chapter  21
4 Pages


The Data Protection Act 1984 introduced the requirement for organisations and

individuals involved in certain industries to register for data protection purposes.

Registration is now known as ‘notification’ in accordance with the EC Directive on

Data Protection. 1

Under the Data Protection Act 1998 (the Act), all data controllers are required to

notify unless they are exempt. 2

The exemptions are set out in The Data Protection

(Notification and Notification Fees) Regulations 2000 as amended. Most, if not all,

organisations involved in financial services activities are required to notify for data

protection purposes, as the exemptions apply to smaller businesses that do not

process personal information except in relation to their staff and to administer client

accounts. Any organisation that processes personal information as part of its

key service offering, such as pensions administration, consulting and insurance

administration is not within the terms of the exemption. Here is a list of some financial

services activities (‘purposes of processing’ in the terminology of notification) that are


• Credit referencing: The provision of information relating to the financial status of individuals or organisations on behalf of other organisations. This

purpose is for use by credit reference agencies, not for organisations who

merely contact or use credit reference agencies.