If you have a business, then you have customers (definitely), suppliers (probably) and employees (possibly). And that means you have the Data Protection Act. Many people aren’t sure of their responsibilities under the DPA – partly because it’s a complex area, and partly because it’s about as interesting as a snail race. So here is an overview of the key things you need to know about the DPA – keeping it simple (and not so tedious…)
- The ‘data subject’ is the person concerned – not the topic of information! It only applies to living, identifiable individuals. So info relating to companies or the dearly departed isn’t covered.
- If you hold the information, you are the ‘data controller’, and have to register with the Information Commissioner. The data must be held on a ‘relevant filing system’ – this can be electronic or manual records. A shoebox of old Post-Its and notes scribbled on the back of an envelope don’t count as a filing system, but information captured on CCTV, recorded phone calls, Blackberries etc. does.
- ‘Processing’ data simply means using it in any way. So the ‘data processor’ can be you, or can be any 3rd party that uses the data to provide a service (e.g. sending out mailshots to your client list). The data controller is liable for the data processor’s actions – so make sure that your data processor isn’t falling foul of the DPA! It’s a good idea to check their security measures, systems etc. and ensure they only act on your instructions.
- ‘Personal Data’ refers to – well, anything really. ‘Sensitive Personal Data’ refers to very personal info, including anything relating to someone’s race, health, political or religious views, sex life or criminal record – and the rules of the DPA are even tighter when it comes to that information! So avoid collecting anything sensitive unless you really, really need it – e.g. for legal or medical reasons, or for equal opportunity monitoring.
- There are 8 Principles of the DPA that you have to comply with (here comes the science bit…):
  - Process data fairly and lawfully.
  - Obtain and further process data only for specified and lawful purposes.
  - Process adequate, relevant and not excessive data.
  - Keep data accurate and up to date.
  - Keep data no longer than necessary.
  - Process with regard to the rights of data subjects.
  - Keep data secure.
  - Only transfer data outside the EEA if there is adequate protection.
Obviously what constitutes ‘adequate’, ‘necessary’, ‘relevant’ etc. is pretty much open to interpretation – so that means you need to be able to completely justify what data you collect and how you use it! So make sure you have a very valid reason for anything you do concerning personal data.
- To collect and use any data, you need the data subject’s consent – for most data this can be implied (e.g. by not actually refusing consent) but for sensitive data, the consent has to be explicit (such as ticking an opt-in box). Either way, make sure they know what specific thing you are using the data for – such as for marketing – and don’t use it for any other reasons!
- Don’t keep data forever ‘just in case’ you need it! There may be legal or regulatory reasons to keep information for a minimum period of time, such as tax or accounting information or limitation periods for claims or contracts, which you can use as guidance. So stay on top of your records management, and every now and then, have a cleanup of your database. This will also help you make sure your info isn’t out of date. Besides, like clearing out your wardrobe, it can be very therapeutic, and a good way to start the New Year!
- The data subject has various rights, including to see any data on them, have their data removed or corrected, to object to how it’s used, and to complain to the Information Commissioner – even get compensation – if they are unhappy. So don’t risk upsetting your data subjects, as it only takes one disgruntled punter for it to come back and bite you on the bum.
- One of the key issues is security, both organisational and technological, against not only dodgy use, but also against accidental loss or damage. Unlocked cabinets, unpassworded documents, or unshredded papers scrumpled up in a bin could all be breaches of Principle 7. Not to mention leaving a file open on a train while you nip to the buffet compartment, or even someone looking over your shoulder at your laptop screen in Starbucks – so stay vigilant!
- Be careful who you pass someone’s data to – these disclosures could be dodgy! Be sure of someone’s identity if they ask to see their own data (bad news: you only have 40 days to comply if they ask; good news: you can charge them £10 for the privilege if you like). And never pass someone’s information to a 3rd party without the data subject’s consent unless there is an exemption in place, such as a legal requirement. Make sure you know what the other party will be using the info for, and edit the data if necessary to remove any info relating to another data subject who hasn’t consented.
- If you have employees, or are recruiting some, there are 4 specific Codes of Practice regarding employee data. These relate to (another science bit):
  - Recruitment and selection
  - Employment records
  - Monitoring at work
  - Medical information
There are various implications for record keeping and use, disclosures and keeping people in the loop about their data and what you’re doing with it. So your best bet here is to get some professional advice on what to do/not do to ensure you don’t inadvertently mess up, because the Information Commissioner won’t take ignorance as an excuse, and neither will an employment tribunal!
- Finally, ‘Commander Data’ works on the Starship Enterprise and has nothing to do with the Data Protection Act. Just thought I’d clear that up.