- Q: Can I add VAT to the fee I charge for fulfilling a subject access request?
- No. Subject access requests are outside the scope of VAT. This is because data controllers have a statutory duty to respond to them. This applies regardless of whether the request is made by an individual or by someone with authority to act on their behalf, such as a solicitor.
- Q: How do I know whether the Data Protection Act applies to my business/organisation?
- The Act will usually apply unless you are an individual holding personal information for your own domestic use, eg an address book.
- Q: I've received a letter from the Information Commissioner's Office but the letterhead looks different. Instead of the data protection logo that I'm familiar with, it has a new ICO logo. Is it from a bogus agency?
- No. This letter is not from a bogus agency but is indeed from us. However, you are right to be wary when you notice such a change. A number of bogus agencies have been in operation over the last few years.
  It's important to be aware of the dangers of bogus agencies, and if you feel that you or your business is being targeted, please don't hesitate to contact us.
  The change that you have noticed has come about as we update our letterhead to ensure a consistent corporate look across all areas of our work.
- Q: What do I need to do under the Data Protection Act?
- If you are required to comply with the Act, you have a number of legal responsibilities:
  - to notify the Information Commissioner that you are processing information, unless you are an organisation that holds personal information only for:
    - staff administration (including payroll);
    - advertising, marketing and public relations for your own business; or
    - accounts and records (some not-for-profit organisations);
  - to process the personal information in accordance with the eight principles of the Act; and
  - to answer subject access requests received from individuals.
- Q: What security measures should I have in place to protect personal information on laptops?
- Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, the device should be encrypted. The level of protection provided by the encryption should be reviewed and updated periodically to ensure that it remains sufficient should the device be lost or stolen; you may need to seek specialist technical advice. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff are properly trained in them. If it is brought to the Commissioner's attention that laptops that have been lost or stolen were not protected with suitable encryption, he will consider using his enforcement powers.
- Q: How much does notification cost?
- Notification costs an annual fee of £35, with no VAT charged. This fee is payable to the Information Commissioner's Office.
  A number of private companies have been contacting businesses throughout the UK demanding fees in excess of £95 to register/notify your business under the Data Protection Act. Do not be misled by these 'agencies'. They have no official standing or powers under the Data Protection Act and there is no connection between them and the Information Commissioner's Office.
  For more information, go to our Notification page.
- Q: I have just received a subject access request. What should I do with it?
- A subject access request is a request from an individual exercising their right under the Data Protection Act. You must decide, taking any exemptions into consideration, what information needs to be given. You have 40 calendar days to respond to the request and you may request a fee of up to £10.
  For more guidance on how to deal with subject access requests, see our checklist for handling requests for personal information.
- Q: Do I have to disclose everything under the Data Protection Act?
- The Data Protection Act covers computer records and some manual records. Most computer records about a particular person can easily be found and should be disclosed, with any third-party information removed. Manual records need to be in a relevant filing system. The files which form part of a relevant filing system are structured or referenced in such a way that information about the applicant can be easily located. Where manual files fall within the definition of a relevant filing system, the content will either be sub-divided, which allows the searcher to go straight to the correct category and retrieve the information requested without a manual search, or will be indexed to allow the searcher to go directly to the relevant page or pages.
  For example, a set of legal files divided into sections for legal aid, pleadings, orders, correspondence by year, instructions to counsel and counsel's advice will not be a relevant filing system, because the divisions/referencing do not assist a searcher in retrieving the required personal information without the need to leaf through the file contents.
- Q: We are a data controller, and have received a request for information that we hold about an individual from another organisation. Can we release it?
- Generally the Act would not allow a disclosure to a third-party data controller unless the individual had been informed of the disclosure (see the first principle - Fair Processing). However, there are a number of exemptions that allow disclosure in certain circumstances.
- Q: If the police approach us for information, under what circumstances should we provide it?
- There is an exemption under the Data Protection Act that can be applied if the police need some information to prevent or detect crime or to catch or prosecute a suspect. However, there are limits on the information you can release. If you are satisfied that the information is going to be used for this purpose, and that not releasing it would be likely to prejudice (that is, significantly harm) any attempt by the police to prevent a crime or catch a suspect, then you can disclose it.
  This is an important subject; for more information, read our good practice note on Releasing information to prevent or detect crime.
- Q: I want to record customers who ring our company. Can I do this?
- If you have a legitimate reason for recording people who call your organisation (eg for staff training purposes) you may be able to record them, but to comply with the first principle of the Data Protection Act you would need to provide 'Fair Processing' information, unless it would be within their reasonable expectations to have the call recorded.
- Q: I want to install covert cameras on my business premises. Would the Data Protection Act prevent me from doing this?
- Although the Data Protection Act would not necessarily prohibit covert monitoring of staff, it would generally only be justified in exceptional circumstances, and we would advise that a data controller exercise caution when proposing monitoring of this type. The monitoring should also be warranted, specific and limited.
  For detailed guidance on the use of CCTV, read our CCTV Code of Practice.
- Q: How long does my business need to keep information for?
- The fifth principle of the Data Protection Act states that 'personal data kept for any purpose shouldn't be kept for longer than necessary'. Data controllers would therefore need to have their own retention policy.
- Q: I am a data controller wanting to outsource some of our information for processing purposes. What are the data protection implications?
- You must choose an organisation that you consider can carry out the work in a secure way, and you should check that they do so. You should have a written contract with them that lays down how they can use and disclose the information you have entrusted to them. It must require them to take proper security measures.
  Our good practice note on Outsourcing - a guide for small and medium sized businesses has more information on this subject.
- Q: What do I need to put in my fair processing notice, which is given to individuals before I process their information?
- You will need to outline what information is going to be processed and how. This is to make sure the individual knows exactly what is going to happen to their information and how it is going to be used. You shouldn't be doing anything with personal information unless the individual is made aware (unless certain exemptions apply).
- Q: A customer asks to see details of her son’s bank account as he is seriously ill in hospital. What do I say?
- Tell the customer that you will arrange to provide the information if she sends you written authorisation showing that she acts for her son.
  For more information, read our good practice note on Providing personal account information to a third party.
- Q: What security measures should be in place to protect personal information under the Data Protection Act?
- A written security procedure should cover the levels of protection appropriate for the different records you hold.
- Q: A customer's record received from another company turns out to be inaccurate. What do you do?
- Amend the details and let the other company know about the change.
- Q: When should I erase personal information from our computer system?
- You should ensure that all information is erased once it is no longer required for business purposes.
- Q: I am unhappy with the way an organisation has dealt with my complaint about personal information. What do I do?
- There are a number of options available: you can contact the ICO directly and ask us to make an assessment, you can write to your local MP about the matter, or you can take the case directly to court.