Data Protection: Overview
Data Protection legislation governs the right of an individual to privacy and the ability of organisations to use personal data for the purposes of their businesses. In recent months, data protection issues have become increasingly more common and in the forefront of most peoples minds with the continuing phone hacking investigation, the heartbleed security bug, the eBay cyber attack and the increase in data access requests received by businesses.
It is important for business owners to be aware of their legal obligations when dealing with personal data about customers, suppliers, employees or anyone else who they come across in the course of business; individuals captured on a business’ CCTV footage can be included. There could be serious financial, commercial and reputational implications which may include criminal penalties and fines if personal data is not handled properly.
What is personal data?
Personal data is any information about an individual held on a computer or in organised filing systems that could identify the individual, either on its own or together with other information held by a business or a third party.
Personal data needs to be protected and kept secure. Personal data may include an individual’s name, e-mail address,
telephone number, date of birth, and even notes made about someone during their annual appraisal, for example.
When can we collect data?
An organisation can only collect personal data about an individual if it has a legitimate reason for doing so. For example, because a new employee is coming to work for the business. The information collected must also only be retained for as long as is necessary for the purpose for which it was collected.
A condition of the collection of personal data is that the business will need to inform the individual of what it intends to do with their data. It is important to remember that if the purpose for which the data was collected changes that the individual is informed of this new use. If you collect details for the purposes of confirming an order but then want to use this information for marketing then the individual must be informed. In some cases such as text or e-mail marketing you will generally require the individual’s explicit consent to receive marketing communications.
How can we use personal data?
An organisation is generally allowed to use someone’s personal data if the individual has given their consent. The data can also be used in other circumstances, for example, if the business needs to use the data to fulfil a contract with a customer, such as using their address to deliver goods to them or the business has a legitimate interest in using it, although this must be balanced with the individual’s rights. An example is where a part of a business has been sold to a third party and the business needs to transfer customer data to it.
If a business wants a third party to manage data and is considering entering into an agreement with a third party to carry out HR services or payroll services, legal advice should be taken to ensure that the business is fully complying with its obligations. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party providing these services.
Care also needs to be taken and advice should be sought if a business is considering transferring any personal data outside the EU. It is quite easy for data to be transferred especially when using websites or sending an email to a third party outside of the UK.
What are the storage obligations?
All personal data must be accurate and up-to-date. Businesses should ensure that databases are regularly cleaned and out-of-date information deleted.
A business should only retain personal data for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and has not been used since, the data should not be held on the basis that it may be needed for another reason at some time in the future.
Personal data must be kept secure at all times. Businesses will need to ensure that computers and files are password protected, personal data on laptops and other portable devices are kept to a minimum, manual filing cabinets containing personal data should be locked and only accessible to authorised personnel, confidential documents should not be left unattended on desks, and personal data should be removed promptly from fax machines, printers and photocopiers.
When working away from the office, businesses need to ensure personal data stored on portable devices is encrypted and kept secure at all times, papers or electronic devices should not be left lying around, members of the public cannot see confidential documents on computer screens and conversations about confidential matters should be avoided when members of the public may be able to hear.
Businesses need to take care when sending personal data to make sure that it is done in a secure way and all personal data must be disposed of securely and not disposed of in general waste or by recycling as this is not sufficient.
What is a data access request?
Under the Data Protection Act1998, all individuals have the right to make a request to a business whether it is their employer, a business they are buying goods and services from or any other organisation who they believe holds personal data about them. Individuals can ask the organisation to supply copies of both paper and computer records and related information about them. A business is permitted to charge an administration fee of up to £10 for responding to this type of request All businesses should have a system in place to deal with individuals who request details of the personal information that the business holds on them as there are specific time periods which need to be adhered to.
This note provides a brief overview of the data protection obligations but if you have any further questions please contact Amy Kerr.