We live in an age where personal information is recorded, stored and used for many purposes, so it is crucial that this data is adequately protected from abuse or misuse. This article is designed to help you understand the Data Protection Act and how it affects your organisation. There are six sections covering:
- Introduction to the Data Protection Act
- What the Data Protection Act means to your organisation
- What the exemptions are to the Act
- What rights individuals have in having their data used
- How to deal with data held about employees
- Guidance on using data for marketing
SECTION ONE – INTRODUCTION TO THE DATA PROTECTION ACT
This Section introduces the Data Protection Act and how it is policed.
The Data Protection Act was introduced in 1998 and was designed to regulate how personal information is used. Organisations and individuals that handle personal information must comply with the legal requirements of the Act.
The Act requires organisations to give details of the personal information they process to the Information Commissioner's Office through a notification process unless the processing is exempt. The Act covers two main areas.
1. Organisations that handle and process personal information
Organisations that handle and process personal information must comply with the Data Protection Act's eight basic principles.
- Information must be processed fairly and lawfully
- Data must be obtained for one or more specified purposes
- Data must be adequate, relevant and not excessive
- Information must be accurate and up-to-date
- Data must not be kept for longer than necessary
- Data must be processed in line with the rights of the individual
- Information must be kept secure
- Data must not be transferred to other countries outside the EEA without adequate protection
Section Two provides more information about the eight principles.
2. The rights of individuals regarding their personal information
The Data Protection Act gives individuals the right to require an organisation to stop processing their personal information where that processing is causing, or is likely to cause, unwarranted and substantial damage or distress.
If an organisation contravenes the Data Protection Act, it may be required to pay compensation to the aggrieved person. If someone wishes to prevent an organisation from processing their information, they must write to the organisation stating:
- their name,
- the nature of the information they object to and why they object to it,
- why it is causing them damage or distress.
The organisation has 21 days to reply in writing stating whether it will comply; if it considers the request unjustified, it must say so and give its reasons. An individual can also write to an organisation if they believe the information it holds is inaccurate, and the organisation should tell them in writing what it intends to do.
Such a notice cannot be used to prevent processing in the following cases, which correspond to four of the conditions in Schedule 2 to the Act:
- The individual has consented to the processing
- The processing is necessary to enter into or perform a contract with the individual
- The processing is necessary to meet a legal obligation of the organisation (other than a contractual one) or is required by an Act of Parliament
- The processing is necessary to protect the individual's vital interests
Section Three examines general exemptions to the Data Protection Act.
An independent body, the Information Commissioner's Office (ICO), oversees the Act: it upholds individuals' rights over the information held about them and promotes good practice in the handling of personal data.
What is the ICO's role?
The ICO advises organisations on how to comply with the rules governing personal data and maintains a public register of the organisations that have notified it that they hold and process personal information.
What is the ICO’s primary objective?
The primary objective of the ICO is to protect the rights of individuals while recognising that organisations need to handle and process information as part of their business activities.
What do organisations have to submit to the ICO?
Unless the processing is exempt, every organisation that processes personal data must give the ICO details of the personal data it processes and the purposes for which it processes it. This is called the notification process; it must be renewed annually, and the basic fee is £35 a year. The details provided to the ICO are published in a public register.
What power does the ICO have?
If someone believes an organisation has not complied with the relevant regulations, they can complain to the ICO. If the ICO believes that an organisation is not complying with the Data Protection Act’s regulations, it can investigate and even prosecute the organisation concerned. The ICO therefore has considerable powers and will take action when necessary.
SECTION TWO – WHAT THE DATA PROTECTION ACT MEANS TO YOUR ORGANISATION
This Section looks at what the Data Protection Act means to your organisation. We have already examined the way the Data Protection Act works through eight principles which are based on the fair and lawful use of personal data. Now we will look at each of these principles to see how they affect your organisation’s handling of data.
1. “Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.”
This relates to the initial obtaining of personal information – whether manually or electronically – and the way it is processed.
Keep subject informed
Your organisation must keep the data subject informed of the purposes for which their data is used.
Why and how
The data subject must be told who is collecting the information, why it is being collected and how it will be used, and how they can access these details or have them corrected if they are inaccurate.
Most organisations provide this explanation (often called a fair processing notice) on the forms and other documents through which they collect the data.
2. “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.”
Your organisation must identify its purposes for storing and processing data and must use the data only for those purposes. Data must not be passed to other organisations or used for different purposes unless the data subject was told that this would happen.
Your organisation can identify more than one purpose when it first collects the data, and may then use the data for any of those purposes, but you must make sure the data subject is aware of all of them.
3. “Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.”
This relates to the amount of data kept and the reasons for doing so.
Your organisation must be able to justify its purposes and ensure that the data it holds is really necessary for them.
It is also vital that the data is reviewed periodically to ensure it is still relevant and still needed for its original purpose.
4. “Personal data shall be accurate and, where necessary, kept up-to-date.”
This principle emphasises the importance of keeping data accurate and up to date.
Keep subject aware
The data subject must be made aware of their rights so that they know how to notify your organisation if their details change, for example if they change their name, address or any other details.
Aware of procedures
You cannot force a data subject to tell you when their details change, but you must make sure they know the procedure for updating their details if they wish to, and you must take reasonable steps to check the accuracy of data you obtain from them or from third parties.
5. “Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.”
Data must be held for a specific purpose which has been notified to the data subject, and must not be kept for longer than that purpose requires. When the time comes to dispose of the information, this must be done securely, whether the records are paper or electronic. Talk to Shredsec about our secure shredding services.
6. “Personal data shall be processed in accordance with the rights of data subjects under the Act.”
This principle governs the rights of data subjects and includes an individual’s rights to gain access to their personal data.
Scope of principle
It includes the right to amend data, the right to prevent direct marketing and the right to claim compensation if there has been a breach of the Act which has caused them harm or distress.
Automated decision-making procedures
This principle also covers automated decision-making procedures and states that data subjects must be told if decisions are made by automated methods.
7. “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This principle stipulates that measures must be taken to protect against unauthorised or unlawful processing of data and against its accidental loss, destruction or damage. "Appropriate" means proportionate to the harm that a breach could cause and to the nature of the data. You must also take reasonable steps to ensure the reliability of staff who have access to the data, and where another organisation processes data on your behalf you must choose one that gives sufficient guarantees about its security measures and bind it by a written contract to act only on your instructions.
Personal data must be kept secure throughout its life, particularly when it is processed off-site or in a public place, and including when it is disposed of. This is where you should contact Shredsec to discuss our shredding services. We provide secure on-site or off-site shredding for a variety of organisations.
8. “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
This principle prevents data being transferred to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection for the data subject's rights.
"Adequate" means adequate in all the circumstances of the transfer, not necessarily identical to the protection given in the UK; the nature of the data, the purposes of the transfer and the law and security practices of the destination country are all relevant.
Where the destination country does not provide adequate protection, the transfer may still be made in certain cases set out in the Act, one of which is that the data subject has consented to it. A data subject asked for consent may reasonably want to know what protection the data will have in the country it is being sent to.
SECTION THREE – WHAT THE EXEMPTIONS ARE TO THE ACT
This Section examines the exemptions to the Data Protection Act which mean that data handlers do not have to observe all of an individual’s rights.
- The information is for personal, family or household requirements
- The information is needed to protect national security
- The law states that the information must be made available to the public
- The information will be used for the purposes of art, literature or journalism
- The information will help prevent or detect a crime
- The information will help prosecute an offender
- The information is required to help with the assessment or collection of taxes
- The information is needed for regulatory activity, such as protecting the public or charities from financial loss or malpractice
- The information is required for historical or statistical purposes
- The information must be disclosed by law, or is needed for legal proceedings or to obtain legal advice
- The information is needed to provide a confidential employment reference
- The information is required by the armed forces prior to combat
- The information is needed to provide exam marks and scripts
- The information will help provide management forecasts
- The information is covered by legal privilege
- The information will be used to appoint judges, QCs, Honours etc
- The information is required by corporate finance services
- The information is related to aspects of health, education or social work
Here are some questions that you should answer to satisfy yourself that your organisation is complying with the Data Protection Act:
Have I informed those whose information I hold, and are they clear what their information will be used for?
What would I do if I am asked to pass the personal information to another organisation? How would the people I hold information about feel about this?
Is it necessary to keep information about an individual? Do I know what it will be used for?
Is the information held securely whether it’s held manually or electronically?
Access to information
Do a strictly limited number of people have access to the personal information?
Have I done all I can to ensure the information is accurate and up to date?
Do I have a policy in place to ensure personal information is deleted or destroyed if it is no longer needed?
Should the company register with the Information Commissioner? If this has been done, is the notification up to date?
Have all staff members received training regarding the Act, and do they understand their obligations?
SECTION FOUR – WHAT RIGHTS INDIVIDUALS HAVE IN HAVING THEIR DATA USED
This Section looks at how the Data Protection Act protects individuals’ rights.
1. The right to access data
The right to access data gives individuals the right to know if an organisation has information about them as well as the right to access this data.
What information is being processed
They also have the right to know what information is being processed and why.
They can request, in writing, a copy of all the information held about them.
To do so they send a subject access request (SAR); the organisation may charge a fee of up to £10. Your organisation has 40 days to respond, counted from when it has received the request, the fee and any further information it reasonably needs to confirm the requester's identity and locate the data, and it may ask for that information before responding.
You must provide the information in a permanent format such as a letter, form or computer printout which is easy to understand with any codes or abbreviations clearly explained.
Certain information is classed as sensitive personal data, including data regarding:
- race or ethnicity
- political opinions
- religious or similar beliefs
- physical or mental health
- sexual life
- trade union membership
- criminal offences, or proceedings relating to them
This information is covered by stricter rules: an organisation can process it only if it meets one of the narrow conditions set out in Schedule 3 to the Act (in addition to a Schedule 2 condition). Information of this type should be used only where strictly necessary, and in most cases you will need the explicit consent of the data subject unless another Schedule 3 condition applies, such as processing necessary to comply with a legal obligation connected with employment.
2. The right to prevent marketing
There are a number of requirements that an organisation must meet when undertaking any form of direct marketing, whether by phone, fax, post or email. More information is provided in Section Six.
3. The right to have incorrect information corrected
An individual can request that information is amended if they believe it is incorrect or misleading.
If your organisation fails to correct the information, the individual can apply to a court, which may order you to rectify, block, erase or destroy the information and, in some cases, to notify anyone to whom it has been disclosed.
4. The right to compensation
An individual can claim damages if they have suffered physical or financial harm as a result of a breach of the Data Protection Act. Any compensation must be claimed through the courts.
In certain cases, an individual can claim compensation for distress but this must be claimed in conjunction with a claim for physical or financial harm.
5. The right to prevent automated decisions
Individuals can object to decisions being made about them solely by automated means, with no human involvement. This type of automated decision-making is becoming more common as businesses rely on software to process information.
Types of application
This applies only to decisions that significantly affect the individual, such as those regarding performance at work, creditworthiness or reliability.
Informed of decision-type
Individuals must be told when this type of decision has been made and if they are unhappy they can write to your organisation to ask them not to make decisions on this basis.
Your organisation must respond within 21 days and, if an individual is still not satisfied, they can apply to a court to intervene.
SECTION FIVE – HOW TO DEAL WITH DATA HELD ABOUT EMPLOYEES
This Section examines the Data Protection Act's rules for employee records and the monitoring of staff. For many organisations, the way in which they process employee records means that they will not need to notify the Information Commissioner's Office.
You do not need to notify the ICO if your organisation processes data only for staff administration purposes, as this is an exempt purpose.
Equally, you do not need to notify the ICO for processing carried out only for your own advertising, marketing and public relations, or for keeping your own accounts and records. Note that these exemptions remove the duty to notify, not the duty to comply with the eight principles.
The Act also covers the monitoring of staff including:
- The interception of emails
- The interception of faxes
- The interception of phone calls
- The interception of voicemail
- The interception of Internet usage
- Audio and video monitoring
- The use of CCTV
To help organisations comply with the Data Protection Act regarding the monitoring of employees, the ICO provides a code of best practice called the Employment Practices Code.
The guidelines advise organisations to carry out an impact assessment which identifies:
- The reasons why the organisation wishes to monitor their employees,
- The impact of monitoring,
- Any alternatives that may be used
- Any procedures that will be introduced as a result of the monitoring.
It is important to keep staff fully informed and they must be told the reasons why your organisation intends to monitor its employees.
Covert monitoring should be done only in exceptional circumstances, where your organisation has good grounds to suspect criminal activity or equivalent malpractice and where telling the employees would prejudice its detection. It should be authorised by senior management, confined to the specific investigation and stopped once the investigation is complete.
In many cases the matter will be one for the police, although their involvement is not always necessary.
If an organisation suspects serious malpractice such that it warrants covert monitoring, they should contact the ICO for further advice.
Organisations who are considering carrying out monitoring should set out their plans in their policies and procedures document. This should state the nature and reasons for any monitoring so that all members of staff are informed from the outset. Staff can be given a copy to sign with their employment contract.
Remember that great care must be taken when dealing with employee records and monitoring issues:
As part of its commitment to best practice, your organisation should ensure that all staff members who deal with confidential information or monitoring tasks are familiar with the Data Protection Act and understand the full implications of failing to follow these regulations.
Employees have a right to see all of the information their organisation holds on them and they must be given an opportunity to correct any mistakes.
During job interviews, the interviewer must not be unnecessarily intrusive and should not ask for sensitive, personal information. Applicants have a right to ask to see any notes made by an interviewer.
Many organisations appoint a small number of staff to be responsible for storing and processing personal data.
Human resources departments are responsible for staff administration, including a variety of confidential information held for payroll and other administrative purposes. It is a good idea to appoint one person to be responsible for compliance with the Data Protection Act. The organisation itself, not that person, is the data controller, but they can be named as the contact in the organisation's notification to the ICO and represent the organisation in all matters regarding data protection.
The ICO provides information packs and videos as well as information days to enable organisations to learn more about the Data Protection Act.
Where data is processed off-site, it is important to ensure that the data is secure.
SECTION SIX – GUIDANCE ON USING DATA FOR MARKETING
This Section looks at unsolicited marketing and the steps your organisation must take to comply with the Data Protection Act.
Individuals have the right to ask organisations to stop sending them any sales or marketing literature.
Individuals have the right to require an organisation to stop, or not to begin, processing their personal information for the purpose of direct marketing, and the organisation must comply within a reasonable period.
A request need only be made in writing to be valid. In practice, to act on it reliably you will want it to contain:
- A dated, written request
- Clear instructions
- Enough detail to identify the individual and the records concerned
- The reason for the objection (not required for a direct marketing opt-out, but required for an objection on grounds of damage or distress)
- The date from which processing must stop, if the individual wants it to take effect later than receipt
If the request is unclear or you cannot identify the individual, ask them for the missing details as soon as possible; the request still takes effect from the date you received it.
Your organisation should keep copies of all such correspondence, including the date when the request was initially made and details of any replies sent.
There are a number of ways that an individual can stop receiving unsolicited marketing material including:
Mailing Preference Service
The Mailing Preference Service is an opt-out register of individuals who do not wish to receive unsolicited addressed marketing mail. Organisations should screen their mailing lists against it and must not send unsolicited marketing literature to someone on the list unless that person has given them permission.
Telephone Preference Service
The Telephone Preference Service enables people to record their telephone preferences. This allows them to block unsolicited sales and marketing calls to their landline or mobile telephone numbers.
Organisations who make automated, pre-recorded marketing calls must get prior consent from the receiver.
Fax Preference Service
The Fax Preference Service prevents the sending of unsolicited sales and marketing faxes and works differently for organisations and individuals. Organisations must not send marketing faxes to private individuals without their consent, but may send them to other organisations unless those organisations have registered with the FPS or otherwise opted out.
If an organisation does not stop phoning, faxing or mailing an individual or organisation, even though they have opted out of receiving marketing material, a complaint may be lodged with the ICO who will investigate.
Spam is the term for unwanted and unsolicited marketing emails. Within the EU, your organisation must not send marketing emails (or text messages) to individuals without their prior consent. The one exception, often called the "soft opt-in", applies only when all of the following hold: your organisation obtained the individual's details in the course of a sale or negotiations for a sale, it is marketing only its own similar products or services, and the individual was given a simple way to refuse marketing when their details were collected and has not taken it.
With every marketing message, individuals must be given a simple means of opting out, usually an "unsubscribe" link or reply address, and every message must identify the sender. The consent rule for email does not apply to messages sent to corporate (business) addresses, although individuals at such addresses can still ask you to stop.
Organisations that target individuals and organisations with marketing material must remember that they must disclose the information they hold if requested to do so.