Practically any business in the UK that holds information about its employees, customers, clients or anyone else will be subject to data protection law.
The Data Protection Act 1998 (DPA) creates both civil and criminal liability for companies that do not comply with its provisions, so it is important for businesses to make sure they are compliant. There is a whole host of provisions that an unwary business could fall foul of, so it is important to ensure that the handling of personal data within the business is both lawful and secure.
The DPA applies to personal data however it is stored. The information itself does not have to be confidential, but to fall under the DPA's protection the data must be capable of identifying a living person, whether in their personal or professional capacity.
Once a business holds personal data, obligations are placed upon it as to how it 'processes' that information. 'Processing' covers almost anything done with personal data: obtaining, recording, holding, storing, using, disclosing or deleting it.
What the DPA requires is that personal data is used in accordance with the Data Protection Principles:
- Data must be processed fairly and lawfully.
- Data must only be obtained for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with those purposes.
- Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed. Essentially, the data controller should only obtain the data it actually needs.
- Data must be accurate and, where necessary, kept up to date.
- Data must not be kept for longer than is necessary for the purpose for which it was obtained.
- Data must be processed in accordance with the rights of data subjects under the DPA, including the rules governing Subject Access Requests.
- Appropriate technical and organisational security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data.
- Personal data must not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the rights of data subjects.
So, a few practical points if your business could be 'processing' 'personal data':
- Ensure you have a data protection policy that is relevant to the needs of your business.
- Appoint a named individual to take responsibility for data protection and to keep all the personal data the business processes under review. (Note that under the DPA the 'data controller' is the business itself, not the person appointed.)
- Regularly review and update all client and customer databases, correcting inaccurate records and deleting data that is no longer needed.
- Deal with Subject Access Requests promptly and in the proper manner.
Data protection is a key area with which all businesses must be compliant. Call Ironmonger Curtis on 0845 225 2635 / 01142 536 559 for practical legal advice on how your business can navigate this complex area of law.
ACAS produces a guide on personnel data and record keeping.
The Information Commissioner's Office (ICO) also produces a great deal of useful guidance.