Data Protection in a nutshell
Many businesses continue to bury their heads in the sand, thinking that data protection laws are little more than toothless red tape. At the same time, gruesome examples of data protection breaches hit the headlines with increasing regularity.
While the criminal fraternity has long realised the value of personal data and the potential spoils from identity theft, the business community has been slow to appreciate the need to respect the personal data of its customers and clients.
Recently, the Financial Services Authority (FSA) fined The Nationwide Building Society £980,000 for the loss of a laptop which contained "confidential customer data". The Nationwide was found to have failed to implement adequate risk management systems. The fine is substantial. However, where a business has been found to have breached data protection laws, the greater damage (albeit harder to quantify) can be in terms of loss of reputation, trust and goodwill and damage to the brand.
The Information Commissioner (the IC) – who polices the Data Protection Act (the Act) – understands that adverse publicity can be a more potent sanction than a relatively small fine. On 13 March 2007, he “named and shamed” 11 banks and other financial institutions in breach of the Act after investigating complaints concerning the disposal of customer information. Household names such as Alliance & Leicester, Royal Bank of Scotland, NatWest, Barclays Bank, Nationwide Building Society and The Post Office were all found to have discarded personal information in waste bins outside their premises. The IC required these organisations to sign formal undertakings, breach of which could result in prosecution.
If the message were not already clear enough, the climate for enforcement of data protection is set to tighten further. The Government has announced that it will introduce much tougher powers on those found guilty of trading in – or deliberately misusing – the personal data of others. Judges will have the power to impose prison sentences of up to two years in addition to unlimited fines. Although these changes are aimed primarily at those who are deliberately misusing personal data for profit, they are an indication of the seriousness with which the government is treating the issue of personal data privacy.
And, under the Act, company directors as well as other managers, the secretary or similar officers can be found personally guilty of offences where committed with their consent or connivance or where attributable to their neglect.
Lawyers and accountants – while used to advising their clients – also need to take care in their own businesses. The Information Commissioner announced a crackdown against solicitors and accounting firms who consistently fail to fulfil their obligations under the Act. Recently, the IC prosecuted an accountant for offences under the Act. Abdul Ghafoor of Yorkshire Business Management was convicted following a trial and fined £350 and ordered to pay £500 costs. This follows prosecutions last year when Acorn Accounting of Leeds was fined £300 and ordered to pay costs of £150, and its officers were also personally fined. In March 2005, solicitors Feld Mckay and Donner were fined £3,150 for breaching the Act.
So, what do you have to do to comply with the Act?
Data protection in a nutshell
The Act regulates the processing of personal data by data controllers (see the definitions table).
Broadly, to comply with the Act you have to:
o notify your processing operations to the IC and obtain a registration under the Act, and
o process personal data in accordance with the Eight “Data Protection Principles”.
Notification
All computer processing of personal data must be notified to the IC. It is a criminal offence to process personal data without being included on the register maintained by the IC.
This is the simplest aspect of the Act to comply with, and it is also the failure to comply with this aspect that is most likely to be identified by the IC and penalised.
Notification is relatively straightforward and can be carried out by completion of a form on the IC’s website (http://www.ico.gov.uk) and payment of the official fee of £35.
There are some exceptions to the requirement to notify (e.g. some not-for-profit organisations) but, even if an exception may apply, it is advisable to notify in any event to avoid committing an offence.
Data protection principles
Anyone who processes personal information must comply with the Eight Data Protection principles as follows:
1. Processed fairly and lawfully
In practice, this is the most important principle. To comply, you must ensure that processing can be justified under one of several conditions set out in the Act. The most important condition is that the person has given his or her consent. Where the data is “sensitive”, consent must be “explicit”.
Also, under this principle, a person must be fully aware of the ways in which their personal data may be processed in order for that processing to be considered fair. This information is usually provided through use of a privacy policy.

2. Processed for limited purposes
Where you are collecting data pursuant to a privacy policy, then you may use that data only in accordance with the policy and not for other purposes.

3. Adequate, relevant and not excessive
You should not collect more information than you need. For example, applicants for jobs should not be asked to provide information which, in fact, will only be needed for the successful candidate.

4. Accurate and up to date
You need to take reasonable steps to ensure the accuracy of information. This could include periodically checking with clients and contacts that their data in your CRM database is up to date.

5. Not kept for longer than is necessary
Personal data should not be kept for longer than is necessary. Equally, it should not be discarded if doing so would render the record inadequate.
Specific legal provisions may require the retention of records for a set period (for example, tax/compliance records). It may be necessary in some cases to retain information to defend legal claims which may be made in the future. Unless there is some legitimate reason for keeping them, personal data should be deleted when the possibility of a claim arising no longer exists (i.e. when the relevant statutory time limit has expired).

6. Processed in line with individuals' rights
Individuals have a right to see information that is held about them. This is known as the right of “subject access”.
If you receive a subject access request, you must deal with it promptly and in any case within 40 days of the date of receiving it.
Not all information should be disclosed. For example, you should not disclose information about other people or which was received in confidence.
Individuals also have the right to require a business to stop sending them direct marketing materials.

7. Data security
This principle requires that appropriate policies and procedures are in place to safeguard personal data. This includes implementing a data security policy; restricting access to data to authorised personnel; making sure that data is physically secure; training and educating staff on organisational security measures; and ensuring IT systems can withstand unauthorised access.
If you appoint a service provider to carry out any data processing services, you must put in place a contract with the service provider which includes clauses giving appropriate guarantees regarding data security.

8. Not transferred to other countries outside the EEA without adequate protection
Transferring personal data outside the EEA without taking adequate legal precautions is a serious breach as it effectively means that data subjects lose the protection of the Act. There are a range of options as to how to carry out international data transfers legally.
Because the Act sets out broad general principles, it can be difficult to comply with as it is not always clear what you need to do in any given situation. In such cases, firms need to make an assessment by seeking to balance their legitimate need for business information against the sometimes competing right of the individual to respect for his or her private life.
The following checklist was compiled by the ICO to help firms to comply with the Act.
o Do I really need this information about an individual? Do I know what I'm going to use it for?
o Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
o If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
o Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
o Is access to personal information limited to those with a strict need to know?
o Am I sure the personal information is accurate and up to date?
o Do I delete or destroy personal information as soon as I have no more need for it?