Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers , which is available to the public for inspection.

To change an existing entry or to add a purpose, see keeping your register entry up to date.

Before making your application, please check the register of data controllers to ensure you are not already registered.

Important: Changes to the notification fee structure will come into effect on 1 October 2009.

All new notifications received from data controllers on or after 1 October 2009 will be subject to new regulations and data controllers will be required to assess which tier they fall within and the fee they are required to pay for notification.

If you are making a new application to notify, your fully completed form and £35 notification fee must be received by the ICO by 30 September 2009. If you are unable to return your notification application before 1 October 2009, please contact the notification helpline on 01625 545740 for further guidance.

There are three ways to make an application to notify

1. On the internet
You can complete the notification form online, print it out and send it to ICO. You must include the notification fee or your direct debit instruction (see the ‘Ways to pay’ section below). The address is:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

2. Request for a notification form
You can complete the request for a notification form. This should be posted to us, marked for the attention of the Notification Department (Notification requests). Alternatively, you can send the form by email (notification@ico.gsi.gov.uk) or by fax. They will send you a notification form for further action.

3. By telephone
You can telephone the notification helpline on 01625 545740 between the hours of 9.00am and 5.00pm, Monday to Friday. You will be asked to provide your name, address and contact details, and to specify the nature of your business. Theywill send a notification form to you.

If you request an application form via the telephone helpline or via the ‘Request for a notification form’ option, a partially completed notification form will be sent to you based on the nature of your business. When you receive your form you will need to check the details in Part 1, complete the relevant sections of Part 2 then return parts to us with the notification fee or direct debit instruction.

There is a fee for notification of £35 (VAT nil), and any change to this fee will be advised to you when you start the process of notification. We do not send invoices but we will acknowledge receipt of payment. The period of notification is one year, after which you will need to renew your notification.

There are three ways to pay

By direct debit
A direct debit form will be sent to you in your notification pack. Alternatively, you can print a direct debit instruction form yourself. They will acknowledge receipt of your direct debit instruction and advise you of the date on which the fee will be collected from your bank account.

By cheque or postal order
Cheques should be made payable to ‘The Information Commissioner’ and crossed ‘A/C Payee only’. Please write your registration number on the back of your cheque.

BACS
In order that they can identify your BACS payment, please quote your reference number on your BACS documentation to ensure that your reference number appears on our bank statement. If possible, remittance advice should be sent to us with the forms, quoting your reference number and the date of your payment. Please note that you have not made a valid notification until we have received your forms and your BACS payment. Their account details are:

Sort code: 16-34-24
Account number: 11663041

The name you provide must be the correct legal title of the individual or organisation. Examples are given below.

Sole traders – provide the full name of the individual, eg Anna Katherine Smith.
Partnerships – provide the trading name of the firm, eg Butterfield & Co. (you do not have to provide the name of the partners).
Limited or public limited companies – provide the full name of the company, eg ABC Limited (not your trading name).
Groups of companies – groups of companies cannot submit a single notification. Individual companies who are data controllers must notify separately.
Schools – provide the name of the school, eg Hazeldown School.
Others, eg voluntary bodies – provide the name by which you are known to the public.

If you are a limited company, you must provide your registered office address, and in all other cases, you must provide the address of your principal place of business. If there is no place of business (eg for a small local voluntary body), you should provide the address of the official who has completed the form.

Only one notification is required per legal entity. This will cover any number of different branches or addresses where the data is processed.

Source: ICO

Hundreds of people complained that their privacy was breached by the service, which launched last month for 25 cities and towns.

Today the Information Commissioner’s Office rejected those complaints but said it would watch Google closely to ensure that it responded quickly to requests for the removal of images that identified individuals.

Google has promised to blur faces and numberplates, but many people have complained that they are identifiable in the photographs.

Scores of pictures, including one of a man leaving a Soho sex shop, were removed the day after the site’s UK launch.

In a statement the Information Commissioner’s Office said an outright ban on Street View would be “disproportionate to the relatively small risk of privacy detriment”.

David Evans, senior data protection practice manager said: “Watch the TV news any day this week and you will see people walking past reporters in the street. In the same way, there is no law against anyone taking pictures of people in the street as long as the person using the camera is not harassing people.

“Google Street View does not contravene the Data Protection Act and, in any case, it is not in the public interest to turn the digital clock back. In a world where many people tweet, Facebook and blog, it is important to take a common sense approach towards Street View and the relatively limited privacy intrusion it may cause.”

He added: “As a regulator we take a pragmatic and common-sense approach. Any images of people’s faces or numberplates should be blurred. We emphasised the importance of blurring these images to protect people’s privacy and limit privacy intrusion. Google must respond quickly to deletion requests and complaints, as it is doing at the moment.”

The Information Commissioner’s Officer confirmed that it met Google last year to discuss how Street View would be implemented. It was satisfied at the time that the company was putting in adequate safeguards to protect privacy.

A Google spokeswoman said: “We are pleased with the ICO’s statement. We took care to build privacy considerations into Street View from the outset and have engaged with the ICO throughout the development process.

“We recognise that a small minority of people may not wish their house to be included in the service, which is why we have created easy to use removal tools.”

Last month the campaign group, Privacy International, lodged a formal complaint with the Information Commissioner’s Office. In a 2,500 word response, the ICO said it was satisfied that Google was not breaching privacy laws.

An American couple lost a legal action against Google earlier this year in which they claimed Street View amounted to trespass and invasion of privacy.

Source: Guardian

The object of the European Data Protection Directive, implemented in the UK by the DPA, is to provide that “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.

‘Personal data’ is defined in Article 2 of the Directive by reference to whether information relates to an identified or identifiable individual.

The Directive provides, in Article 3, that it applies only to the processing of personal data where the processing is wholly or partly by automatic means, or where it is non-automated processing of personal data which forms part of a ‘filing system’ or is intended to form part of a ‘filing system’.

The Directive therefore considers first whether the information relates to an identifiable individual and then describes the two different types of processing (processing by automatic means or non-automated processing within a ‘filing system’) which will bring information within the scope of the Directive.

The Data Protection Act 1998

The DPA repeats the substance of the Directive definition of ‘personal data’ but tackles the definition in reverse order to the Directive. The DPA first considers the nature of the processing to determine whether the information in question is ‘data’ (either processed by automatic means or non-automated processing within a filing system) and, secondly, considers whether the ‘data’ is ‘personal data’ in that it relates to an identifiable individual.

The Directive and the DPA cover two common categories of information:
- information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form)3; and
- information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
In most circumstances it will be relatively straightforward to determine:
(a) whether the processing falls within the scope of the Directive and the definition of ‘data’ in the DPA; and
(b) whether the information in question ‘relates to’ an ‘identifiable individual’;
and consequently, to determine whether you are processing ‘personal data’.
In most cases it will be obvious when you are processing personal data. In those relatively few cases where this is unclear, this guidance, and in particular the questions set out in the flowchart, aim to take you through the factors to consider when determining whether you are processing personal data. The guidance offers suggestions, for use in appropriate cases, of considerations which may help you reach a decision about the nature of the information in question.
The additional scope of the Data Protection Act
The DPA introduces two more types of manual processing of information which, if the information relates to an identifiable individual, will involve processing of ‘personal data’. These additional categories of processing are introduced in the DPA definition of ‘data’ and concern:
- processing information as part of an ‘accessible record’5; and
- processing recorded information held by a public authority (referred to as ‘category ‘e’ data’ as it falls within paragraph (e) of the DPA section 1(1) definition of ‘data’).
The DPA is therefore concerned with four types of data which can be broadly referred to as:
(i) electronic data;
(ii) data forming part of a relevant filing system;
(iii) data forming part of an accessible record (other than those accessible records falling within (i) or (ii) above); and
(iv) data recorded by a public authority.