If your organisation handles personal information about living people, for example customers, suppliers and members of staff, then you have legal obligations to protect that information under the Data Protection Act 1998.
The Data Protection Act implements European legislation that is currently under review in response to developing technologies.
Most organisations process personal information so it's likely that yours must also comply with the Act.
Our Back to Business Basics briefing looks at the current data protection rules and examines what's coming up on the legislative agenda.
What is data protection?
Data Protection concerns the organisation's guardianship of an individual's personal information in an age when information is valuable and technology easy to use. From an e-business perspective, the collection of personal information allows organisations to market and sell their products and services to a targeted audience. Understanding customer buying habits puts them right at the heart of the business strategy and can help promote competitive advantage.
But, as more organisations are using online technologies to process personal information, concerns are growing that there are not enough controls and safeguards in place to protect personal information.
This is one reason why Parliament has recently increased the powers of the Information Commissioner (ICO), the UK's data protection regulator, to impose fines of up to £0.5 million.
Data Protection Act
UK data protection laws are based upon the Data Protection Act 1998 which transposes the EU's Directive 95/46/EC on the protection of individuals with regard to processing of personal data and the free movement of such data.
The law balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the individual’s right to respect for the privacy of their personal details. The Act grants living individuals the rights to access their data, to prevent the data being processed under certain circumstances and to ‘opt out’ of having their data used for direct marketing, and it establishes eight straightforward, common-sense Data Protection Principles for organisations to follow.
The legislation itself is complex and, in places, hard to understand. However, by handling personal data in line with the spirit of the principles, the business will go a long way towards ensuring a good level of compliance.
The 8 data protection principles
1. Personal data shall be processed fairly and lawfully.
Have legitimate grounds for collecting and using the personal data; do not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their data; handle people’s data only in ways they would reasonably expect; and make sure nothing is done unlawfully with the data.
2. Personal data shall be obtained only for one or more specified and lawful purposes.
Be open about the reasons for obtaining personal data, and that what is done with the information is in line with the reasonable expectations of the individuals concerned.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Identify the minimum amount of personal data needed to fulfil the purpose. Do not hold more than that minimum.
4. Personal data shall be accurate and, where necessary, kept up to date.
The law recognises that it may not be practical to double-check the accuracy of every item of personal data received, but reasonable steps should be taken to ensure that it is. Identify the data’s source.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Review the length of time personal data is kept; consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
A person has the right: of access to a copy of the information comprised in their personal data; to object to processing that is likely to cause or is causing damage or distress; to prevent processing for direct marketing; to object to decisions being taken by automated means; in certain circumstances to have inaccurate data rectified, blocked, erased or destroyed; and to claim compensation for damages caused by a breach of the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Design and organise security to fit the nature of the personal data held and the harm that may result from a security breach; be clear about who in the organisation is responsible for ensuring information security; make sure the correct physical and technical security is deployed, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Make sure that the data protection law in any country to which you are transferring personal data provides the same level of protection as the countries in the European Union. In the absence of such laws you will need to put a contract in place that ensures that organisations in recipient countries will guard personal data to EU standards. Remember that the US is a non-compliant country too and that a contract must be put in place if the company based in the US has not signed up to the US-EU Safe Harbor Agreement.
Principle Eight is designed to protect personal data being sent to countries with inadequate data protection regimes. Developments in cloud computing technologies are making it difficult to know where in the world personal data is being held - in direct conflict with Principle 8. This situation has prompted the regulator to introduce a new code for keeping personal information online.
Here are some data protection tips to help organisations get started…
1. Get director buy-in. The business is a data controller and owners will be liable for non-compliance;
2. Deploy a governance model that captures all parts of the business. That way, implementation is top-down rather than bottom-up, and focuses on the overall business strategy rather than single compliance issues;
3. Notify the Information Commissioner immediately that the organisation is processing personal data at www.ico.gov.uk. Keep the notification details up-to-date;
4. Write a comprehensive data protection policy that identifies relevant data assets, business processes, stakeholders and technologies used, e.g. cookies on websites. Make sure that the policy is reviewed regularly and staff receive ongoing training;
5. The sending of unsolicited electronic marketing messages by telephone, fax, email and text is strictly regulated by The Privacy and Electronic Communications Regulations. Unsolicited marketing material by electronic mail (this includes texts, picture messages and emails) should only be sent if the person has chosen to receive it (by opt-in), unless the email address was obtained as a result of a commercial relationship. The individual should always be given the opportunity to stop receiving the emails;
6. Cookies on websites must only be used if you have obtained the consent of the website user beforehand. There are some exceptions to the rule which are discussed in our Cookies Regulation briefing.
Proposed data protection law
The European Commission (DG Justice) is expected to publish a new EU Data Protection law at the end of January 2012. The review is Action 12 of the Digital Agenda aimed at enhancing individuals' confidence and strengthening their rights.
What is the problem? Data protection rules vary and are difficult to understand
EU citizens have the right to the protection of their personal data and to their privacy in the online world. However, these rights are encoded in many different laws and are not always easy to grasp, while national approaches to data protection rules can vary widely across the EU.
Why is EU action needed? Lack of trust means less online business
This lack of clarity in online privacy rules triggers a lack of trust among consumers, which slows down the growth of Europe's online economy. Worries about payment security, privacy concerns and trust were some of the top reasons for not making online purchases in a survey of people who did not shop online in 2009. Recent surveys and independent studies confirm that privacy concerns continue to grow among the public.
What will the Commission do?
The European Commission (DG JUSTICE in lead) will review EU data protection rules with the aim of modernising all relevant legal instruments to enhance the trust and confidence of European consumers. Speculation is rife that Commissioner Viviane Reding favours a regulation over another directive because it allows for more flexibility. Given how quickly technology and the way it is used are changing, a regulation may be the preferred instrument because it applies directly in UK law almost instantly, whereas a directive can typically take up to three years to transpose into national law.
Updated 10th June 2013