OG720 Data Protection Act 1998

Last reviewed:
24 January 2014
Last updated:
29 April 2014

Policy Statement/Overview

The purpose of the Data Protection Act 1998 (DPA) is to protect individuals from the unauthorised and unreasonable use or disclosure of information about themselves whilst balancing the legitimate needs of organisations, such as the Charity Commission, to collect and use personal data for their business purposes (in the case of the Charity Commission these purposes are set out in section 15 of the Charities Act 2011).

The main aspects of data protection are privacy and respect for the individual. For us, this means:

  • not prying into someone's personal details without good reason, such as asking for personal information that is not necessary for the intended purpose
  • allowing individuals to have access to the information we have about them
  • protecting data by keeping it secure, particularly where it is sensitive personal data 
  • treating the information with respect in terms of how it is used and to whom it is disclosed

The DPA applies not only to electronic data but also to the information we hold on paper.

This guidance considers how we employ the legal principles contained in the DPA in the course of our work and how the DPA sits alongside other legislation such as the Freedom of Information Act, the Human Rights Act and the Environmental Information Regulations. It also explains the specific terminology used in connection with this legislation. 

This guidance looks primarily at operational casework issues but it applies equally to all areas of our work where we process information (it therefore includes policy, finance and business services, who all use the Commission's systems and handle personal information).

The way we operate within data protection legislation is overseen by the Information Commissioner's Office (ICO), which is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. This guidance draws on the ICO's public guidance and also links to that guidance for further detail as appropriate.

It is important for us to remember that we may be subject to monetary sanctions from the ICO if we breach the legislation.

Summary of the guidance

The Legal/ Policy Framework looks at the question of openness in government generally and considers how the specific areas of the Data Protection Act 1998 (DPA) affect our work. It sets out in some detail how exemptions for processing data might apply to our work. Exemptions are a complex area and caseworkers are not expected to understand how the different exemptions work without taking legal advice. 

Casework Guidance sets out how the Commission manages its responsibilities in processing personal data. It looks at how we assess initial enquiries for information and who should deal with the request. 

Whilst the Act applies to the processing of personal data of the Commission's own staff it is not the subject of this OG (although the principles will still apply). Details of how data is processed for Commission staff can be found in the relevant sections of the Staff Handbook.

Casework Guidance 

B1 The effect of the Data Protection Act 1998 (DPA) on the work we do 

Data protection is about privacy and respect for the individual balanced against the needs of organisations to process personal data for legitimate purposes. Processing information in the context of the DPA has a wide meaning and application. It covers all areas of our work and the processes we use when dealing with personal data; it covers collecting, holding, using, retaining, disclosing and destroying information.  


B1.1 Our general responsibilities in relation to the DPA  

As part of our general responsibilities under the DPA we need to ensure that the way we work embodies its legal requirements as well as elements of good practice. 

In addition to this guidance there are other specific instructions on data handling and document security; these include, amongst other things, the Guide to Protective Marking, Reporting Security Related Incidents, Manager and Staff Guides to Security Policy Framework. These instructions are part of the Commission's compliance with the DPA. We also have duties in line with the Government's Security Policy Framework whereby individuals are nominated for roles associated with protecting personal data in line with the DPA. Those roles are set out in section B4 below. Where you need advice about data protection matters you should contact the Information Knowledge Management Unit (IKM Unit).

The IKM Unit has a lead role in ensuring that Commission staff know how personal data should be handled within the Commission to prevent any breach of the DPA and ensure that any exemptions from the DPA provisions are properly applied.

Our compliance with the DPA is overseen by the Information Commissioner's Office (ICO), which is the UK's independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals. We must remember that the ICO has the ability to impose penalties for breaches of the DPA. The most serious breaches can incur penalties up to £500,000 in addition to any reputational damage that may be suffered.

B1.2 What we mean by personal data

With the amount of information we process it is important to be able to identify personal data so that it can be handled appropriately. The legal definitions of personal data and sensitive personal data are set out in the table at section E2.

The test we apply that confirms whether we are dealing with personal data is whether a living individual can be identified from:

  • the data we hold
  • the data and other information in our possession (or likely to come into our possession)

In most cases an individual's name together with some other information will be sufficient to identify them. In other cases, however, simply having a name does not mean that a particular individual can be identified, for example where people have the same name: there may be many John Smiths who are trustees, and they cannot be identified as individuals without other information such as a date of birth or address.

B1.3 The systems we use in processing personal data 

We use a number of systems and tools for processing and storing personal data. All of our systems and tools are subject to the requirements of the DPA, and this applies to everyone using them regardless of the work they do.

Protective marking of information helps us determine its sensitivity and the way that information should be treated. The guide to protective marking can be found in the Staff Information area of Connect.

B1.4  The DPA principles under which we carry out our work  

The DPA sets out eight principles that must be followed in processing personal data. Those principles and what they mean for us are set out in full at section E3. In brief, those principles are:

  1. Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless:
      • at least one of the conditions in Schedule 2 is met, and
      • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
     NB - Where a condition in Schedule 3 is the same as one in Schedule 2 and the Schedule 3 condition is met, this requirement is met.
  2. Personal data must be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data must be accurate and where necessary kept up to date.
  5. Personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data must be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the data.

B1.5 Actions we take to comply with the principles and how breaches might occur

This section sets out measures we employ at a corporate and an individual level in complying with these principles and goes on to consider how data security breaches can happen.

Corporate actions:

  • Publishing and maintaining our 'Information Charter' and 'Publication Scheme' so that they are accessible, accurate and up-to-date
  • Registering with the ICO and ensuring our registration reflects what we do with the personal data we hold
  • Making sure our 'privacy notices' (also known as 'fair collection notices') give people enough information about what we do with their personal data
  • Ensuring staff know who is responsible for different elements of information security in the Commission
  • Having and following best practice guidance on records management, including records retention policies

Individual actions:

  • Knowing where corporate information can be found on data protection issues
  • Using the correct protective markings on our records
  • Following the Commission's security protocols for handling data
  • Processing changes to personal data quickly and accurately
  • Prompt reporting of incidents where personal data has been, or could have been, accidentally or deliberately compromised or lost
  • Dealing with subject access requests within 40 calendar days - See section B3 and section C1 
  • Taking care not to disclose personal data when we should not (for instance when dealing with other types of requests for information such as Freedom of Information)
  • Not sending out documents where deleted information can be recovered by recipients
  • Compliance with the ICO's data sharing Code of practice, particularly where we employ other organisations to process personal data on our behalf
  • Ensuring that projects or other Commission initiatives complete Privacy Impact Assessments where the work affects personal data that we use    

In carrying out our work we need to realise how easy it can be to breach the DPA and our data handling should be built on good practice.

Information breaches can cause real harm and distress to those affected. We should be aware that certain individuals, organisations or groups may be particularly vulnerable because of breaches.

Those affected by breaches may include:

  • service personnel
  • police and prison officers
  • those at risk from domestic violence
  • organisations that undertake animal research
  • organisations dealing with emotive issues, such as abortion
  • organisations working in areas of civil unrest, war zones or where terrorist groups are known to operate

Dispensations from release of information about vulnerable groups apply under sections 40(4) and 41(4) of the Charities (Accounts and Reports) Regulations 2008.

B1.6 Preventing breaches to the DPA - common sense rules

In a practical sense we can limit our exposure to breaches with some common sense rules when handling personal information:

  • treat everyone as you would wish to be treated - fairly, politely and without discrimination
  • ask for personal data only if it is needed and do not disclose it to others without good reason
  • make sure that all decisions we take (and especially those which deny something to someone) can be seen to be fair and reasonable; by:
    • ensuring those involved have an opportunity to state their case
    • explaining clearly why a decision has been made
    • explaining how a decision can be reviewed
  • never express opinions about people, orally or in writing, on the computer or elsewhere, that cannot be substantiated by fact
  • use good housekeeping methods for working with documents and storing information; by:
    • not keeping duplicate papers
    • not retaining drafts once the finished item has been processed (unless it is relevant to the decision making process, for instance a document with track changes or added comments)
    • not annotating paper documents or using Post-it notes to add comments
  • where it is necessary to record personal data about someone, for instance in an email, always assume that they have a right to see it and do not write anything that you would not be prepared to justify if they did see it
  • when you provide information to other people, including Commission colleagues, think about whether it contains personal data about someone else, and if so, whether there is an adequate reason to pass it on
  • redact any personal data that is not necessary from the information being passed on
  • when saving information, for instance, in CeRIS, think about whether it contains personal data; where it does, make sure it is given an appropriate security marking and availability is restricted only to those people who need to use it for its intended purposes, but taking care not to restrict it unnecessarily 
  • avoid generating duplicates - create an 'Alias' in CeRIS rather than copying information
  • dispose of information that is no longer needed, in accordance with our Records Retention Policy

If you have any doubts about how personal data should be handled seek advice from Information and Knowledge Management. 

B2 How we filter requests for information so that they are dealt with appropriately 

Requests for all types of information are received by the Commission on a regular basis. It is important for us to identify, quickly and accurately, the type of request and whether it involves disclosure of personal data. In some cases it can be important to consider the legal basis for the request, as it helps in directing the request to the appropriate team and the tests for disclosure can differ: disclosure in response to a request under FOI or environmental legislation can be to anyone, whereas under the DPA it is only to the requester. If personal data is mistakenly disclosed under FOI to the world at large it could lead to a breach of one or more of the data protection principles.


B2.1 Chart showing types of information request by legislation

[Chart: types of information request by legislation]

Requests for information will be filtered still further where the request would involve disclosure of personal information.

B2.2 Chart showing how requests for personal information are identified

Under section 7 of the DPA people have a right to access the information we hold about them and we can only process that information if we allow them access. Only in very limited circumstances can personal data be exempt from the right to access, see section E6.

The chart below provides an overview of the types of information requests we receive that involve personal data and who should deal with them.

[Chart: how requests for personal information are identified and who should deal with them]

B3 Subject Access Requests (SAR)

SARs are a key element of the DPA. They give individuals a right of access to personal information we may hold about them and will be identified through the information filtering process described above. The law allows us to make a charge of £10 for such requests but our policy is not to make a charge. 

B3.1 The rights of individuals in relation to SARs

When dealing with a SAR the requester will usually be entitled to:

  • be told whether their personal information is being processed
  • a description of the personal information, the reasons for processing and whether it will be given to any other organisation or people
  • a copy of the personal data
  • details of the source of the personal data

We must respond to a SAR within 40 calendar days of its receipt. Our response may not always include the information requested as some types of personal information are exempt from the right of subject access and so cannot be obtained by making a SAR - see section E6.

Individuals may challenge us about the accuracy of the personal data we hold and may approach the court for an order to rectify, block, erase or destroy the inaccurate information. This shows the importance to us of observing Principle 4 in maintaining accurate records - see section E3.2 which explains this principle in more detail.

An individual is entitled to claim compensation from us where they suffer damage or distress because we have breached the DPA. However, this right can only be enforced through the court and not the ICO. We have the right to defend such a claim on the basis that all reasonable care was taken to avoid the breach.

SARs are dealt with in the Information and Knowledge Management Unit. Personal data usually amounts to more than someone's name and in most cases it will be obvious whether the information requested amounts to personal data under the DPA. However, if you are unsure there is further advice produced by the ICO for determining what constitutes personal data.

Individuals may appoint someone, such as a solicitor, to make the enquiry on their behalf.

B3.2 Disproportionate effort and repeated or unreasonable requests

The right of subject access is central to data protection law so occasions where we would use the disproportionate effort exemption are likely to be rare - see the ICO's Subject Access Code of Practice on this point. Even where it does apply we must consider ways of providing the information other than in 'permanent form'. This might involve inviting the individual to our office to view the records themselves.

The DPA provides that we are not obliged to comply with an identical or similar request to one we have dealt with unless a reasonable time has elapsed. The ICO's Subject Access Code of Practice gives more detailed guidance on what is considered reasonable which includes:

  • the nature of the data - this could include considering the sensitivity of the information
  • the type of processing - for example whether it could cause detriment to the requester  
  • how often the information changes

B3.3 Refusing to supply the information

We can refuse to supply information where:

  • we are not satisfied that we are corresponding with the data subject or their properly appointed representative
  • subject information rights do not apply
  • all the information is exempt
  • all the information is exempt for now but we indicate that it may be available in future (for instance, information being used in inquiry cases)
  • meeting the request requires disproportionate effort on our part or is unreasonable, but see B3.2 above

B4 Key people involved with data protection issues within the Commission

In fulfilling our obligations under the Data Protection Act and in line with the Government's final report on Data Handling Procedures in Government (June 2008), which sets out mandatory minimum measures for data handling, we have individuals who have specific roles in protecting personal data that is processed within the Charity Commission. If you are unsure who the individuals are they can be found on Connect in Staff Information or by contacting the Information and Knowledge Management Unit.

Senior Information Risk Owner (SIRO)

The SIRO is someone at Senior Management Team level who, as part of their role, owns the Commission's risk policy and assessment process. This ownership means ensuring that we take a responsible attitude to information assurance and that we monitor and assess compliance with the Government's Information Assurance Guidelines and the mandatory and other measures set out in the Data Handling Procedures in Government report. The SIRO role is a mandatory requirement set out in HMG Security Policy Framework April 2014.

Data Protection Officer (DPO)

Cabinet Office guidance about data protection specifies that relevant government departments should have Data Protection Officers. Amongst other things the DPO has responsibility for advising the SIRO on data protection matters, ensuring that the appropriate ICO notification process is adhered to, that our registration with the ICO is kept up to date, and that Subject Access Requests are dealt with properly within the organisation. The day to day handling of SARs and liaison with the ICO are dealt with by the Information and Knowledge Management Unit.

Information Asset Owners (IAO)

The Commission has several IAOs. These are people who act as named officers for specific information assets. Details of the assets themselves are held on an Information Asset Register. An IAO needs to know exactly what information is held, who has access to it, what enters and leaves it, and why. They also help the SIRO to foster a responsible attitude towards the protection of information in the Commission. IAOs will usually be senior individuals and may often be the head of a particular business area where the asset has highest priority and/ or essential usage. It is also usual for the IAO to have a nominated deputy who can act on their behalf.

Departmental Security Officer (DSO) & Accreditor

The DSO has overall responsibility for protective security issues and ensuring that appropriate security measures are in place to protect our assets (property, people and information).

In the Commission the roles of DSO and Accreditor have been combined. The Accreditor's role is to make an impartial assessment of the risks to which information systems may be exposed whilst meeting business requirements. They are responsible for advising the SIRO on information risk and formally accrediting systems on behalf of the Commission's Board.

IT Security Officer (ITSO)

This is a specialist role providing an IT perspective on security matters. The ITSO works with the DSO/ Accreditor and the SIRO to ensure that the balance between business opportunity, risk and the cost of systems is acceptable to the Commission. They also ensure that the accreditation processes comply with relevant standards and procedures laid down within government guidance.

Accounting Officer (AO)

Our Chief Executive acts as the Commission's AO and has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.

Departmental Records Officer (DRO)

We are bound by the Public Records Act 1958 to appoint a DRO. All our records are public records and the DRO is responsible for their care; this includes electronic records. The DRO works under the supervision and guidance of the National Archive. The DRO selects records for permanent preservation at the Archive. Where those records contain personal data care must be taken to ensure the DPA is not breached and the DRO has a coordinating role in making sure such information is identified. The DRO is responsible for ensuring the organisation has good records management practices in place and that where information containing personal data is no longer needed we dispose of it securely.

Those who may have general responsibilities

Anyone acting as a project manager will need to identify where personal data or sensitive information is likely to be used in the delivery of their project. Project managers must engage with the Commission's Accreditor at an early stage to ensure that accreditation and assurance measures are built into both delivery and resource plans. This may include a Privacy Impact Assessment and advice should be sought from the IKM Unit if there is uncertainty about whether this is required.

All line managers are responsible for ensuring that their staff understand their own responsibilities for protecting information. All staff must complete the appropriate training on the Civil Service Learning website annually.

Legal/ Policy/ Accountancy Framework 

E1 Transparency and openness in government

Whilst we promote openness and transparency in government we must remember the legal duty to protect the privacy of individuals where it is appropriate to do so. In doing this we must consider the effect of the Data Protection Act where we deal with personal information in terms of obtaining, storing, using or disclosing it (which, amongst other things, are termed as 'processing').

The Data Protection Act may be repealed in 2014 and replaced by a European Regulation which will have direct effect in England and Wales.  However, until the law changes, the Data Protection Act remains good law and is what we must work within.

As part of our commitment to transparency the Charity Commission publishes its Information Charter. The Charter sets out the standards anyone can expect from us when we deal with personal and other information. The standards we set out are in keeping with the legal principles of data protection, human rights and freedom of information. The Web information includes our Publication Scheme setting out our commitment to making available information which is in the public interest.

The Freedom of Information Act 2000 (FOI), Environmental Information Regulations 2004 (EIR) and Data Protection Act 1998 (DPA) provide the framework within which requests for information can be made from government.

There is other domestic/ European legislation which relates to information we hold, such as the:

  • Privacy and Electronic Communications Regulations 2003, which govern matters such as direct marketing
  • Open Government Licence, which licenses the re-use of public information such as that on the Register of Charities by anyone wanting to use it, but it specifically does not cover personal data
  • Re-use of Public Sector Information Regulations 2004
  • Regulation of Investigatory Powers Act 2000

However, it is the FOI and DPA that apply most often in our work. The Acts operate alongside each other, allowing requests for access to personal information to be dealt with under the Data Protection Act and requests for access to other sorts of information to be dealt with under the Freedom of Information Act (and in some cases the EIR). Importantly, disclosure under the Data Protection Act is usually only to the individual concerned and under the Freedom of Information Act the disclosure can be to the whole world.

The Information Commissioner's Office oversees the operation of the Freedom of Information Act and the Data Protection Act and produces detailed guidance and codes of practice as part of its function. Further information about the ICO's role can be found on the ICO website.

The principles of data protection are mirrored in human rights legislation, particularly the provisions of Article 8 of the Human Rights Act 1998, which considers the right of respect for private and family life and can be found in OG71 C2.

It is also important to note that the DPA applies only to living individuals and so the Law of Confidence can take over when the individual dies. The law of confidence protects information from unauthorised disclosure if it has the necessary quality of confidence and if it was received under an obligation to keep the information confidential (this should not be confused with a protective marking of 'Confidential').

E2 Specific terms used when dealing with data protection issues

Before applying the data protection legislation we need to understand the particular terms used in the Act and within our own organisation. The terms are set out in Part 1 of the Act; the ones that we are most likely to come across are set out below with the corresponding section from the Act. More extensive information can be found in the ICO's Guide to Data Protection part A3.


E2.1 Key terms used

Data

This is information which:

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose.

(b) is recorded with the intention that it should be processed by means of such equipment.

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

(d) does not fall within (a), (b) or (c) above but forms part of an accessible record as defined by section 68 (of the Act); or

(e) is recorded information held by a public authority and does not fall within (a) to (d) above.

Personal data


This means information from which it is possible to identify a living individual, either directly from that information or from additional information held (or likely to be held) by the data controller or which can lead to identification of an individual when coupled with information held outside of the organisation. This includes factual information or expressions of opinion about the individual and any indications of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data


This is personal data that consists of:

(a) the racial or ethnic origin of the individual

(b) his or her political opinions

(c) his or her religious beliefs or other beliefs of a similar nature

(d) whether he or she is a member of a trade union (under the Trade Union and Labour Relations (Consolidation) Act 1992)

(e) his or her physical or mental health condition

(f) his or her sexual life

(g) the commission or alleged commission by him or her of any offence

(h) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings or the sentence of any court in such proceedings

Data subject


The individual about whom personal information is held 

Data controller


A person who (either alone, or jointly, or in common with other individuals) determines how and for what purpose any personal information is to be processed. The Charity Commission is a data controller and is registered as such with the ICO.

Processing

Obtaining, recording or holding data or carrying out any operation or set of operations on that data. Organising, storing, adapting and amending the data, retrieval, consultation and use of data; and disclosing and erasure or destruction of data. It is difficult to envisage any activity involving data that does not amount to processing.

Data Processor


This is any person other than the employee of the data controller who processes data on behalf of the data controller, eg someone working for a company to which we have contracted data processing work.

Subject access



This is the right of any individual to have access to personal information about themselves held by a data controller. Applications from individuals for access to their own data are called subject access requests (SAR). 

Privacy or fair collection notice (Sch I Part II paras 2 & 5)

A privacy or fair collection notice is the means the ICO recommends for organisations to set out how they comply with the DPA requirements to collect information fairly and transparently.

E3 The data protection principles and what they mean for our work 

E3.1 General points about using the data protection principles

Schedule 1 of the Act contains eight principles known as the data protection principles that must be followed in all dealings with personal data. The DPA applies to all organisations, not just public authorities. Section 4(4) of the DPA places a duty on data controllers to comply with the principles, except where an exemption applies, and the Commission is a data controller for the purposes of the Act. These principles are the starting point when we consider processing of personal data and sensitive personal data.

This means that when dealing with personal data all of the 8 principles must be met, in addition to one or more of the processing conditions. The specific conditions for processing are set out in Schedule 2 (for personal data) and Schedule 3 (for sensitive personal data) of the DPA. At least one of the conditions must be met from Schedule 2 in order to process personal data and when dealing with sensitive personal data a processing condition from Schedule 3 must also be met. 

The DPA also allows for exemptions to its provisions in particular circumstances and rights that individuals have in connection with their personal data held by organisations. 


E3.2 The principles in detail

Schedule 1 Part II sections 1 to 15 are concerned with interpretation of the Data Protection Principles.  

Principle 1

Personal data shall be processed fairly and lawfully and in particular shall not be processed unless:

  • at least one condition in Schedule 2 is met
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

(Where a condition in Schedule 3 is the same as one in Schedule 2 and the Schedule 3 condition is met, this requirement is satisfied.)

To comply with the first principle we must:

  • have legitimate grounds for collecting and using the personal data, meaning it must be to enable us to carry out our functions as set out in the Charities Act 
  • not use the information in ways that have unjustified adverse effects on the individual concerned 
  • be transparent about how we intend to use the data and give individuals appropriate privacy notices when collecting their personal data (see the Commission's Information Charter and privacy statement)
  • handle people's personal data only in ways they would reasonably expect
  • make sure we do not do anything unlawful with the data

Fairness of processing data requires transparency: this means being clear and open with individuals about how their information will be used. Assessing whether information is processed fairly depends partly on how it is obtained; in particular, if anyone is deceived or misled when the information is obtained, then it is unlikely to be fair. Schedule 1 Part II of the DPA provides that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Examples here would be where a bank provides us with a charity's bank account details where we have asked for them by Order, or where we ask for trustee details when a charity applies for registration.

In assessing fairness we must consider more generally how it affects the interests of the people concerned, as a group and individually. If the information has been obtained and used fairly in relation to most of the people it relates to but is used unfairly in relation to one individual, there is still a breach of the first data protection principle. However, there may be instances where the way the data is used has a detrimental effect on an individual without it necessarily being unfair. What matters is whether that detriment is justified. This is where an exemption may be applicable.

As the charity regulator we may share information with other regulators or areas of government. This may be done under sections 54 to 59 of the Charities Act 2011 and is dealt with in OG405. Even though we share information under the Charities Act we must still take account of the DPA provisions in the act of sharing personal data - see OG405 section B2.4 which outlines what we must consider. This is part of acting fairly and we make this clear through our Information Charter which confirms the circumstances under which we may decide to share information.

Schedule 1 Part II para 2(3) provides the criteria involved when considering whether we are acting fairly. This may be summed up as follows:

  • being open and honest about our identity
  • telling people how we intend to use any personal data collected about them (unless it is obvious) - we tell charities which data we collect as part of our annual return may appear on our website 
  • handling the personal data only in ways that they would reasonably expect
  • not using their information in a way that has an unjustifiably negative effect on them

The lawful nature of processing data is not specifically defined by the DPA. Processing must be done in accordance with common, civil and criminal law and is therefore a wide-ranging requirement. Processing may be unlawful if it results in:

  • a breach of duty or confidence. Such a duty may be stated or implied by the content of the information or because it was collected in circumstances where confidentiality is expected, for instance whistle blowing information.
  • exceeding our legal powers or using those powers improperly
  • an infringement of copyright
  • a breach of an enforceable contractual agreement
  • a breach of industry specific legislation or regulations
  • a breach of the Human Rights Act 1998 - see section E1 above
  • acting contrary to our duties under the Public Records Act

The Conditions for processing as required by Schedule 2 and Schedule 3 are explained separately in section E4 below. 

Satisfying one or more of the processing conditions will not automatically guarantee that what we are doing with personal data is 'fair and lawful'. Fairness and lawfulness must still be looked at separately. Also, when dealing with sensitive personal data, such as someone's health or criminal record, the processing conditions in Schedule 3 are much more exacting.

More detailed information about the first principle and processing data fairly and lawfully can be found in the ICO's Guide to Data Protection at section B1


Principle 2

Personal data shall be obtained only for one or more of the specified or lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes

The aim of the second principle is to ensure that organisations are open about the reason why personal information is required and that the information is processed only in line with the reasonable expectations of the individual concerned. This means we must be open and transparent about what we do with the personal data we collect. If we want to use their information for a different purpose we would normally need to obtain their consent or risk being considered unfair and being in breach of both this principle and the first data protection principle.

Generally to comply with Principle 2 we must:

  • be clear from the outset about why we are collecting the personal information and what we intend to do with it
  • follow the fair processing requirements set out in the DPA including the duty to give privacy notices to the individuals at the time their personal data is being collected 
  • do what the DPA says about notifying the ICO of how we use the personal data we collect - failure to notify the ICO is a criminal offence 
  • ensure that if we want to use or disclose personal information for a purpose that is additional or different from the original that the new use or disclosure is fair

In our dealings with charities and their trustees we should always be clear why we are asking for any information, not only personal information, at the point of collection. This includes in correspondence, orders, telephone or face-to-face conversations. Being clear about our purpose provides a reasonable expectation of how the information will be used. Drawing attention to the Information Charter will further endorse the way we may use the information.

Legal advice should be taken where we intend to use personal data for a purpose that is additional or different from that originally notified.


More detailed information about the second principle can be found in the ICO's Guide to Data Protection at section B2.


Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

The third principle is concerned with the nature and extent of the information we have about an individual and sets a standard in terms of its adequacy, relevancy and that it is not excessive. Principle 3 is closely linked with Principles 4 and 5 as failure of one principle may cause failure in one of the others.

The terms adequate, relevant and not excessive need to be looked at in the context of:

  • the purpose for which the information is held
  • separately for each individual we hold information about (or each group of individuals where individuals in the group share relevant characteristics)

Assessing whether we hold the right amount of personal data depends upon being clear about why it is being held and used. This may differ from one individual to another. We should not hold more personal information than is needed for our purposes and it is particularly important where sensitive personal data is concerned to collect and retain only the minimum amount we need. 

In checking whether this standard is met the following issues should be considered:

  • the number of individuals whose personal data we hold
  • the nature of the information
  • what it is used for and how we use it
  • how it was obtained
  • for how long the information needs to be held
  • the possible consequences for the individuals concerned of retaining or deleting the data

Whilst we hold a lot of personal data about trustees for the particular purpose of being a trustee of a registered charity, we also obtain personal data in the course of our casework, particularly in inquiries or compliance work. This type of work may require us to form opinions or make judgements on the information we hold. Where we form such opinions and take action based on personal data we need to provide the reasoning for that opinion and point to any other records that provide more in depth analysis. 

More information about how we apply the third principle can be found in the ICO's Guide to Data Protection section B3.


Principle 4

Personal data shall be accurate and where necessary kept up to date.

This ties in with the previous principle in terms of the standards that are set when we hold personal data. If data we hold is no longer accurate it raises questions of adequacy and relevancy set out in principle 3. The Commission has a retention policy that applies these aspects of principle 4 to paper records and work is ongoing to develop the same for our electronic information.

The law recognises that it may not be practical to check every item of personal data received and makes special provision about information we receive from individuals about themselves or that is obtained from third parties. The extent to which we check the data will be in keeping with the nature of what is being obtained and the purpose to which it is put.   

In complying with this principle we should:

  • take reasonable steps to ensure the accuracy of any personal data we obtain
  • ensure that the source of any personal data is clear
  • consider carefully any challenges we receive about the accuracy of the information
  • consider whether it is necessary to update the information

Data will not be accurate where it is unclear or misleading as to any matter of fact. In our casework or other work where we compile information about individuals we must ensure the data is correct. The Commission uses the Annual Return to update personal data; this is a good way to ensure that data is correct as the Return is expected to be a reliable source.

If data is not correct it could have serious implications for the individual. This does not always mean that the data must be current; data that is no longer current can often confirm past events and subsequent changes may not be relevant. An example of this is inquiry reports that are available in archived material in that they were correct, factual and related to a charity at a particular time. We would not seek to update such material. It is also possible for such reports to be obtained from the National Archive which holds previous copies of our website. 

In some cases it may not be practical for us to check the accuracy of information we receive or obtain. Schedule 1 Part II paragraph 7 of the Act recognises this and provides that holding inaccurate personal data will not be considered a breach of this data protection principle so long as:

  • we have accurately recorded the information as provided to us
  • we have taken reasonable steps in the circumstances to ensure its accuracy
  • if the individual concerned has challenged the accuracy of the information this is clear to those assessing it

We must record where we have been challenged about the accuracy of personal data and whether or not changes have been made and why. Opinions we form about individuals are also classed as personal data. Recording of opinions may also be challenged and, again, careful recording on the basis of accurate data is important and should also indicate who made the opinion.

More information on applying the fourth principle can be found in the ICO's Guide to Data Protection section B4


Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This principle is concerned with standards and not keeping processed personal data for any longer than is necessary. This is why we have a file retention policy.

In practice it means we must:

  • review the length of time we keep personal data
  • consider the purpose or purposes for which the personal data is kept in deciding whether and for how long it should be kept
  • securely delete information that is no longer needed for the purpose or purposes for which it was obtained or given
  • update, archive or securely delete information if it is out of date

This will involve judgements on our part about the business needs for different sorts of personal data, including:

  • the current and future value of the information
  • the costs, risks and liabilities associated with retaining the information
  • the ease or difficulty of making sure it remains accurate and up to date
  • other legal reasons for retaining the information for a particular time, such as compliance with limitation periods 

Owing to these considerations we may decide that we do not wish to keep information, for instance, medical information about a person where there is no value to keeping it - we may decide to return it straight away to the sender or destroy it and inform the sender.  

More information about the fifth principle can be found in the ICO's Guide to Data Protection section B5


Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

The sixth principle gives rights to the individual so that data may only be processed in accordance with those rights. The rights of the individual are set out in Part II sections 7 to 15 of the Act and comprise:

  • a right of access to a copy of the information comprised in their personal data
  • a right to object to processing that is likely to cause or is causing damage or distress
  • a right to prevent processing for direct marketing
  • a right to object to decisions being taken by automated means
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • a right to claim compensation for damages caused by a breach of the Act

The most common right to be used in connection with our work will be the right of access to a copy of the personal data we hold. We call these subject access requests (SARs) - see section B3 which sets out what we do with these requests. 

Schedule 1 Part II paragraph 8 provides that in the circumstances set out in that paragraph we will be considered to have breached the sixth data protection principle if we 

  • fail to supply information in accordance with section 7 of the Act (rights of access to personal data)
  • fail to comply with a notice given under section 10(1) of the Act (right to prevent processing – damage or distress) which was justified 
  • fail to give notice under section 10(3) of the Act (right to prevent processing – damage or distress)
  • fail to comply with a notice given under section 11(1) (right to prevent processing – direct marketing)
  • fail to comply with a notice under section 12(1) or 12(2)(b) of the Act (rights concerning automated decision-taking)
  • fail to give notification under section 12(2)(a) or 12(3) of the Act (rights concerning automated decision-taking)   

  More information on the rights of individuals can be found in the ICO's Guide to Data Protection section C1.


Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The seventh principle is concerned with information security. In practice it means that we must have appropriate security to prevent personal data being accidentally or deliberately compromised. In particular we need to:

  • design and organise security to fit the nature of the personal data we hold and the harm that might result if a security breach occurs
  • be clear about who in the Charity Commission is responsible for ensuring information security 
  • have the right physical and technical security backed up by robust policies and procedures and reliable well trained staff
  • ensure that data being processed for us by another organisation is done under written contract which has clear instructions for processing personal data and that it is confirmed that the organisation will work in accordance with this principle
  • be able to respond to security breaches swiftly and effectively, and employ sanctions for breaches where appropriate 

Information security breaches may cause real harm and distress to individuals affected. Examples of the harm caused by the loss or abuse of personal data may include:

  • victimisation of whistleblowers
  • attacks on trustees (especially where trustees are involved in emotive charitable activities, eg medical research, sexual orientation, religion and in particular where we have recognised this by granting dispensations to protect them) 
  • witnesses at risk of physical harm or intimidation
  • offenders at risk from vigilantes
  • beneficiaries at risk from domestic violence
  • complainants that require protection 

In the context of our work there are also reputational issues for the Commission or charities which could result from breached security. Security measures need to ensure that:

  • only authorised people (which can include contractors and agency staff) can access, alter, disclose or destroy personal data
  • those people act only within the scope of their authority
  • if personal data is lost, altered or destroyed accidentally it can be recovered

The DPA cannot stipulate exactly what systems should be put in place as all organisations are different with differing levels of personal data storage. However, any system will need to meet the minimum standards laid down by government for compliance with the DPA (as set out in the Government's Security Policy Framework). Systems and processes will need to reflect the level of risk to the data held and the way it is assessed, how valuable it is, how sensitive or confidential it is and the way it is used. It should be noted that the government's definition of personal data that should be protected is broader than that defined as sensitive personal data in the DPA.

Section B1.5 of Casework Guidance considers situations that must be avoided in order to prevent security breaches and the penalties incurred by us if we get it wrong.  

More information about security can be found in the ICO's Guide to Data Protection section B7.


Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the data. 

The eighth principle is concerned with sending personal data (a 'transfer') outside of the European Economic Area (EEA). This principle involves other principles such as principle 1 about fair and lawful processing and principle 7 concerning security. Personal data must not be transferred to a country or territory outside of the EEA unless that country or territory can ensure an adequate level of protection for the rights and freedoms of data subjects when processing personal data.

Schedule 1 Part II section 13 provides that:

An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to
(a) the nature of the personal data,
(b) the country or territory of origin of the information contained in the data,
(c) the country or territory of final destination of that information,
(d) the purposes for which and period during which the data are intended to be processed,
(e) the law in force in the country or territory in question,
(f) the international obligations of that country or territory,
(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and
(h) any security measures taken in respect of the data in that country or territory.

A transfer involves sending personal data to someone in another country. A transfer is not the same as a transit of information through a country, for example, personal data from country X to country Y via a server in country Z, which does not access or manipulate the data whilst in country Z. The transfer is to country Y only with the information being in transit through country Z. Where we need to share information with a country that is outside the EEA advice should be taken from the Intelligence Team. You should also refer to the Commission's guidance on data handling procedures which includes information on transfer of electronic and other data - this can be found in Staff Information on Connect. The ICO website also contains useful advice about transfer of data abroad.

Before sending data to a country outside the EEA you should consider if information can be sent without personal data. Details of countries within the EEA and other countries that are recognised as having adequate levels of protection can be found in the ICO's Guide to Data Protection at section B8.12. This principle may need to be applied in the course of our overseas work in Investigations and Enforcement and the Overseas Programme, for instance, liaison with authorities in local areas overseas. Staff working in these areas should also take care about their own personal data and its use - see security awareness information for staff in Staff Information on Connect and also our policy for redacting information (link once available).

There are exceptions from the provisions of Principle 8 and these are contained at Schedule 4 of the Act.

Exceptions apply to transfers of personal details beyond the EEA where:

  • you have the individual's consent
  • it is necessary for carrying out certain types of contract or the transfer is necessary to set up the contract, where that contract:
    • is entered into at the request of the individual; or
    • is in the interests of the individual; or
    • is necessary for the performance of the contract
  • there is substantial public interest, for instance where it is needed for detection of crime or national security matters
  • it is in the vital interests of the individual, this relates to matters of life and death such as transfer of medical records
  • the personal data is already part of a public register where the recipient complies with any restrictions on access or use of that information
  • it is necessary for legal proceedings (including future proceedings) including:
    • obtaining legal advice; and
    • establishing, exercising or defending legal rights
  • the transfer is authorised by the Information Commissioner as being made in such a manner as to ensure safeguards for the rights and freedoms of the individual
  • the transfer is made on terms which are of the kind approved by the Information Commissioner in ensuring safeguards for the rights and freedoms of the individual

The ICO website gives further information about the exceptions from Principle 8.


E4 The conditions for processing (Schedule 2 and Schedule 3)

The first data protection principle requires the Commission as a data controller to:

and in addition

  • to satisfy one or more of the conditions for processing in Schedule 2 (personal data) and, if applicable, one or more of the conditions for processing in Schedule 3 (sensitive personal data)

before the processing of personal data can take place.

The conditions for processing take account of the nature of the personal data in question and are more stringent where the information being processed is sensitive personal data such as information about a person's health or criminal record - see the definition at section E2 above. It should be noted that simply meeting the conditions for processing does not mean that the processing is automatically fair and lawful as set out by principle 1. The Cabinet Office has produced cross government guidance on Mandatory Minimum Measures that must be applied to protect personal data.

The conditions for processing required under Schedule 2 and Schedule 3 are set out below.

Schedule 2 (personal data)

  • The individual data subject has consented to the processing.
  • The processing is necessary:
    • in relation to a contract which the individual has entered into;
    • because the individual has asked for something to be done so that they can enter into a contract.
  • The processing is necessary because of a legal obligation that applies to us (except an obligation imposed by a contract).
  • The processing is necessary to protect the individual's 'vital interests'. This condition applies only in the case of life or death, such as, contacting Samaritans or the police in the case of distressed callers who we think may do themselves harm.
  • The processing is necessary for administering justice, or for exercising statutory, governmental or other public functions.
  • The processing is necessary in accordance with the 'legitimate interests' condition - see below.

Schedule 3 (sensitive personal data)

  • The individual has given explicit consent to the processing.
  • The processing is necessary to comply with employment law.
  • The processing is necessary to protect the 'vital interests' of:
    • the individual (where the individual's consent cannot be given or cannot be reasonably expected to be obtained by the data controller);
    • another person (where the individual's consent has been unreasonably withheld).
  • The processing is carried out by a not for profit organisation which exists for political, philosophical, religious or trade-union purposes; where
    • it is carried out with appropriate safeguards for the rights and freedoms of the data subjects;
    • it relates only to individuals who are either members of the body or association or have regular contact with it in connection with its purposes;
    • does not involve disclosure of the personal data without consent of the data subject.
  • The process is necessary for administering justice, or for exercising statutory or governmental functions.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for medical purposes, and is undertaken by a medical professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

Further conditions exist for processing sensitive personal data to those set out above. These conditions are set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 (link to Legislation.gov) and subsequent orders. Typically they relate to purposes that are in the substantial public interest and which must necessarily be carried out without the explicit consent of the individual, for instance detecting crime or protecting the public against malpractice or maladministration.


The following explanations, mainly relating to Schedule 2, look at the conditions in the context of the work we do. Legal advice should be sought if you require further explanation of these conditions, and particularly where they relate to Schedule 3.


Consent: In considering whether consent has been given we need to show that the individual has given some form of positive agreement to their personal data being collected and used in the manner and for the purpose in question. It is not always obvious that consent has been given, and whether the circumstances are sufficient to indicate consent will depend on each case. For this reason, together with the fact that it can be withdrawn at any time, consent should not be the preferred processing condition.

The DPA does not give a definition of consent but it does give effect to the European Data Protection Directive which defines an individual's consent as

"...any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". 

Consent to processing data does not have to be in writing. However, it cannot be inferred by non-response to a communication, for example failure to respond to a form or letter from us; consent must be actively "signified" by the individual in some way. Consent must be appropriate to the age and ability of the person to understand the nature of what is being asked in the circumstances of the case. In certain cases the consent may be needed even after our case has concluded and we should be prepared to review the continuing adequacy of any consents previously given, for instance, where there is a change of circumstances. However, where a consent is subsequently withdrawn it does not affect the validity of anything already done on or on the basis of misleading information does not satisfy the condition for processing.

  • Schedule 3 differs from Schedule 2 due to the nature of the data being processed. The consent required in processing sensitive personal data must be "explicit"

In cases where we require explicit consent, we will need to make clear:

  • the type of information we require or if appropriate the specific information we require
  • the specific details of how data is to be processed
  • the purpose of the processing

And, find out and consider:

  • any special aspects that may affect the individual, for instance the potential impact of the disclosure

Occasionally, the question of consent arises in complaint cases. It is not generally our policy to disclose complainant names but sometimes it becomes obvious, when pursuing allegations, who the complainant is. Our public statement on disclosure in complaint cases can be found in CC47 B5. We claim exemption under section 31 of the Act (Regulatory Activity) when dealing with disclosure in complaint cases - see section E6 below about exemptions. Whilst we could ask for consent to disclose the names of those making allegations we also realise that continually seeking permission to disclose the information could make us an inefficient regulator. If disclosure is being considered we should first think about whether it is fair, lawful and necessary to make such a disclosure. Before asking whether the individual will give consent to the disclosure we should first think about whether it is fair, lawful and necessary to require such a disclosure. Where an individual refuses consent but an inquirer is persistent we may seek advice from the ICO if circumstances warrant it. These principles apply also to other circumstances, for example, we had information about a charitable benefactor who refused to be named and we were backed by the ICO in refusing to name the donor.

Necessary: The question of necessity is important as it underpins other conditions; we need to show that collecting the information is necessary both in the reason for its collection and the way in which it is collected before we can consider meeting the other conditions. 'Necessary' is not defined by the DPA but case law holds that we would need to demonstrate that the data is processed to the minimum amount necessary for us to carry out our purposes and, as a result, is proportionate to our needs. This means that we must collect the minimum amount of data necessary and, for further processing of that data, it must relate only to the purposes for its collection. It follows that data cannot be collected for one purpose and then used subsequently for some other purpose (unless an exemption applies, eg where we disclose for legal purposes). Additionally, collection of data cannot be deemed necessary if we can achieve the purpose by some other reasonable means (ie without this data) or where the processing is necessary simply because we have decided to operate or go about our business in a particular way (ie the data facilitates the way we work rather than being required for what we do). For example, it would not be necessary for us to collect personal details of participants to a survey where the results of the survey are anonymised and this data has no bearing on the results of the survey - to collect names and other personal data simply shows that it is not the same person filling out the same form but other processes can be implemented to prevent this. 

Vital interests: The vital interests condition allows for processing of personal data where the purpose of the processing is vital to the data subject's survival, ie in matters of life or death.

Administering justice, or for exercising statutory, governmental or other public functions: As a government department which has a public function conferred by Act of Parliament the Charity Commission fulfils this condition. We have a legal obligation under the Charities Act to keep an accurate register of charities and to protect charities against misconduct and mismanagement. 

Legitimate interests: Schedule 2 recognises that there may be legitimate reasons for processing personal data that the other conditions for processing contained in that Schedule do not specifically deal with. The legitimate interest condition allows such processing provided certain requirements are met. There are two parts to the requirement.

The first part is that the processing of data (which may appear to go against the wishes or rights of the individual) can be allowed where an organisation or a third party has a legitimate reason for the processing. For instance, the Commission has legitimate interests in sharing personal data with third sector researchers but is not under a legal obligation to do so.

The second part of the requirement is that once a legitimate interest has been established the processing cannot go ahead without those interests being balanced against the interests of the individual data subject. The legitimate interests conditions will not be met if processing is unwarranted due to its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Our legitimate interests would not need to harmonise with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual's legitimate interests come first. An example where individual interests are taken before the Commission's legitimate interests is found in women's refuge charities where we decline to publish charity and trustee details on the register (as required by sections 40(4) and 41(4) of the Charities (Accounts and Reports) Regulations 2008) in order to protect those individuals from potential violence - see OG23.  


E5 Individual Rights

Individuals have legal rights in connection with their personal data and its processing. Those rights are set out in sections 7 and 10 to 15 of the Data Protection Act. They are:

  • a right of access to a copy of the information comprised in their personal data
  • a right to object to processing that is likely to cause or is causing damage or distress
  • a right to prevent processing for direct marketing
  • a right to object to decisions being taken by automated means
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • a right to claim compensation for damages caused by a breach of the Act

Although the law starts from the individual's right of access to all personal data held, that information can be withheld if an exemption applies - see section E6.

The provisions of section 7 of the Act allowing a right of access to a copy of personal data often give rise to subject access requests, where individuals ask what personal data we may have about them.

This provision is clear about the rights of access and what must be disclosed where we receive an application. The application must be in writing. Although the Commission is legally entitled to charge a fee for such requests, currently its policy is not to do so.

An individual is entitled to be:

  • told whether any personal data is being processed
  • given a description of the personal data, the reason why it is being processed and whether it will be given to any other organisations or people
  • given a copy of the information comprising the data
  • given any details of the source of the data (where this is available)

More information about the rights of access to personal data and subject access requests (including fee charging) can be found in the ICO's Guide to Data Protection section C1a and the Subject Access Request Code of Practice.

An individual can also request information about the reasoning behind any automated decisions, such as a computer generated decision to grant or deny credit, or an assessment of performance at work (except where this is a trade secret). This is contained at section 12 of the Act with further information in the ICO's Guide to Data Protection section C1d.

An individual is entitled to see only their own personal data and not data relating to other people (unless an exemption applies - see section E6). They are usually entitled to see only the personal information we hold about them and not the actual documents containing the information. However, in some cases it has been determined that the document itself constituted personal data and was therefore disclosable.

The way we handle subject access requests is outlined in the Charts section C1.  

Section 10 of the DPA provides the right to object to processing that is likely to cause damage or distress, which applies in certain limited circumstances. The individual has the right to object to the processing but only if it causes, or is likely to cause, unwarranted and substantial damage. If it does then they have the right to require the processing to stop, or for it not to begin; or to stop or not start processing it in a certain way or for a certain purpose. Anyone exercising this right must put it to us in writing and state the reason for the damage or distress and what is required of us to stop or avoid the damage or distress. This is known as an 'objection to processing' or 'section 10' notice. The notice may only refer to their own personal data; and they have no right to object where we have complied with the provisions of Schedule 2 (see section E4 above) in that:

  • they have consented to the processing
  • the processing is necessary:
    • in relation to a contract that the individual has entered into; or
    • because the individual has asked for something to be done so they can enter into a contract
  • the processing is necessary because of a legal obligation that applies to us (other than a contractual obligation)
  • the processing is necessary to protect the individual's vital interests

Substantial damage or distress is not defined by the Act but in most cases:

  • substantial damage would be financial loss or physical harm
  • substantial distress would be a level of upset or emotional or mental pain that goes beyond annoyance or irritation, strong dislike or a feeling that processing is morally abhorrent.

Principle 3 of the DPA considers the adequacy and relevance of the personal data held and whether it is excessive for the particular purpose for which it is held. In accordance with this principle we may have legitimate reasons for keeping records about individuals which may have a negative effect on them. This might include information that leads to their arrest or to them having to face other legal actions. The DPA does not give individuals the right to prevent such actions even where damage or distress is caused and limits such a request to where the effects are unwarranted.

More information about the rights to object to processing can be found in the ICO's Guide to Data Protection section C1b.

Legal advice must be taken in cases where the likelihood of damage or distress in processing is raised.

The right to prevent processing for direct marketing allows an individual to prevent their data being used for direct marketing. Direct marketing materials are:

  • directed to particular individuals (this does not include mail that is simply addressed to 'the occupier')
  • communicated by whatever means (we mostly think of mail shots or telephone calls but emails and texts are also included)
  • advertising or marketing material (materials are not simply about selling products or services, they may also promote particular views or campaigns, such as political campaigns); typically publications such as CC News could fit into the definition of marketing material

If an individual writes and asks an organisation to stop sending marketing materials, the organisation must comply with the request. More information can be found in the ICO's Guide to Data Protection section C1c. We will not provide copies of the Register for direct marketing purposes.

Section 12 of the DPA provides the right to object to decisions being taken by automated means. It allows an individual access to information about the reasoning behind any decisions taken where that decision happens automatically as a result of personal data input to the system.

This right arises only where:

  • the decision is taken using personal data processed solely by automatic means
  • the decision has a significant effect on the individual concerned

Where this right arises the ICO advises that the individual:

  • can give written notice requiring the organisation not to take any automated decisions using their personal data
  • should be informed when such a decision has been taken (irrespective of whether written notice has been sent to the organisation)
  • can ask for an automated decision to be reconsidered

These provisions are safeguards against a risk that a potentially damaging decision is taken without human intervention.

Decisions about casework are not taken by automated means; there is always an element of human judgement even where online forms or applications are used.

More information about the rights surrounding automated decision taking can be found in the ICO's Guide to Data Protection section C1d.


Section 14 of the DPA provides the right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed. This right accords with Principle 4 which requires personal data to be accurate. It recognises that inaccurate data may come from the individual themselves or from third parties. The fourth principle will not be breached by holding such inaccurate data provided that:

  • inaccurate data was recorded accurately
  • reasonable steps were taken to ensure the accuracy of the information (considered to be what is practical in the circumstances)
  • if the accuracy of the information has been challenged, it is clear to those accessing the information that a challenge has been made and action has been taken in accordance with paragraph 7 of Part 2 of Schedule 1 of the DPA

Where an individual has suffered damage because of inaccurate data section 13 of the DPA allows for compensation to be awarded. We need to ensure that any casework or other decisions based on incorrect data are properly reviewed - see the ICO's Guide to Data Protection sections C1d and C1f.


Section 13 of the DPA allows individuals to claim compensation for damages caused by a breach of the Act. This can be enforced only through the court (not the ICO) and the DPA allows for a defence of the claim on the basis that reasonable care was taken in the circumstances to avoid the breach. A claim can be brought only where the individual has suffered damage. The ICO's Guide to Data Protection considers what damage or distress might mean and levels of compensation at section C1f.

E6 Exemptions

E6.1 What is an exemption?

An exemption is a permitted departure from:

  • the general requirements of the DPA (set out in sections E1 to E4)
  • the requirement to comply with an individual's rights under the DPA (set out at section E5) in whole or in part

in particular circumstances.

Any exemption only allows a departure from the DPA's general requirements to the minimum extent necessary to protect the particular function or activity of the exemption concerned. More than one exemption may apply depending on circumstances. Also, an exemption may apply to some, but not necessarily all, of the personal data or its processing. Each application for exemption must be looked at on its own merits and considered against the reasons why the personal data is being processed.

In practical terms the exemptions allow for:

  • the disclosure of information which would otherwise not be disclosed
  • information to be withheld that would otherwise have to be disclosed
  • a relaxation of certain notification requirements of the ICO

which would otherwise be a breach of the Act for non-compliance.


Because of the complexity involved in applying the exemptions and the impact an exemption can have on other provisions of the DPA, legal advice should be taken.


E6.2 Under what circumstances do exemptions apply?

The exemptions are contained in Part IV (sections 28 - 39) and Schedule 7 of the DPA. They have been added to by various Statutory Instruments. Section 37 of the DPA brings into effect the exemptions contained in Schedule 7, which are referred to as 'the miscellaneous exemptions'.

The exemptions consist of:

Part IV

Those circumstances are:

  • national security - section 28
  • crime and taxation - section 29
  • health, education and social work - section 30
  • regulatory activity - section 31
  • journalism, literature and art - section 32
  • research, history and statistics - section 33
  • manual data held by public authorities - section 33A
  • information available to the public by or under enactment - section 34
  • disclosures required by law or made in connection with legal proceedings etc - section 35
  • parliamentary privilege - section 35A
  • domestic purposes - section 36

Schedule 7

  • confidential references given by the data controller - para 1
  • armed forces - para 2 
  • judicial appointments and honours -  para 3
  • crown employment and crown or ministerial appointments - para 4
  • management forecasts - para 5
  • corporate finance - para 6
  • negotiations - para 7
  • examination marks - para 8
  • examination scripts - para 9
  • legal professional privilege - para 10
  • self incrimination - para 11

Schedule 8

  • various transitional exemptions available after and before specific dates

Not all of these circumstances apply to the work that we do. The most common areas in which exemptions are liable to affect our work are explained at section E6.4 below.


E6.3 How are exemptions applied?

The chart below shows the way in which exemptions work under the DPA. The chart is followed by a more detailed explanation of this process.

Exemptions concern the overlap between rights and duties created by the Act and the way we balance the subject information provisions with the non-disclosure provisions in particular situations. This occurs where the legal rights of the individual (see section E5) to access personal data, have data changed and block aspects of processing may not be compatible with our duties under the Act to process personal data (see section E3) where other circumstances occur. These circumstances arise from legislation concerned with other aspects of public life. The overarching circumstances in which exemptions may apply can vary and are considered in more detail at section E6.4 below.

When using exemptions we must look at each one carefully to consider the effect it has in order to avoid inconsistency in applying the provisions of the Act. To avoid inconsistencies section 27 of the Act divides the rights and duties affected into two groups - 'subject information provisions' and 'non-disclosure provisions'.

The subject information provisions set out at section 27(2) and (5) concern:

  • an organisation's duty to provide an individual with a privacy notice when their personal data is collected (in general terms a privacy notice gives information on the purpose for collecting the information and its processing)
  • an individual's right to make a subject access request

The non-disclosure provisions set out at section 27(3) and (4) concern:

  • an organisation's duty to comply with the first data protection principle (processing data fairly and lawfully); however, in applying the exemptions the duty to satisfy one or more of the conditions for processing set out in Schedule 2 and (if applicable) Schedule 3 must still be observed
  • an organisation's duty to comply with the second, third, fourth and fifth data protection principles
  • an individual's right to object to processing that is likely to cause or is causing damage or distress
  • an individual's right in certain circumstances to have inaccurate personal information rectified, blocked, erased or destroyed 

An exemption from the non-disclosure provisions (which, for example, would allow us to disclose personal data that would otherwise be protected from disclosure) is not an automatic exemption from all or any of those provisions. This is because an exemption can only be relied upon to the extent that the general legal duties under the DPA are inconsistent with the disclosure in question. So if we think an exemption applies we need to look at the non-disclosure provisions in turn to decide:

  • which, if any, would be inconsistent with the disclosure in question
  • the extent of the inconsistency


E6.4 Exemptions that may apply to our work


Crime and taxation (section 29)

Section 29 of the DPA contains 4 categories of exemption, 3 of which may be claimed by us under this heading.

They concern:

  • the prevention or detection of crime
  • the apprehension or prosecution of offenders
  • the assessment or collection of any tax or duty or of any imposition of a similar nature

These are the crime and taxation purposes mentioned in the exemptions below.

The first crime and taxation exemption (section 29(1))

Personal data processed for any of the crime and taxation purposes are exempt from:

  • the first data protection principle (but conditions in Schedules 2 and 3 for processing personal data and sensitive personal data still apply)
  • subject access

But only to the extent to which the application of those provisions to the data would be likely to prejudice any of the crime and taxation purposes. In other words we must not disregard those provisions unless their application would be likely to prejudice any of the crime and taxation purposes.

The second crime and taxation exemption (section 29(2))

Personal data which is processed for the purpose of discharging statutory functions, and consists of information obtained for such a purpose from a person who had it in their possession for any of the crime and taxation purposes, are exempt from the subject information provisions. But only to the extent to which the application of the subject information provisions to the data would be likely to prejudice any of the crime and taxation purposes.

The third crime and taxation exemption (section 29(3))

Personal data is exempt from the non-disclosure provisions in any case where the disclosure is for any of the crime and taxation purposes and where the application of those provisions in relation to the disclosure would be likely to prejudice any of the crime and taxation purposes.  

Using the crime and taxation exemptions

In applying crime and taxation exemptions the case of Equifax Europe Limited v The Data Protection Registrar [Tribunal Case DA/90/25/49/7 - 28 June 1991] held that in the context of equivalent provisions in the 1984 DPA the term "in any case" means "in any particular case" meaning that the provision can apply only on a case by case basis.

These three exemptions apply only where there is likely prejudice to one of the crime and taxation purposes. The DPA does not explain the meaning of "likely to prejudice". Therefore we cannot regard this as a blanket exemption that would justify withholding subject access to whole categories of data where in fact those purposes would not be likely to be prejudiced in the case of all data subjects. Also, it would not justify withholding all the personal data about a particular data subject when only part of the personal data would be likely to prejudice those purposes.

The ICO takes the view that, for any of these three exemptions to apply, there would have to be a substantial and weighty chance rather than a mere risk that in a particular case the purposes would be noticeably damaged. We need to make a judgement as to whether or not prejudice is likely in relation to the circumstances in each individual case.

In using these three exemptions we must note the limitations on their use and consider each of the provisions in turn and decide which, if any, would be likely to prejudice any of the crime and taxation purposes. We can only disapply those provisions which would be likely to prejudice one or more of the crime and taxation purposes and then only to the extent to which the prejudice would be likely to result.

If challenged, we must be prepared to defend this decision to rely on the exemption either to the ICO or to the court. Accordingly this type of decision must be subject to legal advice and the reasons for applying the exemption must be documented.


Regulatory activity (section 31)

This exemption is relied upon regularly by the Commission. Section 31 provides an exemption from the subject information provisions for the processing of personal data by reference to numerous different categories of regulatory function exercised by public "watch-dogs" which are all variously concerned with the protection of members of the public and charities or fair competition in business. Again, this is not a blanket exemption from the subject information provisions and is only available, in any case, to the extent that the application of such provisions would be likely to prejudice the proper discharge of our functions.

Certain provisions only apply to functions conferred by enactment upon specified individuals or organisations, but others apply to any "relevant function". A "relevant function" is a function conferred on any person by or under any enactment, any function of the Crown, a Minister of the Crown or a government department, or "any other function which is of a public nature and is exercised in the public interest". Whilst this phrase is not defined by the DPA it will include the Commission's work.

This exemption does not 'disapply' the non-disclosure provisions; so, where we rely on section 31 the exemption only applies to the provisions relating to privacy notices and an individual's subject access rights. In every other respect we are obliged to comply with the requirements of the DPA where we are using personal data in conducting our regulatory work.   

Processing for special purposes (section 32)

"Special purposes" as defined in section 3 of the DPA means any one or more of the following:

  • the purposes of journalism
  • artistic purposes
  • literary purposes  

This exemption is likely to be used only in very limited circumstances within the Commission, mainly to do with Press Office and, in particular, where publication would be in the public interest.

This exemption should not be used without first having taken legal advice.


Research, history and statistics (section 33)

The DPA does not define "research purposes" comprehensively but confirms that it includes statistical or historical purposes. Section 33 provides for various exemptions in respect of the processing (or further processing) of personal data for research purposes provided that the processing (or further processing) is exclusively for those purposes, and, also, that both the following conditions are met:

  • the data is not processed to support measures or decisions relating to particular individuals
  • the data is not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject

Where the exemption applies:

  • the further processing of personal data will not be considered incompatible with the purposes for which it was obtained
  • personal data may be kept indefinitely despite the Fifth Data Protection principle
  • subject access does not have to be given provided that the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them

The Commission can get requests for information on which we base our policies or decisions, including statistical data. When providing statistical data we will anonymise that data as a matter of course; in which case we do not use the section 33 exemption as we will not be making considerations about particular personal data.


Information made available to the public by or under enactment (section 34)

Section 34 provides that when personal data consists of information which the data controller is obliged by, or under, any enactment (other than the Freedom of Information Act 2000) to make available to the public, the personal data is exempt from:

  • the subject information provisions
  • the Fourth Data Protection principle (accuracy)
  • section 12A of the DPA (applicable to exempt manual data during transitional periods)
  • section 14, sub sections (1) to (3) of the DPA (rectification, blocking, erasure and destruction)
  • the non-disclosure provisions

In addition, there is no requirement for the data controller to submit a notification to the ICO where the sole purpose of any processing is the maintenance of a public register, for example, the Register of Births, Deaths and Marriages. However, in the case of the Commission where the publication of the Register of Charities is not our sole function we must submit a notification to the ICO. This is done annually by the IKM Unit.

The exemption applies only to the information that the data controller is required to publish. If the data controller holds additional personal data about the individuals concerned that additional data is not exempt even where, in practice, the data controller does not publish it.

Section 29 of the Charities Act 2011 requires us to keep a Register of Charities and we may decide what is made public and what is not. The exemption will be applicable only to that information we choose to make public and will not apply to the other personal data we hold on the register.  


Disclosures required by law (section 35(1))

Where the disclosure is required by or under any enactment, by any rule of law or by order of a court, personal data are exempt from the non-disclosure provisions. In these circumstances, the legal obligation overrides any objection which the data subject may have, but an element of fairness can still be applied.

For instance, if a data controller is aware when they collect data that at some point they are likely to have to make disclosures of that data by law, it would be incompatible with the legal requirements to disclose such information not to notify data subjects, at the time the data is collected from them, of the legal requirement to do so. The First data protection principle (fair and lawful processing) should not be completely dis-applied.


Disclosures made in connection with legal proceedings (section 35(2))

Personal data is exempt from the non-disclosure provisions where the disclosure is necessary:

  • for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)
  • for the purpose of obtaining legal advice
  • is otherwise necessary for the purposes of establishing, exercising or defending legal rights

This provision allows the data controller to disclose personal data in cases where:

  • the data controller is satisfied that the nature of the request is such that the disclosure of the personal data falls within this section, ie the disclosure is necessary for one or more of the above
  • the data controller is satisfied that to apply the particular non-disclosure provision would be inconsistent with the disclosure in question

The data controller has to remember that Schedule 2 and (where processing is of sensitive personal data) Schedule 3 still have to be complied with.

Where the disclosure relates to personal data of complainants we would generally not disclose the data without a court order unless they had given their consent to disclose the requested information. It is important to remember that this applies to any information that might identify them, not just the obvious items such as their name.


Exemptions contained within The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (SI No 419)

Statutory Instrument 2000 No 419 (as amended) contains a list of enactments and instruments which restricts disclosure of certain personal data such as information relating to:

  • human fertilisation and embryology
  • adoption records and reports
  • statements of a child's special educational needs
  • parental order records and reports

Whenever those restrictions apply, the data or information within that data is also exempt from section 7 of the DPA (Subject Access).

We cannot control what personal data we receive by way of background information so it is essential that where disclosure of the personal data sent to us is restricted we mark the records so that this is clear and that extra care needs to be taken. 

The Miscellaneous Exemptions (Schedule 7)

The exemptions listed below all come within Schedule 7 of the DPA.

Confidential references given by the data controller

Personal data contained in a confidential reference given by the data controller for specified purposes (education, training or employment, appointment to office or provision of any service) are exempt from subject access.

This exemption is not available to the data controller receiving the reference. However, other exemptions may still apply depending on circumstances.  

Crown employment and crown ministerial employment

The DPA provides for exemption from the subject access provisions in the case of personal data processed for assessing the suitability for employment by the Crown or ministerial appointments as listed in The Data Protection (Crown Appointments) Order 2000 SI No 416.  

Management forecasts/ management planning

This exemption is available to businesses to protect confidentiality of personal data processed for the purposes of management forecasting or management planning. The exemption can be used to the extent to which the application of any of the subject information provisions to personal data processed for such purposes would be likely to prejudice the conduct of the business or other activity of the data controller and such data is exempt from the subject information provisions.  


Negotiations

Where personal data indicates the intentions of the data controller in relation to any negotiations with the data subject, such personal data is exempt from the subject information provisions to the extent to which those provisions would be likely to prejudice those negotiations.

Legal Professional Privilege

This is an exemption that is used often by the Commission. If personal data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings, the personal data is exempt from the subject information provisions forever unless the privilege is waived.  

Information received by a lawyer in the course of advising a client is confidential and usually disclosed only with the client's authority.  


Self incrimination

If by complying with any subject access request or order under section 7 of the DPA a person would, by revealing evidence of the commission of any offence, other than an offence under the DPA, expose himself or herself to proceedings for that offence, that person need not comply with a subject access request or order.


F1 An individual has asked what information we hold about them, what do I do?

You need to consider what exactly has been asked for and which is the appropriate team to deal with the inquiry. Section B2 looks at the way we filter requests for information coming to the Commission. Section B3.1 sets out what information a person can request about him or herself.

F2 A correspondent has sent me information that contains personal data, what should I do with it?

Common sense principles for data handling are set out in section B1.6.

F3 Where can I find what all these data protection terms mean?

Section E2 sets out the most common terms we are liable to use in our work about data protection. Also, the Information Commissioner has extensive guidance 'The Guide to Data Protection' which contains a section on key definitions if you cannot find what you need in the OG.

F4 Can I use my own laptop, PC or other devices to store work information?

No, as this may make us vulnerable to a security breach. See section B1.5 which highlights the importance of processing any data, including personal data, correctly. 

F5 Can a person insist that we give them information?

Individuals have rights within the law; these are set out at section E5. However, there may be circumstances where we may refuse to disclose information; these are called exemptions and are set out in section E6.

F6 Why do we go to these lengths to process data?

The Data Protection Act has meaning for all of us. It applies equally to our own personal data as it does to data we process about other people. The ICO has the power to impose stringent fines for breaches of the DPA.