Following Shredsec’s article about Understanding the Data Protection Act, here we provide guidance for organisations on storing data and the importance of data shredding.
Defining Personal Data
To comply with the Data Protection Act, any personal data held by your organisation needs to be kept secure. Personal data means any information about an individual that could identify them, either on its own or when combined with other information held by an organisation or a third party. Examples of personal data include:
- Date of birth
- Address details
- Telephone numbers
- National Insurance number
- Financial details such as bank account
- Notes written about an individual (e.g. an annual appraisal)
- Medical records (extra care needs to be taken with highly confidential data such as this)
Personal data covers information about current employees and prospective employees, customers, suppliers and anyone who has come into contact with your organisation including images captured on security cameras.
Collecting Personal Data
Your organisation is permitted to collect personal data if it has a legitimate reason for doing so. If not, you are in contravention of the Data Protection Act.
However, only data that is relevant at that particular time should be collected. For example, a job applicant should not be asked for access to their medical records unless there is a specific requirement. When you collect data about an individual, your organisation must inform them about what it intends to do with their data. If the intention changes, your organisation must inform the individual again.
If the intention is to use the data for marketing purposes then the individual must be informed. A common use of data is the collection of email addresses for marketing purposes and organisations need to obtain the individual’s explicit consent if this is the intention.
Using Personal Data
Once an individual has consented to an organisation using their personal data, it can be used in a controlled manner, ensuring that the data is used solely for the reason it was collected.
If the data is being used in marketing material then permission should be obtained from the recipient to ensure they do not object. If the individual is an existing customer then your organisation may be able to market similar products to them without additional consent.
Handling Personal Data
Many organisations use third party suppliers to manage their data. Where this is the case, the Data Protection Act makes it very clear that you are still responsible for protecting the data and will need to ensure a written contract is in place with the third party that protects the security of the data.
Personal data must always be sent in a secure way and all data you store needs to be accurate and up to date; it should only be held for as long as it is required and for the reason it was collected.
Storage of personal data must be kept secure at all times using computer passwords, secure consoles for paper waste, lockable filing cabinets, etc.
Information that is aged or no longer applicable should be destroyed in a secure manner using a data shredding company like Shredsec. We provide:
Contact Shredsec to discuss your data shredding requirements.