In brief – are there any exemptions from the Data Protection Act?
The rights and duties set out in the Data Protection Act are designed to apply generally, but there are some exemptions from the Act to accommodate special circumstances. The exemptions tend to use complex language and, while this chapter has tried to clarify matters, it has had to use some of the same language so as not to mislead.
If an exemption applies, then (depending on the circumstances) you will be exempt from the requirement:
- to register with the ICO (to “notify”); and/or
- to grant subject access to personal data; and/or
- to give privacy notices; and/or
- not to disclose personal data to third parties.
Entitlement to an exemption depends in part on your purpose for processing the personal data in question – for example, there is an exemption from some of the Act’s requirements about disclosure and non-disclosure that applies to processing personal data for purposes relating to criminal justice and taxation. However, you must consider each exemption on a case-by-case basis because the exemptions only permit you to depart from the Act’s general requirements to the minimum extent necessary to protect the particular functions or activities the exemptions concern.
In more detail…
- What are the exemptions from notification?
- What about exemptions from subject access?
- Disclosure and non-disclosure – how do the exemptions work?
- Disclosure and non-disclosure – when do the exemptions apply?
- Are there any further exemptions?
Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:
- organisations that process personal data only for:
  - staff administration (including payroll);
  - advertising, marketing and public relations (in connection with their own business activity); and
  - accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer.
Organisations and individuals can use our online self-assessment tool to check whether they need to register with (“notify”) the ICO.
We explain in the section of this guidance on subject access requests that an individual has the right to make a request in relation to personal data you hold about them. Several of the exemptions mentioned in the rest of this chapter mean that you do not have to grant subject access in respect of personal data to which the exemption applies.
Also, certain restrictions (similar to exemptions) are built into the Act’s subject access provisions. For example, there are restrictions on the disclosure of personal data about more than one individual in response to a subject access request.
Different exemptions work in different ways. An exemption may:
- restrict certain rights of individuals in relation to the processing of their personal data; and/or
- limit the duties of organisations when processing that data.
The rights and duties that are affected by one exemption are not necessarily affected by others. So you should look at each exemption carefully to see what effect it has. However, the Act bundles several rights and duties into two groups, and the exemptions tend to work by “disapplying” (blocking) one or both of these groups. The two groups are called the “subject information provisions” and the “non-disclosure provisions”.
The subject information provisions are:
- an organisation’s duty to provide individuals with a privacy notice when their personal data is collected (see Processing personal data fairly and lawfully); and
- an individual’s right to make a subject access request.
The non-disclosure provisions are:
- an organisation’s duty to comply with the first data protection principle, but not including the duty to satisfy one or more of the conditions for processing (see Processing personal data fairly and lawfully) – you must still do this;
- an organisation’s duty to comply with the second, third, fourth and fifth data protection principles;
- an individual’s right to object to processing that is likely to cause or is causing damage or distress; and
- an individual’s right in certain circumstances to have inaccurate personal information rectified, blocked, erased or destroyed.
An exemption from “the non-disclosure provisions” – which would, for example, allow you to disclose personal data that would otherwise be protected from disclosure – is not an automatic exemption from all (or any) of those provisions. This is because an exemption only applies to the extent that the provisions are inconsistent with the disclosure in question. So if you think you may be exempted from any of the non-disclosure provisions, you should consider each of those provisions in turn and decide:
- which, if any, would be inconsistent with the disclosure in question; and
- the extent of the inconsistency.
Several specific exemptions are set out in Part 4 of, and Schedule 7 to, the Data Protection Act. There are other exemptions in regulations made under the Act. The following are some of the exemptions that often apply.
The Act recognises that it is sometimes appropriate to disclose personal data for certain purposes to do with criminal justice or the taxation system. In these cases, individuals’ rights may occasionally need to be restricted.
In particular, the Act deals with several situations in which personal data is processed for the following “crime and taxation purposes”:
- the prevention or detection of crime;
- the capture or prosecution of offenders; and
- the assessment or collection of tax or duty.
Personal data processed for any of these purposes is exempt from:
- an organisation’s duty to comply with the first data protection principle, but not including the duty to satisfy one or more of the conditions for processing – you must still do this; and
- an individual’s right to make a subject access request.
The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing his personal data for this purpose would be likely to prejudice the investigation (perhaps because he might abscond or destroy evidence) then the police do not need to do so.
However, the exemption applies, in any particular case, only to the extent that applying those provisions would be likely to prejudice the crime and taxation purposes. You need to judge whether or not this effect is likely in each case – you should not use the exemption to justify withholding subject access to whole categories of personal data if for some individuals the crime and taxation purposes are unlikely to be prejudiced.
A taxpayer makes a subject access request to HMRC for personal data they hold about him in relation to an ongoing investigation into possible tax evasion. If disclosing the information which HMRC have collected about the taxpayer would be likely to prejudice their investigation (because it would make it difficult for them to collect evidence, for example), HMRC could refuse to grant subject access to the extent that doing so would be likely to prejudice their investigation.
If, however, the taxpayer does not make the subject access request until some years later when the investigation (and any subsequent prosecution) has been completed, it is unlikely that complying with the request would prejudice the crime and taxation purposes – in which case HMRC would need to comply with it.
Nor would the exemption justify withholding all the personal data about an individual when only part of the personal data would be likely to prejudice those purposes.
In the above example about an ongoing investigation into possible tax evasion, HMRC would be entitled to refuse subject access to personal data which would be likely to prejudice their investigation. However, this would not justify a refusal to grant access to other personal data they hold about the taxpayer.
Personal data is also exempt from the non-disclosure provisions if:
- the disclosure is for any of the crime and taxation purposes; and
- applying those provisions in relation to the disclosure would be likely to prejudice any of the crime and taxation purposes.
The Act does not explain “likely to prejudice”. However, our view is that for these exemptions to apply, there would have to be a substantial chance (rather than a mere risk) that complying with the provision would noticeably damage one or more of the crime and taxation purposes.
The police ask an employer for the home address of one of its employees as they wish to find him urgently in connection with a criminal investigation. The employee is absent from work at the time. The employer had collected the employee’s personal data for its HR purposes, and disclosing it for another purpose would ordinarily breach the first and second data protection principles. However, applying those principles in this case would be likely to prejudice the criminal investigation. The employer may therefore disclose its employee’s home address without breaching the Act.
If challenged, you must be prepared to defend your decision to apply an exemption, to the ICO or the court. So we advise you to ensure that any such decisions are taken at an appropriately senior level in your organisation and that you document the reasons for the decision.
These exemptions do not require you to disclose personal data to the police or to other law enforcement agencies – they merely keep you within the Data Protection Act if you decide to disclose information in the circumstances in which the exemptions apply. We have published guidance about Using the crime and taxation exemptions (pdf) and Releasing information to a private investigator (pdf) that give more advice on this.
Another limb of the crime and taxation exemption is that personal data which:
- is processed for the purpose of discharging statutory functions; and
- consists of information obtained for this purpose from someone who held it for any of the crime and taxation purposes
is exempt from the subject information provisions to the extent that applying those provisions to the personal data would be likely to prejudice any of the crime and taxation purposes. This prevents the subject information provisions applying to personal data which is passed to statutory review bodies by law enforcement agencies, and ensures that the exemption is not lost when the information is disclosed during a review.
The Independent Police Complaints Commission (IPCC) begins an investigation into the conduct of a particular police force. Documents passed to the IPCC for the purposes of the investigation contain personal data about Mr A which the police force would not have been obliged to disclose to Mr A in response to a subject access request – because doing so would be likely to prejudice its criminal investigation. If Mr A then makes a subject access request to the IPCC, he has no greater right of access to the personal data in question.
There is another exemption that is designed to prevent the Data Protection Act being used to force public authorities to disclose information about the operation of crime detection and anti-fraud systems, where such disclosure might undermine the operation of those systems.
The Act provides an exemption from the subject information provisions for processing personal data in connection with regulatory activities. The exemption is not available to all organisations, and it applies only to the core functions of bodies that perform public regulatory functions concerned with:
- protecting members of the public from dishonesty, malpractice, incompetence or seriously improper conduct, or in connection with health and safety;
- protecting charities; or
- fair competition in business.
For the exemption to apply, those functions must also be:
- conferred by or under an enactment;
- functions of the Crown, a Minister or government department; or
- any other public function exercised in the public interest.
So the exemption applies to public functions exercised by various watchdogs whose regulatory role is recognised by the public and the sector they oversee. Such regulators may be established by law or as a result of mutual agreement between the participants in their sector of business. However, the exemption does not apply to investigatory or complaint-handling functions that may benefit the public but which organisations undertake when investigating their own activities. Functions like complaint handling, which are subsidiary activities of most organisations, do not fall within the scope of the exemption.
There is no blanket exemption for regulatory activities – not even for the activities that fall within the scope of the exemption. This is because personal data that is processed to perform such activities is exempt from the subject information provisions only to the extent that applying those provisions would be likely to prejudice the proper performance of the activities.
We have produced detailed guidance on the application of the regulatory activity exemption: