More NewsAdviser: look after your sensitive information

Adviser: look after your sensitive information

Failure to comply with data protection legislaion could prove a costly business - so it's best to act now and ask questions later

As recently revealed in Accountancy Age, the information
commissioner has decided to target accountancy firms in a new campaign to
improve levels of compliance with the Data Protection Act 1998.

Private enquiries by the information commissioner’s office (ICO) have found
that less than half of the practices it checked had notified it that they were
holding and processing personal data, as required by the Act.

Just because less than half of the sample researched had not registered their
details with the ICO, it does not technically follow that all should necessarily
have done so. Whether any business needs to notify depends ultimately on whether
it processes and controls personal data under the terms of the Act and if it is
entitled to take advantage of the available exemptions.

Since the Act significantly restricted the scope of the pre-existing
exemptions, however, it would appear there may be a sizeable incidence of
under-compliance.

In the light of the ICO’s campaign, it would be well worth firms spending
some time checking whether or not they are in fact registered as data
controllers with the ICO and whether their notifications are up-to-date. Details
must be updated annually. This can be done online, at
www.ico.gov.uk.
If your firm is not registered, you should consider whether you should be. The
easiest way to do this is by consulting the advisory information on the site.

To paraphrase, the basic rule of the Act is that if any business is
‘processing’ personal data, which means obtaining, recording, holding or
amending personal data, and does so via computerised or other automatic means,
it is required to notify the ICO of that fact and provide details of the sort of
data being processed and the purposes for which it is being done.

So if you hold personal data on this basis, the initial assessment must be
that you should notify the ICO that you are a data controller.

It may not always be as simple as that though. One of the difficulties, which
has faced regulators and businesses alike since the requirement to register was
first brought in under the Data Protection Act 1984, is that there have been,
and still are, a fairly lengthy list of detailed exemptions.

It may be that many businesses have been operating for some time under the
innocent but mistaken belief that they are entitled to take advantage of one or
other of the statutory exemptions.

What makes this more complicated is that some of the exemptions apply for
certain purposes and not for others.

The exemptions are quite restricted and are generally limited to cases where
controllers process personal data only for (wholly internal) payroll, staff
administration and accounting purposes.

The ICO has set up a regulatory action division to try to give more teeth to
its enforcement of the law. As fines for non-compliance can be up to £5,000, the
£35 annual cost of notification is a modest price to pay.

John Davies is head of business law at ACCA

Related Articles

Amazon UK halves its corporation tax bill despite increased turnover

More News Amazon UK halves its corporation tax bill despite increased turnover

4m Alia Shoaib, Reporter
Increase in UK business confidence despite Brexit, according to ICAEW

More News Increase in UK business confidence despite Brexit, according to ICAEW

7m Alia Shoaib, Reporter
Live blog: Spring Budget 2017

Corporate Tax Live blog: Spring Budget 2017

9m Accountancy Age editorial
The Curious Incident of the Insolvency Sector in the Light of Economic Turbulence

Insolvency The Curious Incident of the Insolvency Sector in the Light of Economic Turbulence

11m Accountancy Age editorial
Leonard Curtis called in as administrators for builders Boshers

Legal Leonard Curtis called in as administrators for builders Boshers

11m Stephanie Wix, Writer
New Year Honours of 2017

Accounting Standards New Year Honours of 2017

11m Stephanie Wix, Writer
"Not enough time" to implement MTD by 2018, says Tyrie

Corporate Tax "Not enough time" to implement MTD by 2018, says Tyrie

1y Stephanie Wix, Writer
Colin: A spoonful of investment...

Governance Colin: A spoonful of investment...

1y Stephanie Wix, Writer