More than ever before, organizations must ensure they protect personal information. New powers accorded to the Information Commissioner's Office allow it to impose hefty fines on any organization
Data Protection Act compliance requires not only good technology to guard files, but also employee security training to develop a culture among staff that recognizes both the importance of good security and the consequences of a data breach.
In order to help companies get the message out to their teams, IT Governance Publishing Ltd. has produced a Data Protection Act handbook, entitled Data Protection Compliance in the UK – A Pocket Guide. As the name implies, it is small enough to fit into a pocket, and provides a simple and straightforward rundown on the provisions of the Act, and the responsibilities of those who handle personal data.
It is co-authored by Rosemary Jay, a partner at law firm Pinsent Masons LLP, and Jenna Clarke, who was a trainee at the firm at the time of writing. Through our exclusive partnership with IT Governance, we at SearchSecurity.co.UK are pleased to publish here an extract from the guide, which provides a checklist of what staff should do to ensure they and their employers stay within the law.
CHAPTER 13: COMPLIANCE CHECKLIST
This checklist is intended as a good practice guide for staff (particularly those in the IT section). It is not a general checklist for the organisation as a whole.
- Know who the data protection officer is in your organisation, so that queries can be raised with the appropriate person.
- Check that your registration with the Information Commissioner covers everything for which your section is responsible and, if there are any gaps, ensure your data protection officer is alerted to this.
- Be aware of those circumstances in which personal data may be collected by your section or your business unit, and check that all of those points of collection have data protection notices that comply with your organisation's policy.
- If you are responsible for special services, such as the website or setting up marketing emails, ensure you are up to date on the relevant rules and are wholly compliant.
- Check what training is available within the organisation for staff on data protection security and related issues. Make sure that you have attended any appropriate training and take responsibility for other people in your section.
- Be alert for any changes in business practice and ensure that your processes and procedures take account of these.
- Make sure that you and those in your section are aware of security and confidentiality rules and that these are applied stringently. In particular, do not leave passwords around, ensure that any personal data on laptops is securely encrypted and that there are rules to restrict the movement of laptops which hold personal data.
- Be vigilant to ensure that personal data cannot be stolen or removed from your offices by the use of mobile storage (for example, USB keys).
- Check that there are proper guidelines in place to cover disclosures of information and make sure that no inappropriate disclosures are made, particularly in response to telephone calls.
- Ensure that you and any staff for whom you are responsible follow security guidance on disclosures and do not make disclosures of personal data outside the rules.
- Be aware of the rights which individuals have in relation to their personal data and, in particular, be alert for subject access requests or objections to processing where the individual does not need to say that they are acting under the DPA.
- Alert your data protection officer to any changes in business practice that would impact your data protection act compliance, for example the use of a new processor where a processing contract would be required or a request to transfer personal data outside the EEA where you need to ensure that there are proper provisions in place.
- Be aware of the retention procedures in operation and ensure that data are not kept longer than necessary for the purposes of your section or unit.
- If any systems use an automated decision-making process, be alert to objections and recognise that individuals should be notified of the use of such systems.
- When you record information about individuals, ensure that it is appropriate, adequate, correct and fair. Do not record unverified or inadequate information.
- Do not allow staff to make marketing telephone calls or send marketing e-mails without having checked that your organisation is compliant with the appropriate rules.
- Ensure that you respond swiftly and professionally to any communications from the Information Commissioner's Office.
More resources on Data Protection Act:
This extract and the original text it is taken from are both subject to IT Governance Publishing copyright. It may not be reproduced in any form without prior written consent from IT Governance Ltd.
The full guide is available from IT Governance, price £19.95. It can also be downloaded as an eBook.
This was first published in August 2010