Courts of Justice


Data Protection Act

The Isle of Man Data Protection Act 2002 came into operation on the 1st of April 2003. This section of the web-site aims to explain the Data Protection Act, its principles and the rights of the individual.

EXPRESSIONS

The Data Protection Act 2002 introduces a number of new expressions. They are:-

PRINCIPLES

The Data Protection Act 2002 applies to personal information about a living individual. Any organisation or business (Data Controller) which uses personal information (data) in any form, including paper, must do so in a manner that is compliant with the Act and, in particular, the eight Data Protection principles:-

  1. Fair and lawful processing

    Personal data must be processed lawfully and fairly. This means that an organisation should be open and honest with the individual and explain why the information is required and what it will be used for. The basic requirements of fair processing are that when an organisation obtains personal data from an individual it must ensure that the individual knows:-

    • The identity of the organisation.
    • The purpose for which the organisation intends to process the information.
    • Other information which is necessary (e.g. if the organisation also intends to use the information for direct marketing it must inform the individual).

    For the processing to be lawful, it must meet one or more of the following conditions:-

    • with the consent of the individual;
    • for the performance of a contract with the individual;
    • to comply with a legal obligation;
    • to protect the vital interests of the individual;
    • for the administration of justice, or the exercise of any statutory function;
    • for the legitimate interests of the organisation, unless the interests of the individual would be prejudiced.

    It is a common misconception that an individual must consent to the use of their personal information. While an organisation must always use personal information fairly and lawfully, provided the organisation can satisfy at least one of the other conditions listed above then the consent of an individual is not required.

    “Sensitive Personal Data” means personal data consisting of information as to:-

    • the racial or ethnic origin of the data subject;
    • his/her political opinions;
    • his/her religious beliefs or other beliefs of a similar nature;
    • whether he/she is a member of a trade union;
    • his/her physical or mental health or condition;
    • his/her sexual life;
    • the commission or alleged commission by him/her of any offence;
    • any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

    If an organisation uses Sensitive Personal Data then, in addition to the above conditions, one or more of the following conditions must also be met:-

    • with the explicit consent of the individual;
    • to perform any right or obligation under employment law;
    • to protect the vital interests of the data subject or another person;
    • for the legitimate interests of a not-for-profit organisation;
    • where the data have been made public by the individual;
    • in connection with legal proceedings;
    • for the administration of justice, or the exercise of any statutory function;
    • for medical purposes;
    • for equal opportunity monitoring;
    • for any other purposes specified by Order by the Council of Ministers.

  2. Purpose for which data are obtained & processed

    An organisation must inform the Data Protection Supervisor of the organisation’s purposes for using personal information. Personal information can only be used for the purposes that have been defined. If you intend to pass personal information to another organisation (disclosure), you must be satisfied that this disclosure will be fair and lawful. You need to consider the following:-

    • Is the individual aware that their personal information is to be passed to another organisation?
    • Is the disclosure compatible with the purpose for which the personal information was obtained?
    • Does the disclosure of the information satisfy one or more of the conditions set out in the First Principle?
    • Has the organisation to which the disclosure will be made notified the Supervisor of their purpose for using the personal information?

  3. Adequacy and relevance of data

    Organisations which use personal information must monitor the amount of personal information held to ensure that neither too much nor too little personal information is used, and that the personal information is relevant for a specified purpose. There may be occasions when an organisation wishes to use personal information that is not necessary for a specified purpose. Provided the individual has been made aware that this additional information is “optional” and has freely consented, then it is acceptable for this additional information to be used.

  4. Accuracy of data

    An organisation must take reasonable steps to ensure that information is accurate and, where necessary, kept up to date. It is not necessary for all information to be kept up to date; for example, if the information is only used as an historical record, then it is not necessary for that information to be kept up to date. Cases may arise when an individual states that the information held is inaccurate but the organisation disagrees. In such cases, a note to this effect must be attached to the information.

  5. Time for keeping data

    Organisations should develop a data retention policy and, in accordance with that policy, review the personal data held and remove any data which is no longer required for their purposes. The data retention policy must consider any statutory obligations with regard to the retention of data and ensure that the retention policy accords with the minimum statutory retention periods. Organisations may consider the value of the information for historical purposes. The Act permits personal data processed for historical or statistical purposes to be kept indefinitely.

  6. Rights of data subjects

    Personal data must be processed in accordance with the rights of individuals (data subjects). See the “Rights of the Individual” section below.

  7. Measures against misuse and loss of data

    Organisations must ensure that they provide adequate security for any personal data they use, taking into account the nature and sensitivity of the information. In particular, organisations must consider the harm that could arise from unauthorised disclosure or loss of data. Adequate security will be dependent upon the size of an organisation and the scale of its operation. Matters that need to be considered include:-

    • Does the Organisation have a Security policy?
    • Is access to the information controlled?
    • Are staff properly trained and aware of their responsibilities?
    • Do procedures exist for detecting breaches?
    • Where an organisation uses a third party (data processor) to process information, is this processing carried out under contract to ensure the third party only processes information in accordance with the organisation’s instructions, and does the third party have adequate security measures in place?

  8. Transfer of data abroad

    Before personal information can be transferred outside the Island an organisation must ensure that adequate protection exists for the information in the receiving country. Countries within the European Economic Area, that is, European Union member states plus Norway, Iceland and Liechtenstein, are deemed to have adequate protection. In addition, the European Commission has made adequacy findings for other countries, including Argentina, Guernsey, Hungary, Switzerland and Canada, and for US companies that have “signed up” to the Safe Harbor provisions. On the 28th April 2004, the European Commission formally decided that the Isle of Man has adequate data protection legislation. There are cases where the eighth principle does not apply; these include:-

    • Where consent of the individual has been given
    • Where the transfer is necessary for a contract with the individual
    • For reasons of substantial public interest
    • Where legal proceedings are involved
    • To protect the vital interests of the individual
    • Where the information is on a public register

RIGHTS OF THE INDIVIDUAL

The Act gives rights to individuals in respect of personal data held about them. These rights are:-

ACCESS

You have the right to know what personal information is processed about you and you can exercise your right by writing to the data controller. This is usually referred to as a “Subject Access Request” and you are entitled to a copy of the information held about you, both on computer and as part of a relevant filing system. You also have the right to receive a description of why your information is processed, anyone it may be disclosed to, and any information available to you about the source of the data.

Although the Data Protection Supervisor has sample letters that an individual may use, they are not required to do so. A letter requesting subject access does not need to mention the Data Protection Act 2002 – it may just say something as simple as “I want to see what you hold about me”.

If a data controller receives a written subject access request, it must deal with it promptly and in any case within 40 days from the date of receipt. It may be that it needs further information from the person making the request to help it to locate the data. It may also require further information in order to satisfy it as to the identity of the person making the request or to assist it in locating the information being sought.

A data controller is entitled to ask for a fee of not more than £10 (£50 for Health Records), and the 40 days do not begin until this is received. However, it must not delay informing the individual that a fee is required and must endeavour to respond to the request as soon as possible.

A data controller may send the information as a computer printout, in a letter, or on a form. However, it should be easy to understand and any codes should be explained.

Subject access should be handled in the light of an on-going relationship with the data subject. Routine requests for limited information, which would in any case form part of normal transactions, should continue to be processed in that way. It is also possible that simply providing access to inspect and make copies of any files would satisfy the person making the request.

In replying to a Subject Access request there are certain exemptions from disclosure which may apply:-

Tynwald has approved further exemptions in the following Orders:-

If a data controller relies on an exemption, it is not obliged to inform the Data Subject that an exemption has been applied.

Sometimes, giving full access to personal data cannot be done without revealing information about others. Third party information should not normally be disclosed without the consent of the individuals concerned.

When a data controller decides that information about other individuals must be excluded, there is still an obligation to supply as much information to the data subject as possible. A data controller should not remove information about other individuals if it is clear that consent is not required, either because the data subject already knows the information, or because it was given by professionals as part of their normal duties (e.g. a medical practitioner). A data controller should blank out information about others so as to protect their identity. This edited response can then be provided to the data subject and, if he/she is satisfied, then the data controller need take no further steps to seek consent from third parties.

If a Data Controller fails to comply with a subject access request then the individual may apply to the High Court. The Court may:-

An individual may also seek compensation for distress (alone) where a failure to comply with a request has occurred.

  1. Damage or distress

    You have the right to object to any processing of your personal data that is causing or would cause unwarranted substantial damage or distress either to you or another person. However this right does not apply when the processing is performed:-

    • with the consent of the individual;
    • for the performance of a contract with the individual;
    • to comply with a legal obligation;
    • to protect the vital interests of the individual;
    • as specified by Order.

  2. Direct Marketing

    You are entitled to require a data controller to cease, or not to start, processing your personal data for the purpose of direct marketing. This right applies even if you had previously consented. You can exercise this right by writing to the data controller, who must comply as soon as possible. If a data controller fails to comply, then you may apply to the Court for an Order.

    There are other actions you can take to prevent personalised “Junk Mail” and unsolicited phone calls or faxes.

    When collecting data from members of the public, the data controller should give them the opportunity to indicate whether or not they wish to receive marketing material from it. If they do not wish to receive the data controller’s promotional materials, it must ensure that it can suppress their details on any mailing lists it uses.

    If the data controller intends to pass personal data to other companies, including companies in the same group, for direct marketing purposes, again it must first inform the individuals concerned and receive their consent. This should be done when it first collects the data, perhaps on an application form. It must not pass on the details of anyone who objects to their details being used in this way.

    If the data controller has not previously sent out marketing material or passed on details to third parties for marketing, it should obtain the consent of existing customers before beginning to process their data for either of those purposes.

  3. Automated decision-making

    You have the right, by notice in writing, to require a data controller to ensure that no decision that significantly affects you is based solely on the processing by automatic means of personal data.

    Although not exhaustive, specific examples are provided in the Act, such as performance at work. Another example may be a web site where a credit decision is based solely upon information provided by you in response to questions asked.

    A data controller must inform you, as soon as reasonably practicable, if a decision was based solely upon processing by automatic means. Once a data controller has replied, you have a further 21 days in which to write to the data controller to require the data controller to reconsider the decision or to take a new decision on a different basis.

    The data controller has a further 21 days to write to you and explain what steps will be taken. There are decisions that are exempt from this right. An exemption would apply if the following conditions were met:-

    • The decision was taken either:-

      • with a view to entering into a contract with the individual; or
      • for the performance of a contract with the individual; or
      • to comply with a legal obligation;

        and:-

      • the effect of the decision must be to grant a request of the individual; or
      • steps have been taken to safeguard the interests of the individual, such as allowing the individual to make representations.

    If a data controller fails to comply, then you may apply to the Court. The Court may order the decision to be reconsidered or to take a new decision, provided the Court is satisfied that the data controller has failed to comply.

  4. Compensation

    You have the right to seek compensation through the Court for any damage suffered as a result of any contravention of the Act by a data controller. You may also seek compensation for distress if the contravention:-

    • also caused damage, or
    • relates to processing for the special purposes of Journalism, Literature or Art; or
    • consists of a failure of a data controller to comply with a subject access request under section 5 of the Act.

    It is a defence for a data controller to prove that he/she had taken all reasonable care to comply. Unless the matter is settled between the parties, an individual who wishes to seek compensation must apply to the Court. A claim for compensation may be made alone or combined with an application in respect of any breach of the Act.

    Note: The Data Protection Supervisor has no power to award compensation, nor can the Supervisor assist with legal proceedings. Anyone considering legal action should always seek the advice of a qualified Manx Advocate.

  5. Inaccurate data

    You have the right to apply to the Court for an order requiring the data controller to rectify, block, erase, or destroy such data relating to you as are inaccurate, including any expression of opinion contained in personal data relating to you which the Court finds inaccurate.

    Under the Consumer Credit Act 1974 (an Act of the UK Parliament) you also have the right to have any incorrect information removed or amended.

    The Credit Reference Regulations are complex and are currently under review. If you wish to exercise this right then the Data Protection Supervisor can provide further advice.

NOTIFICATION

These notes are only intended as an outline of the Data Protection Act 2002 and are not intended as definitive legal advice. For more information you should contact the Information Commissioner (formerly the Office of the Data Protection Supervisor) or consult an advocate.

Page last updated on 12 May 2016