Lawyer Usha Jagessar explains your duties and liabilities
under the Data Protection Act.
The Data Protection Act 1998 introduced the right of individuals to
privacy for data processed about them. It sets out rules and
procedures for any business or organisation that processes personal
data.
If you obtain, record, delete, disclose or access personal data you
must comply with the Act. This affects data relating to a living
individual, where he or she can be identified from the data or the
data and other information you hold, or which is likely to come
into your possession.
For example, data that does not in itself identify an individual, such as
a reference number, is still covered by the Act if it can be linked to
data you hold, or are likely to obtain, that would allow you to identify
the individual.
Which staff are affected?
People who determine the manner and purpose in which personal data
is processed are identified under the Act as "data controllers".
Those who follow a data controller's instructions about how to
process such data are described as data processors.
It is important to understand the flows of data in your business to
establish how the Act applies to you. It is possible to be both a
data controller and a data processor in different parts of the
business.
Business activities
The Act can affect an organisation's internal business activities
in a number of areas.
Human resources: the draft Employment Practices
Data Protection Code deals with "the use of personal data in
employer/employee relationships". It sets out how you should
process personal data in relation to recruitment and selection,
employment records, employee monitoring, and medical and related
issues.
Employee data will contain "sensitive personal data", defined as
anything that consists of information in respect of racial or
ethnic origin, political opinions, religious beliefs, trade union
membership, physical or mental health, sexual life and/or the
commission or allegation of any offence. There are specific rules
for processing sensitive personal data.
Data processing: where any internal business processes are outsourced,
for example payroll, you will need to ensure the data is processed in
accordance with the Act and your instructions.
Transferring data outside the European Economic Area: you will either
need to ensure you have the appropriate consent to do so from the
individuals concerned, or that the recipient of such data has "adequate
protection" in place to process the data securely. A contract with the
recipient setting out the obligations placed upon them is likely to be
required.
Business processes must be able to deal with "data
subject access requests". You must be able to find data in a
limited time.
You will need to have a data protection policy, a
document retention policy and an e-mail and internet policy
governing compliance. These may simply be documents that can be
consulted by staff to see what their working practices should
be.
External business activities can also be affected, for
example:
Where your external business activities involve
the collection of personal data you will need to ensure that such
data is fairly and lawfully obtained.
Customer data will need to be collected for a
specified purpose and with the consent of the customer. The medium
with which data is collected must be considered in order to
effectively obtain consent. For example, data can be collected
online from websites, using SMS text, from hard copy submission
cards, competition entries, or rented customer lists.
Websites should have accessible and accurate
privacy policies.
Contracts should be in place with third parties
which transfer data to you or receive data from you, to ensure
appropriate data protection provisions are in place.
Your obligations under the Act will be directly related to whether
or not you are a data controller and/or a data processor.
Where data is processed you will need to ensure you are notified
(registered) with the information commissioner, accurately
reflecting the data processed and covering both internal and
external business activities.
Usha Jagessar is a solicitor with law firm DLA's technology, media and
communications group.
Six ways to stay within the law
Establish whether you are a data processor or a data controller
Re-assess your data processes and how the Act applies to you
Ensure appropriate contractual obligations are in place between you and
third parties
Ensure you have a data protection policy
Appoint a data protection officer
Notify the Office of the Information Commissioner