Get Safe Online


Comply with the Data Protection Act

Make sure that you are legally compliant

One of the main differences between businesses and home users is the legal framework in which they operate and in particular the rules surrounding the protection of employees’ and other people’s privacy and personal data.

Obligations under the Data Protection Act

The Data Protection Act protects the privacy and integrity of data held on individuals by businesses and other organisations and ensures that individuals have access to their data and can correct it, if necessary. It seeks to apply eight principles of data protection, namely that data is:

  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant and not excessive.
  • Accurate.
  • Not kept for longer than is necessary.
  • Processed in line with individuals' rights.
  • Secure.
  • Not transferred to other countries without adequate protection.

These are good principles and have to be applied by all businesses, regardless of whether they are registered. However, in certain circumstances you may be required to register with the Information Commissioner. Registration costs £35. Be wary of any so-called “agency” that tries to make you register and pay more than this.

You may need to review your policies, practices and procedures if you store personal information on clients, employees or other individuals. You may also need to review the terms and conditions that apply to your website.

Find out if you need to register

The Information Commissioner has a checklist for smaller businesses. Click on “Small Business Guidance.”

There is also an online tool to help find out if you need to register.

You can also find more information on the Business Link website.

Alternatively call the registration hotline on 01625 545740.

Should you monitor your employees' internet use?

Businesses are at risk from their employees' misuse of the internet. Besides the risk of cyber-slacking, problems include:

  • Employees inadvertently defaming someone or another business by email.
  • Employees creating a hostile working environment by downloading or sharing offensive material.
  • Being held responsible for your employees' software piracy.
  • Damage to your company's reputation that might be caused by employee misbehaviour.

You need to have clear employee policies but you may also need to monitor your employees' use of the internet.

Methods of employee monitoring

Monitoring technology is widely available and includes:

  • Software auditing tools to scan for pirated programs.
  • Blocking or tracking individuals’ access to certain websites.
  • Automatically filtering email to prevent people sending confidential or embarrassing material to outsiders.
  • Scanning hard disks for illicit material.
  • Keeping email logs and archives so that old emails can be examined.

Regardless of whether these tools are used, companies need sensible and comprehensive policies regarding employees’ use of the internet.

Legal constraints on employee monitoring

Besides ethical constraints – you may feel uncomfortable playing secret agent – there are legal constraints on employee monitoring.

First, the Data Protection Act requires that employee monitoring must be:

  • Proportionate to the objective. For example, preventing cyberslacking probably doesn’t require that every employee be kept under permanent video surveillance.
  • Carefully considered. For example, it needs to tally with employee policies and be planned and implemented with care.
  • Clearly communicated to staff before it begins. This is typically done using employment policies.

Second, the Regulation of Investigatory Powers Act covers the interception of communications on private networks, such as monitoring internet and email. Covert surveillance is very rarely legal. The act underlines the importance of prior communication.

In any case, advice from a lawyer is a good idea.

More information

  • See Business Link. Click IT & e-commerce in the left-hand menu, then click on Data protection, privacy & security.
  • Microsoft's bCentral business website.