The Data Protection Act: analyse your working practices

My company is streamlining many of our manual files and transferring these onto a computer-based system. These files include...

My company is streamlining many of our manual files and transferring these onto a computer-based system. These files include personnel records and marketing data. Should we revert back to a manual filing system in view of the Data Protection Act?

A new Data Protection Act came into force on 1 March 2000 which has many implications for business. The new Act covers personal data held in certain manual filing systems, such as card indexes and microfiches, so reverting to your original system will not necessarily mean that you do not have to comply with data protection laws.

You should carry out an audit of what information you have and how it is used. It is critical that an analysis of working practices and systems be undertaken and that the relevant training is given to those who use and process personal data.

Any information which can be manipulated for marketing purposes also needs to be addressed. Restrictions have been placed on the automatic processing of data to evaluate matters relating to individuals, such as an individual's credit worthiness.

If you have any involvement in overseas business, particularly countries outside the European Economic Area, you should be aware that special rules apply to the transfer of personal data to those countries. Special rules also apply in relation to the processing of sensitive information such as details of a person's health, race, religion, political opinion and trade union membership.

Whether you are addressing personnel files or marketing data, individuals will have greater rights of access to personal information - and in some circumstances, rights to prevent processing. Consent from individuals to process their personal data may require more explicit notification on forms than those currently used.

Apart from reviewing systems and processes, you need to be aware that individuals have the right to take action where certain breaches of the Act occur. There are new requirements for the overall protection and security of the data, including the need to enter into appropriate legal agreements where data is processed by someone else on your behalf.

In view of the changing pace of legislation, it is important that you keep abreast of any modifications as secondary legislation is introduced.

Solution provided by Peter Vass, Eversheds

Read more on IT risk management