Section 10 of the DPA 1998
Here we have a piece of legislation that’s very often misunderstood. This is what the legislation says:
10 Right to prevent processing likely to cause damage or distress.
(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
Data Protection Act 1998
This is what the ICO says:
In brief – what does the Data Protection Act say about objecting to processing?
The Act refers to the “right to prevent processing”. Although this may give the impression that an individual can simply demand that an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited. An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.
So, in certain limited circumstances, you must comply with such a requirement. In other circumstances, you must only explain to the individual why you do not have to do so.
Information Commissioner
Note the text highlighted above. Also note the word LIMITED. Section 10 is not an open door for everyone to command others to stop processing their data, nor does issuing a notice under that section guarantee compliance. Now let’s look at the definition of “damage or distress”:
What is meant by “damage or distress”?
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
Information Commissioner
- substantial damage would be financial loss or physical harm; and
- substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
Note that distress goes beyond annoyance and irritation. In other words, it’s not enough merely to be unhappy with the data being processed.
It is also important to establish what is personal data. An opinion or commentary is not “data”; saying that someone is unqualified, misunderstands legislation or gives wrong advice is not “personal data”. Nor is quoting what that person has said, written or posted, unless its his own personal details (for example, his name, address, date of birth and NI number).
In some cases, personal data is already in the public domain. This is often the result of actions taken by the data subject himself. For example, registering a limited company and becoming a director will result in the director’s personal details (name, address, date of birth, nationality and other directorships) being available from Companies House and other websites that draw company data. Legal action can also result in some details being made publicly available, for example, in connection with a judgment, order or decision.
The Data Protection Act was drafted in order to protect individuals’ rights to respect to private life amongst other things. This means an INDIVIDUAL can serve a section 10 notice, a business cannot. It’s not unusual for an individual to engage in business, in which case, the data in question may well refer to the individual’s business as well as his business practices. These are not covered by rights to privacy. People have a right to know how other people conduct their business, particularly if these people give advice or charge for their services.
Finally, there is also the requirement for the damage or distress to be unwarranted. The ICO states:
The Act recognises that organisations may have legitimate reasons for keeping records about people which may have a “negative” effect on them. For example, the information you hold may lead to their arrest, to their being made to pay child maintenance, or to their being required to buy a TV licence. The Act does not give individuals the right to prevent this. Even where damage or distress has been caused, the Act limits the right to prevent processing to cases where the effects are unwarranted.
Information Commissioner
It should also be noted that section 10 of the DPA applies to DATA CONTROLLERS, defined by the ICO as follows:
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Note that not everyone is a data controller. Although the ICO states that data controllers can be individuals or organisations, its main concern is with organisations that process other people’s data. The reference to individuals would be to people working as sole traders, freelancers, consultants, etc., in which case they are “the organisation”.
Breaches
Section 10 also says:
(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
Data Protection Act 1998
Note that the court MAY order someone to comply with a section 10 notice. This is obviously once the court has had the opportunity to look at the evidence, which is not quite the same as making an emergency application for an interim injunction.
Leave a Reply
12 Comments on "Section 10 of the DPA 1998"
S10 principle 6
Schedule12 posted:
Was that the document that was not supposed to be used for any purpose other than that specified on the order itself? The one you went and published on the silly “fishy” site you resurrected?
How could any “client” of yours have any trust in you when you breach not only the DPA but also a court order by revealing confidential personal information to third parties?
Really? You must, once more, have disclosed a great deal of privileged information provided to you via a court order for anyone to have carried out such research.
You have a serious problem in your hands, Jason, with all the data breaches and breaches of court orders. No wonder you had to decamp to the Philippines.
This is very serious, personal information obtained by forcing disclosure through a court order can only be used in the course of the proceeding the information was obtained for and nothing else. Passing this information on to an unrelated third party such as a client of yours is contempt of court, and publishing it is even more serious.
The courts take Contempt very seriously and tend to impose custodial sentences to deter others from doing the same.
Jason, thanks for the info, mate now we know why you went all the way to the Philippines!
Excellent introduction Admin.
Enforcement on data breaches are usually down to the ICO, if there is no action after a complaint has been investigated and a decision made, then surely that is that.
Any action after that would be one for damages, but without that initial confirmation regarding the cause of action, I don’t see how a individuals complaint can be successful.
Misinterpreting or lying about the outcome of a complaint in order to start a damages claim is a very foolish path to follow.
Furthermore, he would have to show that the breach of the DPA was the cause of the losses and evidence those losses. If people decided not to use his business services after reading that his advice was wrong, that could hardly fall under the DPA, and he’d still have to prove his losses as well. There is more chance of seeing a flock of flying pigs than of him winning such a case.
An excellent introduction indeed from Admin regarding yet another subject that Jason Bennison really struggles to understand.
Is there anything he doesn’t struggle to understand?
So what about all the times Jason and his lapdogs have posted up people’s names, address, pictures of their homes, etc. on BHF? Wasn’t he breaching the DPA? As we know from this other thread, he is the data controller, as BHF is a trading style of xlaw ltd. http://bailiffhelpforumarewrongagain.com/jason-bennisons-legal-pretences/
At one time, he would deny being the owner of the Bailiff Help Forum. That is now a thing of the past.
Since evidence was forthcoming of his Dispute Resolution complaint to Identity Protect Ltd under the name of Bailiff Help Forum, and his separate application for an injunction against Nominet Ltd under his own name of Jason Bennison, he cannot any longer deny being the owner of the Bailiff Help Forum and accordingly, whether he likes it or not…..HE is the DATA CONTROLLER of that forum. Accordingly, he will be receiving correspondence very shortly.
He is also the domain registrant so, as far as Nominet were concerned, he didn’t have to prove ownership. He started denying owning the forum to play silly buggers after “doorstepping” David Lindley. Bennison and Lindley entered into an “agreement” not to post about each other, but this didn’t include Jason’s pets Mark and Pote. Mark kept making horrendous, abusive posts against Lindley and, when Lindley contacted Jason to say he’d breach the agreement, Jason said: “not me, I’m not posting anything about you.”
He said he had no admin permissions to remove anything and argued that Amy was the one. Obviously Amy couldn’t issue an injunction against Nominet, which is just as well…
No offence meant but at least one thing has come out of this but it was a great shame you suffered more than most.
All of his bluster about tracing IP addresses or getting information from ISPs and having accounts restricted was just that – bluster. He has made a laughing stock of himself, his cohorts, his methods & his websites. I fondly remember the horror there was over the answer he got when I answered the phone to him, pity more had not done the same. He obviously thought he was the Big I Am whereas in fact the allegation about him runs parallel with his small appendage.