Data Protection and Tendering

Pre-qualification Questionnaires usually include questions on Data Protection, the best source of information to assist you with these questions is the Information Commissioner's Office.

The first question is likely to be:

     Does your organisation have a valid Notification in the Register      of Data Controllers published by the Information Commissioner?

  • If yes, please provide your organisation’s registration number
  • If no, please state the reason for the exemption

The answer to this question can be found on website of the Information Commissioner's Office and within the Data Protection Act.

computer mouse Search the register online here:


The Data Protection Act 1998 requires every data controller (e.g. organiation, sole trader) who is processing personal information to register with the ICO, unless they are exempt.

The Information Commissioner Office has an on line Self-Assessment Tool that will tell you if organisation needs to register or not.

comp mouse Visit:

If you do need to register you can register via the Information Commissioner Office website.

comp mouse Visit

Additional Questions

The Pre-qualification Questionnaire may go on to ask some more detailed questions around your organisation’s approach to Data Protection. Below are the areas you are likely to be asked to respond to and again the best sources of information are the Information Commissioner's Office and the Data Protection Act.

Organisational and Technical Security Measurers

The Data Protection Act states: 
Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • be clear about who in your organisation is responsible for ensuring information security;
  • make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively
mouse comp

More information:

Staff Training

Advice from the Information Commissioner’s Office:

It is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy; and that they put its security procedures into practice. So you must provide appropriate initial and refresher training, and this should cover:

  • your organisation’s duties under the Data Protection Act and restrictions on the use of personal data;
  • the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
  • the proper procedures to use to identify callers;
  • the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and
  • any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).

The effectiveness of staff training is dependent on the individual’s concerned being reliable in the first place. The Data Protection Act requires you to take reasonable steps to ensure the reliability of any staff who have access to personal data.

Incident Management and Reporting

Advice from the Information Commissioner’s Office:

Reporting a breach

Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.

comp mouse

‘Serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

Complaint Management

This is the Advice from the Information Commissioner’s Office:

What happens when someone complains?

If a member of the public is concerned about your information rights practices, we believe that you, as the organisation responsible, should deal with it. We expect you to respond to any information rights concerns you receive, clarifying how you have processed the individual’s personal information in that case and explaining how you will put right anything that's gone wrong.

If a member of the public has engaged with you but is still dissatisfied, they may report their concern to the ICO.

comp mouser For further information, read the ICO’s more detailed guidance:

The Information Commissioner’s Office have identified a top five tips on data protection for small and medium sized charities and third sector organizations

Top five tips:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
 comp mouse Salford CVS also has a Data Protection Fact Sheet on our

contact us

sign up

Join us

Get In Touch

Salford CVS & Volunteer Centre
Registered address 
The Old Town Hall 
5 Irwell Place 
Salford, M30 0FN

Tel: 0161 787 7795 


Salford CVS is the city-wide infrastructure organisation for the voluntary, community and social enterprise sector; providing specialist information, advice, development support and opportunities for influence and collaboration.

Latest Blogs

I started with Salford CVS as a Neighbourhood Volunteer Worker in the middle of the pandemic in

Volunteers’ week takes place from 1st -7th June every year and is always special to us at Salfor

As life slowly gets back to some form of normality, we need to look at restarting face to face a