You can't duck responsibility for your data

Lawyer Usha Jagessar explains your duties and liabilities under the Data Protection Act


The Data Protection Act 1998 introduced the right of individuals to privacy for data processed about them. It sets out rules and procedures for any business or organisation that processes personal data.

If you obtain, record, delete, disclose or access personal data you must comply with the Act. This affects data relating to a living individual, where he or she can be identified from the data or the data and other information you hold, or which is likely to come into your possession.

For example, data that does not on its own identify an individual, such as a reference number, is still covered by the Act if you can link it to data you hold, or are likely to obtain, in a way that then allows you to identify that individual.

Which staff are affected?

People who determine the manner and purpose in which personal data is processed are identified under the Act as "data controllers". Those who follow a data controller's instructions about how to process such data are described as data processors.

It is important to understand the flows of data in your business to establish how the Act applies to you. It is possible to be both a data controller and a data processor in different parts of the business.

Business activities

The Act can affect an organisation's internal business activities in a number of areas.

Human resources: the draft Employment Practices Data Protection Code deals with "the use of personal data in employer/employee relationships". It sets out how you should process personal data in relation to recruitment and selection, employment records, employee monitoring, and medical and related issues.

Employee data will contain "sensitive personal data", defined as anything that consists of information in respect of racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life and/or the commission or allegation of any offence. There are specific rules for processing sensitive personal data.

Data processing: where any internal business processes are outsourced, for example payroll, you will need to ensure the data is processed in accordance with the Act and your instructions.

Transferring data outside the European Economic Area: you will either need to ensure you have the appropriate consent to do so from the individuals concerned, or that the recipient of such data has "adequate protection" in place to process the data securely. A contract with the recipient setting out the obligations placed upon them is likely to be required.

Business processes must be able to deal with "data subject access requests". You must be able to find data in a limited time.

You will need to have a data protection policy, a document retention policy and an e-mail and internet policy governing compliance. These may simply be documents that can be consulted by staff to see what their working practices should be.

External business activities can also be affected, for example:

Where your external business activities involve the collection of personal data you will need to ensure that such data is fairly and lawfully obtained.

Customer data will need to be collected for a specified purpose and with the consent of the customer. The medium through which data is collected must be considered in order to obtain consent effectively. For example, data can be collected online from websites, using SMS text, from hard-copy submission cards, competition entries, or rented customer lists.

Websites should have accessible and accurate privacy policies.

Contracts should be in place with third parties which transfer data to you or receive data from you, to ensure appropriate data protection provisions are in place.

Your obligations under the Act will be directly related to whether or not you are a data controller and/or a data processor.

Where data is processed you will need to ensure you are notified (registered) with the information commissioner, accurately reflecting the data processed and covering both internal and external business activities.

Usha Jagessar is a solicitor with law firm DLA's technology, media and communications group

Six ways to stay within the law

Establish whether you are a data processor or a data controller

Re-assess your data processes and how the Act applies to you

Ensure appropriate contractual obligations are in place between you and third parties

Ensure you have a data protection policy 

Appoint a data protection officer

Notify the Office of the Information Commissioner
