Data Protection Notification – Your legal obligations

lock002Every business deals with data of one sort or another. Whether it’s a customer’s shipping information, credit card details, employee information or even monitoring premises with CCTV. Due to the nature of the information collected and held, the law places some responsibilities on the “data collector”. These include the 8 data protection principles but also, notification of the Information Commissioners Office (ICO).

What does the ICO do?

The Information Commissioners’ Office is a government body responsible for the promotion of the regulations laid down by the Data Protection Act 1998. The enforcement of its principles, maintenance of the “data controller” register, resolution of disputes and prosecution of offenders.

Notification Requirements

Notification is a statutory requirement laid down by the Data Protection Act 1998 and requires every organisation that processes personal information to notify the ICO. Failure to notify is a criminal offence, this is a strict liability offence, and so if a business or organisation fails to register it commits the offence and ignorance of the law is no excuse. The law also states that in the case of these breaches, directors of limited companies will be deemed personally guilty of committing an offence under the Data Protection Act 1998

S.17(1) – “Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).”

S.21(1) – “If section 17(1) is contravened, the data controller is guilty of an offence.”

Potential Penalties

With amendments to the law made by The Data Protection (Monetary Penalties) Order 2010, organisations in breach of the Data Protection Act 1998 can now face fines of up to £500,000.

Other Criminal Offences

Other offences under the Data Protection Act include:

  • unlawfully obtaining, disclosing, or procuring the disclosure of personal data;
  • selling, or offering to sell, personal data which has been unlawfully obtained;
  • processing personal data without notifying the Information Commissioner (and other offences related to notification);
  • failing to comply with an enforcement notice or an information notice, or knowingly or recklessly making a false statement in compliance with an information notice;
  • obstructing, or failing to give reasonable assistance in, the execution of a search warrant;
  • requiring someone, for example during the recruitment process, to exercise their subject access rights to supply certain information (such as records of their criminal convictions), which the person wanting it would not otherwise be entitled to. This offence, known as “enforced subject access”, is not yet in force; and
  • the unlawful disclosure of certain information by the Information Commissioner, his staff or agents.

Relevant Reading:

Half a million pound fines for serious breaches of data protection (Ministry of Justice)

Data Protection – Registering Your Company

Data Protection Registration

Popularity: 1%