
Understanding Data Protection

When you collect and store information about your customers, whether on paper or electronically, you must ensure that the data is kept secure and used responsibly. There are laws in the UK and overseas that protect the rights of individuals with respect to how their information is used by third parties. In the UK, the Data Protection Act 1998 covers the collection, storage, retrieval, disclosure and erasure or destruction of personal information.

It is important to be fully aware of your data protection obligations: an individual may seek compensation if they suffer damage or distress because your business has handled their information in a way that contravenes the data protection rules.

The Information Commissioner

The Information Commissioner is an independent official appointed by the Crown to oversee the Data Protection Act 1998 and the Freedom of Information Act 2000. The Commissioner reports annually to Parliament. The Commissioner's decisions are subject to the supervision of the Courts and the Information Tribunal.

If your business collects and stores personal data on computers or CCTV equipment, you are normally required to register with the Information Commissioner, stating what information you collect and how it is used. However, many businesses are exempt from registration, particularly those that only process data for a limited range of core business activities (such as staff administration, accounts and records, and advertising or marketing of their own business).

Rules that apply to all businesses

Even if you are not required to register with the Information Commissioner, there are still a number of legal requirements you must adhere to when dealing with personal information. These are referred to as the data protection principles, and they state the following:
  • Personal information must be obtained for specified, limited purposes and must not be used in any way that is incompatible with those purposes.
  • The information collected must be adequate and relevant, and no more than the minimum required to deliver the service.
  • The information must be accurate and, where necessary, kept up to date.
  • The information must be kept secure against unauthorised access, loss, damage or destruction.
  • The information must not be kept for longer than is necessary for the purpose it was collected for.
  • The information must not be transferred to countries that do not provide an adequate level of protection for personal data.
  • You must always be clear with your customers about what information will be required, how it will be collected, and how it will be used and stored. Before any personal information is collected you must also tell the individual whether their information will be passed on to any third party and how that third party will use it.

Keeping information secure

Whenever you collect information about an individual you are automatically obliged to keep that information secure. This means that before you disclose any personal information over the phone you must verify that you are speaking to the individual who originally provided it. This can be done by asking a number of security questions that only they would know the answer to; do not read any of the held information back to the caller until that verification is complete, because the details you would be reading out are exactly what an impostor is trying to obtain. You must also never pass information about any of your customers to a third party unless the customer has explicitly consented to this.

If you store information electronically then you must ensure that the systems you use to do so are protected against unauthorised access, loss and corruption, for example by restricting access to staff who need it, using strong passwords, and keeping the systems patched and backed up. You should also ensure that once the information is no longer needed to deliver the service to the customer it is erased or destroyed, including any copies held in backups or on portable media, and that paper records are shredded rather than simply thrown away.

The customer's rights

If you hold personal information about an individual, they have the right to request a copy of all the information you hold about them. You may charge the individual an administration fee of up to £10 for providing this information. This is known as a 'Subject Access Request' and must be made in writing by the individual. The information must be presented in a clear, legible format and delivered within 40 days of receiving the request.

You must also stop using an individual's information for direct marketing purposes if they ask you to; individuals have the right to opt out of direct marketing at any time.

Privacy Statements

A privacy statement is a written notice made available to all users of your service that clearly defines how personal information will be collected, stored, used and disposed of. If you carry out your business online you should have a privacy statement that is easily accessible from every area of your website. The Company Wizard provides a downloadable privacy policy for use in your business that covers the key data protection principles.
