Understanding the data protection law

When it comes to data protection, many businesses tend to bury their heads in the sand, thinking that the laws that govern it are little more than toothless red tape. At the same time, some fairly gruesome examples of data protection breaches have hit the headlines in recent years.

While the criminal fraternity realised the value of personal data and the potential spoils from identity theft long ago, the business community has been slow to appreciate the need to respect the personal data of its customers and clients.

Recently, the Financial Services Authority fined Nationwide £980,000 for the loss of a laptop which contained confidential customer data. The building society was found to have failed to implement adequate risk management systems.

Whilst the fine was substantial, the information commissioner - who polices the Data Protection Act - understands that adverse publicity can deal a worse blow to a company than a relatively small fine.

On March 13 2007, the IC named and shamed 11 banks and other financial institutions in breach of the Act after investigating complaints concerning the disposal of customer information. Household names such as Alliance & Leicester, Royal Bank of Scotland, NatWest, Barclays Bank, Nationwide and The Post Office were all found to have thrown personal information into waste bins outside their premises.

As if the message wasn’t already clear enough, the climate for enforcement of data protection is set to tighten even further. The government has announced that it will introduce tougher measures against those who are found guilty of trading in - or deliberately misusing - the personal data of others. Judges will have the power to impose prison sentences of up to two years in addition to unlimited fines. Although these changes are primarily aimed at those who are deliberately misusing personal data for profit, they are an indication of how seriously the government is treating the issue of personal data privacy.

Under the Act, it is not only managers, the company secretary and similar officers who can be found personally guilty of data-related offences: company directors may be just as liable to prosecution.

So, what do you have to do to comply with the Act?

Data protection in a nutshell

The Data Protection Act regulates the processing of personal data by data controllers. Broadly, to comply with the Act you have to notify your processing operations to the IC and obtain a registration under the Act, and process personal data in accordance with the Eight ‘Data Protection Principles’.

Notification

The IC has to be notified of all computer processing of personal data; failing to notify is a criminal offence and is punishable by law.

This is the simplest aspect of the Act, but it is also the one the IC is most likely to penalise you for if you fail to comply with it.

Notification is relatively straightforward and can be done by completing a form on the IC’s website (www.ico.gov.uk), and paying the fee of £35.

There are some exceptions to the requirement to notify, for example some not-for-profit organisations, but, even if an exception might apply, it is advisable to notify in any event to avoid committing an offence.

Data protection principles

Anyone who processes personal information should comply with the Eight Data Protection Principles, which require that personal data is: processed fairly and lawfully; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept for longer than is necessary; processed in line with individuals’ rights; kept secure; and not transferred to countries outside the EEA without adequate protection.

Because the Act sets out broad general principles, it can be difficult to comply with as it is not always clear what you need to do in any given situation. In such cases, firms need to make an assessment by seeking to balance their legitimate need for business information against the sometimes competing right of the individual to respect for his or her private life.

Why comply with the Act?

Apart from being a legal obligation, it is good business practice. Breach of the legislation can have adverse consequences. The Information Commissioner can take enforcement action. Failure to comply with an enforcement notice is a criminal offence, punishable by a fine. Individuals may also seek compensation through the courts for any damage suffered.

Most importantly, if a complaint is made or enforcement action is taken, there can be adverse publicity and damage to reputation. A Google search for ‘Nationwide Building Society’ refers in four of the first 10 search results to the £980,000 fine for data security lapses. Is this what you want to be known for?

Personal data

‘Personal data’ means data which relates to a living person. The information must affect a person’s privacy, whether in his personal or family life, business or professional capacity.

Certain personal data is regarded as ‘sensitive’ and requires a higher standard of compliance. This includes data about health, racial or ethnic origin, political opinions, religious or similar beliefs, or sexual life.

‘Data controller’ is the person, firm or company who makes the decisions about the collection of, and what to do with, the personal data.

‘Processing’ is widely defined. Any collection, holding and processing of data on computer will be covered.

The Act also covers manual (hard copy) data held in a structured filing system.

Checklist

The following checklist was compiled by the ICO to help firms to comply with the Act.

Do I really need this information about an individual? Do I know what I’m going to use it for?

Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?

If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?

Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?

Is access to personal information limited to those with a strict need to know?

Am I sure the personal information is accurate and up to date?

Do I delete or destroy personal information as soon as I have no more need for it?

Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?

Nigel Miller is a Commerce and Technology partner at City law firm Fox Williams LLP.