The Data Protection Act governs the handling of information held by businesses and other organisations based in the UK about the people they come into contact with. Such people may be employees or their relatives, customers, enquirers or suppliers.
The information held by any one organisation could come from such areas as personnel, accounts, sales staff, the stock room, the IT department, the web site, email or any of a whole host of other areas.
The Act only relates to information about living people which is held in some type of organised system and which could be used to identify an individual person. An example would be a personnel record where name and address are stored; however, it applies equally to email, as a person's email address can be unique to them alone.
What does it do?
The Act prevents organisations from using the information they hold about people unlawfully or not in accordance with the wishes of the person whose information it is. The Act does not prevent a company from holding information; it is about being open about how that information will be used. It also provides individuals with redress should the information held be used inappropriately, be incorrect, or be used for direct marketing.
How is the Act applied?
The Act is applied in two ways:
- By registration with the Information Commissioner. This is a brief document which broadly states what use will be made of the personal information held.
- By compliance with the Act. This is more difficult to achieve and requires companies to know what information they hold, what they do with it, what procedures they have in place for managing it, how they secure it, and what systems are used to ensure it is correct.
Whose responsibility is it to register?
The responsibility for registration and compliance lies with the DATA CONTROLLER, the person responsible for the data. The data controller may be a company or an individual.
What are the penalties of non-registration or non-compliance?
Fines of up to £5000 per offence can be imposed on a company or individual. If the offence is tried in the Crown Court, the fines can be unlimited.
How do I protect my company against non-compliance?
- Ensure you are registered and that the registration is accurate
- Have clear systems and procedures for how personal information is to be used
- Provide clear information to individuals about what information is being held and why
- Use OPT IN systems for direct marketing; this is particularly important on the Internet
- Educate staff in the importance of the Data Protection Act and the organisation's systems and procedures
- Cleanse data regularly where appropriate
- Consider the contracts used in the organisation very carefully
- Monitor the procedures used by third parties who have access to personal information
You can find out more about the Data Protection Act from the Information Commissioner's website. The Information Commissioner recommends that you carry out an audit of the personal information you hold about people; you will then be in a position to make an informed decision about how you will manage the data you have gathered and what you need to do to ensure you are properly registered. I have provided a basic audit questionnaire that you can download from the website, which I have used at the start of consultancy work I have done with companies in the past. Remember that registration only costs £35 annually; you can register at the Information Commissioner's website.