Data Protection Act 1988

March 25, 2003

Data Protection Act 1988


Data Protection Act 1988

If your business processes information on individuals either on computer or manually, you are known as a Data Controller and there is a legal requirement for you to comply with the Data Protection Act. If you don’t you could face a fine of up to £5000.

The Act came into force on 1 March 2000 and works in two ways:

  • Anyone who records and uses personal information about identifiable living individuals must be completely open about how the information is used and must follow the eight principles of good information handling (see below).
  • It gives all individuals certain rights, including the right to see information that is held about them and to have it corrected if it’s wrong.

The eight principles of good information handling

These state that data must be:

  • Fairly and lawfully collected and processed.
  • Only used for a limited, clear and well-defined purpose.
  • Relevant to the user’s needs and not excessive in detail.
  • Accurate and up to date.
  • Kept no longer than is necessary.
  • Processed in accordance with the rights of the individual.
  • Securely stored to prevent unlawful or unauthorised processing, loss, destruction, damage or disclosure.
  • Not transferred to countries outside the EU.


All Data Controllers who process manual and automated data about individuals must notify the Information Commissioner.

  • If a Data Controller only processes manual information, there is no requirement to notify, but they must comply with the other requirements of the Act.
  • Notification can be made by post with an application form or on line (Information help line 01625 545 745.)
  • The registration fee is £35 and notification must be renewed annually.
  • Beware! A number of organisations have sprung up who send official looking warning notices to obtain registration through them for a significantly larger fee.

Barnes Roffe Topical Tips

  • Notify your business as a Data Controller with the Information Commissioner.
  • Appoint a Data Controller for responsibility for compliance with the requirements of the Act.
  • Communicate the requirements and the importance of the Data Protection Act to all members of staff and how it effects their work.
  • Review information systems to see what data is held, by whom, why held, how used and whether it is processed in line with the ‘eight principles’.
  • Ensure that all data, manual and electronic is kept securely, confidential and only accessible by relevant staff, with adequate measures for security – both physical under lock and key and electronic by password protection.
  • Implement a code of practice for dealing with the Data Protection Act in your business, and ensure it is communicated to customers and other relevant individuals.

We believe we are more than just your average accountancy firm. Our goal at Barnes Roffe is to engage our clients through a proactive relationship, which provides you with the resources and tools you need to enable you to take charge of your finances with confidence.

Tax news, audit news and any new accounting news ... with the help of our topical tips, blogs and key guides you can enjoy the benefit of being regularly informed of business and accounting updates which are likely to be relevant to you and your business.

PLEASE NOTE: By the very nature of this type of information the details of tax law might have changed since they were published, so contact your Barnes Roffe partner before acting on any matter contained in these documents.