The Data Protection Act 1998 was written by the government to ensure high standards are promoted in the way personal information is handled, and to ensure that an individual whose data is held by a company is given their right to privacy.
Data Protection Act – the basics
It is an Act that should be adhered to by all companies, big and small, dealing with data, especially when the data in question belongs to external individuals or organisations. It covers all types of information held concerning living individuals, whether in an electronic format or on paper. There are eight data protection principles that should be followed. These are:
1. Personal information should be processed fairly and lawfully
2. It should only be processed for specific purposes
3. Data being held must be adequate, relevant and not excessive
4. Any data being stored should be accurate and up-to-date where necessary
5. Data shouldn’t be stored for any longer than is required
6. It should be processed in accordance with the rights of the individual
7. Any data that is stored should be kept secure, with the utmost effort made to ensure this
8. Data shouldn’t be transferred to any countries external to the European Economic Area, unless the information has been protected appropriately.
Your responsibilities as a company owner
If you are dealing with data as part of your business, you may feel it appropriate to take out business insurance that would also cover you in the event that you had a legal case relating to such data – for example, if a person or company feels you are in breach of the Data Protection Act.
You might also want to consider working with a tech support agency that will be able to advise you on the best ways of ensuring data is secure, protected and regularly updated. With online hacking becoming more commonplace, cybercrime is a pertinent concern for data. Hackers are typically looking to get hold of such data and are finding increasingly innovative ways to do so.
If you are capturing data through your organisation, be aware that if you want to send communications out to people whose data you hold, they must have ‘opted in’. It is no longer possible to work on the ‘opt out’ system. This means they have either signed up for your newsletter and agreed to you sending out your communications, or they signed up for this at an event and ticked a box saying they are happy for you to contact them.
You must keep a record of whichever way they came to you, so you can prove it if required. Also, if a customer wants to know what data you have on file, you must let them know and delete this data if requested – you cannot keep it without their permission. They also have the right to see whether the data is wrong and to ask for it to be corrected if so. The power is very much in the hands of the person whose data you hold, rather than the other way around. This is why ‘buying’ data has become increasingly frowned upon, because it carries significant risk to the businesses who are using it to cold contact customers.
As part of the Data Protection Act, you may be required by the Information Commissioner to keep a register of the purposes for which you are using personal information. The commissioner is also required to maintain a register of data controllers, such as firms and people responsible for processing information, which may mean they need to know that you are in the business of dealing with people’s data.
If you are holding or processing information, you will need to record yourself on the register so they are aware. This is referred to as a ‘notification’. You are able to refer to the register online. You won’t need to notify them if you only process personal information for business purposes that are core to your business, such as for your accounting, marketing or staff administration needs.
Not complying with the Data Protection Act can be punishable, and in some cases may involve fines of up to £5,000. You can find out more details about the Act on the ICO website.