Chapter 3: Notifying Processing with the Information Commissioner – Data Protection Compliance in the UK, Second Edition


Ever since the first Data Protection Act in 1984, those who process personal data have had an obligation to register on a public register. This is now called notification. There are some exemptions from this obligation. These are quite narrow: however, organisations will not need to notify if the only reasons they process personal data are for what are called the core business purposes. These cover marketing, staff administration and accounting, but care should be taken when relying on these and reference should be made to the Information Commissioner’s website9 and the guidance available. Notification lasts for a year.

From 1st October 2009, there has been a two-tier fee structure. Data controllers must pay a fee of £500 if they are either a public authority with 250 or more members of staff, or a private sector body with a turnover of £25.9 million and 250 or more members of staff. Others pay only £35.00. The details will be put onto a public register that can be accessed on the Information Commissioner’s website. To notify you must provide:

• the name and address of the organisation;

• the name and address of the representative if one has been nominated;

• a description of the personal data which is being processed and the category or categories of data subjects;

• a description of the purposes which data are to be processed;

• a description of any recipients; and

• the names or description of places outside the EEA to which personal data are to be transferred.

The organization must also describe its security measures in general terms, although this information is not included on the register. Data controllers have an obligation to make sure that their register entries are kept up to date. If they fail to do this, they may be guilty of a criminal offence. The DPA provides for some types of processing to be subject to prior checking by the Information Commissioner but this has never been brought into operation. Even if a controller does not have to register (because they are within one of the narrow exemptions), they have to be prepared to make the same information available to a member of the public who asks for it.

Organisations should be aware of bogus agencies requesting payment for data protection registration, as these agencies are not connected to the Information Commissioner’s Office and often charge a fee exceeding the standard notification charge.10



10 See the Information Commissioner’s guidance for small businesses: protection_for_smes.pdf