The Data Protection Act 1998 (‘the Act’) governs the processing of information in respect of living, identifiable individuals. Any person or company or other organization that collects or holds information about an identifiable, living individual or which discloses, retains or destroys that information, is likely to be ‘processing personal data’.
The Act imposes obligations on people or organizations which collect and use personal information and confers rights on the individuals whose personal data are being processed. Eight principles, which must be complied with in relation to the processing of personal data, are set out under the Act. Failure to comply with these principles may result in an enforcement action by the Information Commissioner and criminal liability.
Data protection registration
If you process personal data, you are obliged to ‘notify’ the Information Commissioner’s Office (‘ICO’) of the manner in which you collect personal information and the purposes for which it is processed. This information is used by the ICO to make entries in the notification register, which is available to the public for inspection. Processing of personal information without registration constitutes a criminal offense under the Act.
What information is ‘personal data’?
Any information which relates to a living individual who can be identified from such data, or from such data together with other information in the possession of, or likely to come into the possession of, the data controller is construed as personal data or personal information.
The Act further recognizes as ‘sensitive personal data’, information relating to the racial or ethnic origin, political opinions, religious beliefs, physical or mental conditions, sexual orientation, the commission of offenses/criminal proceedings or membership of a trade union.
DPA registration process
To register under the Data Protection Act, a notification statement must be prepared and submitted to the ICO together with the relevant fee. The main purpose of notification and the public register is to promote openness and transparency as to the use of personal information. It is therefore imperative that you notify the ICO of all the purposes for which you process personal information. If you fail to notify for any purpose (or any changes), then you may not process personal data for such purpose. You may, therefore, prefer to use a special Data Protection Training registration service to ensure that your registration fully covers your activities and purposes.
On 1 October 2009, a two-tiered fee structure was introduced for notification and annual renewal of register entries. The fee now depends on the organization’s size and turnover, with the exception of public authorities, whose fees continue to be based on the organization’s size only. Data controllers with fewer than 250 employees and with a turnover of less than £25.9 million fall into Tier 1 and continue to pay the fee of £35 per annum. Companies with 250 or more staff and a turnover of £25.9 million or more are in Tier 2 and must pay a fee of £500. To maintain the registration, the fees must be confirmed annually.
Exemptions from DPA registration
The Act envisages certain exemptions from the obligation to notify the ICO. Organizations which process personal information generally only for the purposes of:
National Security & Public registers
- staff administration (including payroll)
- advertising, marketing and public relations (in connection with their own business activity)
- accounts and records
- some not-for-profit organizations; and
- organizations that process personal data only for maintaining a public register
are exempt from notification. The same applies to individuals who process personal data for domestic purposes only.
The Act maintains a balance between the right of individuals to respect for their personal data and the needs of people or organizations to collect and use personal data for business and other purposes. Many companies are required to notify under the Act. Failure to give adequate notification may result in criminal liability.