Data Protection

How you handle and protect your organisation’s data i.e. your digital or electronic data (including CCTV images) and any data held in structured, easy to access manual filing system is subject to legislation, and by 2018 will also be subject to more stringent EU regulations under the GDPR. It is important to remember that your organisation’s data protection responsibilities exist in order to protect the rights of your staff, your customers, and your stakeholders. The importance of this is underlined by the scale of the penalties that the Information Commissioner could impose on your organisation for breaches of the principles of the Data Protection Act which could be fines of up to £500,000.

What Is Meant By Data?

  1. The data defined within the Act includes any information that is:
  2. Being processed using equipment operating automatically as a response to instructions given for that purpose.
  3. Recorded with the intention of processing that information using that equipment.

Recorded as part of a relevant filing system or with the intention that it should become part of a relevant filing system. A relevant filing system for example could be where you have manual files that contain single categories of information about an individual’s complaint, account, or personal information, and where that information is readily accessible.

The definition can also include information that:

The information relating to data in relation to the DPA included on this web page is intended to be as a general guide and is by no means definitive and complete. For more information follow the links below, or contact us.

Notifying The Information Commissioner’s Office (ICO)

Under the Data Protection Act 1998, as a data controller (e.g. as a company / organisation or sole trader) who is processing personal information, you will need to register with the ICO (known as “Notification”) unless you are exempt. N.B. At the time of writing this 400,000 organisations are registered.

Is There a Fee?

Yes. Registration with the ICO costs £35 each year for organisations turning over up to £23.9m, and £500 for companies exceed this turnover and with more than 250 employees.

What Exemptions Are There?

Exemptions include:

Finding Out If You Need To Register

Find out if you need to register by taking the ICO’s own 5 minute self-assessment test here : https://ico.org.uk/for-organisations/register/self-assessment/

Understanding The Terms

As with any area where the law and regulations are involved it is important to be familiar with the terms.

In this case the “personal data” means any information that relates to a living person, and the individual that the information relates to is known as the “data subject”. The “data controller” is you i.e. the organisation or body using / processing personal data, and “processing personal data” refers to storing, accessing, viewing transferring, and analysing that data. When data is described as “sensitive personal data” this refers to personal data that relates to a person’s sexual orientation, health, race or ethnicity, religious or other beliefs, criminal record, political views, and trade union membership(s).

The Data Protection Act (DPA) 1998

The purpose of the DPA is therefore to create a framework of rights and duties which are designed to safeguard and regulate the use of personal data. This refers to data that is about any living person from which they can or are likely to be (in conjunction with other information held) identified.

More Information

More detailed sources of information about the exact contents and application of the DPA can be found in a series of guides here:

Data - Find out more about what constitutes ‘data’ for the purposes of the DPA by clicking here for a 29 page guide from the Information Commissioner’s Office (ICO).

Relevant filing system - Find out more about what constitutes a ‘relevant filing system’ by clicking here, a 4 page ICO guide.

See also: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/ and how it relates to The Freedom of Information Act 2000.

What Are The 8 Principles of the DPA?

Schedule 1 of The Data Protection Act is essentially laid out in 8 principles that should be followed in order to ensure compliance to ensure that you are following ‘best practice’ for handling, processing and transferring Personal Data. The Principles say that everyone responsible for using the data in your organisation must ensure that it is:

  1. Used / processed fairly and lawfully. This means telling people why the information / data is being collected e.g. as part of a contract of sale or with the person’s consent.
  2. Used for limited, specifically stated purposes. This clearly means that you do not use the data you’ve collected for another purpose. N.B. There should reasonable and lawful purpose for collection of that data in the first place.
  3. Used in a way that is adequate, relevant and not excessive.
  4. Accurate and kept up to date where necessary. This means that you will need to enable / allow persons to update their data e.g. online, and e.g. allow an opt-in (tick to opt-in) approach to marketing.
  5. Kept for no longer than is absolutely necessary.
  6. Handled according to people’s data protection rights. Remember that under the Data Protection Act an individual can make a data subject access request i.e. they can ask your organisation for to supply them you with copies of both paper and computer records and related information that you hold about them. You can charge a fee of up to £10 (this would be £2 if it is a request made to a credit reference agency for information about a person’s financial standing only). If you receive such a request you will need to make sure that you respond promptly and the data is provided within 40 days. N.B. There are exemptions under the Act - find out more here.
  7. Kept safe and secure.
  8. Not transferred outside the European Economic Area without adequate protection. This means countries in the EU plus Iceland, Lichtenstein and Norway. A list of EEA countries can be found on the UK government’s website here.

The Act and Your Staff

Remember that the Data Protection Act applies to the recruitment process of your staff, managing your employee records, and giving workers access to a copy of the information that you hold about them on request. This includes grievance and disciplinary issues, and information you may have obtained through monitoring. Staff monitoring for example could include monitoring of emails and voicemails, P-O-S terminals, CCTV, and information given by other people or agencies.
For more information see the ICO’s Employment Practice Guide: https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf

How We Can Help

If you are a UK business looking for help with any (or all) of your IT requirements, click here.