Notification handbook
3.2 The Part 2 form
3.2.1 Security statement
Data controllers must give a general description of the measures to be taken for the purpose of protecting against unauthorised or unlawful processing of personal information and against accidental loss or destruction of or damage to personal information. The description will not appear in the public register.
Answering the questions provided satisfies the requirement to provide this description. The questions are at a very general level but cover some of the key requirements of effective information security management. A brief explanation of some of the terms is given in the following paragraphs.
A statement of information security policy sets out the management commitment to information security within the organisation and provides a clear direction on responsibilities and procedures.
Controlling physical security is concerned with restricting access to sites, buildings, computer rooms, offices, desks, storage areas, equipment and other facilities where unauthorised access could compromise security.
Controls on access to information include procedures for authorising and authenticating users, as well as software controls for restricting access, and techniques for protecting data (such as encryption).
(In these last two cases, ‘controlling’ includes monitoring and logging access so as to assist in detecting and investigating security breaches or attempted breaches when they occur).
A business continuity plan is a contingency plan that identifies the business functions and assets (including personal information) that would need to be maintained in the event of a disaster, and sets out the procedures for protecting them and restoring them if necessary.
Training your staff on security systems and procedures. Are your staff trained to be aware of information security issues? This may be covered during induction or by formal seminars.
Detecting and investigating breaches of security when they occur. Do you have controls in place which alert you to a breach in security? Do you investigate breaches of security? BS7799 is the British Standard on Information Security Management. It is a business-led approach to best security practice which provides a framework to implement and maintain effective security within an organisation. BS7799 is intended for guidance and is not a statutory requirement.
If you have a trading name or are known by any other names, it is helpful to include these on your notification. This will help people who wish to view specific entries but who do not know your formal legal title. However, names of separate legal entities (eg limited companies) who are also data controllers should not be listed here: separate legal entities must notify individually if they are data controllers. In the case of partnerships there is no requirement to provide the names of individual partners.
3.2.3 Statement of exempt processing
You are required to notify most types of processing. However, there are some specific types of processing that do not have to be included in your notification.
You have two choices:
- You can notify all of your processing of all personal information.
- You can restrict your notification to the processing that you are obliged to notify. In this case you must include the statement of exempt processing in your notification.
The statement of exempt processing is worded as follows:
This data controller also processes personal data which are exempt from notification.
The purpose of the statement is to alert those consulting the register to the fact that the entry is not a complete description of all the processing being carried out by a data controller. To determine whether or not you need to include the statement of exempt processing in your notification, you need to answer two questions.
Firstly, do you do any processing that you are not required to notify? YES/NO
You are not required to notify:
- any processing of structured manual records;
- processing for the purposes of staff administration;
- processing for the purposes of advertising, marketing and public relations (in connection with your own business activity);
- processing for the purposes of accounts and records; or
- processing by a body not established for profit for the purposes of membership administration and other activities.
Secondly, if you do undertake any processsing that you are not required to notify, have you chosen to include that processing in your notification voluntarily? YES/NO
If the answer to the first question is yes, and the answer to the second question is no, then you must include the statement of exempt processing.
3.2.4 Voluntary notification
Data controllers are required to notify unless they are exempt from notification. Section 4 of this handbook provides a summary of the exemptions and further help is given in Section 6.1.
If you are exempt from notification you can choose to notify voluntarily.
3.2.5 Representative details
If you are a data controller who is not established in the UK or in any other EEA state, but you are using equipment in the UK for processing personal information other than merely for the purposes of transit through the UK, you must complete the Representative details section. You must provide the name and address of a representative in the UK. This information will appear on the public register.
You may also complete this section if you would like to include on the register the name and address details that data subjects should use if they wish to contact you about a data protection matter. If you do not provide this information, individuals will be expected to communicate with you using the data controller name and address provided in Part 1.
There is a fee for notification of £35 (VAT nil), and any change to this fee will be advised to you when you start the process of notification. We do not send invoices but we will acknowledge receipt of payment. The period of notification is one year.
There are three ways to pay.
By direct debit
A direct debit form will be sent to you in your notification pack. We will acknowledge receipt of your direct debit instruction and advise you of the date on which the fee will be collected from your bank account.
Direct Debit Form
By cheque or postal order
Cheques should be made payable to ‘The Information Commissioner’ and crossed ‘A/C Payee only’. Please write your registration number on the back of your cheque.
BACS
In order that we can identify your BACS payment, please quote your registration number on your BACS documentation to ensure that your registration number appears on our bank statement. If possible, remittance advice should be sent to us with the forms, quoting your registration number and the date of your payment. Please note that you have not made a valid notification until we have received your forms and your BACS payment.
3.2.7 Declaration
The declaration should be signed and dated in all cases.
3.3 Using the internet to notify
It is possible to complete the notification form online. However, it must be printed out and sent to us by post with the notification fee or direct debit instruction. It is currently not possible to send the form to us electronically. You will be deemed notified from the day on which we receive your correctly completed forms and fee. Here is some information about what to expect when using the internet to complete your notification form.
- To complete a notification form online, go to www.ico.gov.uk/Home/what_we_cover/data_protection/notification.aspx You will find our publications relating to notification here, as well as instructions on how to complete the form.
- Completing the notification form online is a step-by-step process. You are asked to answer certain questions and provide information before continuing to the next question. Once the form is complete you can print it off and send it to us.
- The first questions are about the data controller who is notifying, for example their name, address and contact details.
- The next stage of the online process involves choosing an appropriate, nature of business template. Each notification must include a general description of the processing of personal information being carried out and on the register this description is structured by reference to purposes. A selection of templates is available to describe the processing that is likely to be being carried out by a range of different businesses. After selecting the template that is appropriate to your business you will need to check that it accurately describes the processing that is being carried out. You may amend the template or add additional purposes to it. If you cannot find a relevant template, either call the notification helpline or select the template that is closest to your needs and amend it as necessary.
- The next stage of the online process involves providing additional information, for example, the security statement, trading names and statement of exempt processing.
Some of this information is mandatory, so failure to return this part of the form renders your notification invalid and it will be returned to you.
- The final stage is to print the form, sign the declaration and return it to us with the notification fee or completed direct debit instruction. If, after printing the form you find that you have forgotten to include something, you can write in ink directly onto the form and we will include the details in your notification.