Data Protection Pocket Guide
Essential Facts at Your Fingertips
Second Edition
London W4 4AL
© British Standards Institution 2 0
All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior permission in writing from the publisher.
Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.
Whilst every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with the BSI at the above address.
BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.
Throughout the text, several companies are named in examples and case studies. These companies are mentioned for illustrative purposes only and their citing is not to be taken as an endorsement by BSI of the companies named.
The right of Nicola McKilligan and Naomi Powell to be identified as the authors of this Work has been asserted by Nicola and Naomi in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
First edition published December 2004
Reprinted 2007
Typeset in Caslon Pro and Franklin Gothic by Monolith – http://www.monolith.uk.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
BSI would like to thank the Data Protection Editorial Board and the representatives of the following authoritative bodies for their assistance in reviewing this book:
– Batchelor Associates
– Deloitte and Touche
– Financial Services Authority (FSA)
– General Medical Council
– European Privacy Partnership
for the UK Data Protection Commissioner (now Information Commissioner) and has been an in-house Data Privacy Officer for British Gas and Accenture. She is editor of the World Data Protection Report and is an experienced technical writer.
Naomi Powell is a risk adviser who holds professional qualifications in data protection, financial crime prevention and training practice. She began her data protection career at the Information Commissioner’s Office, working in the Registration, Policy and Compliance teams. Her practical and common sense approach to compliance was developed as a data protection officer and privacy consultant in the financial services and energy sector.
an overview of data protection law and practical advice and guidance for small organizations looking to comply with the spirit of the new British Standard for Data Protection: BS 10012. This second edition also contains new chapters on using CCTV systems in a way that complies with the law, maintaining ongoing compliance, updates on keeping data secure. The case studies are taken from the Information Commissioner’s Annual Report or press releases.
The Data Protection Act sets out rules that must be followed wherever personal information is processed for anything other than a domestic purpose. The Data Protection Act is the primary piece of legislation which governs compliance in this area but organizations can also choose to comply on a voluntary basis with the British Standard BS 10012: Data protection — Specification for a personal information management system, which provides additional requirements for data protection compliance.
This book complements BS 10012 but if you want to comply with the standard you will also need to refer to its requirements by referencing the full text of BS 10012 itself. This book does not recreate all the requirements of the standard in full but merely provides some guidance on its practical implementation.
If you are not intending to implement BS 10012 in full but would still like to adopt some of its practical requirements you can follow the advice in this book. This may be particularly useful if you are a very small business that would otherwise find it difficult to implement the whole of BS 10012.
This book is intended to be used by anyone who needs to understand their obligations under the law. In particular, it provides practical, simple and easy to follow advice for small businesses, charities, unincorporated members’ clubs and anyone else who does not have the benefit of a large in-house compliance department. It is also a useful quick reference for managers and executives who are responsible for data protection compliance but who do not need an in-depth technical knowledge of the subject.
its provisions.
If you or your organization operate in breach of the law when processing personal information you may incur civil, and sometimes criminal, liability. The adverse publicity may also cost you your business or ruin your organization’s reputation.
You do not need to be doing very much with personal information to find yourself having to comply with the Data Protection Act.
Have a quick look at the list below. Do you:
• hold contact details for customers on computer?
• keep copies of invoices from suppliers?
• have an overflowing filing cabinet in the corner that contains personal information?
• telephone customers or other individuals to enlist support or business?
• publish images on the internet?
• have staff working alongside you?
• use third-party outsourcers to do work for you?
Information on individuals is a valuable asset and like your other assets needs to be properly protected. Apart from making good business sense, the reputation and success of your organization can be under threat if you do not make looking after personal information your priority. Without it, you would not be able to function as an organization. With it, you can create, maintain and build relationships of mutual benefit with your customers, clients, suppliers, supporters, investors and staff, who in turn will recommend you to their customers, clients, suppliers, supporters, investors and staff. A review of the Information Commissioner’s Annual Report shows that, so far, the majority of prosecutions under the law have been directed at small businesses that were either unaware of the law or failed to ensure compliance with it while running their business.
Why this book?
There are a number of detailed law books and guides available that will take you through the requirements of the Data Protection Act but most organizations or individuals need to understand the practical application of the law and how it applies to them. This book provides you with this basic practical advice to help make compliance with the Data Protection Act easier.
This book is also helpful because it includes additional information about compliance, drawn from BS 10012, which can help you make sure that your approach to data protection compliance is fully effective.
This book relates the requirements of the law directly to the way you process your customer, client or contact information. It also explains what you have to do and provides examples of how to do it. In addition, it provides specific guidance for businesses or other organizations operating in high risk areas.
This book covers all the requirements of the Data Protection Act, and by the end of it you will be able to:
• identify what personal information you can legally collect and use;
• know what you can and cannot do with the personal information you have collected;
• understand the law as it applies to your particular business or activity;
• deal with data protection ‘emergencies’ such as requests for access to information from individuals, bad publicity and investigation by the
• keep on the right side of the law and avoid compensation, hefty fines or imprisonment;
• benefit from improved data management and a better relationship with customers, clients and other contacts;
• monitor and review your processes and procedures for compliance in line with the requirements of BS 10012
Because this book is a basic guide to the Data Protection Act, we do not cover related legal topics such as compliance with the Human Rights Act, freedom of information legislation or laws that cover the interception or regulation of communications in any detail. Other guidance is available from BSI that addresses these issues in more detail.
The law applies to personal information from the moment of collection of that information to its destruction, and to all things that happen to that information in between – this is the way in which this book has been set out. It is structured to reflect the life cycle of the personal information used by your organization and to take you step-by-step through what you need to do.
This book provides guidance on:
• notifying the Information Commissioner of your processing (a legal requirement);
• collection of personal information;
• use of personal information, including some specific advice for specialist areas;
• security and disposal of personal information
Troubleshooting tips are also included to help with common queries.
This book avoids the use of legal terminology and the complicated definitions set out in the law. We have, however, tried to ensure that all the definitions we use are consistent with BS 10012. The main differences are that where the law refers to ‘personal data’, both this book and the British Standard refer to ‘personal information’, and rather than referring to organizations that comply with the law as ‘data controllers’ (as the statute does), this book refers to ‘you’ and ‘your organization’.
Who must comply with the Data Protection Act?
All individuals and organizations who ‘process’ personal information for their own business purposes must comply with the Data Protection Act 1998.
Types of organization that process personal information and therefore must comply with the Data Protection Act include:
• small, medium and large commercial organizations including limited companies, partnerships, limited partnerships and sole traders;
• charities, churches, political parties, and public and state schools;
• self-employed health professionals such as GPs, opticians and dentists;
• hospitals and NHS trusts;
• local authorities and other public sector organizations;
• unincorporated members’ clubs and associations;
• anyone who employs staff
The Data Protection Act contains eight principles for good information handling. These are that personal information must be:
1 processed fairly and lawfully;
2 processed only for specified and compatible purposes;
3 kept accurate and up to date;
4 relevant and not excessive;
5 retained for no longer than necessary;
7 kept secure;
8 adequately protected if it is to be transferred outside the European Economic Area.¹
Guidance on how to comply with these principles is the main focus of this book. Further information about the EEA is given in Chapter 8, Transferring personal information overseas.
In addition to complying with these rules, organizations and individuals who must comply with the Data Protection Act may also have to notify the Information Commissioner of the details of how they process personal information. Chapter 2, Notification deals with this requirement.
The law also contains a number of criminal offences that relate to the misuse of personal information. These are covered in the relevant chapters.
Any information from which a living individual can be identified is protected under the Data Protection Act as long as that individual is the focus of the information in question.
A few examples of data that might be considered personal information, providing that it is possible to identify a living individual from the information in question and make them the focus of the information, include:
• name and address details;
• health information;
• information in emails;
• email addresses;
• CCTV footage featuring the individual’s image;
• call recordings featuring the individual’s voice;
• photos, either digital or on paper;
• National Insurance numbers;
• full postcodes;
• information in a personnel file
¹ The European Economic Area or EEA consists of the member states of the European Union plus Norway, Iceland and Liechtenstein.
Information processed by automated means, such as on computer, is always protected.
Information held in ‘manual’ or paper based files will be covered by the law to a different extent depending on whether it is processed in the public or the private sector.
If the paper based information is processed by a public sector organization, it is covered by the Data Protection Act.
If the same information is processed in the private sector, it will only be covered by the law when it is held in a very organized way (for example information that is held in a paper-based filing system, where it can easily be retrieved because it is organized so that someone who does not have any previous knowledge of the system could locate the information they require).
You will only have to comply with the law if you are ‘processing’ personal information. The Data Protection Act defines what is meant by ‘processing’, and the definition is very wide.
‘Processing’ personal information means doing anything at all with the information, including collecting, using, storing and destroying it. Even just reading or accessing information can be ‘processing’ it.
Examples of processing:
• collecting information via an application form, over the telephone or via a website;
• publishing information;
• selling information;
• using information for administration;
• using information for marketing;
• intercepting information;
• recording information;
• data matching, data mining or profiling;
• archiving information;
• reading information from a screen;
• disclosing or passing information to another organization or individual;
• making information available on a website.
As the definition of processing is so wide, most organizations that use personal information will find it difficult to argue that they are not processing personal information.
The only organizations that might escape being covered by the Data Protection Act are those that only process personal information on behalf of other individuals or organizations under their instructions. Such organizations or individuals are referred to as ‘data processors’ under the Data Protection Act.
These relationships must be governed by a contract that specifically sets out what can and cannot be done with the information being processed by the data processor. If you process personal information under an outsourcing contract like this, the organization that is instructing you will be responsible for complying with the law, not you.
Examples of types of organization that will often be data processors include:
• mailing houses;
• IT consultants that have access to clients’ personal information when servicing
If you are processing your own personal information, for example in relation to your employees, you will have to comply with the requirements of the Data Protection Act with respect to this information. (See Chapter 10, Employers and employee information.)
However, in practical terms, whether or not you are processing information on your own behalf or on someone else’s, it is unlikely to make much difference to the safeguards that you are required to put in place. The main difference is likely to be that when you process on behalf of another, you will have to comply with the restrictions in any contract rather than the obligations set out in the Data Protection Act. However, these requirements are likely to mirror each other, especially in relation to the security of the information.
Remember
Even if you are not directly affected by the requirements of the Data Protection Act 1998, you will probably be obliged to comply with its requirements under contractual arrangements.
The Data Protection Act is enforced by an independent regulator – the UK Information Commissioner. The Information Commissioner also provides advice and guidance to those trying to comply with the law and has a helpful enquiry service that will provide advice on a ‘no names’ basis. There is also a Scottish Information Commissioner who has responsibility for freedom of information regulation in Scotland. However, only the UK Information Commissioner enforces the Data Protection Act in the UK.
For contact details for the UK Information Commissioner’s Office, see Sources of information at the back of this book.
The courts can also enforce the law. Criminal prosecutions are usually brought by the Crown Prosecution Service on behalf of the Information Commissioner.
Notifying the Information Commissioner
One of the requirements of data protection law is that organizations are clear and transparent about the personal information they hold and how they use it. With this in mind, one of the Information Commissioner’s key responsibilities is to maintain a public register, available on the internet, of individuals and organizations that process personal information. The aim of this register is to reassure the public by making details of the processing of personal information available to them.
Unless they benefit from an exemption, organizations that are data controllers are required to ‘notify’ details of their processing to the Information Commissioner on an annual basis so that these details can be placed on the register.
The notification process involves the completion of a ‘notification form’ that must be submitted to the Information Commissioner, ideally before you start processing any personal information.
There are two parts to the notification form.
Part 1 includes:
• the name and address of the organization;
• the company registration number at Companies House (if applicable);
• contact details for the company;
• a description of the processing being carried out, to include purposes, types of individual, types of information, types of disclosure and whether any information is sent outside the EEA
Part 2 includes:
• a security statement
• trading names;
• a statement of exempt processing (for example, if you are processing information on paper-based files, which are exempt from notification);
• voluntary notification (i.e. if you are exempt from notification because you are a not-for-profit organization, or are only processing for core business purposes, but you decide to notify anyway)
Not all organizations have to notify. You should check whether or not you fit any of the exempt categories set out in Chapter 3, Exemptions from notification, but if you are obliged to notify you have a variety of options when it comes to completing your notification.
Ways to notify
There are three ways to notify:
1 on the internet (www.informationcommissioner.gov.uk) – there is a step-by-step process to follow, at the end of which you will be able to print off the forms ready to post;
2 by telephone – this is probably the easiest way, as you have the benefit of being able to ask any questions you may have;
3 filling in a request form – by completing a request form available on the website and then faxing it through or posting it
If you request a notification form via the telephone or via the request form, you will receive a pre-completed template notification form that outlines the typical processing activities of your type of organization, for example:
• schools;
• independent financial advisers (IFAs);
• charities
If you use the internet to request a notification form, you will be able to select the correct template for your business yourself.
intended to be an overview, and the headings used are quite general to reflect this fact. If it does not cover one of your processing purposes, it does not mean you are doing anything wrong but that you simply need to complete an extra form.
If you are a larger organization, you may wish to consult with colleagues who have responsibility for certain areas, e.g. customer services or personnel, to see whether they agree with the current notification entry.
The fee for notification is currently £3 per annum, which is VAT exempt. If you set up a direct debit, the renewal takes place automatically, therefore removing the risk that you miss the renewal date and are therefore processing illegally until you re-apply.
NB At the time of writing the fees for notification are currently under review and may be increased for some organizations. Please check with the Information Commissioner’s Office for the latest position.
Organizations can notify the Information Commissioner directly. There are companies that offer a service to notify on your behalf. They target organizations that do not appear on the public register. They will forward your completed forms to the Information Commissioner and ask for an additional fee on top of the standard charge.
Such services are not usually cost effective. This section of the book takes you step-by-step through the notification process so that you can complete your notification yourself without incurring any further costs.
The revenue from the notification scheme is used to repay the ‘grant-in-aid’ that the Government supplies to fund the Information Commissioner’s work.
If you stop processing personal information in a year when you have already paid for the notification, the fee will not be refunded.
After submitting your completed form by post, you will receive an acknowledgement letter from the Information Commissioner’s Office. The forms will be subject to a preliminary check to ensure they are in order. If there is a problem, the Information Commissioner’s Office will contact you, so ensure that the contact details given on the form are those for your office hours.
The notification takes effect from the day it is received at the Information Commissioner’s Office, and in order to be certain that the forms are received by a certain date, they could be sent by recorded delivery.
When your notification has been entered onto the register, you will receive a copy of your register entry.
Criminal liability
Failure to notify (unless exempt) and failure to keep a notification entry up to date is a ‘strict liability’ criminal offence, i.e. there is no defence to mitigate the charge. If you are caught out you will need to hold up your hands and accept the consequences. No excuses will be accepted.
Individuals can access the register to find out what types of personal information are being processed by an organization. They can use it to obtain contact details if they want to exercise their rights under the Data Protection Act, for example to opt out of marketing or to make a subject access request.
Each entry on this register contains details of the company and the purposes for which they process personal information. Each purpose heading contains further details on the individuals (for example customers, staff and suppliers), types of information held on these individuals, and any further disclosures or transfers of this information. The organization also has to give the Commissioner information about its security measures. However, for obvious reasons, these are not posted on the internet.
Criminal liability
You do not have to display the register entry, but neither should you file it away too far from reach. You will need to keep it under review to ensure that it is accurate, as you are obliged to reflect any changes in your processing as soon as practicable and in any case within 2 calendar days, otherwise you are guilty of a criminal offence. For example, if you have indicated in your notification that you will only use personal information for administrative purposes but you now wish to use the information for marketing, you must update your notification to reflect this.
easily using a company’s postcode or company number.
Security is one of the biggest considerations under the Data Protection Act, and with this in mind, you will be issued with a security number that will need to be quoted in any contact regarding the register entry. By keeping this number confidential, you will guard against anyone, maliciously or otherwise, making changes to the notification that could ultimately lead to liability for a criminal offence.
Forms to add an additional purpose and to make any amendments to your register entry are available on the website or on request. There is no charge for making a change to a notification entry.
Each legal entity has to have its own notification. If there is a change in legal entity, e.g. from sole trader to partnership, partnership to limited company or one company takes over another, a new notification entry will have to be submitted as entries are non-transferable.
About one month prior to the expiry date you will receive renewal forms from the Information Commissioner’s Office. If you have set up a direct debit, this renewal will take place automatically. If you miss the expiry date you will have to make a new notification application as it is not possible to renew an entry once it has expired.
Renewal time is a good prompt to check your register entry to ensure that it still reflects your processing.
If you are complying with the British Standard on data protection, you will need to ensure that you always maintain an up-to-date inventory of what personal information your organization processes and what it is used for. You may want to carry out regular reviews of this inventory to ensure it is up to date.
You can use your data inventory to collect and maintain the details of your processing in preparation for your annual notification. You should also set up a diary or other reminder system to make sure you are reminded when your notification is due for renewal. You should leave enough time between this reminder and the renewal date to let you review your current processing activities and make any necessary updates to your notification.
There are a number of companies that send notification mailings to specific organizations that are not currently on the notification register, whether they are exempt or because they have failed to notify. They ask the organization to complete the standard notification forms, and then the notification agency forwards these to the Information Commissioner’s Office for a fee, which includes the standard £3 notification fee. You are not obliged to respond to such mailings.
While many organizations offering these services are legitimate, some have been criticized by the Office of Fair Trading (OFT) for misleading organizations.
Case study
Data Protection Agency Services Limited, also trading as Data Collection Enforcement Agency, received an injunction under the Control of Misleading Advertisements Regulations 1988 following investigation by the Office of Fair Trading. The company has subsequently changed its name to Data Services (North West) Limited. This name change should mean less confusion as to the status of the company as one that offers a service, rather than an official government body.
It is important to remember that correspondence from the Information Commissioner’s Office will always be on its headed paper and include its logo (comprising the initials ‘IC’ inside an oval). This can be cross-referenced with its website, or by calling its enquiry line.
There are certain exemptions from the requirement to ‘notify’. It is important to bear in mind that even if you are exempt from notification, you are not exempt from the requirement to comply with the Data Protection Act itself.
The relevant exemptions apply if:
• you do not process any information on computer;
• any processing you undertake is strictly on instructions from another organization, i.e. you are a data processor (see Chapter 1, Introduction for more information), or you only process information for personal, family or household affairs, e.g. a personal address list, Christmas card list or domestic closed-circuit television;
• you are a not-for-profit organization;
• you are only processing for the core business purposes
Some of these exemptions are explained in more detail throughout the rest of this chapter.
If you are processing information for one or more certain purposes, known as ‘core business purposes’, you may be exempt from notification. These purposes are:
• staff administration;
• advertising, marketing and public relations;
• accounts and records
You are exempt as long as your processing for this purpose is limited to:
• information on your staff, for example temporary staff, agents and volunteers;
• information that is necessary for employment purposes, for example qualifications, work experience, pay and performance, and health data;
• making disclosures with the consent of staff other than those that you are required to make as an employer, for example to the Inland Revenue, or to those organizations that have powers in law to demand it, for example the Child Support Agency
You are exempt as long as your processing for this purpose is limited to:
• information on individuals, for example customers, suppliers and supporters, that you use for the purpose of advertising, marketing and public relations in relation to your organization;
• information that is necessary for advertising, marketing and public relations, for example name, address and other contact details;
• holding information only for as long as necessary for these reasons and not after the relation between you and the customer or the supplier ends
Note that if you obtain information from a third party, for example a list broker, a charity or a similar business, then you will not lose this exemption from notification.
You are exempt as long as your processing is limited to the following purposes:
• keeping accounts relating to your business or other activity carried out by you;
• deciding whether or not to accept a person as a customer or supplier;
• keeping purchase, sales or transaction records to ensure that payments and
deliveries are made by or to you;
• planning purposes;
AND your processing is limited to:
• information about people that it is necessary to process for these purposes, and
any disclosures to third parties without the individual’s consent are only made
where necessary for these purposes, e.g. disclosures to an accountant or courier;
AND
• you hold information only for as long as is necessary for these reasons and not
after the relationship between you and the customer or the supplier ends.
Small clubs, voluntary organizations, churches and some charities may benefit
from this exemption if their processing is limited to:
• establishing and maintaining membership or support for a body or association
not established or conducted for profit; and
• any further processing that does not fall outside the core business purposes
described above.
Having gone through the process of determining whether you are exempt from
notification, you may decide to notify anyway. Why would you do this?
Individuals are entitled to contact you at any time and ask for information about
your processing. You have to respond to this request within 21 calendar days of
receiving a written request as it is a criminal offence not to do so (unless you can
show that you have exercised ‘all due diligence’ to comply. This would not include
the request being misplaced in someone’s in tray). If you have voluntarily ‘notified’
you are not obliged to respond to these requests, although it is advisable to let the
individual know that you are on the register.
As mentioned previously, failure to keep a notification entry up to date is a
criminal offence, to which there is no defence. You have to ensure that you have
procedures in place to keep ‘on top of’ the accuracy of the notification entry.
This chapter covers the first data protection principle:
1 Personal information must be processed fairly and lawfully
Now that you have notified the Information Commissioner, you can begin to
collect personal information; however, you must ensure that it is collected in a
compliant fashion.
Personal information is protected by data protection law from the moment it is first
collected to the time when it is eventually destroyed, and at all the points in between.
If you want to collect and use personal information for anything other than domestic
purposes you must collect this information both fairly and lawfully.
This means that you need to think about how you are going to comply with the law
before you approach individuals with a view to collecting their information.
If personal information is not collected fairly or lawfully it means that you or your
organization may ultimately be prevented, by the Information Commissioner or
the courts, from using this information in ways that are essential to fulfilling your
organization’s basic needs, such as marketing, fraud prevention or the sharing of
information with other parties.
It is therefore very important that you start out by following all the rules set out in
the law that cover the obtaining of personal information.
There are three steps you must follow in order to ensure any collection of information
is fair and lawful, and these three steps can be summarized by the following:
1 Ensure that you have a legitimate reason for needing to process the personal
information (reasons are limited to those set out in the Data Protection Act)
and if you wish to process sensitive categories of personal information make
2 Before you collect personal information, make sure that the individual whose
personal information is being collected knows who you are and what the
information is to be used for, including details of any third parties to whom the
information may be passed or with whom it may be shared. You should do this
by providing a ‘privacy notice’ to the individual.
3 Ensure the collection of the personal information and its subsequent use does
not break any law or breach any contractual term or duty of confidentiality.
The rest of this section discusses what is involved in each of these three steps.
Before collecting personal information, you or your organization must demonstrate
that you have a legitimate reason for needing to collect and use the personal
information in question.
The law lists a limited number of reasons why organizations might need to process
personal information.
Do you process personal information for any of the following reasons?
• You have a legitimate business need to process the personal information.
• You have the consent of the individual to use their information.
• You need to use the information in order to ensure the performance of a
contract with the individual or because you want to enter into a contract with
that individual, e.g. you may need access to a job applicant’s educational history
and proof of qualifications in order to offer them a contract of employment.
• You need to process the personal information in order to comply with a legal
obligation you have been placed under.
• You need to process the information in order to save the individual’s life or
protect them from grave harm.
• You exercise a statutory function, administer justice or carry out some other
function of a public nature that is in the public interest and requires the
processing of the personal information.
If at least one of the above reasons applies to you then you will be able to begin
processing personal information providing it is not classified as sensitive information
(see What is sensitive information? below for more information).
In most cases it will be simple enough for an organization to establish a legitimate
business interest in processing the personal information, i.e. that processing the
information is necessary for the organization to function.
This will cover most uses that will be made of personal information, including
marketing. However, you must always ensure that anything you intend to do with
the information will not invade the privacy of the individual who has provided
their information, otherwise you may lose the right to rely on this ground.
A private investigator may want to sell information about a celebrity’s spending
habits using information that he has obtained from ‘dumpster diving’ (i.e. going
through the celebrity’s bins). While the private investigator might see a business
benefit in such an activity, the invasion of the celebrity’s privacy might outweigh
the business need, and the investigator might need to find another ground for
using the information or rely on an exemption from the Data Protection Act 1998.
If you cannot show a legitimate business need, you will need to satisfy one of the
other grounds.
Some personal information is subject to special protection under the Data
Protection Act because it is regarded as being sensitive. Sensitive information
includes information about an individual’s:
• racial or ethnic origin;
• commission or alleged commission of any criminal offence by the individual;
• involvement in criminal proceedings in relation to any offence that has been
committed or has been alleged to have been committed by the individual.
Where you or your organization want to collect the types of information set out
above, you must demonstrate a particular need to use the sensitive information.
Do any of the following apply to your processing of sensitive personal information?
• The individual explicitly consents to the collection and use of their sensitive
information.
• The processing is necessary to comply with employment law.
• The processing is necessary to protect the individual or any other person
from death or grave harm, and it is not possible or reasonable to obtain the
individual’s consent to the processing.
• You are a not-for-profit political, philosophical, religious or trade union
organization that processes personal information about its own members
relating to the purposes of the organization, and the information is not passed
on to any other individuals or organizations. For example, a political party could
keep a note of the fact that its members were voters but could not disclose this
information without its members’ consent.
• The information about the individual has already been made public by the
individual.
• You are exercising a statutory function or administering justice.
• The processing is for medical purposes and you are either:
– a health professional such as a GP, midwife, optician, nurse, dentist,
physiotherapist, or
– a person under a similar duty of confidentiality.
• The information is to be used for equal opportunities monitoring on the basis
of ethnic origin or disability, and you also provide safeguards, such as allowing
individuals the chance to ‘opt out’ of this.
• You are providing a confidential counselling or advice service.
The police and other limited organizations may also process sensitive personal
information in order to prevent or detect an unlawful act or for the prevention or
detection of crime or other unacceptable behaviour including the investigation of
child abuse over the internet.
If you cannot demonstrate that you need to process sensitive personal information
for one of the reasons set out above, you can obtain ‘explicit consent’ from the
individual whose information you are collecting to use this information. Even
if you think you can rely on one of the grounds set out above you may still need
to check with the Information Commissioner that you can do so, as special
conditions may apply.
Case study
In 2004, the supermodel Naomi Campbell successfully sued The
Mirror newspaper for invasion of her privacy. The Mirror had published
a picture of Naomi leaving a Narcotics Anonymous meeting. As part of
her case Naomi argued that The Mirror was processing her sensitive
information, in this case information about her mental and physical
health, without her consent. The case went to the House of Lords and
‘Explicit consent’ as a basis for collecting sensitive information
As the grounds for processing sensitive information are much more limited, the
easiest way to satisfy this aspect of STEP 1 is to ask for the individual’s consent to
process this information. Any organization or individual can collect and use sensitive
personal information where they have obtained ‘explicit consent’ from the individual
whose sensitive information is being processed, without worrying about justifying
the processing under one of the other more limited grounds set out in the law.
The key word here is ‘explicit’. In order to obtain ‘explicit consent’ the collector
of the sensitive information must have made clear to the individual whose data
is being collected exactly what sensitive information is being used and for which
purpose. The individual giving consent must actively indicate their agreement
to their sensitive information being used in this way. This agreement should
preferably be recorded, for example by asking the individual to sign a statement
indicating their explicit agreement.
However, it is still possible to collect such consent verbally, for example, over
the telephone.
Case study
A charity collecting information about sight-related disability in order
to send out Braille versions of information might provide the following
explanation when collecting the disability information over the phone:
Caller: ‘You’ve explained to us that you are registered blind.
I’m just going to make a note of that on our computer so that we can
remember to send you all your information in Braille format.
Is that OK?’
Individual: ‘Yes, of course.’
The caller makes a note on the individual’s record that agreement to
record sensitive information was obtained.
In 2004 the Information Commissioner found that a local authority was
processing sensitive personal information relating to citizens who were
‘hard of hearing’ without the explicit consent of the individuals concerned.
Instead the local authority obtained the information about their hearing
difficulties directly from their medical records without their consent.
The local authority argued that it had implicit consent from the
individuals concerned, but the Information Commissioner found that
as the information was health information and therefore sensitive
personal information, explicit consent should be obtained in order for
the processing to be regarded as fair.
Once an individual or organization has decided that it can satisfy STEP 1 and
establish a reason or grounds for its processing of personal information, it must
also ensure that its collection of the personal information from the individual is
‘transparent’, i.e. it must be made clear to the individual how their information is
to be used.
This step involves the issue of a ‘privacy notice’ to the individual providing their
information. This is the most important requirement of the law in relation to the
collection of personal information.
The purpose of a privacy notice is to explain to the individual:
• the identity of the organization collecting their information;
• how the personal information that is provided will be used;
• any other information that the individual should be told in order to ensure the
processing of their information is fair, for example:
– a description of any other organizations that the information may be shared
with or disclosed to;
– whether the information will be transferred outside the European Economic
Area (the member states of the European Union plus Norway, Iceland and
– the fact that the individual can object to the use of their information
for marketing;
– the fact that an individual can obtain a copy of their information (see Chapter 9,
Using information in line with individuals’ rights, for more information).
The Information Commissioner has also suggested in its Privacy Notices Code of
Practice (available from its website) that you also explain:
• how long you or other organizations will be retaining their information; and
• whether the individual will suffer an adverse impact if they do not provide their
information, for example if they will no longer be entitled to receive benefits.
If you are collecting some information that is compulsory and some information
that is voluntary, you should also make this clear when you collect the information.
The individual can then choose whether to provide the voluntary information.
Security
Some individuals or organizations also choose to explain the security in place for
the individual’s information and to provide details of who to contact with any data
protection concerns. However, you should be careful not to supply too many details
in case you put your own security at risk, and you should not give false assurances
about the protection that is provided by these measures.
The following is an example of a straightforward privacy notice used by a small
business collecting information over its website.
Case study
Barbara’s Bed and Breakfast will use the information you give to us,
for example your name and contact details, to confirm your booking
and provide your accommodation. If you provide us with details of any
disability or special dietary requirements we will only use these details,
with your agreement, to make special arrangements for your stay. We
will keep your information securely and will not share it with any other
organization unless required to do so by law.
If you provide your email address to us we would like to send you
details of special breaks and offers. If you agree to us contacting you by
email in this way please tick.
❏
The privacy notice must be provided before any personal information is recorded
or collected or the subsequent processing of the personal information may be in
breach of the law.
In 2003, a health authority carried out a survey that collected health
information linked to full postcodes. This resulted in a complaint
being made to a national newspaper that the survey was not entirely
The health authority had not realized that postcodes could be considered
personal information even though they would sometimes relate to the
address of only one living individual. As a result it had not provided a
clear and full explanation of how the information would be used when it
collected information from participants in the survey.
The Information Commissioner became involved and the health authority
accepted that a clearer and more transparent notice should have been
provided to participants in the survey.
How you provide the privacy notice will depend on the media you are using to
collect information. It can be provided:
• verbally, where information is collected face to face or by phone;
• in writing, where the information is collected on an application form; or
• electronically, where information is collected via a website or by text message.
Explain the non-obvious
The most important consideration is that your privacy notice should explain all the
uses that you would want to make of the personal information. It should especially
make clear any uses of the information that would not be immediately obvious to
the individual whose data is being collected.
Case study
The suppliers of the Innovations catalogue lost their appeal against an
enforcement notice served in 1992 that required them to provide a
privacy notice ‘up front’ at the time of collecting personal information
that was to be used for marketing purposes by the company and other
organizations with whom the personal information was shared.
Innovations advertised through media such as newspapers, television
and radio. Customers buying products from Innovations provided their
names and addresses and payment details when placing an order. They
received no notice explaining to them that their details would be used
for marketing purposes when they provided their information, but the
acknowledgement form that they received later did feature a notice
explaining how their information would be used.
The Information Tribunal held that Innovations must provide a notice
explaining any non-obvious use of the information, including the
trading and sale of the information to third parties for marketing,
before collecting the information, for example in any advertisement
encouraging an order to be placed. The Tribunal also held that the
notice should be ‘clearly expressed in ordinary language and placed in a
position of reasonable prominence in the advertisement’.
If you fail to explain a non-obvious use of personal information to an individual you
will not be able to use that individual’s information for the non-obvious purpose.
Where any privacy notice is provided you must ensure that the notice is not hidden
in the small print of the application form or in separate terms and conditions that
may not be readily available to the individual at the time that their information is
being collected.
The notice must be clearly delivered, for example above the signature box on the
application form, or it may not be valid.
Case study
Linguaphone, the home-study language course providers, lost an
Information Tribunal appeal in 1 9. At the appeal the Tribunal
examined the privacy notices used by Linguaphone and criticized the
company for providing the wording in very small print, which failed to
provide a sufficient explanation of how the personal information being
As mentioned earlier, it is important to make the uses of the information described
in your privacy notice as comprehensive as possible. If you have told individuals, via
your privacy notice, that their information will be used only for certain purposes
and you later decide to extend the uses to be made of that information into areas
that are substantially different you will have to obtain the individuals’ consent to
new uses of their information.
In 1 9, British Gas was prevented from using personal information
collected from customers who had not received an adequate privacy
notice for the marketing of anything other than gas or energy-related
products. British Gas wanted to use its huge database (which dated
back to its time as a monopoly public sector supplier) for wider
marketing and tried to rely on a notice that was served to customers
after the collection of their information. In some cases the notice was
served many years after the first collection.
The notice explained that their information would be used for wider
marketing purposes. British Gas argued that if customers did not
contact it to object to the new marketing purposes it could interpret
this as consent to market to them. The Tribunal found that consent
could not be relied upon where British Gas received no response from
its customers.
It might be tempting for a small organization to use a privacy notice that is drafted
in such wide terms that it covers everything an organization would like to do with
an individual’s information. For example:
‘Let’s Do It All plc may use your information any way it needs to for the
purpose of operating its business.’
This sort of approach will not be compliant with data protection law. You must
provide enough detail in the wording of your privacy notice to make it clear what
the data is to be used for. However, try to avoid giving so much detail that the
meaning of the notice is obscured.
Other wording that could form part of the privacy notice
You can also use your privacy notice to satisfy some of the other requirements of
the law.
You can use the privacy notice as a mechanism for collecting consent where this is
required for the processing of the personal information.
Consent may need to be sought via a privacy notice where:
• no other reason can be relied upon as a legitimate basis for processing personal
information (see STEP 1, page 16);
• no other reason can be relied upon as a legitimate basis for processing sensitive
information (see STEP 1, page 16);
• sending information outside Europe in instances where there is no adequate
protection for that information (see Chapter 8, Transferring personal information
overseas for further details);
• information was collected for one purpose but you now wish to use that
information for another purpose, but have not told the individual(s) concerned.
Where you need the individual’s consent to process their information you need to
ensure that their consent is valid.
In order to be valid, consent must be fully informed and freely given. Where you
want to include a clause gaining consent for processing in the privacy notice you
must ensure that you give a very detailed explanation of exactly what it is that the
individual is consenting to.
You should usually try to obtain proof of consent such as a signature, and at the
very least the individual must give some active indication of agreement. You cannot
obtain consent by sending out a letter to an individual to ask for consent and assume
that their failure to respond or to object indicates their agreement to consent.
You must be sure the individual concerned has both understood and agreed to the
uses of the information for which you were seeking their consent.
Remember
In most cases it will be sufficient to ensure that the individual is made
aware of how their data is going to be used. You will only have to seek
a firmer indication of consent in the particular instances where the law
requires it.
If you wish to use any information you are collecting for marketing purposes
you must explain this in the privacy notice. However, the law also contains a
requirement that you must allow individuals the option of choosing not to receive
marketing material (whether by mail, phone, email or any other method). (See
Chapter 9, Using information in line with individuals’ rights for more information.)