Sunday 15 May 2016

Back to Basics - Collection Notices

One of the keys to collecting information in line with the Data Protection Act is to ensure that you tell the person providing the information a few key things. Collection notices are often poorly understood and are sometimes overly complicated.

So here are the basics: a collection notice must tell the person providing their information:
(a) who the organisation collecting the information is
(b) what the information provided will be used for
(c) how the information will be stored and for how long
(d) whether the information will be shared with another organisation or organisations

The wording does not have to be formal; you can simply set out the required information in plain English.

Collection notices should be provided on both paper and electronic forms. Individuals frequently do not remember signing up for something or when they gave their information, so to stay off the ICO's naughty step you should record when the information was collected and retain that record for the life of your relationship with the individual. Additionally, if it is a paper form you need to keep either the hard copy or a scanned copy for your records. All of this will help you prove that you are protecting the individual's privacy should you need to.

Remember that regardless of whether you are registered with the ICO you have to comply with the Data Protection Act, so any form that you use for the collection of information MUST carry a collection notice. Without a valid collection notice you are breaking the law!

Sunday 8 May 2016

Back to Basics - What is personal information?

There was a discussion on one of the forums that I belong to about what is considered personal information.

Personal information is any information which relates to a living individual who can be identified:
(a) from that information, or
(b) from that information together with other information which is in, or is likely to come into, the possession of your organisation.

So if you code an account with the reference 123 and in another file link reference 123 to John Smith, then both pieces of information are considered personal information, because together they identify a living individual.

For example, a hairdresser who retains details of their clients, even something as simple as a name, phone number and dates of appointments, is retaining personal information under the Data Protection Act.

Monday 2 May 2016

How many complaints before you need to take action?

I am often asked how many complaints the Information Commissioner's Office (ICO) needs about a company before it starts to take action. There is no definitive answer. I have known companies to have as few as 12 complaints raised with the ICO before it starts to make enquiries into a business's practices. It is easy for someone to complete the online form and raise a "concern" with the ICO. When the ICO starts to investigate your practices, it can take up to six months to resolve the queries raised and receive a conclusion from the ICO as to what action it intends to take against your business.

If you are working on the basis that you won't improve your information security practices until the ICO starts to take an interest, you might not have to wait long. Data protection is becoming more high profile and, as the bad publicity shows, features in the news on a regular basis. The outcome of any investigation will depend on the type of complaint, the number of complaints and the personal information involved. We regularly provide support to businesses as they go through the investigation process.

What would you do?