Data Protection Principles spotlight
More or less all businesses in the UK hold information about their employees, customers and clients. The Data Protection Act 1998 (DPA) protects data which is capable of identifying a living person, whether in their personal or professional capacity. This includes the names and addresses of clients, customers and employees. So, if you think your organisation is not going to be caught by the DPA and its principles because you are a small employer, think again!
However, the Data Protection Principles are fairly simple to follow and largely articulate common sense. This handy guide will help you keep up to date with your obligations.
What is processing?
The DPA regulates the ‘processing’ of data – but what is processing? Processing is generally understood to include holding, storing, using, deleting, obtaining, recording, disclosing or having personal data. In other words: if you have data, then you are processing it.
The Data Protection Principles
Businesses have to hold data in accordance with the Data Protection Principles. These are the commandments for processing data:
- Data must be processed fairly and lawfully
‘Lawful’ relates to the method of obtaining that specific data. If the data has been stolen, or obtained by duress, deceit, bribes or inducements, then it has been (and will be) processed unlawfully.
‘Fair’ relates to how that data is processed once it has been obtained. For example, a customer may provide personal data to purchase a service, which is a lawful collection of data. However, if that data is then used to send unsolicited spam mail, this is not fair processing.
We have a lot more information on fair and lawful processing here.
- Data must only be obtained for specified lawful purposes.
You should have a reason to hold the data, and that reason should be legitimate. This is generally common sense. If you’re processing someone’s address so that you can send them a payslip, this is clearly lawful. If you’re processing someone’s address so you can spam them, this is not going to be lawful. Generally speaking, an individual must be informed of the purpose for which data is being gathered.
- Data must be adequate and relevant in relation to the purposes for which it is processed.
Don’t get what you don’t need, or more than you need!
- Data must be accurate and, where necessary, kept up to date.
This really refers to the way in which data is held: the data needs to be “clean”. In other words, if you are holding a large database, you must have a strategy for keeping it up to date and accurate.
- Data must not be kept for longer than is necessary.
This is more or less self-explanatory. If you are not processing the data, you don’t need it. One consideration here is the limitation periods for legal claims of 3, 6 or 12 years, depending on what is being claimed. If you need someone to give evidence in court, it’s going to be hard if you cannot find the evidence. Always consider why you have data and whether you need it. The DPA gives businesses a positive obligation to review their data and make sure they are not holding it for longer than is needed.
- Data must be processed in accordance with the rights of data subjects under the DPA and be provided in accordance with the rules surrounding Subject Access Requests.
Subject Access Requests are where an individual (the data subject) asks to see all data relating to them. Data controllers must comply with requests promptly and within 40 days from receipt of the request. These can be tricky, as you cannot disclose information about others who also have data protection rights. If you do disclose protected personal data about someone else, this will be a breach of the DPA. Equally, if you do not disclose enough, you will also be in breach. It’s a careful balance, and you need to be up on your obligations.
- Appropriate security measures must be taken to prevent unauthorised or unlawful processing of personal data, and accidental loss, destruction or damage to it.
Maintain good encryption software, or restrict access with passwords, to comply with this principle. Don’t leave a laptop or mobile phone full of people’s names and addresses on a bus either. This also means ensuring your staff follow good practice, which may require specific training if your staff deal with data, sensitive issues, the public or subject access requests generally.
- Personal data must not be transferred outside the European Economic Area unless the destination country ensures an adequate level of protection.
You can find a full list of the European Economic Area countries here: http://www.companieshouse.gov.uk/about/miscellaneous/listeeaCountries.shtml. Even if a country appears to be safe for your purposes, to comply with this obligation you will need to ensure that the recipient has systems in place. So if you have your manufacturing undertaken in China or the United States of America and you send them lists of customers to ship to, you will need an express statement from them that they will comply with the data protection principles.
Good ways to limit problems with the processing of data are to adopt a Data Protection Policy and to appoint a Data Controller to manage your business’s compliance. This is not too complex, but if you get a Subject Access Request and do not know how to respond, it can be tricky to put these things in place after the fact. Make sure you train your staff on data protection issues.
Feel free to check out our main data protection pages for more information.