffered damage and/or distress by reason of any contravention by a data controller of any requirements of the Act may seek compensation by applying to the High Court.

In the case of a failure to comply with a subject access request, the Court may award compensation for distress alone.

Acknowledgement: Office of Data Protection

Contact Details:

ODPS [Office of Data Protection Supervisor]
PO Box 69
Douglas
Isle of Man
IM99 1EQ
British Isles

TEL NO: +44 (0)1624 661030

FAX NO: +44 (0) 1624 661088

EMAIL: odps@odps.gov.im
