Some organisations may be falling foul of the Data Protection Act 1998 by failing to notify details of their personal data processing to the Information Commissioner's Office (ICO).
Notification is a legal requirement for every organisation that processes personal information (unless they are exempt), and failure to comply with this obligation is a criminal offence.
The (ICO) maintains a public register of organisations that process personal data, together with details about the types of personal information they process and the purposes for which they process it.
The register and each organisation's individual notification are publicly available to view via the ICO website.
What is notification?
Notification requires organisations to provide certain minimum information to the ICO, including:
- name and address
- types of personal data processed
- purposes for which the data is processed
- confirmation about whether or not they transfer data outside the European Economic Area
These details are then added to the register maintained by the ICO.
Who must notify?
Most organisations processing personal data are required to notify, but there are some limited exemptions. Where these apply, an organisation will not be required to notify.
Such exemptions include some not-for-profit organisations and where an organisation processes data only for certain limited purposes such as staff administration.
Even organisations that are exempt from the notification obligation are still required to ensure that their processing of personal data is conducted in accordance with the eight Data Protection Principles set out in the Data Protection Act 1998.
Exempt organisations are free to notify voluntarily if they wish.
The ICO has published guidance to help organisations decide if they are exempt.
How to notify?
Notification is a relatively simple process and can be completed online, by phone or by post to the ICO.
Notification must be renewed on an annual basis and a fee is payable both on submission of the first notification and each year thereafter.
The fee payable depends on an organisation's size and turnover. For an organisation with an annual turnover of £25.9m and 250 or more staff, the annual fee is £500. For smaller organisations it is £35.
Keeping the register up-to-date
Organisations are responsible for ensuring the content of their ICO notification is kept accurate and up-to-date.
Any changes to the notification (for example if new types of information are being processed or data is being used for new purposes) must be notified in writing to the ICO (quoting the security number provided on the original letter confirming acceptance onto the register) as soon as possible and within 28 days of the change.
Failure to keep a register entry up-to-date is a criminal offence.
It is not possible to change the legal entity of a data controller, for example on a restructuring, and further notification must be made in such circumstances.
Where can I get further information?
The ICO's website has extensive guidance on notification.
How can we help?
For advice on whether your organisation is required to notify (or whether you are exempt), the content of your notification, or any other queries regarding the processing of personal data, please contact a member of our data protection team: [email protected] or [email protected]