Data protection

(28 April 2005 11:45)

All businesses process personal data. This includes personal data on their directors, employees, business partners, suppliers and customers. The Data Protection Act 1998 regulates the processing of such personal data. It covers both personal data found in computer systems and certain manual records.

What is personal data?

Personal data is information that relates to a living individual and from which that individual can be identified. It includes names, addresses, e-mail addresses, voice recordings, photographs and moving images captured on video.

What amounts to processing?

Processing includes obtaining, recording or holding data or carrying out any operation or set of operations including organisation, adaptation, alteration, disclosure, retrieval, conservation, use and destruction.

What does the act require you to do?

Make sure you have filed proper and adequate notification to the Information Commissioner unless you are exempted. You can check if you are exempted by working through a series of self-assessment questions available here. If you have already notified the commissioner, you may wish to check your notification to make sure that it is adequate.

You must process personal data fairly and lawfully by informing each individual of the purpose for which his or her personal data will be used, and by obtaining his or her consent for such use.

Give me some examples of when I need consent…

  • Employees' personal data - you will need to advise your employees that their personal data will be used to fulfil the employment contract, to monitor sickness and performance, to administer and plan your business and to disclose it to specified third parties, if necessary.
  • Customers' personal data - you will need consents from your customers to use their personal data to carry out your obligations under your contracts with them. For example, you may need to send their personal data to sub-contractors for delivery of goods to your customers. You will also need explicit consents if you intend to send marketing materials about other products to them.

How do I get consent?

Employees - your employees' consents can be obtained by setting out the granting of the relevant consents either in the employment contract or policies that form part of the employment contract. Your employees' attention must be drawn to such provisions.

Customers - your customers' consents can be obtained by incorporating the granting of the relevant consents into the terms of sale and purchase, or setting them out clearly on order forms.

What about disclosing personal data to third parties?

Make sure that you have proper and adequate agreements with third parties to whom you are disclosing the personal data or on whom you are relying for the supply of personal data. Make sure that they have given the relevant undertakings that they themselves are complying with the act.

What is classed as "sensitive data"?

Certain personal data is classified as sensitive data under the act. This includes data as to an individual's racial or ethnic origin, political opinions, religious beliefs and sexual preference. You must be extra careful when processing sensitive data.

What guidelines should I be following?

  • Collect and process personal data in a manner compatible with those purposes for which the data was obtained.
  • Use personal data only for the purposes notified to the Information Commissioner and for which they were first obtained. For example, consent obtained to use personal data for sending your own marketing materials does not mean you can disclose such data to third party business partners to enable them to send their own marketing materials.
  • Personal data must be adequate, relevant and not excessive.
    You must keep the minimum amount of information about an individual necessary for the processing. Review the details that are required in order forms or employment contracts.
  • Personal data must be accurate and be kept up to date.
    Accurate means being correct and not misleading as to any matter of fact. Impose an obligation on your employees and customers to notify you in writing of any changes in relation to any personal data that they provide in the employment contracts or order forms.
  • Do not keep personal data for longer than necessary.
    Set a standard "life" for all records and lay down procedures for reviewing and deleting them. For example, an employee's records can be deleted after a certain period after he or she has left employment. Get feedback from relevant departments as to the purposes and the time periods for which such records must be kept. Also, consider which types of personal data can be deleted after a certain period even though the general records must be kept.

What about security?

You must take appropriate technical and organisational steps to prevent unauthorised or unlawful processing of personal data and to prevent accidental loss or damage. This includes reviewing the reliability of the computer system on which the data is kept. Make sure that the appropriate electronic barriers are installed and only relevant employees are given passwords.

Can I send personal data overseas?

You must not transfer personal data to a country outside the European Economic Area (EEA) unless that country has an adequate level of protection for processing personal data or unless you get consent from the individual to whom the data relates. The EEA consists of the 15 members of the European Union together with Iceland, Liechtenstein and Norway. The Channel Islands and the Isle of Man are not part of the EEA.

Can people demand to see their records?

You have to inform individuals that they have the right:

  • to ask for and be supplied with a description of their data
  • to a description of the purposes for which it is being processed
  • to a description of any potential recipient of their data
  • to any information as to the source of their data
  • to copies of the data held about them.

Once a request for access to a file has been made, destroying documents in that file will contravene the Data Protection Act.

However, you are only required to provide such information in response to a request made in writing, accompanied by an administration fee of no more than £10 and by such information as you may reasonably require both to satisfy yourself as to the identity of the individual making the request and to locate the information requested. You have to respond in writing within 40 days.

Are there any special rules covering credit checks?

You must comply with certain obligations under the act if you make a decision that significantly affects an individual, and that decision is made solely by automated means. For example, where customers want to book a function and before accepting you use a computer to credit-score them, you will have to comply with the law. This says that you must notify the individual as soon as is reasonably practicable that the decision was taken on that basis. The individual then has 21 days to serve written notice requesting either that the decision is reconsidered, or that a new decision is taken, not based solely on automated processing. You then have 21 days to write to the individual specifying what steps you intend to take to comply with the request.

What if you do not comply with the Data Protection Act?

You may face both civil liability and criminal offences punishable with fines. There is no maximum limit for some offences. Under certain circumstances, your director, manager, company secretary or other similar officer may be personally liable.

by Jonathan Lane
Jonathan Lane is an IT and Ecommerce solicitor in the Leeds office of lawyers Eversheds.

Source: CatererSearch

11th October 2008