The UK's Data Protection Act 1998 requires all data controllers to register with the Information Commissioner, unless exemptions apply. Confused? Read on...
It is a statutory requirement for all data controllers to submit details of their information related activities (a process known as notification) to the Information Commissioner's Data Protection Register, unless they meet certain exemption criteria. Data controllers are people (individuals, partnerships or companies) who make decisions about what and how personal information should be processed. Notification largely applies to information stored in electronic form, but organisations can volunteer to register their manually stored information too should they wish.

The Data Protection Register is a publicly accessible record of the organisations and individuals who hold personal information about people as well as a description of the types and purposes of that information in generic terms. The Register provides clarity to the public about how their personal information is used, a principle which underlies the whole of the Data Protection Act 1998 (DPA). Failure to notify is a criminal offence.

The Notification Process

Notification can happen in various ways. The Information Commissioner’s Office operates a telephone helpline and can help data controllers determine the typical types and purposes of information that they deal with based on the type of organisation they work in. For those who are more certain about their information usage, online notification may prove an easy and convenient alternative. Or indeed paper notification is still possible; complete a ‘request for notification form’ which is available via the Information Commissioner’s website.

The first part of the notification form requires information about the data controller’s organisation including company registration information, contact details and general descriptions of the types and purposes of the personal information the organisation processes. Purposes might include education, consultancy and advisory services, or credit referencing, depending on the nature of the organisation.
The form also requires a description of the groups of people, or data subjects, about whom the organisation holds personal information, e.g. employees, students, patients, etc., and the groups of people to whom the information can be passed (data recipients), e.g. government organisations, examining bodies. Organisations must also provide details about what classes of data are held. Further purposes can be specified on the entry which must be kept up to date, even after submission, and in any case renewed annually. The annual fee is currently £35.

There are two types of personal information. Most is non-sensitive, but some can be of a more intimate nature and is classed as sensitive, such as political opinions, physical health records or religious beliefs. Sensitive information processing must be expressly specified on the form.

The second part of the form relates to information security. Data controllers must demonstrate that they have taken measures to protect the information they process, including staff training, controlling access to the information, and having procedures in place in case of a breach of security.

Exemptions from Notification

In some cases notification is not necessary. Organisations who think they may be exempt should seek clarification from the Information Commissioner’s Office and use the self-assessment guide available on its website. However, some categories where exemptions are possible include:
(Information Commissioner’s Office)

For further information visit the Information Commissioner’s website, or look for a data protection training course in your area. Readers may also like to learn more about dealing with subject access requests.

(Please note that this article does not constitute legal advice. Wherever possible it is advisable to take a data protection training course or seek specialist guidance from legally trained professionals.)
The copyright of the article Data Protection: Notification in Small/Home Business is owned by Lisa Sutlieff. Permission to republish Data Protection: Notification in print or online must be granted by the author in writing.