The Data Protection Act and Your Business
Everyone's heard of the Data Protection Act 1998, but very few business owners know how it relates to their business, or even the full extent of the Act.
The Data Protection Act 1998 defines the UK law on processing information about identifiable living people. Although it does not mention privacy, the Act was brought in to bring the UK in line with the EU Data Protection Directive, which does protect people's fundamental rights, such as the right to privacy.
Do I really need to comply?
Do you handle or possess clients' personal information, such as their name, address or contact details? If the answer is yes, then you have to comply.
Do you handle or possess personal information about your staff? If the answer is yes, then you have to comply.
A full list of what is deemed as personal data can be found below.
What is defined as personal data?
Basically, it's any information that can be used to identify a living individual. Anonymised or aggregated information is not covered by the Act, provided there is no way to reverse the anonymisation.
Individuals can be identified through their:
- Phone Number
- Address (even if it's just a postcode)
- Email Address
This list contains just some of the information that can be used to identify someone.
The Act only covers information that is held, or is intended to be held, in a relevant filing system such as a paper based or electronic system.
The Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data.
The person who has their data processed has the right to:
- View the data an organisation holds on them. A 'subject access request' can be made for a nominal fee.
- Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
- Require that data is not used in any way that may potentially cause damage or distress.
- Require that their data is not used for direct marketing.
The Principles of the Data Protection Act
The Act itself is made up of 8 principles that have to be adhered to. These are:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects (individuals) under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
What is schedule 2?
For processing to satisfy the first principle, at least one of these six conditions must be met:
- The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
- Processing is necessary for the performance of, or commencing, a contract;
- Processing is required under a legal obligation (other than one stated in the contract);
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary to carry out any public functions;
- Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).
You need to get consent in order to gather any personal information. Consent is defined as any freely given, specific and informed indication of their wishes by which the data subject signifies their agreement to personal data relating to them being processed. If consent is given, you shouldn't take this to mean it lasts indefinitely. In most cases the data should only be held until the purpose for which it was collected has been met.
You may have heard the term Data Controller used before. If you own a business in which you have access to the personal information of individuals, then you need to have an appointed Data Controller.
The following is the definition given by the ICO (Information Commissioner's Office): "A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."
Responsibilities of Data Controllers
There are certain obligations that have to be met by data controllers. These are:
- All data controllers must comply with certain important rules about how they collect and use personal information, and
- Some data controllers must register annually with the Data Protection Commissioner, in order to make their data handling practices transparent.
Register with the ICO
If your business is handling personal information, then you need to have an appointed data controller, and this person then needs to register with the ICO. Information about the ICO and how to register can be found here.
Every business is different. What you register for, and how you process data, will vary from business to business. If you're unsure, we'd recommend speaking to the ICO.