Privacy & Information Security Law Blog

On October 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a consultation on changes to the notification process in the UK (the “Consultation”), which will be open for comment until November 30, 2012. The purpose of the Consultation is to provide the ICO with feedback on its proposed changes regarding: (1) whether an online and telephone payment service would be beneficial to data controllers, (2) whether the inclusion of contact details for information requests is useful and (3) whether the format of the public register should become narrative-based. The ICO is also seeking input regarding whether these changes would make the public register more meaningful and notification simpler for data controllers.

Item 3 above may affect data controllers most significantly. Under section 18 of the Data Protection Act 1998, a data controller must provide a description of its processing activities. Currently, the ICO provides standard templates for specific types of data controllers, which may be amended as necessary to describe the relevant processing. The ICO is proposing to take a more narrative-based approach to notification by making a data controller describe in its own words how it will process personal data. The ICO suggests that this would offer a data controller the opportunity to provide links to its website, and possibly to its privacy policy or contact details.

This proposed change appears to respond to feedback the ICO has received regarding how the public register makes it “difficult to understand how a data controller is likely to process personal data.” The ICO stated that it wishes to “make it easier for those who need to notify and to make the public register itself more helpful and accessible.” Meanwhile, the ICO has emphasized that it will continue to provide standard templates for specific types of processing, which it suggests “provides a good starting point for a notification entry.”

Proposed changes to the notification process are likely to change further, however, as the current draft General Regulation on Data Protection seeks to abolish notification or registration to a national data protection supervisory authority.