Data Protection: Registering your business under the Data Protection Act
Protecting your data
The Data Protection Act 1998 (the "DPA") rules over the information processing realm with an iron fist. DPA regulates the "processing of personal data", a term that covers collecting, holding, using, disclosing and destroying data relating to an "identifiable, living individual", and which therefore catches most individuals and companies that handle such data.
DPA operates in a dual capacity: it imposes obligations on those who decide how and why personal data is used (the "Data Controller") and confers rights on the individuals whose personal data is being used. DPA establishes eight data protection principles. Failure to comply with them can lead to enforcement action by the guardian of the data processing world, the Information Commissioner, including enforcement notices and monetary penalties, and failure to comply with an enforcement notice is a criminal offence.
Registration under the DPA
If you collect or process personal data electronically then, unless an exemption applies (see below), you are required to register with the Information Commissioner's Office (the "ICO") by notifying the ICO of the personal data you hold, how you obtain it and the purposes for which it is processed. The ICO uses the information provided to enter you on the notification register, which is open to public inspection. Processing personal data as a Data Controller without a register entry is a criminal offence under DPA.
What is personal data?
Personal data is information relating to a living individual who can be identified from that data, either by itself or in conjunction with other information in the possession of (or likely to come into the possession of) the Data Controller. DPA also singles out information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health (including disability), sexual life and the commission or alleged commission of any offence as "sensitive personal data", which attracts stricter conditions for processing.
The registration process in a nutshell
Step 1: fill out the "data protection registration form" - this can be found at http://ico.org.uk/for_organisations/data_protection/registration (or alternatively you can call the notification helpline on 01625 545740).
Step 2: create an email with "Data protection new registration" as the subject;
Step 3: email the completed form to firstname.lastname@example.org;
Step 4: within about a week the ICO will respond with a draft registration, confirm your details and ask for payment of the applicable fee (either £35 or £500, as set out below); and
Step 5: Once payment has been made, your registration will appear on the public register.
You must notify the ICO of every purpose for which you process personal data, and of any subsequent change to your register entry. If a purpose is not covered by your entry you are not entitled to process personal data for that purpose, and failing to notify changes is itself an offence.
What do I have to pay?
The fee payable (for registration and annual renewal of register entries) will depend on your organisation's size and turnover. If you are a public authority, fees will be based on your organisation's size only. For your company to remain registered under the DPA, the relevant fee must be paid annually. Data controllers will fall under one of the two tiers below.
Tier 1 - fewer than 250 employees and turnover of less than £25.9 million = fee will be £35 per annum
Tier 2 - 250 or more staff and turnover of £25.9 million or more = fee will be £500 per annum
Are there any exemptions from registration?
Yes. Certain organisations are exempt from the obligation to notify the ICO. Broadly, these are organisations that process personal data only for the purposes set out below:
- Maintaining public registers;
- Upholding national security;
- Staff administration (e.g. payroll);
- Public relations (including advertising and marketing) in connection with their own business activities;
- Certain non-profit organisations; and
- Individuals who process personal data for domestic purposes only
If you process personal data only manually, without any electronic means, you do not have to register with the ICO. You must, however, still comply with the requirements of the DPA even though you are not registered. Note that using email or a word processing package counts as processing by electronic means, so very few businesses fall outside the requirement to register. The only other possible exception is where you work for a single client, which is unlikely to apply in most cases.
DPA is designed to have a dual effect: to protect an individual's personal data and to provide a transparent framework within which people and organisations can collect and process personal data for commercial purposes. A large number of companies are required to register with the ICO, and a failure to register may result in criminal liability. Be clever. Be safe. Register now.
For further information please contact Balraj Kang.