NOTIFICATION

Notification is the process by which information about data controllers and their data processing operations comes to be included in a publicly accessible register maintained by the Information Commissioner. The obligation to notify arises under section 17 of the DPA, which says that ‘personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner’. However, there are some exemptions to the obligation to notify.

The purpose of notification is threefold. By far and away the most important purpose is to foster transparency in data processing activities. Second, notification assists the Information Commissioner in the discharge of their regulatory functions (the register contains an important source of contact information for the Information Commissioner as well as information to enable the development of targeted regulatory strategies). Third, notification indirectly provides a source of funds for the running of the Information Commissioner’s office.

Once they have notified, data controllers are obliged to keep their notifications up to date (section 20 of the DPA). Furthermore, they have to renew their notifications on an annual basis (sections 19(4) and 19(5) of the DPA).

Offences

Where the obligation to notify exists it is a criminal offence to process personal data without having first notified (section 21(1) of the DPA) and it is also an offence to continue processing after failing to renew. Additionally, it is a criminal offence to fail to keep notifications up to date (section 21(2) DPA), but a due diligence defence exists for this offence (section 21(3) DPA).

The DPA pierces the corporate veil in the sense that where offences are committed by a corporate body its owners and managers can be personally prosecuted. Section 61(1) of the DPA says:

Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.


How to notify

Notification is given under section 19 of the DPA, which requires the data controller to supply the Information Commissioner with ‘registrable particulars’, a ‘general description of the measures to be taken for the purpose of complying with the seventh data protection principle’ and the fee. The Data Protection (Notification and Notification Fees) Regulations 2000 give the Information Commissioner the power to determine the form in which this information is to be provided.

Registrable particulars

The registrable particulars are identified in section 16(1) of the DPA. They consist of the following pieces of information:

  • the data controller’s name and address;

  • the name and address of the data controller’s nominated representative, if there is one;

  • a description of the personal data being processed, or to be processed, by or on behalf of the data controller and the category or categories of data subject to which they relate;

  • a description of the purpose or purposes for which the data are being, or are to be, processed;

  • a description of any recipient or recipients to whom the data controller intends, or may wish, to disclose the data;

  • the names, or a description of, any countries or territories outside the EEA to which the data controller directly or indirectly transfers data, or intends or may wish directly or indirectly to transfer data;

  • where the data controller is a public authority, a statement of that fact;

  • where any personal data are excluded from the obligation to notify due to the exemption for manual data, or the exemption for processing that is unlikely to prejudice the rights and freedoms of data subjects, a statement of that fact.

The seventh data protection principle

The seventh data protection principle requires data controllers and data processors to take ‘appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.

The fee

Section 19(4) of the DPA requires the payment of a fee before an entry can be made on the register. The fee is currently £35, set by the Data Protection (Notification and Notification Fees) Regulations 2000. A fee is also charged for annual renewals, again £35.

Additional information in the register

The Information Commissioner is entitled to include the following additional information in the register:

  • the registration number issued to the data controller;

  • the date of entry in the register;

  • the date when the entry will be removed;

  • additional information to assist data subjects to communicate with the data controller.

The Information Commissioner’s approach

The Information Commissioner is given the power to determine the form in which the registrable particulars and the security statement are provided. The current scheme revolves around an application process devised by the Information Commissioner. This scheme is helpful but it is not as efficient as it should be.

Under the Information Commissioner’s system data controllers have three choices:

  • They can complete the application form contained on the Information Commissioner’s website.

  • They can telephone the Information Commissioner’s office to ask for the forms to be sent to them.

  • They can complete the application form over the telephone.

The Information Commissioner’s system requires an exchange of correspondence by post, for the provision of signatures and payment of the fee, which lessens its efficiency. Whichever method is used, it is clear that the Information Commissioner is not expecting the data controller to go into significant detail, as the following passage taken from the online process reveals:

Your notification must include a general description of the processing of personal data being carried out. We ask data controllers to bear in mind when providing information for notification not to go into unnecessary detail. The aim is to keep the content at a general level with sufficient detail to give an overall picture of the processing.


The Information Commissioner’s system is based around a series of templates. The current templates fall into the following categories:

  • general;

  • education;

  • finance;

  • health;

  • legal;

  • leisure;

  • local and central government;

  • public bodies;

  • religious/political/charitable;

  • services.

The templates identify in very general terms the particular aspects of processing falling within the scope of notification, such as the classes of data subjects and the categories of records. Data controllers can amend the templates or, if no template is suitable, they can select from options to build a bespoke notification.

The Information Commissioner’s system deals with the requirement for a security statement through a series of questions that require the data controller to select either yes or no answers. The full questions as they currently appear on the Information Commissioner’s website (www.ico.gov.uk) are as follows:

Have you taken any measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage? If yes do the methods include:

  • Adopting an information security policy? (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data)

  • Taking steps to control physical security? (for example, locking doors of the office or building where computer equipment is held)

  • Putting in place controls on access to information? (for example, introduction of password protection on files containing personal data and encryption)

  • Establishing a business continuity plan? (for example, holding a backup file in the event of personal data being lost through flood, fire or other catastrophe)

  • Training your staff on security systems and procedures?

  • Detecting and investigating breaches of security when they occur?

  • Adopting the British Standard on Information Security Management BS7799? (This standard is not a statutory requirement but a business led approach to best practice on information security management.)


The online process explains these questions in this fashion:

Data controllers must give a general description of the measures to be taken for the purpose of protecting against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. The description does not appear in the public register.

Answering the questions provided satisfies the requirement to provide that description. The questions are at a very general level but cover some of the key requirements of effective information security management.


If the data controller uses the online process, it must print a copy of the completed form, sign it and then send it to the Information Commissioner with the fee.

The Data Protection (Notification and Notification Fees) Regulations 2000 identify the Information Commissioner’s obligations as they arise following receipt of a notification. The Regulations require the Information Commissioner to give the data controller a notice confirming the making of an entry in the register ‘as soon as practicable and in any event within a period of 28 days after making an entry in the register’. The date when the entry is deemed to have been made in the register is calculated by reference to the postal method used by the data controller for the sending of its signed form. If registered post or recorded delivery is used, the date of entry in the register is the day after the day on which it is received for dispatch at the post office. If ordinary post is used, the date of entry in the register is the date when the notification is received by the Information Commissioner.

Information Commissioner’s guidance on notification

The Information Commissioner’s ‘Legal Guidance’ contains very helpful information on notification. In addition, the Information Commissioner has published a comprehensive 45-page ‘Notification Handbook’ and a ‘Self Assessment Guide’ explaining how the notification exemptions work in practice.

Obtaining copies of register entries

Section 19(6) of the DPA requires the Information Commissioner to provide facilities ‘for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge’. The current facilities consist of the searchable online register, which is accessible from the Information Commissioner’s website.

The Information Commissioner is also obliged to ‘supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register’. A £2 fee is currently charged for this service.

Keeping notifications up to date

Section 20 of the DPA permits the making of regulations in order to ensure that notifications are kept up to date. Again, the Data Protection (Notification and Notification Fees) Regulations 2000 apply. The obligation placed on the data controller is to notify the Information Commissioner of any respect in which an entry on the register becomes inaccurate or incomplete and to set out the changes that are required to make the entry accurate or complete. The notification of the inaccuracy must be given as soon as is practicable but never later than 28 days after the date on which the entry in the register became inaccurate or incomplete.

The exemptions

There are a number of very important exemptions to the obligation to notify. These are:

  • for safeguarding national security;

  • for manual data;

  • processing for the purpose of maintaining a public record;

  • processing that is unlikely to prejudice the rights and freedoms of data subjects.

National security exemption

Section 28(1) of the DPA says that processing is exempt from the requirement to notify if the exemption is required for the purpose of safeguarding national security.

Manual data exemption

Section 17(2) of the DPA contains the exemption for manual data. It says that except where the processing is ‘assessable processing’, the prohibition on processing without having first notified does not apply ‘in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of “data” in section 1(1) nor within paragraph (b) of that definition’. The categories of data were discussed in Chapter 1 and it will be recalled that the first category concerns data being processed, or to be processed, by equipment operating automatically, while the second category concerns data recorded with the intention that it will be processed by equipment operating automatically.

The manual data exemption does not apply in respect of assessable processing. Section 22 of the DPA describes assessable processing as ‘processing which is of a description specified in an order made by the Secretary of State as appearing to him to be particularly likely to cause substantial damage or substantial distress to data subjects, or otherwise significantly to prejudice the rights and freedoms of data subjects’. At the date of publication of this book the Secretary of State has not made any orders under section 22.

Public record exemption

This exemption is contained in section 17(4) of the DPA. It says in very succinct terms that the prohibition on processing without having first notified does not apply in relation to ‘any processing whose sole purpose is the maintenance of a public register’.

Processing unlikely to prejudice rights and freedoms of data subjects

The Data Protection (Notification and Notification Fees) Regulations 2000 contain a series of exemptions for processing that the Secretary of State considers is unlikely to prejudice the rights and freedoms of data subjects. The power given to the Secretary of State to exempt processing of this nature is contained in section 17(3) of the DPA. If the data controller is processing personal data falling within this section it must state so in its registrable particulars (section 16(g) of the DPA).

This series of exemptions is for:

  • processing for the purposes of staff administration;

  • processing for the purposes of advertising, marketing and public relations;

  • processing for the purposes of accounts and records;

  • processing by non-profit-making organizations.

Each of the exemptions in this series identifies the exempt processing purposes, the kinds of data subjects falling within the exemption, the categories of personal data that may be processed within the exemption, the circumstances in which the personal data may be disclosed to a third party and the period for which the personal data may be retained.

The staff administration exemption is set out in paragraph 2 of the Schedule to the Regulations and it applies only to a limited category of processing purposes, all related to staff administration. These exempt purposes are ‘appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller’ (paragraph 2(a)).

The personal data falling within this exemption must relate to a data subject falling within one of the categories in the Regulations, namely a past, existing or prospective member of staff of the data controller or ‘any person the processing of whose personal data is necessary for the exempt purposes’ (paragraph 2(b)). Furthermore, the personal data falling within the exemption is of a limited type, namely ‘personal data consisting of the name, address and other identifiers of the data subject or information as to qualifications, work experience or pay or other matters the processing of which is necessary for the exempt purposes’ (paragraph 2(c)).

The exemption tolerates only limited disclosures to third parties, namely disclosure with the consent of the data subject or disclosure that is necessary for the exempt purpose (paragraph 2(d)). Finally, the exemption requires destruction or deletion of the personal data after the relationship between the data controller and the staff member ends, unless retention is necessary for the exempt purpose (paragraph 2(d)).

The advertising, marketing and public relations exemption falls within paragraph 3 of the Schedule to the Regulations. The exempt purposes are processing ‘for the purposes of advertising or marketing the data controller’s business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services’. The data subjects falling within the exemption are past, existing or prospective customers or suppliers, or any person the processing of whose personal data is necessary for the exempt purposes. The personal data that may be processed are ‘personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes’. The rules on disclosures to third parties and retention periods are the same as those contained in the staff administration exemption.

The accounts and records exemption falls within paragraph 4 of the Schedule to the Regulations. The exempt processing purposes are processing:

  • for the purposes of keeping accounts relating to any business or other activity carried on by the data controller;

  • deciding whether to accept any person as a customer or supplier;

  • keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions;

  • for the purpose of making financial or management forecasts to assist the data controller in the conduct of any such business or activity.

The data subjects falling within the exemption are the same as for the advertising, marketing and public relations exemption. The personal data falling within the exemption is name, address and other identifiers of the data subject, or information as to financial standing, or other matters the processing of which is necessary for the exempt purposes. The rules on disclosures to third parties and retention periods are the same as those contained in the staff administration exemption and the advertising, marketing and public relations exemption. This exemption does not apply to personal data processed by, or obtained from, a credit reference agency.

The non-profit-making organizations’ exemption falls within paragraph 5 of the Schedule to the Regulations and it applies only where the processing is ‘carried out by a data controller which is a body or association which is not established or conducted for profit’. The exempt purposes are processing ‘for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it’. The data subjects are past, existing or prospective members of the body or organization, any person who has regular contact with the body or organization in connection with the exempt purposes, or any person the processing of whose personal data is necessary for the exempt purposes. The personal data falling within the exemption are personal data consisting of the name, address and other identifiers of the data subject, or information as to eligibility for membership of the body or association, or other matters the processing of which is necessary for the exempt purposes. The rules on disclosures to third parties and data retention are the same as before.

Notification and processing for domestic purposes

Processing done for purely domestic purposes is completely exempt from the DPA, under section 36.

Exempt processing and supplying relevant particulars

Where the manual data and the processing that is unlikely to prejudice the rights and freedoms of data subjects exemptions apply, data controllers will still be obliged to supply ‘relevant particulars’ (section 24 DPA). This obligation arises when the data controller receives a written request from any person. Where such a request is received the data controller must supply the relevant particulars within 21 days, free of charge.

Failure to comply with a written request for relevant particulars is a criminal offence, although it is a defence for a data controller to show that it exercised all due diligence to comply.

The relevant particulars are:

  • the data controller’s name and address;

  • the name and address of the data controller’s nominated representative, if there is one;

  • a description of the personal data being processed or to be processed by, or on behalf of, the data controller and the category or categories of data subject to which they relate;

  • a description of the purpose or purposes for which the data are being, or are to be, processed;

  • a description of any recipient or recipients to whom the data controller intends, or may wish, to disclose the data;

  • the names, or a description of, any countries or territories outside the EEA to which the data controller directly or indirectly transfers, or intends, or may wish, directly or indirectly to transfer, the data.

Notification by partnerships and schools

Special rules apply for notification by partnerships and schools. These state that partnerships can register in the name of the firm, giving the principal place of business as the address. Processing done on behalf of schools by school governors and head teachers may be notified in the name of the school.

It is worth noting that no special rules apply for groups of companies. Each individual company within a group must notify, unless an exemption applies.

Voluntary notification

Data controllers who can claim an exemption from notification may choose to notify on a voluntary basis, although this option is not available where the national security exemption applies or where personal data is processed for personal, domestic or recreational purposes. A data controller who elects to notify on a voluntary basis will not be able to undo its election at a later date and will therefore be bound by the full provisions of the notification regime until it stops processing.
