Data Protection Act

Last modified: 3/2010

All organisations processing personal information must comply with the Data Protection Act 1998, whether the information is stored on computers or in manual records.

The role an organisation plays in storing information is called the Data Controller. This is typically an organisation-level role, i.e. a limited company, but there must also be a named individual, such as a Director, who will take responsibility for ensuring the organisation complies with the requirements of the Act.

Who needs to notify/register?

Organisations need to notify (aka register with) the Information Commissioner's Office (ICO), unless the organisation can assess that it qualifies for certain exemptions, the most common of which is that it ONLY processes personal information for:

  • staff administration
  • advertising, marketing and public relations
  • accounts and records (unless records were obtained from a credit reference agency)

However, there are many exclusions from the above exemption criteria, and you should use the link provided below to complete the online self-assessment to determine if you really are exempt. 

One of the most common exclusions is that an organisation CANNOT be exempt from notification under the above criteria if it carries out any of the following business roles:

  • Accountancy/Auditing
  • Administration of Justice and Legal Services
  • Canvassing Political Support amongst the electorate
  • Constituency Casework
  • Credit Referencing
  • Crime Prevention and Prosecution of Offenders (including use of CCTV for their purposes)
  • Debt administration and Factoring
  • Education
  • Health Administration and Provision of Health Services
  • Mortgage/Insurance Broking/Insurance Administration
  • Pastoral Care
  • Private Investigation
  • Provision of Financial Services and Advice
  • Research
  • Trading and Sharing in Personal Information


You are strongly advised to carry out the self-assessment to determine if you are required to notify the ICO. The self-assessment is available at:

How to notify the ICO

If you have established that you are not exempt, notification can be done at:

This is a simple process for which a charge is made and, once registered, your Data Protection Registration number should be included within your website's privacy policy page.

Conduct of exempt organisations

If you've determined categorically that your organisation is exempt from notifying the ICO, you are not off the hook with respect to compliance with the Data Protection Act 1998.

Whether exempt or not, all organisations must have in place administrative and security policies to protect all personal data under their control.

Privacy policy

It is also recommended that an organisation's policies on the use of personal data are made clearly available to the public in a Privacy Policy.

This is generally a link from the footer of every page on the website to a page containing the policy.

Unless you have a policy already worded, we recommend sourcing a ready-made policy from Website Law:

Website Law's standard policy is available free of charge on condition that a link to their website remains at the foot of the document.

Alternatively, the policy can be de-badged in return for a modest fee.


ITw3 Web Solutions is a trading name of ITw3 Limited

Registered in England and Wales

Registered office: Churt Lea Cottage Thursley Road Farnham GU10 2LQ

VAT registration No.
GB 974 3956 68

All prices quoted are subject to VAT at the prevailing rate

Copyright © 2007-2018 ITw3 Limited