The Data Protection Act 1998 is an important piece of legislation for consumers and businesses alike, and governs how your personal information may be used when you provide a profit-making company with potentially sensitive details such as your name, date of birth and address.
However, it goes further than that, to include your communications with the relevant organisation, records of your past transactions, and so on.
Fundamentally, the Data Protection Act (DPA) calls for companies to keep confidential information private, and to erase any details they hold on file about you, once they are no longer directly needed in order to continue providing you with the appropriate service.
If you are dealing with clients, either as an individual or as part of a company, you should understand your obligations under the terms of the Data Protection Act, and make sure you comply with them on an ongoing basis.
Does the Data Protection Act affect your company?
The Information Commissioner’s Office provides some useful guidance about the DPA, who it affects and how to comply with its requirements.
If you’re not sure whether you are subject to the terms of the Act, then simply ask yourself whether you process personal data – either on a computer, or on paper – or whether you have information about your customers stored somewhere that you might want to process at a later date.
You should also know that ‘personal’ data specifically relates to records from which a person can be identified – this includes records that have been partially anonymised, if the person can still be identified using a separate index file or list.
What are my obligations?
Some organisations should notify the ICO if they are processing information, although there are exemptions to this, such as if the information is held only for public relations purposes.
You may be required to respond to requests from individuals who want to access the records you have on file relating to them.
Generally speaking, however, there are eight main principles of the Data Protection Act:
- Data should be processed lawfully.
- Personal data should be obtained for a specific purpose.
- Only the necessary personal data should be obtained.
- Personal data should be up-to-date and accurate.
- Personal data should not be kept longer than necessary.
- The rights of data subjects should be taken into account.
- Personal data should be protected against loss, damage and destruction.
- Personal data should not be transferred out of the European Economic Area, unless the destination country has similar protections in place.
Dealing with Data Loss
If you believe you have lost data – due to theft, equipment damage, or your own negligence – you should inform the appropriate organisations immediately.
You’ll need to work out any risks that might arise from the breach, and devise a plan to minimise any damage and recover from the data loss.
It’s likely that you’ll also need to update your policies to prevent a similar incident from happening in future.
The Data Protection Act can sound fairly ominous when you’re first setting up in business, but it’s really just a common-sense approach to protecting your customers’ information.
As long as you only collect the necessary information, and don’t hold on to it for longer than you need it, you’ve made a good start towards handling personal data in the appropriate way.