What does the Data Protection legislation do?
The Data Protection legislation sets-out and protects the rights of living individuals in respect of their Personal Data.
What is this guidance for?
The guidance in this section is designed to indicate whether your business may have to make a Notification to the Information Commissioner. It also draws your attention to the 8 Data Protection Principles.
What does my business have to do?
If your business is a 'Data Controller' it must comply with the 8 Data Protection Principles in respect of the Personal Data it processes.
Most Data Controllers are also obliged to make a 'Notification' to the Information Commissioner.
What is a Data Controller?
A Data Controller is a person who determines the purposes for which and the manner in which Personal Data are, or are to be, processed.
A company can be a Data Controller, as can an individual, organisation, partnership and an unincorporated body of persons. If you run your business through a company then the company is most likely to be the Data Controller rather than the directors or any other person.
A Data Controller must comply with the 8 Data Protection Principles in relation to the Personal Data it controls.
If two persons acting together, or multiple persons acting in common, determine the purpose and manner in which Personal Data are to be processed then all of those persons are Data Controllers.
If a person processes data on behalf of a Data Controller (other than the employees of that Data Controller) then that person is a 'Data Processor'. There is no requirement for Data Processors to make a Notification. Data Controllers retain full responsibility for the actions of their Data Processors.
What is Data?
Data is, broadly, information stored with the intention of being automatically processed or stored in such a way so that specific information relating to particular individuals is readily accessible.
The definition of Data covers both data stored electronically and 'manual' data such as information stored in card indexes and paper files.
What is Personal Data?
Personal Data is information relating to a living individual from which that individual can be identified.
Identification can be either from the data itself or from the data in combination with other information which is in the possession, or likely to come within the possession, of the Data Controller.
Data relating to non-individuals, for example companies, is not Personal Data and is therefore not subject to the Data Protection rules
However, data relating to an individual in a business capacity is Personal Data, for example an employee's appraisal report.
What is 'Processing' Data?
The definition of 'processing' data is extremely wide. Even if you are merely holding Personal Data you are deemed to be processing it.
Any action that a person carries-out which involves Personal Data falls within the definition of 'processing'.
Processing includes, holding, obtaining, recording, organising, altering, adapting, retrieving, consulting, using, disclosure, aligning, combining, blocking, erasing or destroying data.
What are the 8 Data Protection Principles?
The Data Protection Principles are also known as the principles of 'good data handling'.
Personal Data must be:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Not kept longer than necessary.
- Processed in accordance with the data subject's rights.
- Not transferred to countries outside the European Economic Area without adequate protection.
Data Controllers must comply with these 8 principles in respect of the Personal Data they control.
What is Notification?
Data Controllers are obliged to notify the Information Commissioner of certain details about the Personal Data they process.
The Information Commissioner then uses that information to make an entry on the public register describing in general terms the type of data processing that the Data Controller undertakes. The general public have a right to consult the public register and to obtain a copy of individual Notifications.
How do I Notify the Information Commissioner?
We recommend that you complete the Notification Form online.
Click here to view the form.
Once you have completed the form you will need to print it out and send it to the Information Commissioner with the Notification fee. The Information Commissioner's address is shown on the form.
How much does Notification cost?
A fee of £35 is payable to the Information Commissioner on Notification. The Notification must be renewed each year, so the fee is £35 per year.
The Commissioner charges £2 for a copy of a Notification that appears on the public register.
Changes to your Notification
If any of the information contained in a Notification made by a Data Controller changes or becomes incomplete, for example if the Data Controller decides to process new types of Personal Data, then a new notification must be submitted within 28 days of the current Notification becoming inaccurate or incomplete.
Failure to notify a change is a criminal offence.
What if I don't make a Notification?
It is a criminal offence (punishable by a fine) to process data without making a Notification, unless one of the exemptions set out below apply.
It is also a criminal offence (punishable by a fine) to fail to notify the Commissioner of any changes to the information contained in your Notification.
Where the Data Controller is a body corporate the directors, managers and company secretary can also be made liable.
Exemptions from Notification
About the exemptions
If your business ONLY processes Personal Data which falls within one of the exemptions set out below then it does not have to make a Notification.
However, please note that businesses exempt from making a Notification still have to adhere to the 8 Data Protection Principles when processing Personal Data.
In other words, exemption from Notification does not mean exemption from compliance with the 8 Data Protection Principles.
Before looking through the exemptions please note that if you process data for one of the following purposes you will have to make a Notification even if you fall within one of the exemptions.
Please note that if you do not process data for any of the following purposes that does not mean that you are exempt from making a Notification.
- Accountancy / Auditing
- Administration of Justice and Legal Services
- Canvassing Political Support amongst the electorate
- Constituency Casework
- Credit Referencing
- Crime Prevention and Prosecution of Offenders (including the use of CCTV for this purpose)
- Debt Administration and Factoring
- Health Administration and Provision of Health Services
- Mortgage / Insurance Broking / Insurance Administration
- Pastoral Care
- Private Investigation
- Provision of Financial Services and Advice
- Trading and Sharing Personal Information
- Pensions Administration
- Processing Personal Data obtained from a credit reference agency
Exemption - Manual Filing Systems
If your business does not store (or intend to store) any Personal Data on a computer or on any other form of data processing equipment then you do not need to make a Notification to the Information Commissioner.
However, be aware that the definition of a computer is quite wide, for example telephone logging equipment, CCTV recording systems and machines for retrieving paper records are all deemed to be computers for this purpose.
Traditional paper files stored in a filing cabinet, and cards stored in a rollerdex are examples of manual filing systems.
Exemption - Staff Administration (including Payroll)
Personal Data processed in relation to the appointment and dismissal of staff, pay, discipline, work management and other personnel matters.
Exemption - Advertising, Marketing and Public Relations (for your own business)
Personal Data processed for the purpose of advertising or marketing your business, goods and services and related PR. For example your customer and supplier lists.
Please note that if you obtain personal information from a third party for the purpose of advertising or marketing your business then you will not be able to rely on this exemption.
Exemption - Accounts and Record Keeping
Personal Data processed for the purpose of keeping accounting records in relation to your own business, including information about customers and suppliers.
This exemption does not apply in relation to Personal Data processed by or obtained from a credit reference agency.
Exemption - Charities and other not for profit organisations
This exemption only applies to certain types of Personal Data processing, such as maintaining a list of members or supporters of a charitable / not for profit organisation.
Exemption - Maintaining a Public Register
Personal Data processed for the purpose of maintaining a published public register. For example the public telephone directory.
Exemption - Domestic Purposes
Processing Data for personal, family and household affairs is exempt. For example an electronic telephone book listing your friends constitutes processing Personal Data, but you don't have to make a Notification.
This exemption only applies to individuals (ie not businesses) and does not apply to Personal Data held for business or professional purposes.
An individual who falls within this exemption does not need to comply with the 8 Data Protection Principles in respect of the Personal Data he processes for domestic purposes.