• Find us on:

Information that is excluded from the Data Protection Act


News

Morrisons Supermarkets are breathing a sigh of relief since the Supreme Court ruling that they are not vicariously liable for a deliberate data breach by a disgruntled ex-employee which exposed personal data of almost 100,000 of its employees.  Vicarious liability is when an employer is held responsible for something done by an employee in the course of their employment. In WM Morrison Supermarkets plc v Various Claimants [2020] the Supreme Court considered the circumstances in which an employer is vicariously liable for the conduct of its employees and whether the Data Protection Act 1998 (DPA 1998) excluded vicarious liability for such  claims…..Read more

Excluded Information

Certain types of information are exempt from the Data Protection Act 1998. These exemptions can be found at sections 27-29 and Schedule 7. The most important are listed as follows; 

Data processed for the purposes of national securitySection 28 

Personal data is exempt;

Section 35 

Personal data used by a person for domestic purposes.

Section 36 
If providing information would prejudice proceedings, a data controller does not have to respond to subject access requests where;

  • the data is processed for the prevention or detection of crime
  • apprehension or prosecution of offenders
  • assessment or collection of tax
Section 29 
A data controller does not have to respond to subject access requests if the data is processed for the purposes of discharging regulatory functions.Section 31 
A data controller does not have to respond to subject access requests where personal data is processed only for ‘special purposes’, (journalism, literature and art).Section 32 
A data controller does not have to respond to subject access requests if the data is processed only for research purposes.

 

Section 33 
A data controller does not have to respond to subject access requests if the data is information that is already in the public domain.

 

Section 34 
Confidential references provided by the employer in confidence for the purposes of an individual’s education, training or employment or the provision of a service by them.

 

Schedule 7, paragraph 1 
Management forecasting or management planning where access would be likely to prejudice the conduct of that business or other activity.

 

Schedule 7, paragraph 5 
Data comprising the intentions of the data controller in relation to any negotiations with the individual making the request where such access would be likely to prejudice those negotiations.

 

 Schedule 7, paragraph 7 
Data consisting of information over which legal professional privilege could be maintained in legal proceedings.Schedule 7, paragraph 10 

Updated: 07/04/2020


DISCLAIMER

The information and content on this website is provided for general information purposes only and is not intended to constitute legal or other professional advice. Legal information or content on this website relates only to the laws of England and Wales. You should not take any actions based on information found on this website without first seeking appropriate legal advice with respect to your specific matter. No representations or warranties are made about the suitability, currentness, comprehensiveness and/or accuracy of the information and other content contained on this website. It should be noted that legal information and content can rapidly become out of date and we give no undertaking to keep this website up to date. All liability for any loss or damage of any kind which may be suffered as a result of accessing and using the information and/or content of this website is hereby excluded to the full extent permitted by law.