In relation to shooting clubs and syndicates there is no definitive answer to the question “Do we have to register under the Data Protection Act?” however, in the majority of cases the answer is likely to be “no”:
Individuals who are processing personal data (see definitions) for personal, family or household affairs are exempt from notification and most of the other provisions of the Data Protection Act 1998. Examples might be a personal address list, Christmas card list or data held in connection with a hobby. This exemption does not apply to individuals who hold personal data for business or professional purposes. Therefore, if there is a commercial aspect to a shoot, even if it is run by an individual, registration will be required.
However, the exemption that is more likely to be relevant for clubs and syndicates is that for “Not for Profit” organisations. This exempt purpose is intended for small clubs, voluntary organisations, church administration and some charities:
To benefit from the exemption:
The data subjects (see definitions) are restricted to any person the processing of whose personal data is necessary for running the club or syndicate (e.g. past, existing or prospective members or those who have regular contact with the organisation).
The data classes (see definitions) are restricted to data which are necessary for running the club or syndicate (e.g. names, addresses, identifiers or eligibility for membership).
Permitted disclosures, other than those made with the consent of the data subjects, are restricted to those third parties that are necessary for running the club or syndicate (BASC, for example).
Retention of the data – After the relationship between the shoot and the data subject ends, data should only be retained for as long as it is necessary for the purposes of running the club or syndicate.
Further written guidance on this exemption is available by telephoning the Information Commissioner’s notification helpline (see below for contact details).
If there is a commercial aspect to the club or syndicate of if for any other reason it is not exempt, notification under the Data Protection Act basically means that the organisation tells the office of the Information Commissioner who it is, the type of personal data it is holding, the purpose(s) for which it is being processed and the types of bodies to whom that information might be passed on. All this information is held on a public register. Registration lasts for one year and currently costs £35 (beware of “registration agents” who tell you otherwise).
Personal data means data which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. It is difficult to envisage any activity involving data which does not amount to processing.
The people whose details you hold
Data controller means a person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed.
Further information, including a “self assessment” questionnaire to establish whether or not you need to register, can be found on the Information Commissioner’s website: www.ico.gov.uk
Other contact details for the Information Commissioner follow, however, they are inundated with enquires and getting through can take some time so you are encouraged to use the Internet:
Data Protection Help Line
Try the FAQ section on the website first but if you still need the helpline:
Telephone: 0303 123 1113 or 01625 545 745
Enquire about notification
Notifying with the ICO is the process by which organisations’ details are added to the data protection public register. If you would like to ask about the obligation to notify under the Data Protection Act please ring the Helpline or email the Notification Team at email@example.com
Advice about the law
If you would like to ask about the legislation the Information Commissioner’s office covers please ring the Helpline or contact the First Contact team at firstname.lastname@example.org
Report a breach of security in your organisation
Please read the ICO guidance to help you decide whether you need to tell the ICO about a breach of security in your organisation and how to do this.
Request for information
If you would like to request information held by the ICO in its capacity as a public authority, or request information about you that is held by the ICO, please contact the Internal Compliance Department at email@example.com
Got an ongoing case?
If you are contacting the ICO’s office about an ongoing case it is really important that you make this clear. If you have an email from them with your case reference number in the subject line please reply to it and your message will automatically be added to your case.
If you do not have an email from the ICO’s office but do have a reference number please email firstname.lastname@example.org and copy the following to the subject line, including the square brackets. Instead of the ‘X’ characters insert your case reference number complete with its three letter prefix. [Ref. XXXXXXXXXX]
Information Commissioner’s Office
01625 524 510
In addition to the head office in Wilmslow, there are also offices in Scotland, Wales and Northern Ireland. Please send notification forms to the Wilmslow office, not the regional offices.
The Information Commissioner’s Office – Scotland
45 Melville Street
Tel: 0131 244 9001
Information Commissioner’s Office – Wales
Tel: 029 2067 8400
Fax: 029 2067 8399
Information Commissioner’s Office – Northern Ireland
51 Adelaide Street
Belfast, BT2 8FE
Tel: 028 9026 9380
Fax: 028 9026 9388