The Data Protection (Processing of Sensitive Personal Data) Order 2000 No. 417



United Kingdom Statutory Instruments


URL: http://www.bailii.org/uk/legis/num_reg/2000/uksi_2000417_en.html



Statutory Instruments

2000 No. 417

DATA PROTECTION

The Data Protection (Processing of Sensitive Personal Data) Order 2000

Made

17th February 2000

Coming into force

1st March 2000

Whereas a draft of this Order has been laid before and approved by a resolution of each House of Parliament:

Now, therefore, the Secretary of State, in exercise of the powers conferred on him by section 67(2) of, and paragraph 10 of Schedule 3 to, the Data Protection Act 1998(1) and after consultation with the Data Protection Commissioner in accordance with section 67(3) of that Act, hereby makes the following Order:

1.-(1) This Order may be cited as the Data Protection (Processing of Sensitive Personal Data) Order 2000 and shall come into force on 1st March 2000.

(2) In this Order, "the Act" means the Data Protection Act 1998.

2. For the purposes of paragraph 10 of Schedule 3 to the Act, the circumstances specified in any of the paragraphs in the Schedule to this Order are circumstances in which sensitive personal data may be processed.

Mike O'Brien

Parliamentary Under-Secretary of State

Home Office

17th February 2000

Article 2

SCHEDULE

CIRCUMSTANCES IN WHICH SENSITIVE PERSONAL DATA MAY BE PROCESSED

1.-(1) The processing-

(a) is in the substantial public interest;

(b) is necessary for the purposes of the prevention or detection of any unlawful act; and

(c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.

(2) In this paragraph, "act" includes a failure to act.

2. The processing-

(a) is in the substantial public interest;

(b) is necessary for the discharge of any function which is designed for protecting members of the public against-

(i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or

(ii) mismanagement in the administration of, or failures in services provided by, any body or association; and

(c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function.

3.-(1) The disclosure of personal data-

(a) is in the substantial public interest;

(b) is in connection with-

(i) the commission by any person of any unlawful act (whether alleged or established),

(ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or

(iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);

(c) is for the special purposes as defined in section 3 of the Act; and

(d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

(2) In this paragraph, "act" includes a failure to act.

4. The processing-

(a) is in the substantial public interest;

(b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and

(c) is carried out without the explicit consent of the data subject because the processing-

(i) is necessary in a case where consent cannot be given by the data subject,

(ii) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject, or

(iii) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service.

5.-(1) The processing-

(a) is necessary for the purpose of-

(i) carrying on insurance business, or

(ii) making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme as defined in section 1 of the Pension Schemes Act 1993(2);

(b) is of sensitive personal data consisting of information falling within section 2(e) of the Act relating to a data subject who is the parent, grandparent, great grandparent or sibling of-

(i) in the case of paragraph (a)(i), the insured person, or

(ii) in the case of paragraph (a)(ii), the member of the scheme;

(c) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of that data subject and the data controller is not aware of the data subject withholding his consent; and

(d) does not support measures or decisions with respect to that data subject.

(2) In this paragraph-

(a) "insurance business" means insurance business, as defined in section 95 of the Insurance Companies Act 1982(3), falling within Classes I, III or IV of Schedule 1 (classes of long term business) or Classes 1 or 2 of Schedule 2 (classes of general business) to that Act, and

(b) "insured" and "member" includes an individual who is seeking to become an insured person or member of the scheme respectively.

6. The processing-

(a) is of sensitive personal data in relation to any particular data subject that are subject to processing which was already under way immediately before the coming into force of this Order;

(b) is necessary for the purpose of-

(i) carrying on insurance business, as defined in section 95 of the Insurance Companies Act 1982, falling within Classes I, III or IV of Schedule 1 to that Act; or

(ii) establishing or administering an occupational pension scheme as defined in section 1 of the Pension Schemes Act 1993; and

(c) either-

(i) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject and that data subject has not informed the data controller that he does not so consent, or

(ii) must necessarily be carried out even without the explicit consent of the data subject so as not to prejudice those purposes.

7.-(1) Subject to the provisions of sub-paragraph (2), the processing-

(a) is of sensitive personal data consisting of information falling within section 2(c) or (e) of the Act;

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons-

(i) holding different beliefs as described in section 2(c) of the Act, or

(ii) of different states of physical or mental health or different physical or mental conditions as described in section 2(e) of the Act,

with a view to enabling such equality to be promoted or maintained;

(c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and

(d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

(2) Where any individual has given notice in writing to any data controller who is processing personal data under the provisions of sub-paragraph (1) requiring that data controller to cease processing personal data in respect of which that individual is the data subject at the end of such period as is reasonable in the circumstances, that data controller must have ceased processing those personal data at the end of that period.

8.-(1) Subject to the provisions of sub-paragraph (2), the processing-

(a) is of sensitive personal data consisting of information falling within section 2(b) of the Act;

(b) is carried out by any person or organisation included in the register maintained pursuant to section 1 of the Registration of Political Parties Act 1998(4) in the course of his or its legitimate political activities; and

(c) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

(2) Where any individual has given notice in writing to any data controller who is processing personal data under the provisions of sub-paragraph (1) requiring that data controller to cease processing personal data in respect of which that individual is the data subject at the end of such period as is reasonable in the circumstances, that data controller must have ceased processing those personal data at the end of that period.

9. The processing-

(a) is in the substantial public interest;

(b) is necessary for research purposes (which expression shall have the same meaning as in section 33 of the Act);

(c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and

(d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

10. The processing is necessary for the exercise of any functions conferred on a constable by any rule of law.

Explanatory Note

(This note is not part of the Order)

The first data protection principle set out in paragraph 1 of Schedule 1 to the Data Protection Act 1998 prohibits the processing of sensitive personal data unless one of the conditions in Schedule 3 to the Act is met. The condition set out in paragraph 10 of that Schedule is that the processing of sensitive personal data is carried out in circumstances specified by the Secretary of State. The Schedule to this Order specifies ten such circumstances.

Paragraph 1 of the Schedule to this Order covers certain processing for the purposes of the prevention or detection of any unlawful act, where seeking the consent of the data subject to the processing would prejudice those purposes. Paragraph 2 is a similar provision for cases where the processing is required to discharge functions which protect members of the public from certain conduct which may not constitute an unlawful act, such as incompetence or mismanagement.

Paragraph 3 of the Schedule covers certain disclosures for journalistic, artistic or literary purposes of personal data relating to a wide range of conduct (e.g. unlawful acts, dishonesty and incompetence etc.).

Paragraph 4 of the Schedule covers processing required to discharge functions involving the provision of services such as confidential counselling and advice, in circumstances where the consent of the data subject is not obtained for one of the specified reasons set out in the paragraph.

Paragraph 5 of the Schedule covers processing in certain insurance or occupational pension scheme contexts, where details of particular relatives of the principal insured or member are required (e.g. health details of relatives used to calculate the life expectancy of the insured). The data controller must not process these data to make decisions or take actions with respect to the relatives, nor if he is aware of the relative withholding his consent to the processing.

Paragraph 6 of the Schedule covers the processing of sensitive data that were already being processed before the coming into force of this Order in certain insurance and pension contexts. Like the provision in paragraph 5, the data controller must not continue to process these data if he is aware of the data subject withholding his consent to the processing. Alternatively, the data controller may continue the processing in the case of group insurance or pension schemes even without the explicit consent of the data subject to avoid prejudice to that insurance policy or pension scheme.

Paragraph 9 of Schedule 3 to the Data Protection Act 1998 provides as a condition relevant for the purposes of the first data protection principle that the processing is of personal data relating to racial or ethnic origin for the purposes of ethnic monitoring. Paragraph 7 of the Schedule to this Order makes similar provision in relation to the monitoring of equality between persons with different religious beliefs or between persons of differing physical or mental states or conditions.

Paragraph 8 of the Schedule relates to the processing of information about political opinions by registered political parties, provided such processing does not cause substantial damage or distress to any person.

Paragraph 9 of the Schedule covers, for example, processing in the course of maintaining archives where the sensitive personal data are not used to take decisions about any person without their consent and no substantial damage or distress is caused to any person by the keeping of those data.

Paragraph 10 of the Schedule covers processing by the police in the exercise of their common law powers.

This Order contributes to the implementation of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

A Regulatory Impact Assessment was prepared for the Data Protection Bill as it was then and the statutory instruments to be made under it, and was placed in the libraries of both Houses of Parliament. The Regulatory Impact Assessment is now available on the internet at www.homeoffice.gov.uk. Alternatively, copies can be obtained by post from the Home Office, LGDP Unit, 50 Queen Anne's Gate, London SW1H 9AT.

