Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

UK draft notification regulations propose wide exceptions [2000] PLBIRp 5; (2000) 52 Privacy Laws and Business International Report 6

UK draft notification regulations

propose wide exemptions

THE UNITED KINGDOM is on its way to adopt the secondary legislation needed for the Data Protection Act 1998 to come into force on 1st March. The latest addition to the drafts are the notification regulations, which exempt certain categories of processing from notification. However, all the other provisions of the law apply to these processing categories.

The draft notification regulations, published on 20th January, lay down the detail of the new registration scheme. Registration, to be called notification under the new law, will be greatly simplified. The requirement of the Act's section 17(1) to notify will not apply to several categories of processing. The Home Office has considered that these processing operations are unlikely to pose specific risks to individuals' personal data.

The categories that are proposed to be exempt from notification include the following:

o processing for purposes of staff administration

o processing for purposes of advertising, marketing and public relations

o processing for purposes of keeping accounts

o certain processing by nonprofit making organisations.

NO NEED TO NOTIFY MANUAL DATA OR PUBLIC REGISTERS

It has already been clear from the 1998 Act that notification is not required if personal data held falls within the definition of a "relevant filing system." The Office of the Data Protection Registrar (ODPR) has published some guidance about which manual data are regarded as fitting within this description (The Data Protection Act 1998: an Introduction. Published by the ODPR in October 1998). There is also an exemption from notification for processing the sole purpose of which is the maintenance of a public register.

Organisations should note that if they process both manual and automated data, they still have to notify the automated processing. Organisations that need to notify must include, apart from the registrable particulars such as a description of the data and the purposes for which it will be processed, a general description of the security measures that the organisation has taken.

PRIOR CHECKING AND NOTIFICATION

Notification must be given if the processing is subject to prior checking by the Data Protection Commissioner (section 22 of the Act). The Home Office had not, by the end of January, published the categories for prior checking. When an organisation intends to carry out "assessable processing" requiring prior checking, no processing can take place until the organisation has notified the Commissioner, and she has replied within 28 days indicating whether processing is allowed or not.

The draft notification regulations will be laid before Parliament some time in February. Apart from the exemptions, the draft regulations deal with notification in respect of business partnerships, the duty to notify changes in the processing, and other details of giving the notification to the Data Protection Commissioner.

PERSONNEL MATTERS AND MARKETING EXEMPT

Many processing operations carried out for staff administration will be exempt. These operations include processing for the purposes of appointments, pay, discipline, superannuation, work management and other personnel matters. It is important to note that this exemption does not only apply to currently employed staff, but also to past and prospective members of staff.

Importantly, the Government proposes that "processing for the purposes of advertising or marketing the data controller's business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods and services is exempt."

This applies to processing personal data of past, existing or prospective customers or suppliers. To benefit from this notification exemption, however, it is required that the organisation does not disclose the data to any third party without the individual's consent.

FURTHER EXEMPTIONS

Also recommended to be exempt from notification is processing for the purposes of keeping accounts relating to any business or other activity carried on by the data controller. This includes keeping records of purchases, sales and transactions.

Finally, not-for-profit organisations are exempt from notification when the processing is carried out for the purposes of membership administration, or keeping records of those who have supported the organisation or have regular contact with it.

HIGHER FEES PROPOSED

The Government has decided to charge the same fee regardless of the size of the company or the number of purposes for which they process personal data. It is proposed that the new fee will be £35 a year. The current fee under the 1984 Act is £75 for three years (£25 per year).

Under the 1984 Act, the Registrar could not take action against organisations that did not comply with the Act if those organisations were exempt from notification. Under the 1998 Act, the situation changes. All data controllers have to comply with the Act's provisions, and may be prosecuted for non-compliance.

TRANSITION FROM OLD TO NEW

Data controllers who are currently registered do not have to contact the ODPR immediately. The Registrar's office states that many data controllers believe that they have to comply with the notification rules under the 1988 Act as soon as their registration expires. The Registrar's advice is that if the processing was under way before 24th October 1998, the organisation continues to benefit from the transitional periods, regardless of when the register entry expires and whether or not they have notified under the 1998 Act.

Therefore, the current registrations are valid until their expiry date, or 23rd October 2001, whichever is earlier. New data controllers, who have started their processing operations after 24th October 1998 will have to notify according to the new notification regulations which will take effect from 1st March.

The draft notification regulations, as well as other data protection draft statutory instruments are available

on the Home Office website at http://www.homeoffice.gov.uk.

For more information on the Data Protection Act 1998, contact

Privacy Laws & Business,

Tel: + 44 (0) 20 8423 1300

Fax: + 44 (0) 20 8423 4536

E-mail: info@privacylaws.co.uk

Internet: www.privacylaws.com.

The ODPR website can be found at http://www.dataprotection.gov.uk.