The Data Protection Act 1998 covers the ‘processing’ of any personal information – which means obtaining, holding, retrieving, disclosing, erasing or destroying that information. The Act governs the use of personal information by businesses and others. It covers information held on computers and in certain manual filing systems, so if your business processes personal information you may need to notify the Information Commissioner.
Businesses which process information using computers, or which use CCTV equipment, generally have to notify the Information Commissioner about the information they are collecting and for what purpose. Businesses that process information for credit referencing, pensions administration or debt factoring must also notify. Check whether your business needs to notify. The general idea is that people can find out what personal information is held about them. Notification costs £35 and must be renewed annually. However, many businesses are exempt and do not need to notify.
Your company will be exempt if you only process people’s personal information for a limited number of business activities. For example, information kept for staff administration is exempt. This includes processing information for personnel purposes such as hiring, paying, managing, disciplining and dismissing staff. Advertising, marketing and public relations activities which relate to your business or its goods and services are also exempt. This exemption applies even if you buy in information for marketing purposes. Keeping information for your accounts on past, existing or prospective customers and suppliers is also excluded (but data obtained from a credit reference agency is not, and must be notified). Information that helps you make decisions about whether to do business with a particular customer or supplier, and make financial and management forecasts, is also exempt.
However, even if you do not need to notify, you must still comply with the Data Protection Act. The Act sets out eight rules, known as ‘principles’, which you must follow to protect personal information.
Stay within the law
If you collect personal information the law says that the information must be:
- processed fairly and lawfully
- processed only for one or more specified and lawful purposes
- adequate, relevant and not excessive for those purposes
- accurate and kept up to date
- not kept for longer than necessary
- processed in line with the rights of the person the information is about
- not transferred to countries outside the European Economic Area – the EU plus Norway, Iceland and Liechtenstein – that do not have adequate data protection
To comply with the above eight principles, you must only collect the information you need. Work out exactly what information you need, and about whom, and make sure you inform the individuals concerned why you want the information and what you are going to do with it. If you intend giving the information to anyone else, for example a specific third party or a more general description such as ‘other companies’ or ‘suppliers’, you should make this clear to the individuals concerned. Give people the chance to opt out of having their personal information processed.
If someone tells you the information you hold is inaccurate you must correct it within 28 days. Erase information you no longer need. Make sure the information is secured against accidental loss, destruction or damage, and also against unauthorised or unlawful processing. You should use a dry, secure and alarmed system so that calamities such as floods, fire and theft do not affect your data. Even if your business uses a third party to process personal information on your behalf, this still applies. Train staff in good information-handling practices and consider making someone responsible for keeping data safe by having a designated key holder.
If an individual makes a written request for information (known as a ‘subject access request’) you must provide them with a copy of the information, but you can charge a fee of up to £10. Any request must be dealt with within 40 days and you must make the information easily understandable, with details of why you are processing their information, anyone it may be passed to, plus any information you have about the source of the information. Do not use the information for direct-marketing purposes if asked not to do so, and do not transfer information to a country unless you are sure the country has adequate data-protection laws or you have the individual’s consent.
Take particular care with sensitive information – for example a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sex life, any actual or suspected criminal offence and any connected proceedings. You can only process such information if the person involved has given specific written consent to its use for clearly stated purposes, or it is needed for legal reasons or for ethnic or anti-discriminatory monitoring.
Notifying the Information Commissioner
The Information Commissioner enforces the Data Protection Act and promotes good practice in handling personal information. It publishes guidance and has a helpline to encourage good codes of practice. It also takes enforcement action where necessary and maintains a register of data controllers – those responsible for processing personal information. It also investigates complaints and undertakes publicity. The Information Commissioner also enforces the Freedom of Information Act 2000, which regulates access to information held by public authorities.
If you are not exempt you must give details about the processing of personal information to the Information Commissioner so it can be included in a public register and people can find out what personal information is held on them. The details to be notified are:
- name and address of the data controller or their representative
- description of the information being processed
- purpose of processing the information
- those to whom the information will be or may be disclosed
- countries outside the European Economic Area – the EU plus Norway, Iceland and Liechtenstein – where data may be transferred
- certain details on information security measures
Either call the Information Commissioner Notification Line: 01625 545 740 or send a notification form. Notifications must be renewed annually for a £35 fee. Changes, which must be notified as soon as possible, are made free of charge.
Monitoring is defined as activities that set out to collect information about workers by keeping them under some kind of observation. If you monitor email and Web use you must inform employees – preferably making it part of their employment contracts. You can only inspect the content of individual emails in a number of restricted circumstances. The law in this area is complex and you should consult a solicitor.
Monitoring can also include video and audio monitoring, covert monitoring, in-vehicle monitoring and using information from others. However covert monitoring will rarely be justified and you must be sure there are clear grounds for suspecting criminal activity or equivalent malpractice. Consider whether the activities you wish to monitor are serious enough to involve the police (even if you do not involve them), before you consider covert monitoring.
Anyone responsible for monitoring in your business must be aware of the Act and its implications. Keep to a minimum the number of workers who have access to personal information obtained through monitoring.
Any adverse impact of monitoring on employees should be justified by the benefits to employers and others. Consider the purpose behind monitoring. Could monitoring have an adverse impact, for example by creating resentment and lack of trust? Think about alternatives and take into account obligations that arise from monitoring, such as setting up new processes to ensure records are secure. Best practice suggests workers should be made aware of the nature, extent and reasons for monitoring, unless covert monitoring is justified. Make sure that if you monitor employees to enforce your business’s rules and standards, everything is clearly outlined in the company policy statement, which should also refer to the nature and extent of any associated monitoring.
Enforcement and penalties
Offences include failure to notify (where a data controller has failed to notify or to make changes to their notification entry), knowingly or recklessly obtaining, disclosing, selling etc. personal information without the consent of the data controller, and non-compliance with a notice issued by the Information Commissioner. The Information Commissioner can bring a criminal prosecution. Failure to notify carries a maximum penalty of £5,000 plus costs in a Magistrates’ court or an unlimited fine in the Crown Court. If an individual suffers damage and/or distress as a result of non-compliance, he or she can apply to the Court for compensation.
Beware of bogus data protection agencies
There are bogus data protection notification agencies which you should be aware of. In fact, over 200 businesses a month can fall victim to bogus agencies and scams. Fake agencies target unsuspecting businesses and demand money in order to register their business under the Data Protection Act. Remember that the Information Commissioner is the only statutory authority for administering and maintaining the public register of data controllers. Do not trust anyone else. It only costs £35 per year for official notification. Be wary of official-looking headed letters, or letters that use threatening language to scare businesses into paying, and contact the Information Commissioner’s Office if in any doubt.
For further information contact www.ico.gov.uk or call 01625 545 745 or 08456 30 60 60