This snapshot, taken on 12/08/2011, shows web content acquired for preservation by The National Archives. External links, forms and search may not work in archived websites and contact details are likely to be out of date.

Data Protection FAQs – For organisations

Q: Can I add VAT to the fee I charge for fulfilling a subject access request?

No. Subject access requests are outside the scope of VAT. This is because data controllers have a statutory duty to respond to them. This applies regardless of whether the request is made by an individual or by someone with authority to act on their behalf, such as a solicitor.

Q: How do I know whether the Data Protection Act applies to my business/organisation?

The Act will usually apply unless you are an individual holding personal information for your own domestic use, eg an address book.


Q: What do I need to do under the Data Protection Act?

If you are required to comply with the Act, you have a number of legal responsibilities:

- to notify the Information Commissioner that you are processing information, unless you are an organisation that holds personal information only for:

  • staff administration (including payroll);
  • advertising, marketing and public relations for your own business; or
  • accounts and records (some not-for-profit organisations)

- to process the personal information in accordance with the eight principles of the Act; and

- to answer subject access requests received from individuals.

Q: What security measures should I have in place to protect personal information on laptops?

Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, the device should be encrypted. The level of protection provided by the encryption should be reviewed and updated periodically to ensure that it would still be sufficient if the device were lost or stolen; you may need to seek specialist technical advice. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff are properly trained in these. If it is brought to the Commissioner's attention that laptops that have been lost or stolen were not protected with suitable encryption, he will consider using his enforcement powers.

Q: I have just received a subject access request. What should I do with it?

A subject access request is a request from an individual exercising their right under the Data Protection Act. You must decide, taking any exemptions into consideration, what information needs to be given. You have 40 calendar days to respond to the request and you may request a fee of up to £10.

For more guidance on how to deal with subject access requests, see our checklist for handling requests on personal information.

Q: Do I have to disclose everything under the Data Protection Act?

The Data Protection Act covers computer records and manual records. Most computer records about a particular person can easily be found and should be disclosed, after removing any third party information.

If data controllers are not subject to the Freedom of Information Act 2000 (FOIA), the Act which applies to public authorities, then subject access requests can only apply to manual records which are part of, or are intended to be part of, a relevant filing system. The files which form part of the relevant filing system are structured or referenced in such a way that information about the applicant can be easily located.

However, if data controllers are subject to the FOIA, then they should also be aware that subject access requests apply to unstructured files. Please follow the link for further guidance concerning what constitutes unstructured data.

Q: We are a data controller, and have received a request for information that we hold about an individual from another organisation. Can we release it?

Generally the Act would not allow a disclosure to a third party data controller unless the individual had been informed of the disclosure (see the first principle - Fair Processing). However there are a number of exemptions that allow disclosure in certain circumstances.

Q: If the police approach us for information, under what circumstances should we provide it?

There is an exemption under the Data Protection Act that can be applied if the police need some information to prevent or detect crime or catch or prosecute a suspect. However there are limits on the information you can release. If you are satisfied that the information is going to be used for this purpose and that if you did not release the information it would be likely to prejudice (that is, significantly harm) any attempt by the police to prevent a crime or catch a suspect then you can disclose this information.

This is an important subject; for more information, read our good practice note on Releasing information to prevent or detect crime.

Q: I want to record customers that ring our company. Can I do this?

If you have a legitimate reason for recording people that call your organisation (eg staff training purposes) you may be able to record them, but to comply with the first principle of the Data Protection Act you would need to provide 'Fair Processing' information, unless it would be in their reasonable expectations to have the data recorded.

Q: I want to install covert cameras on my business premises. Would the Data Protection Act prevent me from doing this?

Although the Data Protection Act would not necessarily prohibit covert monitoring of staff, it would generally only be justified in exceptional circumstances and we would advise that a data controller exercise caution when proposing monitoring of this type. The monitoring should also be warranted, specific and limited.

For detailed guidance on the use of CCTV, read our CCTV Code of Practice.

Q: How long should organisations keep data for?

The Data Protection Act says that information should be kept for no longer than is necessary. The Act does not specify what a ‘necessary’ period should be for particular information. Each case would be considered on its own merits. If an organisation is obliged to retain data for a given length of time under any other laws, this should be taken into consideration.

For example, financial institutions may have to keep some information for up to six years in accordance with the Financial Services Authority regulations. A sole trader, however, may not need to keep information for longer than a month.

Q: I am a data controller wanting to outsource some of our information for processing purposes. What are the data protection implications?

You must choose an organisation that you consider can carry out the work in a secure way, and you should check that it is in fact doing so. You should have a written contract with them that lays down how they can use and disclose the information you have entrusted to them. It must require them to take proper security measures.

Our good practice note on Outsourcing - a guide for small and medium sized businesses has more information on this subject.

Q: What do I need to put in my fair processing notice, which is given to individuals before I process their information?

You will need to outline what information is going to be processed and how. This is to make sure the individual knows exactly what is going to happen to their information and how it is going to be used. You shouldn't be doing anything with personal information unless the individual is made aware of it (unless certain exemptions apply).

Q: A customer asks to see details of her son’s bank account as he is seriously ill in hospital. What do I say?

Tell the customer that you will arrange to provide the information if she sends you written authorisation showing that she acts for her son.

For more information read our good practice note on Providing personal account information to a third party.

Q: What security measures should be in place to protect personal information under the Data Protection Act?

A written security procedure should cover the levels of protection appropriate for the different records you hold.

Q: A customer's record received from another company turns out to be inaccurate. What do you do?

Amend the details and let the other company know about the change.

Q: When should I erase personal information from our computer system?

You should ensure that all information is erased if it is no longer required for business purposes.

Q: I am unhappy with the way an organisation has dealt with my complaint about personal information. What do I do?

There are a number of options available: you can contact the ICO directly and ask us to make an assessment, you can raise the matter with your local MP, or you can take the case directly to court.

Q: Does the Data Protection Act apply to me?

This might seem an obvious question. However, the Act applies to a particular activity – processing personal data – rather than to particular people or organisations. So, if you “process personal data”, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles. Broadly, however, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of the Data Protection Act is therefore very wide as it applies to just about everything you might do with individuals’ personal details.

Q: Are there any other exemptions from the Act?

The Data Protection Act contains a number of other exemptions from the rights and duties in the Act. You must process personal data in accordance with the Act unless one of these exemptions applies. 

The exemptions either allow for the disclosure of information where there would otherwise be a breach of the Act or allow information to be withheld that would otherwise need to be disclosed. They are designed to accommodate special circumstances, for example when processing personal data:

  • in connection with criminal justice, taxation or regulatory activities;
  • that is required to be made public;
  • where disclosure is required by law or is necessary for legal proceedings; or
  • to provide a confidential reference.

It is important to note that each exemption is intended to apply only in very specific circumstances. So just because, for example, you are using personal data in connection with the criminal justice system or for regulatory purposes, you cannot disregard the whole of the Data Protection Act.

Even if you are entitled to an exemption for your processing, this will not be a blanket exclusion of the rights and duties in the Act. You will need to look at the exemption carefully, in the light of your particular circumstances, to see what effect it has.

For further details, please read the section about the application and effect of the Act’s main exemptions.

Q: What should I do if an individual complains about what I am doing with their personal data?

You should carefully consider such a complaint. It is good practice to provide a reasoned response to all complaints and, depending what the complaint is about, the Data Protection Act may require you to do so. The Act may also require you to stop, or change, what you are doing with an individual’s personal data following a complaint. In particular, you might have to:

  • correct or delete information about an individual which is inaccurate;
  • stop processing their personal data for direct marketing; or
  • stop processing their data completely or in a particular way (depending upon the circumstances).

For more information, please read the section about the rights of individuals.

Q: What does “fair processing” mean?

The first data protection principle requires you to process personal data fairly and lawfully. Ensuring fairness in everything you do with people’s personal details is, in our view, central to complying with your duties under the Data Protection Act. In practice, it means that you must:

  • have legitimate reasons for collecting and using the personal data;
  • not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.

Read more about how to comply with the first data protection principle, and examples of good practice in handling personal data.

Q: What is a privacy notice?

One of the requirements of the Act’s fair processing provisions is that certain information is given to the individuals concerned. The oral or written statement that individuals are given when information about them is collected is often called a “privacy notice” or a “fair processing notice”.

We have published a Privacy Notices Code of Practice to help organisations draft clear privacy notices and to ensure they collect information about people fairly and transparently. In general terms, a privacy notice should state:

  • your identity and, if you are not based in the UK, the identity of your nominated UK representative;
  • the purpose or purposes for which you intend to process the information; and
  • any extra information you need to give individuals (in the circumstances) to enable you to process the information fairly.

When deciding how to draft and communicate a privacy notice, try to put yourself in the position of the people you are collecting information about. Ask yourself:

  • do they already know who is collecting the information and what it will be used for?
  • is there anything they would find deceptive, misleading, unexpected or objectionable?
  • are the consequences of providing the information, or not providing it, clear to them?

Q: Can I use personal data for a new purpose or disclose it to a third party?

It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.

As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.

Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies. If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures.

Q: Must I encrypt all the information I store on computer?

Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices. On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements. Read more about complying with these requirements in the section about information security.

Q: When is it a criminal offence to breach the Data Protection Act?

Some criminal offences have already been mentioned in this section, but not every breach of the Act is an offence. In particular, failure to comply with the data protection principles is not, on its own, a criminal offence. Such a failure may still cause problems for the organisation concerned – for example, the organisation may face a claim for compensation from individuals who have suffered damage and distress or have a financial penalty imposed by the Information Commissioner.

Most of the offences created by the Act can be tried in a magistrates’ court or the Crown Court. In Scotland, they may be tried in the Sheriff Court or the High Court of Justiciary. Usually, prosecutions under the Act are brought by the Information Commissioner. In Scotland they are brought by the Procurator Fiscal. A person found guilty is liable, if the case is heard by magistrates or a sheriff, to a fine not exceeding £5,000, or on conviction in the Crown Court or in the High Court of Justiciary, to an unlimited fine.

If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence, as well as the corporate body, if:

  • the offence was committed with their consent or connivance; or
  • the offence is attributable to neglect on their part.

In addition, where the affairs of a corporate body are managed by its members, any member who exercises the functions of management as if they were a director can also be guilty of the offence that results from their acts or omissions.

The criminal offences created by the Act include:

  • unlawfully obtaining, disclosing, or procuring the disclosure of personal data;
  • selling, or offering to sell, personal data which has been unlawfully obtained;
  • processing personal data without notifying the Information Commissioner (and other offences related to notification);
  • failing to comply with an enforcement notice or an information notice, or knowingly or recklessly making a false statement in compliance with an information notice;
  • obstructing, or failing to give reasonable assistance in, the execution of a search warrant;
  • requiring someone, for example during the recruitment process, to exercise their subject access rights to supply certain information (such as records of their criminal convictions), which the person wanting it would not otherwise be entitled to. This offence, known as “enforced subject access”, is not yet in force; and
  • the unlawful disclosure of certain information by the Information Commissioner, his staff or agents.