In brief – are there any exemptions from the Data Protection Act?
The rights and duties set out in the Data Protection Act are designed to apply generally, but there are some exemptions from the Act to accommodate special circumstances. The exemptions tend to use complex language and, while this chapter has tried to clarify matters, it has had to use some of the same language so as not to mislead.
If an exemption applies, then (depending on the circumstances) you will be exempt from the requirement:
- to register with the ICO; and/or
- to grant subject access to personal data; and/or
- to give privacy notices; and/or
- not to disclose personal data to third parties.
Entitlement to an exemption depends in part on your purpose for processing the personal data in question – for example, there is an exemption from some of the Act’s requirements about disclosure and non-disclosure that applies to processing personal data for purposes relating to criminal justice and taxation. However, you must consider each exemption on a case-by-case basis because the exemptions only permit you to depart from the Act’s general requirements to the minimum extent necessary to protect the particular functions or activities the exemptions concern.
In more detail…
What are the exemptions from notification?
Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:
- organisations that process personal data only for:
  - staff administration (including payroll);
  - advertising, marketing and public relations (in connection with their own business activity); and
  - accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer.
Organisations and individuals can use our online self-assessment tool to check whether they need to register with the ICO.
What about exemptions from subject access?
We have explained the right of an individual to make a subject access request in relation to personal data you hold about them. Several of the exemptions mentioned in the rest of this chapter mean that you do not have to grant subject access in respect of personal data to which the exemption applies.
Also, certain restrictions (similar to exemptions) are built into the Act’s subject access provisions. For example, there are restrictions on the disclosure of personal data about more than one individual in response to a subject access request.
Disclosure and non-disclosure – how do the exemptions work?
Different exemptions work in different ways. An exemption may:
- restrict certain rights of individuals in relation to the processing of their personal data; and/or
- limit the duties of organisations when processing that data.
The rights and duties that are affected by one exemption are not necessarily affected by others. So you should look at each exemption carefully to see what effect it has. However, the Act bundles several rights and duties into two groups, and the exemptions tend to work by “disapplying” (blocking) one or both of these groups. The two groups are called the “subject information provisions” and the “non-disclosure provisions”.
The subject information provisions are:
- an organisation’s duty to provide individuals with a privacy notice when their personal data is collected; and
- an individual’s right to make a subject access request.
The non-disclosure provisions are:
- an organisation’s duty to comply with the first data protection principle, but not including the duty to satisfy one or more of the conditions for processing – you must still do this;
- an organisation’s duty to comply with the second, third, fourth and fifth data protection principles;
- an individual’s right to object to processing that is likely to cause or is causing damage or distress; and
- an individual’s right in certain circumstances to have inaccurate personal information rectified, blocked, erased or destroyed.
An exemption from “the non-disclosure provisions” – which would, for example, allow you to disclose personal data that would otherwise be protected from disclosure – is not an automatic exemption from all (or any) of those provisions. This is because an exemption only applies to the extent that the provisions are inconsistent with the disclosure in question. So if you think you may be exempted from any of the non-disclosure provisions, you should consider each of those provisions in turn and decide:
- which, if any, would be inconsistent with the disclosure in question; and
- the extent of the inconsistency.
Disclosure and non-disclosure – when do the exemptions apply?
Several specific exemptions are set out in Part 4 of, and Schedule 7 to, the Data Protection Act. There are other exemptions in regulations made under the Act. The following are some of the exemptions that often apply.
Crime and taxation
The Act recognises that it is sometimes appropriate to disclose personal data for certain purposes to do with criminal justice or the taxation system. In these cases, individuals’ rights may occasionally need to be restricted.
In particular, the Act deals with several situations in which personal data is processed for the following “crime and taxation purposes”:
- the prevention or detection of crime;
- the capture or prosecution of offenders; and
- the assessment or collection of tax or duty.
Personal data processed for any of these purposes is exempt from:
- an organisation’s duty to comply with the first data protection principle, but not including the duty to satisfy one or more of the conditions for processing – you must still do this; and
- an individual’s right to make a subject access request.
The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing his personal data for this purpose would be likely to prejudice the investigation (perhaps because he might abscond or destroy evidence) then the police do not need to do so.
However, the exemption applies, in any particular case, only to the extent that applying those provisions would be likely to prejudice the crime and taxation purposes. You need to judge whether or not this effect is likely in each case – you should not use the exemption to justify withholding subject access to whole categories of personal data if for some individuals the crime and taxation purposes are unlikely to be prejudiced.
A taxpayer makes a subject access request to HMRC for personal data they hold about him in relation to an ongoing investigation into possible tax evasion. If disclosing the information which HMRC have collected about the taxpayer would be likely to prejudice their investigation (because it would make it difficult for them to collect evidence, for example), HMRC could refuse to grant subject access to the extent that doing so would be likely to prejudice their investigation.
If, however, the taxpayer does not make the subject access request until some years later when the investigation (and any subsequent prosecution) has been completed, it is unlikely that complying with the request would prejudice the crime and taxation purposes – in which case HMRC would need to comply with it.
Nor would the exemption justify withholding all the personal data about an individual when only part of the personal data would be likely to prejudice those purposes.
In the above example about an ongoing investigation into possible tax evasion, HMRC would be entitled to refuse subject access to personal data which would be likely to prejudice their investigation. However, this would not justify a refusal to grant access to other personal data they hold about the taxpayer.
Personal data is also exempt from the non-disclosure provisions if:
- the disclosure is for any of the crime and taxation purposes; and
- applying those provisions in relation to the disclosure would be likely to prejudice any of the crime and taxation purposes.
The Act does not explain “likely to prejudice”. However, our view is that for these exemptions to apply, there would have to be a substantial chance (rather than a mere risk) that complying with the provision would noticeably damage one or more of the crime and taxation purposes.
The police ask an employer for the home address of one of its employees as they wish to find him urgently in connection with a criminal investigation. The employee is absent from work at the time. The employer had collected the employee’s personal data for its HR purposes, and disclosing it for another purpose would ordinarily breach the first and second data protection principles. However, applying those principles in this case would be likely to prejudice the criminal investigation. The employer may therefore disclose its employee’s home address without breaching the Act.
If challenged, you must be prepared to defend your decision to apply an exemption, to the ICO or the court. So we advise you to ensure that any such decisions are taken at an appropriately senior level in your organisation and that you document the reasons for the decision.
These exemptions do not require you to disclose personal data to the police or to other law enforcement agencies – they merely keep you within the Data Protection Act if you decide to disclose information in the circumstances in which the exemptions apply. We have published guidance about Releasing information to prevent or detect crime and Releasing information to a private investigator that give more advice on this.
Another limb of the crime and taxation exemption is that personal data which:
- is processed for the purpose of discharging statutory functions; and
- consists of information obtained for this purpose from someone who held it for any of the crime and taxation purposes
is exempt from the subject information provisions to the extent that applying those provisions to the personal data would be likely to prejudice any of the crime and taxation purposes. This prevents the subject information provisions applying to personal data which is passed to statutory review bodies by law enforcement agencies, and ensures that the exemption is not lost when the information is disclosed during a review.
The Independent Police Complaints Commission begins an investigation into the conduct of a particular police force. Documents passed to the IPCC for the purposes of the investigation contain personal data about Mr A which the police force would not have been obliged to disclose to Mr A in response to a subject access request – because doing so would be likely to prejudice its criminal investigation. If Mr A then makes a subject access request to the IPCC, he has no greater right of access to the personal data in question.
There is another exemption that is designed to prevent the Data Protection Act being used to force public authorities to disclose information about the operation of crime detection and anti-fraud systems, where such disclosure may undermine the operation of those systems.
Regulatory activity
The Act provides an exemption from the subject information provisions for processing personal data in connection with regulatory activities. The exemption is not available to all organisations, and it applies only to the core functions of bodies that perform public regulatory functions concerned with:
- protecting members of the public from dishonesty, malpractice, incompetence or seriously improper conduct, or in connection with health and safety;
- protecting charities; or
- fair competition in business.
For the exemption to apply, those functions must also be:
- conferred by or under an enactment;
- functions of the Crown, a Minister or government department; or
- any other public function exercised in the public interest.
So the exemption applies to public functions exercised by various watchdogs whose regulatory role is recognised by the public and the sector they oversee. Such regulators may be established by law or as a result of mutual agreement between the participants in their sector of business. However, the exemption does not apply to investigatory or complaint-handling functions that may benefit the public but which organisations undertake when investigating their own activities. Functions like complaint handling, which are subsidiary activities of most organisations, do not fall within the scope of the exemption.
There is no blanket exemption for regulatory activities – not even for the activities that fall within the scope of the exemption. This is because personal data that is processed to perform such activities is exempt from the subject information provisions only to the extent that applying those provisions would be likely to prejudice the proper performance of the activities.
We have produced detailed guidance on the application of the regulatory activity exemption: Regulatory Activity (Section 31).
Publicly available information
Where an organisation is obliged by or under an enactment to make information available to the public, personal data that is included in that information is exempt from:
- the subject information provisions;
- the non-disclosure provisions;
- the organisation’s duty to comply with the fourth data protection principle (accuracy); and
- an individual’s right in certain circumstances to have inaccurate personal information rectified, blocked, erased or destroyed.
The provisions mentioned in the third and fourth bullet points form part of the non-disclosure provisions. However, they are mentioned separately here because there is an automatic exemption in these circumstances. There is no need for the organisation to show that the provisions are inconsistent with the disclosure.
The Registrar of Companies is legally obliged to maintain a public register of certain information about companies, including the names and (subject to certain restrictions) addresses of company directors. A director complains that his name has been inaccurately recorded on the register. The Registrar is exempt from the director’s right under the Data Protection Act to have the inaccuracy corrected (the Registrar’s duties in relation to the register are governed by other legislation).
The exemption only applies to the information that the organisation is required to publish. If it holds additional personal data about the individuals, the additional data is not exempt even if the organisation publishes that data.
Disclosures required by law
Personal data is exempt from the non-disclosure provisions if you are required to disclose it:
- by or under any UK enactment;
- by any rule of common law; or
- by an order of a court or tribunal in any jurisdiction.
In these circumstances, the legal obligation overrides any objection the individuals may have.
An employer is legally required to disclose details of its employees’ pay to HMRC in the usual course of administering its PAYE arrangements. The employer may disclose this information irrespective of any objection which an employee may raise.
If you know that you are likely to be legally required to disclose certain kinds of personal data, it is good practice to tell individuals about this when you collect the information from them. This is because telling individuals about the legal requirement is compatible with the disclosure of personal data to comply with the requirement.
Legal advice and proceedings
Personal data is exempt from the non-disclosure provisions where the disclosure of the data is necessary:
- for or in connection with any legal proceedings (including prospective legal proceedings);
- for obtaining legal advice; or
- for establishing, exercising or defending legal rights.
You do not have to disclose personal data in response to a request from a third party simply because this exemption applies. You can choose whether or not to apply the exemption to make a disclosure, and you should do so only if you are satisfied that the disclosure falls within the scope of the exemption. In other words:
- it is necessary for one of the above purposes; and
- applying the non-disclosure provision would be inconsistent with the disclosure.
When faced with a request for disclosure, it can be difficult to decide whether the necessity test can be satisfied. You may also be reluctant to make a disclosure of personal data because of your relationship with the individual. In such circumstances you may decide not to comply with the request, unless obliged to do so under a court order.
Personal data is also exempt from the subject information provisions if it consists of information for which legal professional privilege (or its equivalent in Scotland) could be claimed in legal proceedings.
Confidential references
Personal data is exempt from an individual’s right of subject access if it comprises a confidential reference that an organisation gives (or is to give) in connection with education, training or employment, appointing office holders, or providing services. The exemption only applies to references you give, and not to references you receive.
Company A provides an employment reference for one of its employees to company B. If the employee makes a subject access request to company A, the reference will be exempt from disclosure. If the employee makes the request to company B, the reference is not automatically exempt from disclosure and the usual subject access rules apply.
Management forecasts
A further exemption applies to personal data that is processed for management forecasting or management planning. Such data is exempt from the subject information provisions to the extent that applying those provisions would be likely to prejudice the business or other activity of the organisation.
The senior management of an organisation is planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest in advance of an announcement of the management’s plans).
Negotiations
Personal data that consists of a record of your intentions in negotiations with an individual is exempt from the subject information provisions to the extent that applying those provisions would be likely to prejudice the negotiations.
An individual makes a claim to his insurance company. The claim is for compensation for personal injuries which he sustained in an accident. The insurance company dispute the seriousness of the injuries and the amount of compensation they should pay. An internal paper sets out the company’s position on these matters and indicates the maximum sum they would be willing to pay to avoid the claim going to court. If the individual makes a subject access request to the insurance company, they would not have to send him the internal paper – because doing so would be likely to prejudice the negotiations to settle the claim.
Domestic purposes
The most comprehensive exemption applies when personal data is processed by a data controller who is an individual (not an organisation) only for the purposes of their personal, family or household affairs.
An individual keeps a database of their friends’ and relatives’ names, addresses and dates of birth on their PC. They use the database for keeping track of birthdays and to produce address labels for Christmas cards. The domestic purposes exemption applies to this type of processing.
An individual records the highlights of their summer holiday on a digital camcorder. The recording includes images of people they meet on holiday. Although those digital images are personal data, the domestic purposes exemption applies.
None of the data protection principles apply in these circumstances, nor do any of the rights which the Act gives to data subjects. There is also no need to notify the ICO about processing for these purposes.
So there is an almost total exemption from the Data Protection Act for individuals who just use personal data for their own domestic and recreational purposes. However, the Act still applies to the extent that the ICO may investigate if someone seems to have gone beyond the scope of the exemption, and we may take enforcement action where necessary.
Further guidance about when this exemption may apply to information posted on social networking sites or other online forums can be found in our guidance Social networking and online forums – when does the DPA apply?
Are there any further exemptions?
Yes. Exemptions are also available in relation to:
- national security and the armed forces;
- personal data that is processed only for journalistic, literary or artistic purposes;
- personal data that is processed only for research, statistical or historical purposes;
- personal data relating to an individual’s physical or mental health. This applies only in certain circumstances and only if granting subject access would be likely to cause serious harm to the physical or mental health of the individual or someone else;
- personal data that consists of educational records or relates to social work;
- personal data relating to human fertilisation and embryology, adoption records and reports, statements of a child’s special educational needs and parental order records and reports;
- personal data processed for, or in connection with, a corporate finance service involving price-sensitive information;
- examination marks and personal data contained in examination scripts; and
- personal data processed for the purposes of making judicial, Crown, or Ministerial appointments or for conferring honours.