ABSTRACT
The Data Protection Act 1984 introduced the requirement for organisations and
individuals involved in certain industries to register for data protection purposes.
Registration is now known as ‘notification’ in accordance with the EC Directive on
Data Protection. 1
Under the Data Protection Act 1998 (the Act), all data controllers are required to
notify unless they are exempt. 2
The exemptions are set out in The Data Protection
(Notification and Notification Fees) Regulations 2000 as amended. Most, if not all,
organisations involved in financial services activities are required to notify for data
protection purposes, as the exemptions apply to smaller businesses that do not
process personal information except in relation to their staff and to administer client
accounts. Any organisation that processes personal information as part of its
key service offering, such as pensions administration, consulting and insurance
administration is not within the terms of the exemption. Here is a list of some financial
services activities (‘purposes of processing’ in the terminology of notification) that are
notifiable:
• Credit referencing: The provision of information relating to the financial status of individuals or organisations on behalf of other organisations. This
purpose is for use by credit reference agencies, not for organisations who
merely contact or use credit reference agencies.