What is the Data Protection Act? The DPA (1998) is concerned with organisational and business use of personal information or data about living people where individuals can be identified through that data. It is concerned with the collection, use, abuse, disclosure and disposal of personal information.
Does it apply to my organisation or business? Probably yes. Any organisation that processes data in any way must comply with the DPA and most organisations and companies need to notify and register with the Information Commissioner. If you have no dealings with any personal information or data about customers, suppliers or employees then the DPA may not apply to you.
What sort of personal information is covered? Any data that helps you or anybody else identify an individual is included. Names and addresses, full postcodes, e-mail addresses, e-mails, photos, CCTV recordings, phone call recordings, NHS and National Insurance numbers and employee files are all examples of data covered by the DPA.
What is sensitive data? Sensitive data includes information about an individual's ethnicity and nationality, religious and political beliefs (including Trades Union membership), their physical and mental health, their sexual life and criminal record. You must have explicit consent to hold such data from the individual concerned.
What does data processing include? Almost anything you do with data is termed processing, including:
- collecting data on the phone, by e-mail, from an application form or through a website;
- using the data to fulfil a contract - buying or selling something or employing someone;
- passing the data to someone else or to another company or organisation;
- destroying the data by shredding or erasing it.
How should we collect data? You need to have a reason why you are collecting the data - normally a legitimate business need. Secondly, individuals need to know how you are going to use their personal data and be given the right to opt out of any particular use, e.g. for marketing or passing to other suppliers. Thirdly, you need to collect data lawfully, not through deception.
How should we use data? Use data only for the reasons given. Don't ask for and keep more data than you need and make reasonable effort to keep the data up-to-date. Only keep the data for as long as you need it and anonymise any long-term statistical data.
How about disclosing data? Individuals have the right to ask, in writing, what data you hold on them and have it corrected if it's wrong. You need to take care that data is only disclosed to the individual through security questions or written consent. You need to keep data secure so that it is not easily stolen - including careful and secure disposal of old paper and computer records.
What are the 8 Principles in the DPA? The 8 Principles are that personal information must:
- Be fairly and lawfully processed
- Be processed for limited purposes
- Be adequate, relevant and not excessive
- Be accurate and up-to-date
- Not be kept longer than is necessary
- Be processed in line with the data subject's rights
- Be secure
- Not be transferred to other countries without adequate protection
What about employee records? Employees have the right to request to see the personal information you hold on them, and you should have a policy and procedure for handling such requests - including a request form and how much notice you need. Recruitment files should be kept only as long as necessary and not used for any other purpose, e.g. for marketing.
How do we get more information? Check out the Information Commissioner's Office website at www.ico.org.uk
How do we train staff in Data Protection Act awareness?
3D HR offers interactive learning workshops which cover up to 16 staff in a 90 minute session.