Act on data protection

The 1998 Data Protection Act, which became law earlier this year, is probably the most widespread piece of IT legislation ever. Organisations that ignore it do so at their peril.

For any business moving more of its functions online the implications are profound.

In February this year, research by data specialist GB Information Management showed that nine out of 10 companies did not know that the Act would come into force on 1 March 2000.

Yet this is an Act that will completely transform the way that personal data is stored in the future – and the way most firms operate. Any ‘new processing’ done after 1 March is covered by the Act. That means that any post-February idea for a dot.com, any e-commerce venture undertaken by an existing company and any new ventures all have to be compliant today. Existing processes have a little more time: until 24 October, 2001 for electronic records, and until the same date in 2007 for paper records. But that still gives anyone holding data just over 12 months to rewrite their applications.

The eight principles of the Act form a watertight regime. Here are the points you have to remember, and some problems you may encounter:

1) Personal data must be processed fairly and lawfully

The data subject – the person whose data is being collected – has to know who the data controller is, and why the data is being collected.

Problem: Do the people on your database know exactly for what purpose their data has been collected? They must be informed, and must give their consent, before their details are used.

2) Personal data can be obtained only for specified purposes

You have to specify one or more purposes for which the data is collected.

Problem: Do your databases prevent other employees from ‘dipping in’ to that data for purposes it was not collected for? If not, you are in breach of the Act.

3) Personal data should be adequate and relevant and not excessive

This was in the 1984 Act, but applied only to electronic records. Now it covers paper records too. Many websites may be in breach if they insist on an excessive registration page.

Problem: Does your contact data have ‘comments’ fields, with subjective comments about the data subject? If this is the case, then you are breaking the law.

4) Personal data must be accurate and up-to-date

If it isn’t accurate, you not only have to put it right, you may also have to pay a fine. In a survey carried out by GB Information Management, eight per cent of companies admitted that they have never checked the accuracy of customer information, so this could be a big sticking point.

Problem: This principle applies whether or not your company collected the data; you are equally liable for data received from trading partners.

5) Information should not be kept for longer than is necessary

Part of the 1984 Act, but it now applies to all companies and all forms of records.

Problem: If you accept records from a trading partner for a specific marketing purpose, will that data be purged afterwards?

6) Data must be processed in accordance with the rights of the subjects

If individuals want to see all of the data you hold on them, they have a right to see it, in a user-friendly format, within 40 days. The law also applies to CCTV images.

Problem: Can you perform the necessary search, and produce a coherent document?

7) Appropriate technological measures must be taken

Information not only has to be kept safe from hackers, it must also be secured from other employees who don’t have rights to it.

Problem: You are also responsible for the security of data when it is in the hands of third parties. Are your partners secure too?

8) Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection

Problem: Do you know what happens to the data collected from your web page? Personal data cannot be exported without the subject’s consent, or without first making certain that an equivalent data protection regime is in place. This has relevance for all subsidiaries of US organisations; data cannot be transferred for processing to the US, where there are no data processing or privacy laws.

  • Based on Computing magazine guide to the Data Protection Act.
