The Data Protection legislation sets-out and protects the rights of living individuals in respect of their Personal Data.
The guidance in this section is designed to indicate whether your business may have to make a Notification to the Information Commissioner. It also draws your attention to the 8 Data Protection Principles.
If your business is a ‘Data Controller’ it must comply with the 8 Data Protection Principles in respect of the Personal Data it processes.
Most Data Controllers are also obliged to make a ‘Notification’ to the Information Commissioner.
A Data Controller is a person who determines the purposes for which and the manner in which Personal Data are, or are to be, processed.
A company can be a Data Controller, as can an individual, organisation, partnership and an unincorporated body of persons. If you run your business through a company then the company is most likely to be the Data Controller rather than the directors or any other person.
A Data Controller must comply with the 8 Data Protection Principles in relation to the Personal Data it controls.
If two persons acting together, or multiple persons acting in common, determine the purpose and manner in which Personal Data are to be processed then all of those persons are Data Controllers.
If a person processes data on behalf of a Data Controller (other than the employees of that Data Controller) then that person is a ‘Data Processor’. There is no requirement for Data Processors to make a Notification. Data Controllers retain full responsibility for the actions of their Data Processors.
The definition of Data covers both data stored electronically and ‘manual’ data such as information stored in card indexes and paper files.
Personal Data is information relating to a living individual from which that individual can be identified.
Identification can be either from the data itself or from the data in combination with other information which is in the possession, or likely to come within the possession, of the Data Controller.
Data relating to non-individuals, for example companies, is not Personal Data and is therefore not subject to the Data Protection rules
However, data relating to an individual in a business capacity is Personal Data, for example an employee’s appraisal report.
The definition of ‘processing’ data is extremely wide. Even if you are merely holding Personal Data you are deemed to be processing it.
Any action that a person carries-out which involves Personal Data falls within the definition of ‘processing’.
Processing includes, holding, obtaining, recording, organising, altering, adapting, retrieving, consulting, using, disclosure, aligning, combining, blocking, erasing or destroying data.
The Data Protection Principles are also known as the principles of ‘good data handling’.
Data Controllers must comply with these 8 principles in respect of the Personal Data they control.
Data Controllers are obliged to notify the Information Commissioner of certain details about the Personal Data they process.
The Information Commissioner then uses that information to make an entry on the public register describing in general terms the type of data processing that the Data Controller undertakes. The general public have a right to consult the public register and to obtain a copy of individual Notifications.
We recommend that you complete the Notification Form online.
Click here for more details.
Once you have completed the form you will need to print it out and send it to the Information Commissioner with the Notification fee. The Information Commissioner’s address is shown on the form.
A fee of £35 is payable to the Information Commissioner on Notification. The Notification must be renewed each year, so the fee is £35 per year.
The Commissioner charges £2 for a copy of a Notification that appears on the public register.
If any of the information contained in a Notification made by a Data Controller changes or becomes incomplete, for example if the Data Controller decides to process new types of Personal Data, then a new notification must be submitted within 28 days of the current Notification becoming inaccurate or incomplete.
Failure to notify a change is a criminal offence.
It is a criminal offence (punishable by a fine) to process data without making a Notification, unless one of the exemptions set out below apply.
It is also a criminal offence (punishable by a fine) to fail to notify the Commissioner of any changes to the information contained in your Notification.
Where the Data Controller is a body corporate the directors, managers and company secretary can also be made liable.
If your business ONLY processes Personal Data which falls within one of the exemptions set out below then it does not have to make a Notification.
However, please note that businesses exempt from making a Notification still have to adhere to the 8 Data Protection Principles when processing Personal Data.
In other words, exemption from Notification does not mean exemption from compliance with the 8 Data Protection Principles.
Before looking through the exemptions please note that if you process data for one of the following purposes you will have to make a Notification even if you fall within one of the exemptions.
Please note that if you do not process data for any of the following purposes that does not mean that you are exempt from making a Notification.
If your business does not store (or intend to store) any Personal Data on a computer or on any other form of data processing equipment then you do not need to make a Notification to the Information Commissioner.
However, be aware that the definition of a computer is quite wide, for example telephone logging equipment, CCTV recording systems and machines for retrieving paper records are all deemed to be computers for this purpose.
Traditional paper files stored in a filing cabinet, and cards stored in a rollerdex are examples of manual filing systems.
Personal Data processed in relation to the appointment and dismissal of staff, pay, discipline, work management and other personnel matters.
Personal Data processed for the purpose of advertising or marketing your business, goods and services and related PR. For example your customer and supplier lists.
Please note that if you obtain personal information from a third party for the purpose of advertising or marketing your business then you will not be able to rely on this exemption.
Personal Data processed for the purpose of keeping accounting records in relation to your own business, including information about customers and suppliers.
This exemption does not apply in relation to Personal Data processed by or obtained from a credit reference agency.
This exemption only applies to certain types of Personal Data processing, such as maintaining a list of members or supporters of a charitable / not for profit organisation.
Personal Data processed for the purpose of maintaining a published public register. For example the public telephone directory.
Processing Data for personal, family and household affairs is exempt. For example an electronic telephone book listing your friends constitutes processing Personal Data, but you don’t have to make a Notification.
This exemption only applies to individuals (ie not businesses) and does not apply to Personal Data held for business or professional purposes.
An individual who falls within this exemption does not need to comply with the 8 Data Protection Principles in respect of the Personal Data he processes for domestic purposes.
