Data Protection
Computers make it easy to collect and store huge amounts of information
about every one of us. Think how you use your credit and other payment
cards, how you surf the web, how you are recorded by CCTV cameras, how
you use your landline and mobile phone, how you send out CVs, and how
your doctor, dentist, employer and every other contact keeps records on
you. Your life can be reconstructed from this information, all of which
sits on a computer somewhere.
Because this information can be abused, legislation (in the UK, the
Data Protection Act 1998) now controls how UK and EU businesses collect,
hold and use it. Even manual records are covered if they form part of a
relevant filing system, e.g. files, card indexes and paper lists of
customer contacts.
Any business that decides how and why Personal Data is processed is a
Data Controller under the Act, and it should nominate someone to be
responsible for compliance. Unless exempt, the business must notify the
Information Commissioner (formerly the Data Protection Commissioner),
which can be done on-line, stating what Personal Data is being
processed and for what purposes. Thereafter it must ensure compliance
with the 8 Data Protection Principles and allow each Data Subject
access to his own Personal Data so that he can check it.
Personal Data is any information from which a living individual can be
identified, on its own or together with other information you hold - a
name with a job title, an email address, video footage, a CV, a written
opinion about someone, personnel files. These individuals will be your
employees, suppliers, customers and personal contacts.
Sensitive Personal Data is information about the Data Subject's racial
or ethnic origin, political opinions, religious beliefs, trade union
membership, physical or mental health or condition, sexual life, or
criminal record (including alleged offences and related proceedings).
The Act sets stricter conditions for processing it; in practice, make
sure the Data Subject gives you his explicit consent.
The Data Controller should identify how the business collects Personal
Data, e.g. application forms, an interactive web site, CCTV, a call
centre, referrals from third parties, and prepare policy statements
setting out how the Data will be used or shared - on a website this is
usually called a Privacy Policy.
He should also devise business procedures so that all information is
processed fairly at each stage - collection, storage, manipulation,
analysis and disclosure - in accordance with the eight principles of
good practice, which require that Personal Data in the UK is:
- Processed fairly and lawfully. Data must be gathered with the
Subject's knowledge and not obtained illegally or under false
pretences. Having obtained information for one purpose, e.g. to fulfil
a contract, you should obtain the Data Subject's informed consent
before using it for another, e.g. listing him as a satisfied customer
on a website or in a brochure, credit scoring, profiling, or direct
marketing by other companies.
- Obtained for specific and lawful purposes and not further processed
in a way incompatible with those purposes. "Processed" here includes
changing your contact list or combining it with other information. A
quick report showing which of your contacts work in which areas is
fine, but you must not use the Data in a way for which it was not
collected.
- Adequate, relevant and not excessive. Only store Data that you need;
do not keep other Personal or Sensitive Data. Do you really need to
collect postal addresses and fax numbers if you intend to deal with
everything by email?
- Accurate and kept up to date. Your contacts can demand that you
correct or remove inaccurate information about them. Consider asking
your contacts to verify their contact details once a year.
- Kept for no longer than necessary. The Act does not fix a period, so
what counts as a reasonable retention time can be hard to judge.
Decide on one for each class of record and stick to it; pruning old
and useless contacts is a useful exercise anyway.
- Processed in accordance with the rights of Data Subjects. Anyone on a
database has the right to see what you hold about him, to prevent
processing for direct marketing purposes, and to claim compensation in
certain cases of Data misuse.
- Protected by adequate security. You are required to take appropriate
technical and organisational measures against unauthorised or unlawful
processing and against accidental loss, destruction or damage. Letting
other people access your Data could land you in trouble, so as a
minimum use passwords, access controls and basic computer security,
and keep backups. Consider the position regarding outsourcing, payroll
processing and external delivery agents: anyone who processes Data on
your behalf is a Data Processor and must be bound by a written
contract to keep it secure and act only on your instructions.
- Only transferred to countries outside the European Economic Area if
adequate protection is available. The European Commission decides from
time to time which countries have such protection; Canada and
Switzerland are approved. The USA is not bound by the UK Act, but US
companies can sign up to the US Safe Harbor program, which the
Commission recognises. Alternatively, an EU company and a company in a
non-approved country can enter into a contract under which the
recipient is bound to observe adequate levels of protection. Personal
Data can also be transferred if the Data Subject consents.
Criminal offences
The following are criminal offences under the Act: processing Personal
Data without having notified the Information Commissioner; failing to
comply with an enforcement notice from the Commissioner; and obtaining
or disclosing Personal Data without the consent of the Data Controller,
or exceeding any authority the Data Controller has given.
MISCELLANEOUS ISSUES
Access
Devise a system for making sure that all records can be retrieved by
reference to the Data Subject's name, and for dealing with subject
access requests, i.e. requests by individuals for copies of their own
records (not anyone else's). Insist that requests are made in writing,
verify that the person asking is the Data Subject before you release
anything, and respond within the 40 days the Act allows; you may charge
the fee permitted by the Act.
Automated decisions
There is nothing wrong with a computer deciding whether or not to do
business with someone or what credit limit to give, but if a decision
that significantly affects the customer is based solely on automated
processing, he is entitled to be told this, to object, and to have the
decision reconsidered by a person. Build some human intervention into
the process.
Cookies
A cookie is a small file that your web site stores on a visitor's
computer so that his visits can be recognised and tracked, which lets
you target your marketing. The visitor can switch cookies off in his
browser or ask you not to track him, and your site should still work
when he does; it should also record his objection to direct marketing
so that no marketing material is sent to him, and he should be told in
your Privacy Policy what cookies you use and why.
© Michael Breeze November 2003
Call Michael Breeze on 07900 195 195 or 0845 270 2511 to set up an
appointment.