The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

The Data Protection Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles that state that the personal information is:

1. Fairly and lawfully processed

Have legitimate grounds for collecting and using the personal data; do not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their data; handle people’s data only in ways they would reasonably expect; and make sure nothing is done unlawfully with the data.

2. Processed for limited purposes

Be open about the reasons for obtaining personal data, and that what is done with the information is in line with the reasonable expectations of the individuals concerned.

3. Adequate, relevant and not excessive

Identify the minimum amount of personal data needed to fulfil the purpose. Do not hold more.

4. Accurate and up to date

The law recognises that it may not be practical to double-check the accuracy of every item of personal data received, but reasonable steps should be taken to ensure that it is. Identify the data’s source.

5. Not kept for longer than is necessary

Review the length of time personal data is kept; consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.

6. Processed in line with your rights

A person has the right: of access to a copy of the information comprised in their personal data; to object to processing that is likely to cause or is causing damage or distress; to prevent processing for direct marketing; to object to decisions being taken by automated means; in certain circumstances to have inaccurate data rectified, blocked, erased or destroyed; and to claim compensation for damages caused by a breach of the Act.

7. Secure

Design and organise security to fit the nature of the personal data held and the harm that may result from a security breach; be clear about who in the organisation is responsible for ensuring information security; make sure the correct physical and technical security is deployed, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.

8. Not transferred to other countries without adequate protection

Data should not transferred to a country or territory outside the European Economic Area unless there is an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data.

Principle Eight is designed to protect personal data being sent to countries with inadequate data protection regimes. Cloud computing is making it difficult to know where in the world data is being held, and this has prompted the Information Commissioner to draft a new code for keeping personal information online.

The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held about them in both electronic form and in most paper records.

Do you need to notify?

The Data Protection Act states that, depending on how they handle personal data, some organisations may need to 'notify' the Information Commissioner's Office (ICO).  The ICO is the independent body set up to uphold the Act.  Notifying is a simple process of registration that can be completed online and costs £35.00 per year.  The Act is complex, and understanding exactly who needs to notify can be confusing, however, failure to notify is a criminal offence.

ICB expects all Practice Licence holders to register under the Data Protection Act. 

If you are employed by a company, you do not normally need to be registered.  Similarly you do not normally need to register if all the work you do as a Practice Licence holder is subcontracted to you by a firm of accountants which is itself registered and which provides instructions to you for how the data should be processed.

Register online with the ICO


The DPA states that an organisation needs to be registered if they 'process' 'personal information' using automated/'computer' systems and if they 'control' that data.  The Act also states that the requirement to register falls on organisations who satisfy those criteria and whom are processing the data for the 'purpose of accountancy and auditing'.

Personal information means information which relates to a living individual who can be identified from that information. It is also any other information which is in the data controller’s possession, or that is likely to come into their possession.

Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on that data. Processing includes the following activities: organising, amending, consulting, disclosing, destroying, adapting, retrieving, using, erasing, storing

Processing on computer If none of your processing is carried out on computer, there is no requirement to notify. The term ‘computer’ includes any type of computer and also includes other types of equipment which, although not normally described as computers, nevertheless have some ability to process automatically; eg automatic retrieval systems for microfilm and microfiche, audio and visual systems, electronic flexi-time systems, telephone logging equipment and CCTV systems.

Data controller means a person who (either alone, or jointly, or in common with others) decides how and why any personal information is to be processed. You do not need to notify if you are a data processor. Data processors only process personal information in-line with instructions from data controllers.

Crucially, as a 'data processor' you are not necessarily required to register.  It is when you control how and why the information is processed that you are required to register, and you are considered to be a 'data controller'.

Historically the ICO has presumed that bookkeepers merely provide a recording service of financial transactions and that they are not called upon to provide 'advice' or to guide clients as part of their contract. Accountants, on the other hand, have always been expected to register as they are deemed to provide advice and are therefore considered to be data controllers.

In ICB's experience, bookkeepers are called upon for all sorts of advice and many will complete Tax Returns and other company documentation. They may also be required to pass on information to a third party, for example a firm of accountants. It is also significant that bookkeepers have been included along with accountants as Accountancy Service Providers under the money laundering regulations.


Further reading

External Links:

Data Protection Toolkits


To maintain their status as the UK's leading bookkeepers, members are committed to following the ICB CPD Policy.

Read more

Ready-made templates for your business cards & letterheads, and a guide to the compulsory information they must include.

Read more

Read our selection of helpsheets & case studies for help with your professional work & bookkeeping studies.

Read more

Students and members can update account details, book an exam, apply for a job or choose a new password all in MyICB.

Read more