Data protection is a big issue
The recent TalkTalk data breach serves to highlight how vulnerable many organisations are in terms of holding data, whether it be customer details as it was in that particular case, or employee information as would be the case for many companies.
Cyber-hacking is a relatively new problem and security measures will continue to evolve. But there is already legislation in place to regulate how personal information should be held by companies: the 1998 Data Protection Act.
With more and more organisations starting to use computers to store and process personal information during the 1990s, there was growing concern that information could be misused or get into the wrong hands. A number of concerns arose, for example; who could access this information? How accurate was the information? Could it be easily copied? Was it possible to store information about a person without the individual’s knowledge or permission? Was a record kept of any changes made to information?
The Data Protection Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them. Other European Union countries have passed similar laws, as often information is held in more than one country. The 1998 Act covers data about living people which is stored on a computer or in an organised paper filing system. The basic principle is that the act sets up rules that have to be followed when storing and using information and it establishes an official body to enforce the rules, the Information Commissioner. The scope of the Data Protection Act covers use of personal information by organisations, businesses and/or the government.
Roles and registration
Any organisation or person who needs to store personal data must apply to register with the Information Commissioner.
Data Controllers, i.e. those collecting and storing the information, must declare what information will be stored and how it will be used - in advance. This is recorded in the register.
Each entry in the register contains:
- The data controller's name and address;
- A description of the information to be stored;
- What they are going to use the information for;
- Whether the data controller plans to pass on the information to other people or organisations;
- Whether the data controller will transfer the information outside the UK;
- Details of how the data controller will keep the information safe and secure.
Types of personal data
Personal Data: Some data which is stored on a computer is personal and should be kept confidential, for example, bank details and medical records. If someone who is not entitled to see these details can obtain access without permission it isunauthorised access. The Data Protection Act sets up rules to prevent this happening.
Sensitive Personal Data is also about living people, but it includes one or more details regarding:
- racial or ethnic origin
- political opinions
- membership of a trade union
- sex life
- criminal activity
There are fewer safeguards for personal data than there are for sensitive personal data. In most cases a person must be asked specifically if sensitive data can be kept about them.
The 8 Data Protection Principles
- For personal data that is stored and processed, the following rules apply:
- It must be collected and used fairly and within the law;
- It must only be held and used for the purposes as set out to the Information Commissioner;
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless this is what was initially proposed;
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail to work with but not too much information for the job that you are doing with it;
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move house;
- It must not be kept longer than is necessary for the registered purpose. This rule means that it would be wrong to keep information about past customers or employees longer than a few years and certainly not indefinitely;
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. This also includes the secure destruction of information that is no longer needed;
- The files may not be transferred outside of the European Economic Area unless the country that the data is being sent to has a suitable data protection law. This part of the Act has led to some countries passing similar laws to allow computer data centres to be located in their area.
The rights of data subjects
Under the Data Protection Act, people who have data stored about them have certain rights:
- A right of access
Under the terms of the Act, you are entitled to see certain information which is held about you. If you want to do this, you need to submit a request in writing to a company Director. The Company is then obliged under the Act, to provide such data within 40 days from receipt of the request. Companies sometimes charge for this service, usually around £10.
- A right of correction
If the information stored about you is incorrect or out of date, you have the right to insist that the record is corrected accordingly.
- A right to prevent distress
You have the right to prevent the use of information stored about you, if it would be likely to cause you distress.
- A right to prevent direct marketing
You have the right to prevent your data being used in attempts to sell you things (e.g. by junk mail or cold calling.)
- A right to prevent automatic decisions
You may specify that you do not want a data user to make "automated" decisions about you where, through points scoring, a computer decides on, for example, a loan application.
- A right of complaint to the Information Commissioner
You can ask for the use of your personal data to be reviewed by the Information Commissioner who can enforce a ruling using the DPA. The Commissioner may inspect a controller's computers to help in the investigation.
- A right to compensation
You are entitled to use the law to get compensation for damage caused if your personal data is inaccurate, lost, or disclosed without prior authorisation.
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act.
- Any personal data that is held for a national security reason is not covered;
- Personal data held for domestic purposes only at home, e.g. a list of your friends' names, birthdays and addresses does not have to keep to the rules.
- HMRC or the police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files;
- Doctors are permitted to keep information from patients if they think it is in their best interests;
- school pupil has no right of access to personal files, or to exam results before publication;
- A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes;
- Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals specifically;
- Employment references written by a previous employer are exempt;
- Planning information about staff in a company is exempt, as it may damage the business to disclose it.
When planning and running your business operations, it’s important to remember that the Data Protection Act is not just a list of guidelines, it’s the law. So it is crucial that information about your staff and customers are stored appropriately and that those collating information or with access to personal information are aware of the parameters. Note that there is no exemption for small or micro businesses so the size of your business offers no protection at all.
What happens if you breach the Data Protection Act?
If you breach the Data Protection Act, the maximum fine is £500,000. You could also face prosecution for serious breaches. So it is well worth investing some time to make sure that your systems are secure and that your data is managed properly.
Claire Healy, HR Consultant