The Data Protection Act and your business

The Data Protection Act and your business
How to avoid a £500,000 fine

If your business uses or holds databases, emails or spread sheets of customer information, then the Data Protection Act 1998 (DPA) will most likely apply, as this information will usually be used or 'processed' in some way.

The DPA is administered by the Information Commissioner's Office and holds all registrations that companies have made under the Act.

Fines of up to £500,000

If you fail to comply with the act then you could face heavy penalties. Failure to comply with the DPA could mean a fine of up to £5,000. Although in serious breaches of the Act, the ICO can impose a fine (with no recourse to the courts) of £500,000.

In essence the DPA compels your business to:

  • Only collect information that you need for a specific purpose.
  • Keep the information collected secure.
  • Ensure that the information your business holds is relevant and up to date.
  • The information held must only be what your business needs, and the information should only be held for the minimum time your business needs it.
  • Anyone that your business holds information about has the right to see this information at any time.

Note that the DPA applies to living individuals that you hold paper and/or electronic records about. Information can include their name, date of birth and address. But other information is also covered by the Act. A full definition can be found on the ICO website.

Basic registration is £35. Be aware that some bogus registration companies may try and charge more. Avoid these and register directly with the ICO.

Key DPA definitions

It is important that your business understands what 'personal data' means in the context of the DPA to allow your business to decide whether it needs to register. Under the DPA, personal data means information which:

  1. Is being processed by means of equipment operating automatically in response to instructions given for that purpose.
  2. Is recorded with the intention that it should be processed by means of such equipment.
  3. Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Sections one and two above make it clear that information that is held on computer, or is intended to be held on computer, is data. However data recorded on paper is also included under the act, if you intend to put it on computer at a later date.

There are a number of exemptions to the DPA that your business should be aware of. The Act does not apply to:

  • Organisations that process personal data only for a) staff administration (including payroll) b) advertising, marketing and public relations (in connection with their own business activity)
  • Accounts and records.
  • Some not-for-profit organisations.
  • Organisations that process personal data only for maintaining a public register.
  • Organisations that do not process personal information on computer.

Actions to take

Much of the DPA is commonsense, but your business should ensure that it fully understands the key requirements of the Act and puts in place systems to ensure its demands are met both online and offline – the DPA has multiple rules on the physical and secure protection of data, both on the business premises and when data is sent out of the business.

The ICO has a training checklist that includes the following advice about keeping personal data secure that your staff should follow:

  • Keep passwords secure – change regularly, no sharing.
  • Lock / log off computers when away from their desks.
  • Dispose of confidential paper waste securely by shredding.
  • Prevent virus attacks by taking care when opening emails and attachments or visiting new websites.
  • Work on a 'clear desk' basis - by securely storing hard copy personal information when it is not being used.
  • Visitors' should be signed in and out of the premises, or accompanied in areas normally restricted to staff.
  • Positioning computer screens away from windows to prevent accidental disclosures of personal information.
  • Encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen.
  • Keep back-ups of information.

The DPA is not designed to impose masses of restrictions on your business, but to ensure that any personal information your business does hold about your customers is properly managed and is secure. It is important that your business registers as soon as it can if the DPA applies.

In addition, the ICO's website contains all the information you need to help your business decide whether registration is needed including full definitions of what data the Act covers.

You can also contact the ICO directly on 0303 123 1113 or 01625 545745, which is available between 9am and 5pm, Monday to Friday.