DO I NEED TO NOTIFY?
Who needs to notify?
All data controllers are required by the Data Protection Act 2002 to
notify the Data Protection Supervisor of any processing of personal
data they undertake unless they are exempt from the requirement
to notify.
A series of questions has been designed to help you determine
whether you are required to notify or whether you qualify for an
exemption from notification.
What is a Data Controller?
A data controller is the legal person responsible for compliance with
the Data Protection Act and decides what personal information is
required and the purposes for which it will be used.
Am I a data controller?
A data controller is usually a company, limited or otherwise, a
partnership, or other organisation.
Non-profit making organisations, such as sports clubs, registered
charities or churches, are also data controllers.
Individuals may also be data controllers.
Are you ...
A company, limited or otherwise, a partnership,
YES
or other organisation?
A non-profit making organisation, such as
YES
sports club, registered charity or church ?
An individual, sole trader or sole practitioner?
YES
Individuals
An individual will be a data controller and may be required to notify
if they are a
sole trader,
sole practitioner,
liquidator,
private medical practitioner
OR
use personal information to undertake a specific role, such as
elected representative or candidate for election
Do you use personal information for any of these
functions?
YES NO
Individuals
An individual is a data controller if they only use personal
information for domestic purposes.
What are
domestic
purposes?
Individuals
As an individual do you only use personal
information for domestic purposes?
YES NO
Non profit-making
organisations
A non profit-making organisation is
“is a body or association which is not established or
conducted for profit”.
If such organisations use a computer or other electronic equipment, they
may be exempt from the requirement to notify even though they will be a
data controller.
The exemption from notification only applies in
limited circumstances.
Please click the arrow to find out more.
Non profit-making organisations
The exemption from notification circumstances are:
The type of information held must only be details of members’ or
supporters’ names, addresses and eligibility for membership.
The purpose for using information is for establishing or maintaining
membership of or support for the body or association, or providing or
administering activities for individuals who are either members of the
body or association or have regular contact with it.
The purpose for using information is for the three core business
purposes
Non profit-making
organisations
Does the organisation have or use any personal information for
any other purpose or purposes?
For example:
do you undertake vetting?
do you hold medical information about members?
do you have a CCTV system?
do you sell your list of members?
YES NO
No requirement to notify
If you ONLY process people's information for the
• NON-PROFIT MAKING PURPOSE, or
• NON-PROFIT MAKING PURPOSE and THREE CORE BUSINESS PURPOSES
but for NO other purpose, then you are exempt from the requirement to
notify.
Even though you do not need to notify you will still be obliged to comply
with the remaining provisions of the Data Protection Act.
If you are in any doubt about whether you need to register, please
click to return to the start, or contact the
Office of the Data Protection Supervisor
The Data Protection Supervisor's website carries a list of those data
controllers who are exempt form notification. If you wish to be included
on this list please complete a Notification Exemption Form.
Is automatic equipment used?
Does the data controller, or someone on
their behalf, use a computer or any other
equipment that operates automatically, for
fulfilling their functions?
What is
YES NO automatic
equipment
What equipment operates
automatically?
Any type of computer however described, for example, mainframe,
desktop, laptop, netbook etc.
It also includes other types of equipment which, although not normally
described as computers, nevertheless have some ability to process
automatically.
For example, automatic retrieval systems for microfilm and microfiche,
audio and visual systems, electronic flexi-time systems , telephone
logging equipment and CCTV systems.
Do you process data?
Processing means obtaining, recording or holding data or carrying
out any operation or set of operations on data. It includes
organising, adapting and amending the data, retrieval, consultation
and use of the data, disclosing and erasure or destruction of the
data.
It is difficult to envisage any activity involving data which does not
amount to processing.
YES NO NOT SURE
Is personal data processed?
Personal data means data which relate to a living individual who can be
identified from those data or from those data and other information
which is in the possession of, or is likely to come into the possession of,
the data controller.
Personal data can include, but is not limited to, name, postal address,
email address, date of birth, account, client or patient reference
numbers, CCTV images or voice recordings. It also includes opinions
and intention towards that person.
YES NO NOT SURE
You may be required to notify
Domestic Purposes
Domestic purposes include personal, domestic and household affairs
(including recreational purposes).
Examples might be a personal address list, Christmas card list or data
held in connection with a hobby.
It does not include the use of personal data for
business or professional purposes on a home
computer.
Three Core Business Purposes
The Act recognises that data controllers need to have, and use,
certain information about people to perform basic business tasks.
These are known as the three core business purposes and are for
your own:
staff administration
accounts and records
advertising, marketing and PR
Three Core Business Purposes
Do you only use information for the
three core business purposes?
YES – only NO – for What other
three core other purposes
purposes purposes are there?
Examples of other purposes
Accountancy/auditing for other persons Education
Administration of justice and legal services Gaming/gambling operations
Advertising, marketing, public relations for Insurance administration
others Licensed investment business
Constituency casework and political Regulated licensed activity
campaigning
Pastoral care
Credit reference agency
Private investigation
Crime prevention and prosecution of
offenders (including use of CCTV for these Property management
purposes) Research
Crime prevention and prosecution of Telecommunications
offenders - Anti Money-Laundering Code
Trading and sharing in personal information
Requirements (AMLCR)
Transport
Debt administration and factoring
Vetting
Only processing for the
three core business purposes
If you ONLY process people's information for the THREE CORE BUSINESS
PURPOSES and no other purpose, then you are exempt from the
requirement to notify.
You will still however be obliged to comply with the
remaining provisions of the Data Protection Act.
The Data Protection Supervisor's website carries a list of those data
controllers who are not required to notify. If you wish to be included on
this list you should complete a Notification Exemption Form.
You are required to notify
What next?
What do I need to do?
You need to make a
“Request for Registration”
The Office of the Data Protection Supervisor will
generate template registration forms based on the
information provided.
These will be sent to you for your completion and must be
returned together with any required fee.
Click here for a
Request for Registration Form
NO NEED TO NOTIFY
You have reached this page because either
you are not a data controller, or
you do not process personal data at all, or
you do not use automatic equipment to process
personal data, or
you only use information for domestic purposes
If this is correct then you are not required to notify.
If you are in any doubt, please click to return to the start,
or contact the Office of the Data Protection Supervisor
End