Under the Data Protection Act 1998 any individual or organisation that processes personal data may be liable to register with the Information Commissioner’s Office (ICO) – so make sure you know what to do.

The Information Commissioner’s Office answers some frequently asked questions.

The Data Protection Act 1998 (DPA) covers ‘data controllers’ and ‘data subjects’ but what do these terms mean?

A data controller is the person, or persons, who determines the purpose for which, and the manner in which, personal data are, or are to be, processed. This may be an individual or an organisation.

A data subject is the living individual who is the subject of the personal

The DPA requires the Information Commissioner’s Office (ICO) to maintain a public register of data controllers. Each register entry includes their name and address and a general description of the processing of personal data by the data controller. Individuals can access the register to find out what processing of personal data is being carried out.

Notification is the process by which a data controller’s details are added to

Do I need to register or notify with the Information Commissioner’s Office?

You will need to notify with the ICO if you process personal information. There are certain exemptions, so not all businesses or organisations need to notify.

Exemptions are possible for:

Certain not-for-profit organisations
Processing of personal data for personal, family or household affairs (including recreational purposes)
Data controllers who only process personal information for their own business for purposes of staff administration, advertising, marketing and public relations, accounts and records
Maintenance of a Public Register

I only have manual records so do I still need to notify?

There is no requirement to notify manual records which come within the scope of the DPA. However, you can choose to notify them voluntarily.

How do I notify?

There are three easy methods:

On the internet – visit http://www.informationcommissioner.gov.uk/eventual.aspx?id=322
By phone – call 01625 525 740 and a draft notification form will be sent to you based on the information you will be asked to provide on the telephone
By completing a Request for a Notification Form and returning it to the Information Commissioner’s Office. Visit the following webpage to obtain a

I have received an official-looking letter from an agency demanding over £35 to notify under the Data Protection Act – what should I do?

The simple message to businesses is to throw the letter in the bin and not to pay the fee demanded. The Information Commissioner works closely with a variety of official bodies such as the Office of Fair Trading, local trading standards and local police to help target these

How long do I need to keep employment records on file?

The DPA requires you to keep information for a specific purpose. Once that purpose has been fulfilled then you should no longer keep records. Obviously the DPA does not stop you from keeping records that have a purpose and are of use.

You need to ask yourself if you really need the employment records of someone who left the organisation some time ago and what you would need them for. For example, you would need to keep a record of employees for at least 21 weeks after they are made redundant as they may want to contest their

Do I need to back up all payroll information on computer to comply with the DPA?

The DPA does not require you to keep information electronically. Manual paper records should be kept in a relevant filing system so that information is easily accessible. You can check to see if your paper records are filed correctly by conducting a ‘temp test’. For example, would a temporary employee be able to source information that they require with ease? A well-organised filing system is essential for good business practice and not just for DPA compliance.

When will the final part of the Data Protection employment practices code be published?

The draft code was published in December 2003 for a three-month period of public consultation and the finalised version will be published by the autumn of this year. The Code aims to give employers clear and practical guidance on how to comply with data protection law when handling information about workers’

Parts 1-3 of the Code have already been published and are available on the ICO’s