Mansfield Offices: 01623 782 080
Nottingham Office: 0115 9068 078

With more and more businesses using computers to store information about their customers, staff and suppliers, the danger of personal information being misused or getting into the wrong hands increases.

The Data Protection Act 1998 lays down a number of important principles which govern how personal data is collected, held and processed by businesses.

The Information Commissioner's Office now has enhanced powers and can fine up to £500,000 for breaches of the rules. It has now been given real "teeth"!

The eight principles of data protection

There are eight principles which apply to the data controllers within an organisation. Data controllers are the nominated people within an organisation who collect and store data about people.

Examples of the principles include:

- Information should be accurate and kept up to date, for example by changing an address when people move.
- The information must be kept safe and secure; it would be wrong to leave personal data open to be viewed by just anyone.
- Data must not be transferred outside of the EU unless the country to which the data is being sent has a suitable data protection law.

The full set of principles can be found on the Information Commissioner's Office website.

Data protection policy

Many businesses actually comply with the legislation without even realising it; however, it is easy to fall foul of the Data Protection Act if your organisation doesn't have a fixed data protection policy. A typical data protection policy will clearly set out the data protection obligations of an employer and lay down a number of organisational and procedural measures to ensure compliance with the Act. Given the large amount of data held by businesses regarding their employees, the rights and obligations of employees as subjects of the data should also be included in the policy. Given that employee data may be passed on to organisations such as trade unions and pension and private healthcare companies, many data protection policies also address the obligations of those third parties.

Consequences of not complying with the Act

Your organisation, as the data controller, could be found criminally liable, and managers and employees could also be personally liable. As well as the cost of paying a fine, the resulting negative publicity could adversely affect your business.

If you would like further information about data protection, or you would like to speak to someone about having a data protection policy drawn up for your business, please contact Rob Siderfin at Hopkins Solicitors on 01623 468 468.

Head Office: Eden Court, Crow Hill Drive, Mansfield, NG19 7AE Tel: 01623 782 080
Nottingham Office: 27 Regent Street, Nottingham, NG1 5BS Tel: 0115 9068 078
Mansfield Town Centre Office: Waverley House, 37 Westgate, Mansfield, NG18 1SH Tel: 01623 782 080