Some data controllers do not need to notify. By working through questions 1-9 you will be able to determine whether notification is required. The sequence of questions is such that if there is no possibility of an exemption for you, this will be made clear very quickly.
Exemptions are possible for the following.
Q1. Are you processing personal information?
| Move to Q2 | No requirement to notify |
Personal information
Personal information means information which relates to a living individual who can be identified from that information. It is also any other information which is in the data controller’s possession, or that is likely to come into their possession.
Processing
Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on that data.
Processing includes the following activities:
Q2. Is any of your processing on computer?
| Move to Q3 | No requirement to notify |
Processing on computer
If none of your processing is carried out on computer, there is no requirement to notify. The term ‘computer’ includes any type of computer, for example mainframe, desktop, laptop, palmtop, etc. It also includes other types of equipment which, although not normally described as computers, nevertheless have some ability to process automatically; eg automatic retrieval systems for microfilm and microfiche, audio and visual systems, electronic flexi-time systems, telephone logging equipment and some CCTV systems.
Q3. Are you a data controller?
| Move to Q4 | No requirement to notify |
Data controller
Data controller means a person who (either alone, or jointly, or in common with others) decides how and why any personal information is to be processed.
You do not need to notify if you are a data processor. Data processors only process personal information in line with instructions from data controllers.
Q4. Are you only processing personal information for personal, family or household affairs (including recreational purposes)?
| No requirement to notify | Move to Q5 |
Personal, family and household affairs
Individuals are exempt from notification if the only information processed is for personal, domestic and household affairs (including recreational purposes). Examples might include a personal address list, Christmas card list or personal information held in connection with a hobby.
This exemption does not apply to individuals who hold personal information for business or professional purposes.
Q5. Are you processing personal information for any of the following purposes?
Accountancy and auditing.
Administration of justice.
Advertising, marketing and public relations for others.
Canvassing political support among the electorate.
Constituency casework.
Consultancy and advisory services.
Credit referencing.
Crime prevention and prosecution of offenders (including some CCTV systems).
Debt administration and factoring.
Education.
Health administration and provision of patient care.
Insurance administration.
Journalism and media.
Legal services.
Mortgage/insurance broking.
Pastoral care.
Pensions administration.
Personal information processed by or obtained from a credit reference agency.
Private investigation.
Property management (including the selling of property).
Provision of childcare.
Provision of financial services and advice.
Research.
Trading and sharing in personal information.
| You are required to notify unless you are a not-for-profit organisation (See Q7). | Move to Q6 |
Non-exempt purposes
You will NOT be exempt so you WILL have to notify if you are processing personal information for any of the purposes listed above. This is not meant to be a complete list, but it shows the most common purposes where there is a requirement to notify.
Data controllers who are unlikely to be exempt include accountants, barristers, consultants, dentists, doctors, employment and recruitment agencies, estate agents, financial advisers, schools, solicitors and businesses using personal information obtained from a credit reference agency.
For information on how to notify please see How to notify.
Q6. Are you only processing personal information to maintain a public register?
| No requirement to notify | Move to Q7 |
Public registers
There is a specific exemption from notification for any processing whose sole purpose is the maintenance of a public register. The exemption only applies to the information that the data controller is required to publish.
Q7. Are you a not-for-profit organisation?
Not-for-profit organisations
There is a specific exemption from notification for data controllers that are a body or association not established or conducted for profit, provided that their processing does not fall outside the descriptions in Q8 and Q9.
Q8. As a not-for-profit organisation, is all of your processing covered by the following descriptions?
Your processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.
Your data subjects are restricted to those whose personal information it is necessary to process for this exempt purpose.
Your data classes are restricted to personal information that is necessary for this exempt purpose.
Your disclosures other than those made with the consent of the data subject are restricted to those third parties that are necessary for this exempt purpose.
The personal information is not kept after the relationship between you and the data subject ends, unless (and for so long as) it is necessary to do so for the exempt purpose.
| No requirement to notify | Move to Q9 |
If the answer is no, but the only additional processing you do is for one or more of the purposes described in Q9, there is no requirement to notify.
This exempt purpose may be used by some small clubs, voluntary organisations, church administrations and some charities.
Further written guidance on this exemption is available by telephoning the notification helpline.
Q9. You do not have to notify if the only* processing you carry out is for one or more of these purposes:
Staff administration
Advertising, marketing and public relations
Accounts and records
Please read the following information about each of the exempt purposes to determine whether or not you are exempt.
* A not-for-profit organisation may also carry out processing covered by the description in Q8.
Exemptions for core business purposes
The purposes listed here are sometimes referred to as ‘core business purposes’. Typically they would relate to a small business that processes personal information only for these purposes, to support its primary activity.
You must read the description of each purpose to ensure that you only process personal information covered by one or more of the descriptions.
Staff administration
This is processing for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters concerning your staff.
The individuals you hold information about are restricted to:
any person whose personal information needs to be processed for staff administration.
The information processed is restricted to:
data which are necessary for staff administration.
Your disclosures (except those made with the data subject’s consent) are restricted to:
those which you must make to third parties for the purposes of staff administration.
Retention of personal information
You must not keep personal information after the relationship between you and the data subjects ends, unless and for so long as this is necessary for staff administration or a legal requirement.
The term staff includes all past, existing or prospective members of staff who are employees, office holders, temporary and casual workers, and also agents and volunteers. The personal information held about them includes all personnel and work management matters, for example their qualifications, work experience, pay and performance.
Advertising, marketing and public relations
This is processing for the purposes of advertising or marketing your business, activity, goods or services and promoting public relations only in connection with that business or activity, or those goods or services.
The individuals you hold information about are restricted to:
any person whose personal information you need to process for your own advertising, marketing and public relations, for example past, existing or present customers or suppliers.
Your information is restricted to:
information which is necessary for your advertising, marketing and public relations, for example names, addresses and other identifiers.
Your disclosures (except those made with the data subject’s consent) are restricted to:
those which you must make to third parties for purposes of your advertising, marketing and public relations.
Retention of personal information
You must not keep personal information after the relationship between you and the customer or supplier ends, unless and for so long as this is necessary for purposes of your advertising, marketing and public relations.
This exemption applies only to data controllers who are advertising and marketing their own goods and services.
If you obtain personal information from a third party for the purpose of marketing your own goods and services, you may still rely on this exemption. You must notify if you sell or trade a list of your customers.
Accounts and records
This is processing for the purposes of:
keeping accounts relating to any business or other activity you carry out; or
deciding whether to accept anyone as a customer or supplier; or
keeping records of purchases, sales or other transactions to ensure that the relevant payments, deliveries or services take place; or
making financial or management forecasts to help you carry out your business or activity.
The individuals you hold information about are restricted to:
anyone whose personal information needs to be processed for your accounts and records, for example past, existing or present customers or suppliers.
The information you hold is restricted to:
personal information that is necessary for your accounts and records, for example name, address and credit card details. Personal information processed by or obtained from a credit reference agency is not exempt.
Your disclosures (other than those made with the data subject’s consent) are restricted to:
those you must make to third parties for purposes of your accounts and records, for example to external auditors.
Retention of the data
You must not keep personal information after the relationship between you and the customer or supplier ends, unless and for so long as this is necessary for your accounts and records.
This exemption covers the administration of customer and supplier records.
It includes processing relating to deciding whether or not to do business with a particular customer or supplier but specifically excludes personal information processed by or obtained from a credit reference agency.
Data controllers who are providing accounting services for their customers are not exempt.
There are three easy ways to notify.
If you request an application form via the Notification Helpline or via the Request For a Notification Form option, we will send you a partially completed notification form based on the nature of your business. When you receive your forms you will need to check the details on the Part 1 Form, complete the relevant sections on the Part 2 Form and then return both Parts 1 and 2 to us with the notification fee or your completed direct debit instruction.
The following section gives information about compliance and does not form part of the notification process.
Compliance with the Data Protection Act 1998
Data controllers must comply with the provisions of the 1998 Act even if they are exempt from notification.
There are eight data protection principles. In summary, they require that data shall be:
| Data protection checklist | |
| Provision of financial services and advice | |
| YES NO | Do I really need this information about an individual? |
| YES NO | Do I know what I’m going to use it for? |
| YES NO | Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for? |
| YES NO | If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this? |
| YES NO | Am I satisfied that the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure? |
| YES NO | Is access to personal information limited to those with a strict need to know? |
| YES NO | Am I sure the personal information is accurate and up to date? |
| YES NO | Do I delete or destroy personal information as soon as I have no more need for it? |
| YES NO | Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting these into practice? |
| YES NO | Do I need to notify the Information Commissioner, and if so is my notification up to date? |
| To help determine how well you comply with the data protection principles, please read the ‘Data protection audit manual’, www.ico.gov.uk | |