Most businesses in the UK who hold information about employees or customers will need to process personal data. As the sanctions for breach of data protection rules are criminal and civil, and are also likely to attract adverse publicity, it is important to have a good understanding of the regime and obligations to avoid potential data protection issues from arising.
What is a data controller?
The data controller is responsible for carrying out all obligations under the Data Protection Act (DPA). The data controller can be a person or an entity, such as a company, that determines how and why the personal data held by a business is, or will be, processed.
What is a data processor?
A data processor is a third party that processes personal data on behalf of the data controller, for example where payroll functions are outsourced to a third party on behalf of the business.
Who is a data subject?
Any individual whose personal data is processed is a data subject. Data subjects often include:
- individuals on contact lists or marketing lists
- suppliers and consumers
Data subjects can be sole traders, partners of a partnership or members of a limited liability partnership.
A company cannot be a data subject but its officers, directors or employees can be if processing of their personal data is concerned.
What is personal data?
Personal data can be stored manually or electronically. Information is likely to be classed as personal data if it can be shown to relate to an individual in a way which might affect his or her privacy; have the individual as a focus; and go beyond merely recording an individual’s involvement in something.
Examples of personal data include the following:
- telephone numbers
- job titles
- dates of birth
- personal expressions of opinions or intentions
- salary details
- medical history
- spending preferences
What is data processing?
This is defined to include the following activities:
- obtaining data
- recording data
- holding data
- using data
- erasing data
Notification
The data controller must notify the Information Commissioner’s Office of various details, including a description of the data being processed and the purpose(s) for which it is being processed. Notification can be done online. It is a fairly straightforward process but will involve an audit of the business. A fee is also payable, which is paid annually on renewal of the notification.
Failure to notify where required by the DPA is a criminal offence. Where there are several companies in a group, each company is required to submit a notification separately. If the data controller only carries out limited data processing activities then there is an exemption to the notification requirement.
Principles of data protection processing
The DPA sets out various principles which must be complied with. In accordance with these, data must:
- be processed fairly and lawfully
- be obtained only for specified lawful purposes and not further processed in any incompatible manner
- be adequate, relevant and not excessive in relation to the purpose for which it is processed
- be accurate and kept up to date
- not be kept for longer than necessary
- be processed in accordance with the rights of data subjects
- not be transferred outside the EEA unless certain conditions are met
In addition, appropriate technical and security measures must be taken to prevent unauthorised or unlawful processing, accidental loss or destruction of or damage to personal data.
Subject Access Requests
Under the DPA, data subjects have the right to request access to certain information in respect of their personal data, including:
- whether their personal data is being used
- a description of how their personal data is being used
- details of who personal data is or has been disclosed to
- information relating to the source of the personal data
- copies of any document containing their personal data
Businesses should therefore have a system in place to deal with individuals who request details of the personal information that the business holds on them. A business is entitled to charge an administration fee of up to £10 for responding to this type of request.
Individual employees should not deal with this type of enquiry, unless they have been given specific authorisation to do so. The request should normally be passed to the person within the business who has responsibility for data protection issues.
Practical steps
- Consider anonymising data so that it is no longer classed as personal data.
- Keep data records up to date and delete data that is no longer required to fulfil the purpose for which it was collected.
- Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff).
- If a business wants a third party to manage data (such as carrying out payroll services) it should take legal advice. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party.
- Businesses should take legal advice if they are considering transferring any data outside the countries in the European Economic Area.
- If the data is being used in marketing material, businesses should check that they hold the recipient's explicit consent (opt-in) for email, fax and text marketing. If the individual is an existing customer, the business should take legal advice in these circumstances.
- Keep data secure at all times, for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files. Confidential papers should not be put in the recycling bin. Use passwords to keep data secure. Take care when working away from the office or in public areas.
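The anonymisation, purpose-limitation and retention points in the list above can be enforced in code rather than left to manual housekeeping. The following Python script is an added example written for this page, not code from the original article or from any regulator: it applies a purpose-bound retention schedule to a small set of constructed personal-data records, refuses use of a record for a purpose other than the one it was collected for (the call-recordings case above), pseudonymises direct identifiers for day-to-day use and keeps only an anonymised summary of anything past its retention date. The retention periods, purposes, records and key are all assumptions made for the example and are not legal retention limits.

```python
"""Added example: purpose-bound retention, purpose limitation and anonymisation."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac

# Constructed retention schedule (an assumption for this example, not a legal rule):
# the maximum number of days a record may be held for the purpose it was collected for.
RETENTION_DAYS = {
    "payroll": 6 * 365,
    "marketing": 2 * 365,
    "call_training": 90,
}


@dataclass(frozen=True)
class Record:
    subject_id: str     # internal reference used to join records, never shown to third parties
    name: str
    email: str
    purpose: str        # the purpose stated to the data subject when the data was obtained
    collected_on: date


def is_expired(record: Record, today: date) -> bool:
    """True once the record is older than the retention period for its purpose.
    A purpose missing from the schedule is treated as expired, so nothing is kept by default."""
    days = RETENTION_DAYS.get(record.purpose)
    if days is None:
        return True
    return today - record.collected_on > timedelta(days=days)


def may_use(record: Record, requested_purpose: str) -> bool:
    """Purpose limitation: data may only be used for the purpose it was collected for."""
    return record.purpose == requested_purpose


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256, truncated).
    Whoever holds the key can still link the token back to the person, so the
    output remains personal data for the key holder; it only limits exposure."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def anonymise(record: Record) -> dict:
    """Drop every field that identifies the person; what remains is aggregate-only."""
    return {"purpose": record.purpose, "collected_year": record.collected_on.year}


def apply_retention(records, today: date, key: bytes):
    """Split records into those still within retention (direct identifiers replaced by
    tokens) and anonymised summaries of those that must be securely deleted."""
    kept, deleted = [], []
    for record in records:
        if is_expired(record, today):
            deleted.append(anonymise(record))
        else:
            kept.append({
                "subject_id": record.subject_id,
                "email_token": pseudonymise(record.email, key),
                "purpose": record.purpose,
            })
    return kept, deleted


# Constructed sample data and parameters (assumptions for the example).
EXAMPLE_KEY = b"example-pseudonymisation-key"
EXAMPLE_TODAY = date(2014, 6, 1)
SAMPLE_RECORDS = [
    Record("s1", "Alice Example", "alice@example.com", "payroll", date(2010, 1, 1)),
    Record("s2", "Bob Example", "Bob@Example.com", "marketing", date(2011, 1, 1)),
    Record("s3", "Carol Example", "carol@example.com", "call_training", date(2014, 4, 1)),
]

if __name__ == "__main__":
    kept, deleted = apply_retention(SAMPLE_RECORDS, EXAMPLE_TODAY, EXAMPLE_KEY)
    print("kept:", kept)          # payroll and call_training records, identifiers tokenised
    print("deleted:", deleted)    # the 2011 marketing record, past its 2-year retention
    # Recordings made for training may not be reused to discipline staff.
    print("use for discipline allowed:", may_use(SAMPLE_RECORDS[2], "discipline"))
```

The retention check returns "expired" for any purpose not on the schedule, so a record whose purpose was never documented is flagged for deletion rather than quietly kept; the pseudonymisation normalises case and whitespace before hashing so the same address always yields the same token.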