After his visit to Tesco this week Antony Worrall Thompson’s recipes took on a whole new meaning:
“Take three onions and one wedge of cheese…”
It was only a little but sadly it didn’t help.
Of course it’s easy to scoff at a fallen celebrity and feel cosy whilst swaddled in law-abiding rectitude. You’ve stolen no food, snorted no cocaine and you definitely haven’t put any cats in a bin.
You’re pretty sure you haven’t anyway – it’s a while since you’ve seen Smudge and that black bin bag did seem oddly furry the other day…
No no, you can firmly say you’ve stuck by the law.
Or at least to the best of your knowledge you have. In reality, though, many small businesses in the UK are breaking the law right now because they haven’t realised they are obliged to notify the Information Commissioner’s Office (ICO) if they process certain personal data. The Data Protection Act 1998 sets out rules and rights relating to any personal information stored and used by businesses, so if you keep any personal information at all, no matter how small your business, you need to read on.
But I Only Keep Basic Information
It’s so easy not to realise you are keeping important data. You’re not collecting any sensitive information and clients know all about the basic data you hold. You don’t share it with anyone and it’s just for the purposes of your business: contact information for the companies you work with – that sort of thing. You didn’t even keep that compromising email meant for ‘Snugglebunny’ but sent to you by mistake. Tempting as it was…
Nevertheless, it’s surprising how little information you need to keep in order to require registration as a ‘data controller’. Once registered, you also have to abide by clear rules about how that data is both stored and used.
Failing to register when you are required to is a criminal offence and, whilst you won’t face prison (though custodial sentences are being considered as part of changes to the Act), you could be landed with a substantial fine.
Do I Need to Register?
The Act applies to the processing of personal data by organisations, not just limited companies. Generally this means information held on computers and other electronic storage, but paper files structured in an organised way (a ‘relevant filing system’ in the Act’s terms) may also fall under the Act.
Most businesses hold data relating to employees, customers and business contacts. If a living individual could be identified from this information then you need to notify unless your business is classed as exempt. The following circumstances would generally mean a business does not need to notify:
- Data controllers who only process personal information for:
○ Staff administration (including payroll)
○ Marketing and public relations for their own business
○ Accounts and records
- Some not-for-profit organisations
- Processing personal information for personal, family or household affairs
- Maintenance of a public register
- Processing personal information without an automated system such as a computer
Businesses falling under any of these categories should not simply assume that’s that – you may find there are other aspects of your business which mean you need to notify after all. Furthermore, you are still obliged to handle the data in accordance with the data protection principles set out in the Act; the exemption is only from formal notification.
However, it remains true that for most businesses notification will be necessary. Take my own copywriting business, for instance. I hold information about people I work with. This ranges from the contact information I keep in Outlook to the details I’ve taken to create About Us pages on websites. It’s personal information at a very simple level and when it comes to About Us pages, this information is going to be plastered over the web anyway! Nevertheless, I hold that information and I have used it for marketing that person’s business, not my own, so I need to register.
Indeed, there is a range of uses to which I put this information and you can get a good idea of how quickly and easily your day-to-day business falls into the relevant categories for registration by taking a look at my own entry on the list of data controllers. Sadly the system doesn’t provide a specific page I can link to, but search for ‘Nexus Copywriting’ on the Data Protection Register.
The ICO actually makes it very simple to see if you need to register or not. Complete the ICO Online Assessment questionnaire and all will become clear.
How Do I Register?
Unfortunately the ICO has yet to catch up with the 21st century and you cannot register online. This is a paper form and black pen job and although the notification page of the ICO site makes it look like there are lots of helpful alternatives such as ‘On the Internet’, email and phone, you quickly realise these are only different ways to be sent the form! The only concession to helpfulness is that ordering the form online or over the phone means you are sent a partially completed form based on the information you provide.
There is a notification fee which is used to cover the costs of the ICO service. This falls into two tiers: tier 2 (£500) applies to large organisations which both employ 250 or more people and had a turnover of £25.9 million or more in the last financial year; everyone else is in tier 1 and pays £35. If you are in tier 2, I think you can afford it.
This is an annual fee and you will be sent a reminder to renew your notification, updating any information which has changed.
Once registered you will be added to the public list of data controllers and receive an ICO registration number, such as the one I display at the bottom of my business web pages.
And let’s face it, whilst this can seem like a bit of a chore, what it actually does is help instil trust in your clients. By making clear that you comply with the regulations, it shows you take the protection of clients’ data seriously. That can only boost your credibility as a professional service provider.
Which of course raises the question:
What Are the Regulations I’m Signing Up For?
Naturally you aren’t just going through the motions. By signing up for the data controllers register you are stating your compliance with the eight data protection principles, which apply whether or not you are exempt from notification:
- The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
- Data should be obtained only for specified and lawful purposes, and not further processed in any manner incompatible with those purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary for the purposes for which it is processed.
- Data should be processed in accordance with the rights of the data subject under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
So, in short: keep the data safe (are your computers password protected, and are the laptops, USB sticks and backups that hold client data encrypted?), don’t keep old data you don’t need, keep what you do hold accurate, and only use the data for the purpose you collected it for.
The ICO does search actively for businesses which should have registered, often focusing on particular sectors. Don’t be caught out – it won’t cost an arm and a leg, it doesn’t take that long and it will ensure you aren’t breaking the law.