Site guide

My attempt at simplifying the Data Protection Act.


Registration

All Data Controllers must register with the Information Commissioner’s Office (ICO) unless they are exempt. The most common reason organisations are exempt from registration is that they only process Personal Data for:

  • Staff administration (including payroll)
  • Advertising, marketing and public relations (in connection with your business activity)
  • Accounts and records.

However, being exempt from registration doesn’t mean that you are exempt from complying with the Act.

My advice is always to register (as you have to do everything else to comply) and it helps with your responsibilities under Principle 2. If anyone ever asked why you didn’t register then it would probably take more than £35 of your time (and perhaps your lawyer’s time) to respond. Invariably over time any business will do something that’s outside the scope of the three activities above, and need to register anyway.

Contrary to what you may think, there are very few criminal offences in the Act but failure to register is one of them. You can be fined up to £5,000 for not registering.

Registration is quite easy and involves filling in an online form on the ICO web site. The process is made slightly more confusing because the ICO often calls this process ‘notification’ (technically this is correct, but it doesn’t help to have half of the site saying ‘registration’ and the other half saying ‘notification’).

The ICO has published a Notification Handbook at http://www.ico.gov.uk/upload/documents/notifications_handbook_html/introduction.html

You can complete the online form here https://www.ico.gov.uk/cgi-bin//dprproc?page=7.html

At the end of the process you have to print out the form, sign it and post it to the ICO.

You can also ring up the ICO notification / registration helpline (01625 545740) and they will help you fill out the form over the phone and send you a partially completed form that you just need to finish off and sign.

What information goes on the form?

Apart from the normal information about your organisation, the interesting part of the form is where you describe:

  • Why you will process personal data (purposes)
  • Whose data you will process (Data Subjects)
  • The sorts of data you will process (Data Classes)
  • Who you may pass data to (Recipients)
  • Whether you will transfer data outside the European Economic Area

If you fill out the online form, all you need to do is pick one of the business types that the ICO lists and the system will pre-select the purposes, subjects and classes it thinks will be relevant for you. You can then go on to add more reasons for processing data and the associated Subjects, Classes and Recipients.

Next you answer some very high-level questions about whether you have any security measures in place to comply with Principle 7 (don’t lose data), such as “Adopting an Information Security Policy” and “Training your staff”.

Before getting to the last page (which you have to print out and sign) there are a couple of tricky questions to answer:

  1. Does your notification cover all your processing of all personal data? and
  2. If you are exempt from notification but you have decided to notify voluntarily please choose yes?

What these questions are trying to discover is whether your entry on the register needs to include this statement:

This data controller also processes personal data which are exempt from notification

If you don’t want to get into the intricacies of the bits of processing you don’t need to tell the ICO about then I recommend that you:

  • Notify all types of processing (which is good for compliance with principle 2)
  • Answer these two questions, Yes-Yes

(Note that if you’re following the ICO’s ‘Notification handbook’, be careful, as it has the questions worded the other way round.)

What does it cost?

The ICO charges an annual fee which is £35 unless you are either:

  • A business that turns over more than £25.9 million AND you employ more than 250 people (this doesn’t apply to charities), or
  • A public body that employs more than 250 people

in which case the annual fee is £500.

You can pay by cheque, but I always advise people to set up a direct debit so that you don’t forget to renew and let your registration lapse.

‘Fraudulent’ Registration Companies and Agents

There are some companies who will send you slightly threatening letters about registering with the Information Commissioner. They will often have official-sounding, made-up names such as “The Information Protection Enforcement Agency” and may even include official-looking registration forms. They always want to charge you more than £35 and they probably won’t even send your registration to the ICO. These people are scammers and are trying to steal your money, so tell your local trading standards office and put their letter in the bin!

The ICO has a list of such companies at http://www.ico.gov.uk/what_we_cover/data_protection/notification/bogus_agencies.aspx

Gap Analysis

The first step in my Data Protection and Information Security Gap Analysis is to make a list of all your information systems that contain personal data, and for each one document the types of processing, data subjects, data classes and recipients. I’ll check this against your registration with the Information Commissioner to make sure you’ve not missed anything out.

This list of systems and the information they contain is my starting point to discover any gaps against the eight principles and to assess the appropriate level of security you need, based on the impact that a problem would have on you and on the people whose data you process.

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.