Data Protection Act - Registration - for Small Business - UK
|
Data Protection Helpline: 01625 545745.
Data Protection Publications Line: 0870 600 8100
For more information on the rights of individuals: 0870 600 8100
Data Protection Website
Data Protection Act Registration
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
|
The following information is adapted from the official UK data protection website. The guidelines given below are not the full set of guidelines - you should only use the information below as an introduction to some of the data protection registration issues. The information was adapted from the official website in early 2005. For full unabridged up-to-date information please visit their website.
Order processing software, such as our own (TOPS) incorporates a customer database. (In order to find out how simply and efficiently our TOPS software handles your customer details, please see our presentation.)
If you store your customer details in a database then by law you must register this activity in order to conform with the Data Protection Act 1998 UK and its registration requirements. It is quite simple and easy to do, and costs around £35 for a two year period. Normally your solicitor would adivse you to do this when setting up your business. However you might have found yourself in business without setting yourself up so formally and Data Protection Act registration may have been overlooked.
The Data Protection Act 1998 UK aims to promote high standards in the handling of personal information and so protect the individual’s right to privacy. The Data Protection Act 1998 applies to firms holding information about living individuals in electronic format and, in some cases, on paper. They must follow the eight data protection principles of good information handling.
These data protection principles say that personal information must be:
- fairly and lawfully processed;
- processed for specified purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the individual;
- kept secure; and
- not transferred to countries outside the European
Economic Area unless the information is adequately
protected.
The Data Protection Act 1998 covers any information that relates to living individuals which is held on computer. For example, this may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified.
The processing of personal information, so far as the Data Protection Act is concerned, includes obtaining, disclosing, recording, holding, using, erasing or destroying personal information.
The Data Protection Act 1998 requires the Information Commissioner to maintain a Register of:
- certain data controllers (broadly speaking, firms and
others who are responsible for processing
information); and
- the purposes for which they use personal
information.
If you hold and process information about individuals
who are customers, employees, suppliers, clients or other members of the public, you may need to join the Data Protection Act Register. This is called ‘notification’.
Not everyone has to notify – for example, you may not
need to notify if you only process personal information for core business purposes such as your own marketing, staff administration and accounting, although you should check with the Data Protection Registration Notification Helpline. You DO need to notify if you process personal information for purposes such as accounting or auditing, crime prevention and prosecution of offenders, pensions administration, mortgage/insurance broking or insurance administration.
Please note: Beware of bogus agencies requesting
payment for data protection registration. There is no connection between the Information Commissioner and such agencies. You are advised not to reply or make any payment to them but to tell the local Trading Standards Office instead. Remember the standard fee for notification is only £35.
Individuals have a right under the Data Protection Act 1998 to get a copy from you of the information you hold about them on computer, and in some manual filing systems. This is known as the right of subject access. If you do receive a subject access request, you must deal with it promptly and in any case within 40 days of the date of receiving it. You should send the individual a copy of the personal information you hold on them and certain other details of your processing. You can charge a fee of up to £10 for responding to a request.
There are some circumstances where you need not supply personal information and there are also circumstances where you need not give information about other people.
Why should I comply with the DPA? First, because it’s a legal requirement. However, it also makes good business sense
For example:
- Sending out a mailing from incorrect or out-of-date records could not only annoy your customers but also waste time and money.
- Good information handling can improve your business’s reputation by increasing customer and employee confidence in you.
- Good information handling should also reduce the risk of a complaint being made against you. Every day members of the public contact the Information Commissioner with enquiries about the way their information is handled. They can also ask the Information Commissioner to assess whether particular processing is likely or unlikely to comply with the Data Protection Act.
- What’s more, if you are not processing information in line with data protection requirements, and an individual suffers damage as a result, then that individual may seek compensation for the damage through the courts.
The Data Protection Act also gives us all certain rights as individuals, including the right to see information that is held about us and to have it corrected if it’s wrong.
Failure to notify or renew a notification when you are not exempt from notifying is a criminal offence. The Information Commissioner could also take enforcement action to make you bring your processing into line with the data protection principles. Failure to comply with an enforcement notice is also a criminal offence. An individual may seek compensation through the courts for any damage suffered. Your business’s reputation and finances could be affected.
You need to make sure that you and all your staff
follow the eight data protection principles. These principles are central to the Data Protection Act, and everyone who handles personal information must abide by them. Our simple checklist will help you to do this. You also need to find out whether you need to notify the Commissioner of certain details about your processing.
- Data Protection Helpline: 01625 545745.
- Data Protection Publications Line: 0870 600 8100
- For more information on the rights of individuals: 0870 600 8100
Data Protection Act Registration
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
|
