Data Protection Registration as a planning tool
Our philosophy is that Compliance done right is a benefit, not a burden. Compliance with the Data Protection Acts is no exception.
While registration with the Data Protection Commissioner is a statutory duty under the Data Protection Acts 1988 and 2003, there are a number of exemptions which can be availed of. As a result, many businesses or organisations have not had the statutory need to think in depth about the information they use in their operations.
However, the format and structure of the registration process provides a useful framework to begin thinking about the information that drives your business. This tutorial uses a mind-mapping approach to help drive out the key questions and issues which need to be considered by the business in how it governs its information, primarily for compliance with the Data Protection Act (but it could be extended for other purposes).
We recommend that organisations consider having an external facilitator assist with the development of this kind of mind map, as they will be able to ask questions and challenge assumptions from an independent and neutral perspective. This is a role we'd be delighted to take on for your organisation.
This tutorial is not intended to be taken as legal advice but as an outline of one possible approach to taming your Data Protection needs and understanding what the drivers are for information quality and the management of the information assets in your business.
The mind mapping tool used is Mind Meister.

Comments
Not for profits & sensitive data
I volunteer at a UK charity (with associated nfp company) that stores information about people's mental and physical health. Does the exemption for nfps still apply? If it does would it not still be a good idea from a probity point of view to register?
Not for Profits & Sensitive Data
Interesting question, Keith. Before I make a stab at answering it, it is prudent for me to put the obligatory disclaimer and health warning on this, as we don't have a contractual relationship, so the answer below should be taken as my personal opinion, not binding legal advice. If you want that, please check with your own legal advisors. It is also worth pointing out that my comments on the recording were based on current Irish legislation, and there are subtle differences in how the EU regulations are applied across Member States.
In order to answer the question we must think back to the underlying history in Europe behind Data Protection legislation. Apparently we have had issues in the past with the use and abuse of personal data about people, particularly sensitive data. Ultimately, in order to ensure and preserve transparency, organisations gathering and processing personal data are, subject to some exemptions and exceptions, required to publish the fact of their processing so that we can all see who is recording what about whom.
The UK ICO's guidance on Exemptions can be found here. It is a very well put together flow-chart type document which gives some clear advice. In the section on exemptions for NfP's it states that the organisation can claim an exemption if:
"Your processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it".
So, if your NfP is only capturing information for the purposes of maintaining membership databases and administrative supports you are exempt from registration.
However, the specific scenario you raise has an interesting niggle which is that part of the personal data being processed. This is a grey area based on my reading of the various guidance documents from the UK's Information Commissioner.
The key question as to whether the exemption for NfP's extends to the sensitive data in this case really boils down to whether the information is absolutely necessary for the exempt purpose (in this case managing memberships). I would suggest pondering on that point and then giving the ICO's Notification Helpline a call to check with the ultimate authority, but if after your consideration of the purposes to which the information is being put you feel that it isn't absolutely necessary, then notification would be a prudent step.
Daragh O Brien (CMIAIDQ, FICS)
Taoiseach
Castlebridge Associates