Notification obligations under British data protection law

The British Data Protection Act (DPA) 1998 (ENG) contains provisions for reporting obligations in Section III.

Article 17 of the DPA contains a general ban on processing data without prior registration.

The ICO website contains useful information on the reporting obligation (link).

Obligation to report to the data protection authority

In accordance with Article 18 of the DPA, the notification must be made to the Information Commissioner’s Office (ICO), www.ico.org.uk, before processing or a plurality of processing operations are performed to achieve one or more associated purposes.

The ICO keeps a register of all notifications (cf. Article 19 of the DPA), which is publicly available on the ICO’s website (link).

 Content of the reporting obligation

In accordance with Article 11 of the DPA, the report must contain the following information:

  • Name and address of the data controller responsible for processing and, where necessary, its representative,
  • the type and purpose the of data processing,
  • a general description of the data processing,
  • a description of the category(-ies) of the data subjects and any data or data categories in this regard,
  • the recipients or categories of recipient who can be notified of the data,
  • a planned transfer of data to third-party countries,
  • a general description, which allows it to be assessed beforehand, whether the measures for guaranteeing the processing security are adequate,

The information must be in the possession of the data protection authority before the data collection is able to start processing. IN the event of the state of affairs changing in the notification, the data protection authority must be informed of the change in a corresponding manner (cf. Article 20 of the DPA).

The registration form provided by the ICO must be used for registration:

Exceptions to the reporting obligation

Section IV of the DPA lists exceptions to the reporting obligation. Certain organisations are exempt from the reporting obligation. As a rule, these are organisations, which process data for the following purposes:

  • Staff administration (including salary accounting);
  • Advertising, marketing and public relations (in connection with their own business activities);
  • Accounting documents.

In addition, the following are also exempt from the reporting obligation:

  • some non-profit organisations,
  • organisations that process personal data for running public directories, and
  • organisations that manually process personal data

To be sure as to whether an organisation is exempt from the reporting obligation, the ICO has made an online self-assessment tool available: