My company is streamlining many of our manual files and
transferring these onto a computer-based system. These files
include personnel records and marketing data. Should we revert back
to a manual filing system in view of the Data Protection Act?
A new Data Protection Act came into force on 1 March 2000 which
has many implications for business. The new Act covers personal
data held in certain manual filing systems, such as card indexes
and microfiches, so reverting to your original system will not
necessarily mean that you do not have to comply with data
protection laws.
You should carry out an audit of what information you have and
how it is used. It is critical that an analysis of working
practices and systems be undertaken and that the relevant training
is given to those who use and process personal data.
Any information which can be manipulated for marketing purposes
also needs to be addressed. Restrictions have been placed on the
automatic processing of data to evaluate matters relating to
individuals, such as an individual's credit worthiness.
If you have any involvement in overseas business, particularly
countries outside the European Economic Area, you should be aware
that special rules apply to the transfer of personal data to those
countries. Special rules also apply in relation to the processing
of sensitive information such as details of a person's health,
race, religion, political opinion and trade union membership.
Whether you are addressing personnel files or marketing data,
individuals will have greater rights of access to personal
information - and in some circumstances, rights to prevent
processing. Consent from individuals to process their personal data
may require more explicit notification on forms than those
currently used.
Apart from reviewing systems and processes, you need to be aware
that individuals have the right to take action where certain
breaches of the Act occur. There are new requirements for the
overall protection and security of the data, including the need to
enter into appropriate legal agreements where data is processed by
someone else on your behalf.
In view of the changing pace of legislation, it is important
that you keep abreast of any modifications as secondary legislation
is introduced.
Solution provided by Peter Vass, Eversheds