Non-disclosure exemptions under the DPA 1998 [Archived]
Non-disclosure exemptions under the DPA 1998 [Archived]

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Non-disclosure exemptions under the DPA 1998 [Archived]
  • Disclosures required by law
  • Crime and taxation exemption
  • Journalism, literature and art exemption
  • Publicly available information exemption

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.

The DPA 1998 requires that data controllers process personal data in accordance with the eight data protection principles (see Practice Note: Data protection principles under the DPA 1998). In addition, a data controller must not disclose personal data to third parties contrary to the non-disclosure provisions set out in section 27(3) DPA 1998, which include:

  1. the first data protection principle (fair and lawful processing), except for the requirement to satisfy one or more of the conditions for processing (DPA 1998, Sch 2 and 3)

  2. the second (purposes), third (adequacy), fourth (accuracy) and fifth (retention) data protection principles

  3. an individual's right under section 10 DPA 1998 to prevent processing likely to cause damage or distress

  4. an individual's right under section 14 DPA 1998 to have incorrect personal data rectified, blocked, erased or destroyed

There are, however, exemptions from these non-disclosure obligations. The exemptions do not impose an obligation on data controllers to disclose personal data, but they