Contractors running their own business via a contractor limited company, partnership or as sole traders may have obligations under the Data Protection Act 1998 (DPA) and be required to register with the Information Commissioner’s Office. This applies to all companies that electronically store and/or process certain personal information.
Fortunately, the vast majority of contractors only have to register as Data Controllers when their contractor limited company processes non-exempt personal data about individuals. They might also have to register if their activities are on the mandatory registration list, which includes sectors such as consulting, accountancy, marketing and journalism.
Failure to comply with the act is a criminal offence that can result in steep fines from the Information Commissioner. These could arise, for example, as a result of failing to register or losing/inadvertently publishing records containing personal information about an individual.
What’s covered by the act?
The DPA applies to all commercial organisations – including contractor limited companies, partnerships and sole traderships – that store and use personal data, or information about individuals.
Personal data about a living person that is held by a contractor’s business could include information on clients, agents, employees or subcontractors. A contractor may be holding other databases containing personal data if, for example, the contractor is a freelance market researcher who has bought-in lists of consumers.
According to the requirements of the DPA, contractors processing personal data must register as a Data Controller with the Information Commissioner’s Office, a process called ‘notification’. Processing includes a number of activities, including organising, storing or even destroying data.
The Information Commissioner’s Office has published a self-assessment guide to help contractor businesses determine whether they have to notify. It specifically lists a range of activities that automatically require a contractor to notify; this includes accountancy, law, consulting and advice, marketing, journalism, media and research.
Exemptions from the DPA
There is no need for a contractor to notify the Information Commissioner’s Office if their business is holding personal information purely for the ‘core business purposes’ of:
- Marketing their contractor business, including agent’s details
- Employee and staff administration, including payroll – this includes temporary and casual workers
- Accounts and records.
Similarly, personal details held by a contractor for personal, domestic applications, such as a Christmas card address list or dates of birth for birthday cards, are also exempt.
But a contractor who is exempt from notification must still comply with the provisions of the act, and specifically the eight data protection principles. These require that data shall be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Secure and
- Not transferred to countries outside the EEA (European Economic Area) without adequate protection.
Notification fees and scams
Contractors who are required to notify the Information Commissioner’s Office can do so online or over the phone. There is a notification fee of £35 for contractor businesses. Larger firms with more than 250 staff pay £500.
The Information Commissioner’s Office warns of scams where private companies approach small firms demanding £95 for compulsory registration. Contractors should ignore such requests and only deal with the Information Commissioner’s Office direct.
Some contractors, particularly in IT, marketing and interim management, require in-depth professional knowledge of the Data Protection Act and privacy laws, because their day-to-day activities involve processing information about individuals. If a contractor’s role expands to include processing information about individuals, the contractor should seek specialist training.