Privacy & Data Protection

 


 

The Ultimate Guide to the Data Protection Act 1998

Part II

 

This article examines the notification system and its exemptions

The starting point for any discussion on the system of notification set up under the 1998 Act must be that it is generally a criminal offence to process personal data unless there is a relevant entry on the register of data controllers.  The register entry must reflect both the fact of processing and also list the types of processing undertaken by the registrant data controller (for definitions of 'processing', 'personal data' and 'data controller' see the Ultimate Guide Part I).

The register is held and maintained by the Office of the Information Commissioner (OIC), located in Wilmslow, Cheshire, United Kingdom.  The register is a public document and can be inspected at the OIC's premises or online at www.dpr.gov.uk.  A search of the register will reveal the name of the registrant, registration number, date of expiry of current registration and the types of processing registered as undertaken by that data controller.

This article considers the notification process in detail, including whether any particular data controller should notify its processing activities, the penalties for failing to notify and the exemptions from the notification requirement.

 

The Need to Notify

The obligation to notify arises out of section 17 of the Data Protection Act 1998, which provides that:

"…personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner…"

The requirement to have a register entry prior to carrying out personal data processing first arose under the Data Protection Act 1984.  The premise behind the system is transparency, i.e. that individuals should be able to inspect a publicly available register to determine who is processing personal data and the reasons that they are doing so.

Certain types of processing are exempt from the need to notify - see below.  But it is most important for data controllers to realise that the Data Protection Principles (contained in Schedule 1 to the Act) apply to all processing, even if such processing is exempt from the notification requirement.  This means that the OIC can take action against data controllers for breaching one or more Principles as a result of processing that was not required to be notified.

 

How to Notify

Notification can be undertaken either online at www.dpr.gov.uk or by telephone on +44 (0)1625 545 700.  In each case the data controller will be asked for certain information - see below.

The data controller will then be sent a copy of the draft register entry and given an opportunity to amend it before it becomes available for public inspection.  Data controllers should ensure that all their automated processing (unless exempt—see below) is covered in their register entry.

Manual data processing does not need to be notified, but data controllers may volunteer to include their manual processing within their register entry.  The advantage of notifying manual data processing for data controllers who only process that type of data is that the data controller will thereby be subject to less onerous disclosure obligations where a data subject access request is made (see section 24 of the Act).

The notification fee is £35 and the register entry will be maintained for one year.  About two months before the expiry of the registration, the OIC will contact the data controller to invite renewal - a further £35 fee is payable each year.  Only one register entry is permitted per data controller.

 

What to Notify

The data controller will be asked for its name, address, contact information and company registration number (if relevant).  The data controller will then be expected to make general statements about the types of processing undertaken and whether or not personal data are sent outside the European Economic Area - see below.

The general statement includes information on the purposes of processing (e.g. for credit referencing, fundraising, trading in personal information), the data subjects whose data are being processed (e.g. staff, customers, agents), the classes of data processed (e.g. personal details, employment details, family and social circumstances) and the persons to whom the data may be disclosed (e.g. prospective employers, financial institutions, the media).  In each case the data controller is given an opportunity to select from a list of available options.

When data controllers are considering whether they send personal data outside the EEA, they should bear in mind the need that some businesses have to book foreign hotel rooms or airline tickets for their employees.  They should also be aware that where personal data are available on the data controller's website, such availability will effectively be a transfer to all countries of the world.  If data are to be sent outside the EEA then the notification must reflect this fact.

Data controllers will additionally be expected to make a security statement.  This consists of a series of questions to which the answer may be either 'yes' or 'no'.  It should be noted that there are no adverse consequences of answering with a 'no'.  However, where data controllers find that their answers are in the negative, they should be aware that their processing may breach the Seventh Data Protection Principle.  The questions are set out in the insert on the next page.

It should be remembered that if the data controller's processing changes after a notification has been made, there is a duty to inform the OIC of this change as soon as possible - data controllers should not wait until the expiry of their 'notification year' before informing the Commissioner of the change.

 

The Criminal Offences

Prosecutions by the OIC for breaching the notification and related requirements of the Act take place in local magistrates' courts - for this reason they tend to escape public attention.  Of the 145 cases prosecuted under the 1984 Act in the year 1999-2000, 130 resulted in a 'guilty' verdict.  Examples of companies and firms who were prosecuted in the last year include Butlins, Canon & Co Solicitors, Hitachi, Nottinghamshire Probation Committee, the Rugby Football Union and Playmate Escort Services Ltd.

The above prosecutions took place under the 1984 Act regime.  The new regime includes offences that are defined in slightly broader terms.  A future article in this series will set out the offences in detail.  As far as the notification regime is concerned, it is generally a criminal offence to:

  • process personal data without a register entry; and

  • fail to notify the OIC of changes to the registrable particulars.

By virtue of s.61 of the 1998 Act, a director, manager, secretary or other officer of a corporate body may be prosecuted for the same offence as that which has been proved against the corporate body if he or she has been involved in the offence by way of some connivance or neglect.

 

The Exemptions

The rules on exemptions from the notification requirement derive from the Data Protection (Notification and Notification Fees) Regulations 2000.  Certain types of person are exempt from the notification requirement:

  • individuals who process personal data for personal, family or household affairs (including recreational purposes);

  • data controllers who only process personal data for the maintenance of a public register;

  • data controllers who do not process personal data on computer; and

  • some not-for-profit organisations.

The OIC has given guidance that the above reference to 'computer' includes desktop, mainframe, laptop and palmtop or hand-held device.  It also includes other equipment that has some ability to process data automatically, such as automated information retrieval systems for microfilm and microfiche, audio and visual systems, electronic flexitime systems and telephone logging equipment.

Additionally, certain types of processing are exempt from the requirement to notify, namely processing undertaken for:

  • national security;

  • staff administration;

  • advertising, marketing and public relations; and

  • accounts and records.

It should be noted that the exemption from the requirement to notify will be lost where the processing is for one of the purposes listed in the table below.

 

Conclusion

Notification is important, not least because it is a criminal offence to process personal data without a corresponding register entry.  The notification process is relatively quick and cheap.

It must be remembered, however, that notification is not the complete picture.  By making an appropriate notification to the OIC, a data controller is merely complying with one obligation in the Data Protection Act.  Data controllers must then go on to comply with the Data Protection Principles—notification does not exempt data controllers from compliance with other obligations in the Act.

 

Non-Exempt Purposes

  • Private Investigation
  • Health Administration and Services
  • Policing
  • Crime Prevention and Prosecution of Offenders
  • Legal services
  • Debt Administration and Factoring
  • Trading/Sharing in Personal Information
  • Constituency casework
  • Education

 


© Privacy & Data Protection Limited, 2002
