Business and Law Advocates

Complete Guide in Business and Law Advocates

  • The Data Protection Act 1998 applies to any businesses that deal with people’s personal details; it gives you guidance on how you are allowed to make use of this information, which includes everything from bank details to names and addresses.

    There are eight principles outlined in the Act that define good handling of personal information for businesses.  This includes processing it for limited purposes, lawfully and fairly, keeping it up to date and accurate and not for longer than is necessary.  In order to comply with this last principle you may need to look into shredding services.  Some companies may also need to tell the Information Commissioner’s Office what they are using personal information for.

    Processing is defined very broadly and covers almost anything performed on a computer, including recording, holding and analysing a person’s personal information.

    There are six conditions in the Act and in order to use personal information it must meet at least one of these.  The conditions are not hard to meet and include having the consent of the individual whose information you wish to use.

    Within these six there is a further, narrower set of conditions that apply to the use of sensitive personal information.  This is classified as religious beliefs, ethnic or racial origin, sexual orientation, any mental health or physical conditions, and offences committed.  To use this kind of information, you must show that there is an essential need for your business to do so by meeting one of the original conditions and one of the narrower conditions.

    One of the eight principles of the Data Protection Act is the fair and lawful use of personal information, and like most of the principles, this mainly requires common sense.  It means you should tell people when obtaining their details what they will be used for, the name of your company and if you need any further information in order to ensure the fair use of their personal information.

    People should also be informed that it is their right to access the information you hold on them and to have it corrected if it is inaccurate.  Any and all ways you may use their details must be made clear, as they may not realise some of the uses it will be put to, for example passing it on to other organisations or filing it with credit reference agencies.

    Once an individual has agreed to how you will use their information, you must not then use it for something they would not expect.  An example of this would be passing their details on to a third party for direct marketing when you told them it would only be your organisation using their information for this purpose.  The only exception to this would be if information was requested on someone by the police.

    When it comes to your existing customers, if they have expressly opted out of receiving any further information from your company then you must respect this.  However, for customers who have not opted out, it is acceptable to send them marketing material in the future if it is relevant.  For example, if you run a travel company, it is acceptable to send someone a travel brochure with holidays similar to one they booked through your company the previous year.

    The Data Protection Act also gives rights to individuals whose personal information is being used.  These include the right to access information held on them, the right to stop direct marketing at any time through written request, the right to have any misleading or incorrect information corrected, and the right to prevent important decisions being made about them using automation.  This means any decision made purely by a computer, such as an automated recruitment decision.

    It may be necessary for staff in your company dealing with personal information, such as those in marketing or database management, to have training on the rules of the Data Protection Act 1998.  They need to be able to recognise an official subject access request, or SAR as it is sometimes known, and know how to deal with it.  This is a request sent by an individual who wishes to obtain access to the personal information you hold on them.

    They also need to be able to deal with situations such as a third-party request for details on a particular individual, for example someone claiming to be their lawyer or a relative, and to understand the importance of data privacy.  This means that those who are entrusted with carrying personal information around on a laptop or USB drive need to understand how damaging it would be if this information were lost or stolen.

    The Act does not just cover information you hold on customers but also on employees or potential employees.  When your company is recruiting, it is inevitable that personal information on individuals applying for positions will be obtained, but certain rules should still be followed.  You should only ask for as much information as you need and only ask about criminal convictions if it is somehow relevant to the job type.  If you perform a criminal records check, then the result should only be recorded as either satisfactory or unsatisfactory; no detailed information should be retained.

    Any information you gain on an individual through recruitment should only be kept as long as you have a need for it.  Therefore, if that person is not employed by your company then the information should be destroyed.  One way to do this is through the shredding services from Iron Mountain.

    This also applies to information you hold on employees.  When individuals are in your employment, their records must be kept secure and only accessed by trained and authorised staff.  Sensitive information such as sickness records should be stored separately and staff should periodically be allowed to update information they find to be out of date or incorrect.  Iron Mountain shredding services can help you to ensure you comply with the Data Protection Act by safely disposing of employee records when there is no longer a need for them.
