How you handle and protect your organisation’s data, i.e. your digital or electronic data (including CCTV images) and any data held in a structured, easy-to-access manual filing system, is subject to legislation, and by 2018 will also be subject to more stringent EU regulations under the GDPR. It is important to remember that your organisation’s data protection responsibilities exist in order to protect the rights of your staff, your customers, and your stakeholders. The importance of this is underlined by the scale of the penalties the Information Commissioner could impose on your organisation for breaches of the principles of the Data Protection Act: fines of up to £500,000.
What Is Meant By Data?
Recorded as part of a relevant filing system or with the intention that it should become part of a relevant filing system. A relevant filing system for example could be where you have manual files that contain single categories of information about an individual’s complaint, account, or personal information, and where that information is readily accessible.
The definition can also include information that:
The information relating to data in relation to the DPA included on this web page is intended to be as a general guide and is by no means definitive and complete. For more information follow the links below, or contact us.
Notifying The Information Commissioner’s Office (ICO)
Under the Data Protection Act 1998, as a data controller (e.g. a company, organisation or sole trader) who is processing personal information, you will need to register with the ICO (known as “Notification”) unless you are exempt. N.B. At the time of writing, 400,000 organisations are registered.
Is There a Fee?
Yes. Registration with the ICO costs £35 each year for organisations turning over up to £23.9m, and £500 for companies that exceed this turnover and have more than 250 employees.
What Exemptions Are There?
Finding Out If You Need To Register
Find out if you need to register by taking the ICO’s own 5-minute self-assessment test here: https://ico.org.uk/for-organisations/register/self-assessment/
Understanding The Terms
As with any area where the law and regulations are involved, it is important to be familiar with the terms.
In this case, “personal data” means any information that relates to a living person, and the individual that the information relates to is known as the “data subject”. The “data controller” is you, i.e. the organisation or body using or processing personal data, and “processing personal data” refers to storing, accessing, viewing, transferring, and analysing that data. When data is described as “sensitive personal data”, this refers to personal data that relates to a person’s sexual orientation, health, race or ethnicity, religious or other beliefs, criminal record, political views, and trade union membership(s).
The Data Protection Act (DPA) 1998
The purpose of the DPA is to create a framework of rights and duties designed to safeguard and regulate the use of personal data. This means data about any living person from which they can be identified, or are likely to be identified in conjunction with other information held.
More detailed sources of information about the exact contents and application of the DPA can be found in a series of guides here:
Data - Find out more about what constitutes ‘data’ for the purposes of the DPA by clicking here for a 29-page guide from the Information Commissioner’s Office (ICO).
Relevant filing system - Find out more about what constitutes a ‘relevant filing system’ by clicking here, a 4-page ICO guide.
See also: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/ and how it relates to The Freedom of Information Act 2000.
What Are The 8 Principles of the DPA?
Schedule 1 of The Data Protection Act is essentially laid out in 8 principles that should be followed to ensure compliance and ‘best practice’ for handling, processing and transferring Personal Data. The Principles say that everyone responsible for using the data in your organisation must ensure that it is:
The Act and Your Staff
Remember that the Data Protection Act applies to the recruitment of your staff, managing your employee records, and giving workers access to the information that you hold about them on request. This includes disciplinary issues, and information you may have obtained through staff monitoring. Staff monitoring, for example, could include monitoring of emails and P-O-S terminals, CCTV, and information given by other people.
For more information see the ICO’s Employment Practice Guide: https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
How We Can Help
If you are a UK business looking for help with any (or all) of your IT requirements, click here.