TT30: Data Protection Act 1998
If your business processes information about individuals, whether on computer or in manual records, it is a Data Controller and is legally required to comply with the Data Protection Act 1998. A Data Controller that fails to do so can face a fine of up to £5,000.
The Act came into force on 1 March 2000 and works in two ways:
- Anyone who records and uses personal information about identifiable living individuals must be open about how that information is used and must follow the eight principles of good information handling (see below).
- It gives every individual certain rights, including the right to see the information held about them and to have it corrected if it is wrong.
The eight principles of good information handling
These state that data must be:
- Fairly and lawfully collected and processed.
- Obtained only for one or more specified and lawful purposes, and not further processed in any way incompatible with those purposes.
- Adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Accurate and, where necessary, kept up to date.
- Kept no longer than is necessary for that purpose.
- Processed in accordance with the rights of the individual under the Act.
- Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the individual’s rights.
Data Controllers who process personal data by automated means (on computer) must notify the Information Commissioner.
- A Data Controller that processes only manual records is not required to notify, but must still comply with the other requirements of the Act.
- Notification can be made by post using an application form, or online at http://www.dataprotection.gov.uk. (Information help line: 01625 545 745.)
- The notification fee is £35 and notification must be renewed annually.
- Beware! A number of organisations send official-looking warning notices offering to arrange notification on your behalf for a significantly larger fee. Notification is only ever made to the Information Commissioner, and only the £35 fee is payable.
Barnes Roffe Topical Tips
- Notify the Information Commissioner that your business is a Data Controller.
- Appoint a named member of staff to be responsible for compliance with the requirements of the Act.
- Communicate the requirements and the importance of the Data Protection Act to all members of staff, and explain how it affects their work.
- Review your information systems to establish what personal data is held, by whom, why it is held, how it is used and whether it is processed in line with the eight principles.
- Ensure that all personal data, manual and electronic, is kept securely and confidentially and is accessible only to the staff who need it, with adequate security measures: physical (records under lock and key) and electronic (password protection and access controls).
- Implement a code of practice for dealing with the Data Protection Act in your business, and ensure it is communicated to customers and other relevant individuals.