Notification By Data Controllers Under The Data Protection Act, 1998 (Uk)
1. NOTIFICATION BY DATA
CONTROLLERS
1 Vishnu Kesarwani (IMS2007011)
Rajendra Prasad (IMS2007012)
2nd Semester
MS (Cyber Law & Information Security)
IIIT-Allahabad
2. INTRODUCTION
The Data Protection Act, 1984 established the Data
Protection Register and the system of registration
maintained by the Registrar.
The Data Protection Act, 1998 introduced a new system of
notification which replaced the registration scheme.
Meaning:
Notification is the process by which a data controller
informs the Commissioner of certain details about the
processing of personal data carried out by that data
controller.
2
4. NOTIFICATION EXEMPTIONS
The Act provides exemption from notification for data
controllers.
Exemptions are :
data controllers who only process personal data for :
staff administration
advertising, marketing and public relations (of their
own business)
accounts and records
not for profit Organisations
4
5. CONTD….
processing personal data for personal, family or household
affairs
data controllers who only process personal data for the
maintenance of a public register
data controllers who do not process personal data on
computer
5
6. STAFF ADMINISTRATION EXEMPTION
The processing is for the purposes of
appointments or
removals,
pay,
discipline,
superannuation,
work management or
other personnel matters in relation to the staff of the data controller;
(b) is of personal data in respect of which the data subject is -
o a past,
o existing or
o prospective
member of staff of the data controller
(c) is of personal data consisting of the name, address and other identifiers of
the data subject or information as to -
qualifications, 6
o work experience or
o pay
7. ADVERTISING, MARKETING AND PUBLIC
RELATIONS EXEMPTION
(a) is for the purposes of
advertising or
marketing the data controller's business,
activity,
goods or services
and promoting public relations in connection with that
business or activity, or those goods or services;
(b) is of personal data in respect of which the data subject is -
o a past,
o existing or
o prospective customer or supplier
7
8. ACCOUNTS AND RECORDS EXEMPTION
The processing –
(a) is for the purposes of
keeping accounts relating to any business or
other activity carried on by the data controller, or any person
as a customer or supplier, or
keeping records of purchases, sales or
(b) is of personal data in respect of which the data subject is -
o a past,
o existing or
o prospective customer or
o supplier
8
9. NON PROFIT-MAKING ORGANISATIONS
EXEMPTIONS
The processing -
(a) is carried out by a data controller which is a body or association
which is not established or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of
or support for the body or association, or providing or administering
activities for individuals who are either members of the body or
association or have regular contact with it;
(c) is of personal data in respect of which the data subject is -
a past,
existing or
prospective member of the body or organisation;
9
10. THE REGISTRABLE PARTICULARS
According to Section 16(1) the registrable particulars means:
Data Controller’s name and address,
The name and address of the representative,
A description of the personal data,
A description of the purpose or purposes,
A description of any recipient or recipients,
The names, or a description of, any countries or territories outside the
European economic area,
10
11. Duty of the data controller
Duty to notify changes
If any changes takes place regarding personal data then
data controller is bound by the Act to notify the
Commissioner.
Duty to make certain information available
The data controller has not notified the relevant
particulars in respect of that processing under section 18,
the data controller must, within twenty-one days of
receiving a written request from any person, make the
relevant particulars available to that person in writing free
of charge.
11
12. Function of the Commissioner
As soon as practicable after the passing of this Act, the
Commissioner shall submit to the Secretary of State
proposals as to the provisions to be included in the first
notification regulations.
The Commissioner shall keep under review the working of
notification regulations and may from time to time submit
to the Secretary of State proposals as to amendments to be
made to the regulations.
12
13. Function of the secretary of state
The Secretary of State may from time to time require the
Commissioner to consider any matter relating to
notification regulations and to submit to him proposals as
to amendments to be made to the regulations in connection
with that matter.
Before making any notification regulations, the Secretary
of State shall—
(a) consider any proposals made to him by the
Commissioner under subsection (1), (2) or (3), and
(b) consult the Commissioner
Power to make provision for appointment of data protection
supervisors
13
14. Offences relating to notification
It is an offence to process personal data without notification unless:-
the personal data fall within either of the national security or
domestic purposes exemptions,
the personal data are exempt under the transitional exemptions,
the personal data fall within the ―relevant filing system‖/
―accessible record‖ or public register exceptions referred to above,
the processing operation falls within the exemptions referred to in
the Regulations
the processing is of a description which notification regulations
provide is exempt from the requirements to notify on the ground
that it is unlikely to prejudice the rights and freedoms of data
14
subjects. No such provision was included in the Regulations.
15. CONTD…
It will also be an offence for a person to fail to notify the
Commissioner of changes to the register entry.
The Regulations provided that such notification must be
given as soon as practicable and in any event within a
period of 28 days from the date upon which the entry
becomes inaccurate or incomplete.
Defense: due diligence
15
16. Nature of Offence
When Data Controller fail to comply the provision of the
Act or contravene the provision then the Data Controller
will be held liable.
The nature of offence will be criminal.
In all cases the Data Controller will be held strictly liable (
strict liability offence).
16
17. REFERENCES
1/28/2010
THE DATA PROTECTION ACT, 1998
Data Protection Act 1998: Legal Guidance; available from
http://www.ico.gov.uk/upload/documents/library/data_protection/detailed
_specialist_guides/data_protection_act_legal_guidance.pdf
Hamilton, Angus and Jay, Rosemary, Data Protection Act 1998 (UK:
Sweet & Maxwell, 1999)
17