Data Protection
The Data Protection Act 1998 requires many UK-based organisations that hold information about living, identifiable individuals to register their use of 'personal data' and be open and clear about the way such information is used.
Organisations also need to abide by a set of legally enforceable rules of good information handling - the eight 'data protection principles'.
The Act also provides various rights for individuals regarding access to information that is held about them, including the correction and/or deletion of data in some circumstances.
The Act applies to businesses (including sole traders) and public bodies. You may be obliged to register with the Information Commissioner's Office (ICO) at www.ico.gov.uk, if you or your company:
- Hold information about living individuals on computer (or have such information processed on computer by others).
- Hold information about living individuals in a structured manual filing system (with files ordered in such a way that it is possible to retrieve specific records easily). NB in cases of manual information processing only (i.e. where there is no processing carried out on a computer), there would be no obligation to notify the IC
There are exemptions from registration, which typically apply to smaller businesses that only process personal information for core business purposes, such as keeping records about their customers or staff.
If you are in any doubt about your own obligations, it is always better to check rather than assume you are exempt. Should you fail to notify the ICO and it is subsequently found that an exemption does not apply, you could face legal action.
The notification process
There are three ways to register with the ICO:
- Online registration. The ICO web site includes an online notification form. You can complete the form online, then print it and return a signed copy to the ICO to complete the registration process.
- Request for notification form. You can download a request form in PDF format and return the completed details to the ICO.
- Telephone registration. You can telephone the notification help line on 01625 545 740 and a draft notification form will be sent to you based on the information you provide on the telephone.
In each case you should include the annual notification fee (£35 in 2008).
A complete Guide to Notification is available to download from the ICO website.
Beware of bogus agencies sending out official looking warning letters about notification and charging inflated fees to notify on your behalf. Always deal directly with the Information Commissioner's Office - it is cheaper and better to do so.
Once the ICO receives your form, it will check the details and then let you know it has been received. Your notification period begins when the ICO receives a correctly completed form (or the day after the post date of registered post or a recorded delivery).
When your notification has been added to the ICO register, you will be sent a copy of your entry and issued with a security number which you should use in any subsequent correspondence, updates or renewals.
Updating your entry
Your registration entry must be kept up to date. Always inform the ICO when any part of your entry becomes inaccurate or incomplete, or if you want to add an additional 'purpose' for handling personal information.
This must be done within 28 days from the date your entry becomes inaccurate or incomplete - failure to do so is a criminal offence. Updates must be submitted to the ICO in writing, quoting your security number. Forms are available from the ICO office or from the ICO web site.
The ICO will write to you when the change has been processed and send you a copy of your amended entry. No fee is charged for this type of update.
Changes of legal entity
If your company changes its legal status (for example, if you change from being a partnership to a limited company) you must re-register, as entries are not transferable.
You should telephone the notification help line or use online registration to restart the process. Fee refunds are not usually given.
Failure to comply with the Data Protection Act
To comply with the Act, you have to comply with the eight data protection principles, as summarised on our Data Protection page.
Failure to comply is not a criminal offence, but should the ICO consider that one or more of the principles has been (or is being) breached, it may issue an 'enforcement notice'. Failure to address breaches detailed in an enforcement notice IS a criminal offence.
You can contest an enforcement notice by appealing to an independent Data Protection Tribunal. However, if the notice is upheld, the compliance failure becomes a criminal offence.
Data protection in action
Following the practical steps below will help to ensure that you comply with the Data Protection Act:
- Make sure people you keep records about are aware that you are doing so, and that they know why the information is being kept. If you intend to pass information about a person to a third party, the person should be aware of this. This information could be provided in writing, for example when you ask a client or customer to provide personal information on a form. It could also be done over the telephone if you collect personal information that way. Only collect and hold personal information when you have a legitimate reason for doing so.
- When you collect personal information from individuals, always be honest and open about why you want it. In particular, you should never mislead individuals.
- You should make sure that you don't hold unnecessary or excessive information about people, but on the other hand you should keep enough information to ensure that personal records are fit for the purpose for which they are kept. There is a balance to be struck here.
- Personal information must be accurate. Always ensure that errors are corrected promptly. Where a person says a record is inaccurate but you cannot prove it either way, put a note on the record saying that there is a disagreement over its content.
- Only hold personal information for as long as is necessary to serve the purpose for which it is being held. Ensure that systems are in place for the timely removal of personal information after specified periods or in specific circumstances (e.g. when a customer has ceased to trade with you). The decision about whether to retain or delete information can call for careful judgement, and risk analysis techniques may help you to make the decision.
- Information about people must be stored securely. The level of security should be appropriate for the nature of the data and the potential harm that disclosure or loss could cause for the individual. Only authorised personnel should have access to personal information - access should normally be managed by usernames and passwords for computer systems. Audit trails can be useful for finding out who has accessed a particular record and why.
- Establish disciplinary procedures in the case of misuse of personal information by members of staff.
- Computer terminals should be placed in such a way that screens displaying personal information are not in public view and cannot be seen by passers-by. This is particularly important for mobile staff using laptops and similar devices in public places.
- Minimise the risks associated with accidental loss or theft of personal information. Keep backup copies of files in secure areas (away from the computer equipment on which they are normally used) and keep equipment safe from harm and/or theft. Protect laptops and other portable devices so that even if they are lost or stolen, the information on them cannot be accessed.
- The Data Protection Act places special restrictions on the processing of sensitive personal information - for example that concerning a person's health, sex life, political opinions, race, ethnicity or religious beliefs. You can only hold such information where the individual has given explicit consent for this or in certain other limited circumstances, for example where you are required by employment law to process sensitive information.
- If you use (or intend to use) personal information for direct-marketing purposes, inform people of this and give them the opportunity to prevent their details being used in such a way. Maintain a 'suppression list' (containing details of individuals who have asked you not to send them direct marketing material) and always check this against mailing lists.
- If you wish to transfer personal information to a country outside the EEA (the European Union plus Norway, Iceland and Liechtenstein), you will need either to ensure adequate protection for it in the host country, or obtain consent from data subjects. Many companies legitimise their overseas transfer of personal information by contractual means.