In addition to personal data, the United Kingdom defines certain personal information as sensitive data. This data may have additional requirements related to data protection, data subject access, etc.
Sensitive personal data includes, but is not limited to:
- The racial/ethnic origin of the data subject,
- Political opinions, religious beliefs or other beliefs of a similar nature,
- Trade Union membership information,
- Physical or mental health or condition,
- Sexual life,
- The commission or alleged commission by the data subject of any offence, or
- Any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Registration under the United Kingdom’s Data Protection Act requires individuals and organisations that process/control personal information to register with the Information Commissioner's Office (ICO).
- The ICO considers it a best practice to register for those businesses that may:
  - Use CCTV for crime prevention and/or
  - Process information by doing any of the following with the information: obtaining it; recording it; storing it; updating it; and sharing it.
There are exceptions to ICO registrations. For more information on registration requirements and exemptions visit the ICO website.
- Registration fees and processes are different in every EU country. For more information on the United Kingdom's Data Protection registration fees visit the ICO website.
Codes of Practice
The Information Commissioner has formally approved several Codes of Practice related to personal data; a few of which are listed here:
- Data Sharing Code of Practice
- Subject Access Code of Practice
- The Employment Practice Code
- Direct Marketing Guidelines
- Anonymisation: Managing Data Protection Risk Code of Practice
- Personal Information Online Code of Practice
For more information or updates on the United Kingdom's Data Protection Codes of Practice visit the ICO website.
Each Code of Practice consists of requirements related to a specific element of personal data control or processing. For example, the Personal Information Online Code discusses encryption and anonymisation related to certain types of personal data.
Breach Reporting & Notification
In the ICO's breach reporting information, they ask:
- Are there any legal or contractual requirements?
- Can notification help you meet your security obligations?
- Can notification help the data subjects?
- Were a large number of people affected, or are there very serious consequences?
If so, it is advisable that you inform the Information Commissioner's Office (ICO) of the breach.
The ICO does not have a set time limit for reporting (unless you are subject to PECR); however, the upcoming GDPR mandates 72 hours.
Beyond the ICO, you must know who else to notify after the discovery of a breach. Consider notifying the police, individuals affected, regulatory bodies, third parties, banks and other financial entities, or the media.
Data Subject Rights Requirements
The Data Protection Act establishes several requests that data subjects may make to data controllers/processors, with which such entities must comply. A few of these rights include the right to:
- Access information/update one's information;
- Data portability;
- Be forgotten; and
- Request automated decision-taking reasoning.
For compliance with data deletion or cease-processing requests, the UK ICO mandates that under normal circumstances, electronic communications should stop within 28 days of receiving the notice, and postal communications should stop within two months.