The notification form is in two parts.
Part 1 of the notification form consists of sections for:
Part 2 of the notification form consists of sections for:
3.1.1 Data controller name
The name you provide must be the correct legal title of the individual or organisation. Examples are given below.
Sole traders: provide the full name of the individual, eg Anna Katherine Smith.
Partnerships: provide the trading name of the firm, eg Buttersfield & Co. (you do not have to provide the names of the partners).
Limited or public limited companies: provide the full name of the company, eg ABC Limited (not your trading name).
Groups of companies: groups of companies cannot submit a single notification. Individual companies who are data controllers must notify separately.
Schools: provide the name of the school, eg Hazeldown School.
In Scotland, only schools in the independent sector need to register; all other schools are covered within the relevant local authority notification.
Others, eg voluntary bodies: provide the name by which you are known to the public. These details should be altered (if necessary) on the Part 1 form itself.
3.1.2 Data controller address
If you are a limited company you must provide your registered office address, and in all other cases you must provide the address of your principal place of business. If there is no place of business (eg for a small local voluntary body), you should provide the address of the official who has completed the form.
These details should be altered (if necessary) on the Part 1 form itself.
3.1.3 Company registration number
If you are a limited or a public limited company, we encourage you to provide your company registration number as a unique identifier for the company. However, you are not obliged to do so.
3.1.4 Contact details
You may provide a name, address, telephone number, fax number and email address. These details will be used by us for all correspondence in connection with your notification but will not appear on the public register. These details should be altered (if necessary) on the Part 1 form itself.
3.1.5 General description of the processing of personal information
Each notification must include a general description of the processing of personal information being carried out. On the register this description is structured by reference to the purposes for which data is being processed.
If you have received a notification form from us, Part 1 will be pre-completed: draft purposes will have been constructed by us and are likely to be appropriate to the nature of your business. You must check these details to ensure that they are an accurate description of your processing. You may need to change them in one of two ways.
| Purpose example | |
| Provision of financial services and advice | |
| Data subjects are: | • customers and clients; |
| | • complainants, correspondents and enquirers; and |
| | • advisers, consultants and other professional experts. |
| Data classes are: | • personal details; |
| | • family, lifestyle and social circumstances; |
| | • employment details; |
| | • financial details; and |
| | • goods or services provided. |
| Recipients are: | • data subjects themselves; |
| | • relatives, guardians or other persons associated with the data subject; |
| | • business associates and other professional advisers; |
| | • financial organisations and advisers; and |
| | • ombudsmen and regulatory authorities. |
| Transfers: | • none outside the EEA. |
3.1.6 Adding a new purpose to Part 1 of your notification form
You will find a detachable purpose form in Section 6.3. If you wish to add more than one purpose you will need to photocopy the form; alternatively, the template for the purpose form can be found online. A purpose form must be fully completed for each new purpose you wish to add. You may only use each purpose title once, but the Information Commissioner’s Office may allow a purpose title to be used more than once in exceptional circumstances, where we believe that it will aid transparency.
3.1.7 Amending the draft details on Part 1 of your form
You may need to make amendments to the draft purposes on your form. However, please note that the Information Commissioner has determined that the level of detail provided in these draft purposes is sufficient for the purpose of notification, bearing in mind the overriding objectives referred to in the introduction to this handbook.
| How to change the draft details | |
| To delete details | Cross through the text that requires deletion. To delete a whole purpose, strike through it with a diagonal line. |
| To add a subject, class, recipient or transfer to a draft purpose | Using the codes listed (Data classes) write or type your additions into the purposes that you wish to amend. |
| To add a new purpose with its associated subjects, classes, recipients and transfers | Use the new purpose form in Section 6.3 and return it with the Part 1 and Part 2 form. |
| Example | |
| Staff administration | |
| Data subjects are: | • staff including volunteers, agents, and temporary and casual workers. |
| | S105, S106 |
| Data classes are: | • personal details; |
| | • employment details; and |
| | • education and training details. |
| | C205, C210 |
| Recipients are: | • Data subjects themselves |
| | • Current, past or prospective employers of the data subjects |
| | • Financial organisations and advisers |
| | R404, R407 |
| Transfers: | • none outside the EEA. |
The codes, eg C205, are for use during the notification process, but will not appear on the public register.
Below is a list of standard purposes and purpose descriptions for use on register entries: wherever possible, these must be used. If none apply, you may use your own words to describe your purpose.
Standard business purposes
Staff administration
Appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller.
Advertising, marketing and public relations
Advertising or marketing the data controller’s own business, activity, goods or services, and promoting public relations in connection with that business or activity, or those goods or services.
Accounts and records
Keeping accounts relating to any business or other activity carried out by the data controller or deciding whether to accept any person as a customer or supplier or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by him or to him in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity.
If you are processing personal information for the standard business purposes only, you may not need to notify. For more information about the notification exemptions refer to Section 6.1.
Other purposes
Accounting and auditing
The provision of accounting and related services; the provision of an audit where such an audit is required by statute.
Administration of justice
Internal administration and management of courts of law or tribunals and discharge of court business.
Administration of membership records
The administration of membership records.
Advertising, marketing and public relations for others
Public relations work, advertising and marketing, including host mailings for other organisations and list broking.
Assessment and collection of taxes and other revenue
Assessment and collection of taxes, duties, levies and other revenue. You will be asked to indicate the type of tax or other revenue concerned.
Benefits, grants and loans administration
The administration of welfare and other benefits. You will be asked to indicate the type(s) of benefit you are administering.
Canvassing political support amongst the electorate
The seeking and maintenance of support amongst the electorate by the data controller.
Constituency casework
The carrying out of casework on behalf of individual constituents by elected representatives.
Consultancy and advisory services
Giving advice or rendering professional services. The provision of services of an advisory, consultancy or intermediary nature. You will be asked to indicate the nature of the services which you provide.
Credit referencing
The provision of information relating to the financial status of individuals or organisations on behalf of other organisations. This purpose is for use by credit reference agencies, not for organisations who merely contact or use credit reference agencies.
Crime prevention and prosecution of offenders
Crime prevention and detection and the apprehension and prosecution of offenders. This includes the use of most CCTV systems which are used for this purpose.
Debt administration and factoring
The tracing of consumer and commercial debtors and the collection on behalf of creditors. The purchasing of consumer or trade debts, including rentals and instalment credit payments, from business.
Education
The provision of education or training as a primary function or as a business activity.
Fundraising
Fundraising in support of the objectives of the data controller.
Health administration and services
The provision and administration of patient care.
Information and databank administration
Maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.
Insurance administration
The administration of life, health, pensions, property, motor and other insurance business. This applies only to insurance companies doing risk assessments, payment of claims and underwriting. Insurance consultants and intermediaries should use the provision of financial services and advice purpose.
Journalism and media
Processing by the data controller of any journalistic, literary or artistic material made or intended to be made available to the public or any section of the public.
Legal services
The provision of legal services, including advising and acting on behalf of clients.
Licensing and registration
The administration of licensing or maintenance of official registers.
Pastoral care
The administration of pastoral care by a vicar or other minister of religion.
Pensions administration
The administration of funded pensions or superannuation schemes. Data controllers using this purpose will usually be the trustees of pension funds.
Policing
The prevention and detection of crime; apprehension and prosecution of offenders; protection of life and property; maintenance of law and order; also rendering assistance to the public in accordance with force policies and procedures.
Private investigation
The provision on a commercial basis of investigatory services according to instruction given by clients.
Processing for not-for-profit organisations
Establishing or maintaining membership of or support for a body or association which is not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.
An organisation that is a body or association not established or conducted for profit may be exempt from notification provided that the processing meets specific criteria. If you are a not-for-profit organisation, please call the notification helpline for guidance on whether the exemptions cover your organisation’s processing.
Property management
The management and administration of land, property and residential property and the estate management of other organisations.
Provision of financial services and advice
The provision of services as an intermediary in respect of any financial transactions including mortgage and insurance broking.
Realising the objectives of a charitable organisation or voluntary body
The provision of goods and services in order to realise the objectives of the charity or voluntary body.
Research
Research in any field, including market, health, lifestyle, scientific or technical research. You will be asked to indicate the nature of the research undertaken.
Trading/sharing in personal information
The sale, hire, exchange or disclosure of personal information to third parties in return for goods/services/benefit.
The following is a list of standard descriptions of data subjects. A data subject is an individual about whom personal information is held.
S100: Staff including volunteers, agents, temporary and casual workers
S101: Customers and clients
S102: Suppliers
S103: Members or supporters
S104: Complainants, correspondents and enquirers
S105: Relatives, guardians and associates of the data subject
S106: Advisers, consultants and other professional experts
S107: Patients
S108: Students and pupils
S109: Offenders and suspected offenders
All of the above categories include current, past or prospective data subjects.
The following is a list of standard descriptions of data classes. Data classes are the types of personal information that are being or are to be processed.
C200: Personal details
Included in this category is any information that identifies the data subject and their personal characteristics. Examples are name, address, contact details, age, sex, date of birth, physical description, and any identifier issued by a public body, eg National Insurance number.
C201: Family, lifestyle and social circumstances
Included in this category is any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances. Examples are details about current marriage and partnerships and marital history, details of family and other household members, habits, housing, travel details, leisure activities and membership of charitable or voluntary organisations.
C202: Education and training details
Included in this category is any information which relates to the education and any professional training of the data subject. Examples are academic records, qualifications, skills, training records, professional expertise, and student and pupil records.
C203: Employment details
Included in this category is any information relating to the employment of the data subject. Examples are employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records and security records.
C204: Financial details
Included in this category is any information relating to the financial affairs of the data subject. Examples are income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details and pension information.
C205: Goods or services provided
Included in this category is any information relating to goods and services that have been provided. Examples are details of the goods or services supplied, licences issued, agreements and contracts.
The examples given are not an exhaustive list of what may be included in each category.
The following classes of data have been designated as sensitive personal information. If you process the following types of data you must specify this in your notification.
C206: Racial or ethnic origin
C207: Political opinions
C208: Religious or other beliefs of a similar nature
C209: Trade union membership
C210: Physical or mental health or condition
C211: Sexual life
C212: Offences (including alleged offences)
C213: Criminal proceedings, outcomes and sentences
The following is a list of standard descriptions of recipients. Recipients are individuals or organisations to whom the data controller intends or may wish to disclose data. It does not include any person to whom the data controller may be required by law to disclose data in any particular case, for example if required to do so by the police under a warrant.
R400: Data subjects themselves
R401: Relatives, guardians or other persons associated with the data subject
R402: Current, past or prospective employers of the data subject
R403: Healthcare, social and welfare advisers or practitioners
R404: Education and training establishments, and examining bodies
R405: Business associates and other professional advisers
R406: Employees and agents of the data controller
R407: Other companies in the same group as the data controller
R408: Suppliers and providers of goods or services
R409: Persons making an enquiry or complaint
R410: Financial organisations and advisers
R411: Credit reference agencies
R412: Debt collection and tracing agencies
R413: Survey and research organisations
R414: Traders in personal data
R415: Trade, employer associations, and professional bodies
R416: Police forces
R417: Private investigators
R418: Local government
R419: Central government
R420: Voluntary and charitable organisations
R421: Political organisations
R422: Religious organisations
R423: Ombudsmen and regulatory authorities
R424: The media
R425: Data processors
3.1.12 Transfers of personal information
Data controllers must indicate whether or not personal information is transferred outside the European Economic Area (EEA).*
The choices are:
A transfer is not defined in the Act. However, the ordinary meaning of the term is transmission from one place, person, etc to another. This may include posting information on a website that can be accessed from overseas. In these circumstances it would be appropriate to indicate ‘Worldwide’.
*At the time of publication the countries in the EEA are: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.