Issue
1. Notification is the term used to describe the process by which departments register their data holdings under the DPA. Subject to some limited exceptions, it is a legal requirement that all data holdings of personal information must be notified. The particulars which must be notified include a description of the personal data being processed and of the categories of data subject to which they relate, a description of the purposes for which the data are being processed, and a description of any recipients to whom the data controller intends to disclose the data. All departmental personal data processing activities must fit within the terms of the notification.
2. There is a list of 33 standard business and other purposes that can be used to notify the processing of personal data to the Information Commissioner. There are also 10 categories of data subjects, 14 types of data classes, and a list of 26 types of recipient. For the larger departments, gathering and keeping up to date the information on every instance of processing of personal data may involve considerable organisation and effort.
Standards
3. Ensure that staff of the department know of the requirement to notify under the DPA, and of their need to tell the person nominated for compliance with the Act of any new or altered data processing in their area.
4. Ensure that notifications with the OIC are up to date and complete.
Recommended best practice
5. Representatives of the Home Office, Foreign and Commonwealth Office and Cabinet Office have discussed with the Office of the Information Commissioner (OIC) the possibility of simplifying the Notification process for government departments. The OIC advised that the use of only one single purpose to cover government administration would not be acceptable to the Information Commissioner.
6. The OIC felt, however, it should be possible for departments to consolidate their notifications into a limited number of the standard purposes and thereby to radically reduce the size of their overall entries and the ongoing burden of keeping them up to date. The OIC advised that only a generic description of the purpose for which personal data was being processed, regardless of the number of data holdings, needs to be included under each purpose. It would, nevertheless, still be necessary to reflect the categories of data subjects, the type of data being processed and the recipients for each data holding. The OIC have however agreed to the FCO’s proposal to consolidate their notification into three standard purposes and one tailor-made purpose – “promoting and protecting the interests of the UK and its citizens abroad and contributing to a stronger world community”.
7. The second data protection principle (see Schedule 1 to the DPA) allows personal data to be further processed only for purposes which are not incompatible with the purpose for which the data was obtained. This should be borne in mind when defining the “other purposes” of a department’s processing of personal data.
8. The OIC have indicated that they believe that agencies should not be separately notified, but should be included in the notification of their parent body. The position where a department sponsors a non-departmental public body (NDPB) such as a committee or commission whose members are independent of government, and the department provides the support staff, is a rather grey area. Our legal advice suggests that the position of the data controller in such a situation is not clear cut. However, the OIC have said that they consider that where such bodies have been established by statute, they should be considered to be a data controller in their own right. Where they have not been established under statute but have been set up, for instance, by administrative action, they should be included in the notification of the sponsoring department. We recommend that this advice should be followed.
Data Protection Handbook [PDF, 710KB]