Out-Law News 2 min. read

ICO reminds firms of requirement to gain clearance for personal data processing

The UK's data protection watchdog is reminding firms that they must notify it and be registered in order to process personal data.

The Information Commissioner's Office (ICO) has a guide on organisations' requirements to inform it of its personal data processing intentions prior to commencing the activity. Organisations that proceed with processing activities without being registered where they are required to be so are guilty of an offence under UK data protection laws.

Under the Data Protection Act (DPA) organisations cannot process personal data unless they have notified the ICO of their planned activities and have been included in the watchdog's "Data Controller Register", subject to some exceptions. One exception is where an organisation only processes personal data for staff administration purposes.

When notifying the ICO of their processing activities, an organisation must provide information such as the organisation's name and address, as well as a description of the personal data that is to be processed. Details of the intended recipients for personal data that organisations may disclose, as well as details of arrangements for international transfers of that data, must also be provided.

In addition, organisations must provide the ICO with "a general description of measures" they plan to take to ensure personal data is properly secure and which protects against the risk of "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" .

An organisation's registration with the ICO lasts for a year and therefore organisations must notify with the ICO on an annual basis. Organisations are also obliged to keep their registrations up-to-date during the term of the notification. It is a criminal offence to process personal data without an appropriate entry on the data controller register unless an exemption applies. It is also a criminal offence to fail to notify the ICO of any changes to the data controller's processing; or to process personal data which is inconsistent with the organisation's registry entry.

The ICO is tasked with assessing whether an organisation's planned processing activities are "particularly likely to cause substantial damage or substantial distress to data subjects, or otherwise significantly to prejudice the rights and freedoms of data subjects." If it finds the activities are not likely to be compliant with the DPA, it can write to those organisations informing them of its opinion.

Technically it is an offence for organisations to commence with processing personal data until either it has received a letter from the ICO confirming that its activities are cleared or if it has not received a letter from the watchdog within 28 days of submitting the notification.

However, data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that proposed changes to EU data protection laws could bring an end to the notification requirement.

"The proposed General Data Protection Regulation, which is set to change the EU data protection regime, currently includes a provision which will ease the regulatory burden on data controllers by scrapping the need for organisations to notify with their local data protection authority," she said.

Under the draft Regulation many large businesses and those with personal data-heavy processing operations would be required to appoint dedicated data protection officers whilst businesses would also be required to keep a record of their personal data processing and provide the information upon request to regulators.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.