ICO reminds firms of requirement to gain clearance for personal data processing

The UK's data protection watchdog is reminding firms that they must notify it and be registered in order to process personal data.

24 Jul 2012

The Information Commissioner's Office (ICO) has a guide on organisations' requirements to inform it of their personal data processing intentions before commencing the activity. Organisations that proceed with processing activities without being registered, where they are required to be, are guilty of an offence under UK data protection laws.

Under the Data Protection Act (DPA) organisations cannot process personal data unless they have notified the ICO of their planned activities and have been included in the watchdog's "Data Controller Register", subject to some exceptions. One exception is where an organisation only processes personal data for staff administration purposes.

When notifying the ICO of their processing activities, an organisation must provide information such as the organisation's name and address, as well as a description of the personal data that is to be processed. Details of the intended recipients for personal data that organisations may disclose, as well as details of arrangements for international transfers of that data, must also be provided.

In addition, organisations must provide the ICO with "a general description of measures" they plan to take to ensure personal data is properly secured and protected against the risk of "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

An organisation's registration with the ICO lasts for a year, and organisations must therefore notify the ICO on an annual basis. Organisations are also obliged to keep their registrations up to date during the term of the notification. It is a criminal offence to process personal data without an appropriate entry on the data controller register unless an exemption applies. It is also a criminal offence to fail to notify the ICO of any changes to the data controller's processing, or to process personal data in a way that is inconsistent with the organisation's registry entry.

The ICO is tasked with assessing whether an organisation's planned processing activities are "particularly likely to cause substantial damage or substantial distress to data subjects, or otherwise significantly to prejudice the rights and freedoms of data subjects." If it finds the activities are not likely to be compliant with the DPA, it can write to those organisations informing them of its opinion.

Technically, it is an offence for an organisation to commence processing personal data until either it has received a letter from the ICO confirming that its activities are cleared, or 28 days have passed since it submitted the notification without it receiving a letter from the watchdog.

However, data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that proposed changes to EU data protection laws could bring an end to the notification requirement.

"The proposed General Data Protection Regulation, which is set to change the EU data protection regime, currently includes a provision which will ease the regulatory burden on data controllers by scrapping the need for organisations to notify with their local data protection authority," she said.

Under the draft Regulation many large businesses and those with personal data-heavy processing operations would be required to appoint dedicated data protection officers whilst businesses would also be required to keep a record of their personal data processing and provide the information upon request to regulators.
