Adviser: look after your sensitive information

As recently revealed in Accountancy Age, the information
commissioner has decided to target accountancy firms in a new campaign to
improve levels of compliance with the Data Protection Act 1998.

Private enquiries by the information commissioner’s office (ICO) have found
that less than half of the practices it checked had notified it that they were
holding and processing personal data, as required by the Act.

Just because less than half of the sample researched had registered their
details with the ICO, it does not technically follow that all of them should
necessarily have done so. Whether any business needs to notify depends ultimately
on whether it processes and controls personal data under the terms of the Act and
whether it is entitled to take advantage of the available exemptions.

Since the Act significantly restricted the scope of the pre-existing
exemptions, however, it would appear there may be a sizeable incidence of

In the light of the ICO’s campaign, it would be well worth firms spending
some time checking whether or not they are in fact registered as data
controllers with the ICO and whether their notifications are up-to-date. Details
must be updated annually. This can be done online, at
If your firm is not registered, you should consider whether you should be. The
easiest way to do this is by consulting the advisory information on the site.

To paraphrase, the basic rule of the Act is that if any business is
‘processing’ personal data, which means obtaining, recording, holding or
amending personal data, and does so via computerised or other automatic means,
it is required to notify the ICO of that fact and provide details of the sort of
data being processed and the purposes for which it is being done.

So if you hold personal data on this basis, the initial assessment must be
that you should notify the ICO that you are a data controller.

It may not always be as simple as that though. One of the difficulties, which
has faced regulators and businesses alike since the requirement to register was
first brought in under the Data Protection Act 1984, is that there has been,
and still is, a fairly lengthy list of detailed exemptions.

It may be that many businesses have been operating for some time under the
innocent but mistaken belief that they are entitled to take advantage of one or
other of the statutory exemptions.

What makes this more complicated is that some of the exemptions apply for
certain purposes and not for others.

The exemptions are quite restricted and are generally limited to cases where
controllers process personal data only for (wholly internal) payroll, staff
administration and accounting purposes.

The ICO has set up a regulatory action division to try to give more teeth to
its enforcement of the law. As fines for non-compliance can be up to £5,000, the
£35 annual cost of notification is a modest price to pay.

John Davies is head of business law at ACCA
