Data protection has made the headlines in recent months, with stories of organisations which have ‘lost’ vast swathes of customers’ and clients’ precious personal information. These losses damage trust in an organisation and people’s willingness to part with information to receive services, not to mention leaving their personal data vulnerable to unscrupulous identity fraudsters. Data protection and privacy practices have never felt more important.
The Data Protection Act 1998
The Data Protection Act 1998 (DPA) is a key piece of legislation which enshrines people’s right to have their personal information handled responsibly and fairly by organisations and companies with whom they choose to share it. The DPA applies to electronic information and sometimes information on paper too. It is based on 8 key principles of good information practice.
Personal information must be:
Fairly and lawfully processed;
Processed for specified purposes;
Adequate, relevant and not excessive;
Accurate and where necessary, up to date;
Not kept for longer that is necessary;
Processed in line with the rights of the individual;
Kept secure, and;
Not transferred to countries outside of the European Economic Area unless the information is adequately protected.
Understanding the DPA
The term ‘personal information’ means any information which refers to a living individual. This could be names and contact details, opinions, or any information from which a person could be identified. Data controllers are firms and other organisations which process personal information. So a company that holds, records and uses information about customers in the course of its operations would probably be considered a data controller. Most data controllers are legally required to register with the Information Commissioner, to declare their data controller status and to describe how they generally use personal information, a step known as notification.
However some data controllers are exempt from notification if they meet certain conditions. For example a company only processing personal data for its own staff administration, marketing or accounting purposes, i.e. its core internal operations, would probably not need to notify. The Information Commissioner’s website has detailed information and a printable leaflet which will help you work out whether you are legally required to notify.
The DPA also contains provisions which allow individuals to see a copy of all information that you hold about them, and to correct it if it is wrong. This is known as a subject access request, and normally data controllers must comply with these, or have good reasons not to comply (such as if in complying another individual’s data would be revealed) otherwise they risk breaching the DPA.
Information security is a key consideration of the 8 principles; you should be able to show that you have assessed and minimised the risks to the danger you store, and that you are able to keep it safe.
The DPA is in existence to try and give clarity and accountability to the individuals who use your services. High standards for the processing of personal information prove that you can conduct the rest of your business in a similar manner. Most organisations need personal information from the individuals they work with in order to provide services, and studies have proven that people are more willing to provide personal details to organisations that they trust (e.g. the LSE, 2005). Be a trustworthy company, and your business is set to thrive.
Legally speaking, if you fail to meet your obligations under the DPA you could open yourself up to a hefty fine and a severely damaged reputation. If you fail to comply with the DPA you are breaking the law.
Visit the Information Commissioner’s website for more information, or look for a data protection training course in your local area.
This article provides the briefest of introductions to data protection in the UK. It is the work of a qualified information professional, but does not constitute legal advice. Wherever possible it is advisable to take a training course or seek specialist advice from legally trained professionals. In the meantime follow the embedded links given here to find out more about specific areas of data protection.