The DPA consists of eight principles which represent guidelines for best practice in handling personal data:
1. Personal data must be processed fairly and lawfully
Tell people for which purposes the data is being collected, and if applicable, that the data may be sent outside of the EEA (European Economic Area). The most common bases for processing personal data are to enter into a contract (for example contract of sale) or if you have the individual’s consent. Recorded telephone messages are useful tools for enabling these types of message, and can be optional (for example, press 1 to hear the DP message). Notices should be prominent where CCTV is used as these images are covered by the Act and would be in scope for data subject access requests if the images are not overwritten within 40 days.
2. Notify the Information Commissioner (via the online process) that you are processing personal data and for which purposes (there is a notification charge).
Personal data shall only be used in accordance with the purposes for which it was collected
Ensure data collected for one purpose is not then used for a different purpose. This can be covered off by including all likely purposes in the DP fair processing message. The purposes for collecting the data must be reasonable (and obviously, lawful).
3. Personal data must be adequate, relevant and not excessive
Do not collect data just in case it might be useful.
4. Personal data must be accurate and where necessary kept up to date
Allow individuals the ability to update their data or to have it updated. This includes marketing communications. It is common practice nowadays for organisations to provide an opt-in approach to marketing (‘tick here if you wish to be contacted for marketing purposes’), and to enable the updating of personal data online.
5. Personal data must be kept for no longer than is necessary
Develop a retention policy for personal data and ensure it is enforced.
6. Personal data must be processed in accordance with the rights of data subjects
Ensure any requests from individuals for a copy of their data are responded to promptly and the data is provided within 40 days. Establish whether or not you require a fee (maximum £10) to be paid – and how it should be paid. Provide opt-in tick boxes for marketing communications and ensure this is accurately captured in systems. Many complaints rightly arise from people receiving marketing emails or calls when they have not requested them.
7. Appropriate technical and organisational measures must be established to protect the data
To protect systems from hackers, set up firewalls at your network perimeter, store the data itself securely with only specific authorised individuals having access. Consider data encryption. Develop an organisational policy for handling personal data (and other sensitive or confidential data) and set up a staff training programme accordingly. Consider additional protection when emailing personal data over the internet, as email is inherently insecure.
8. Personal data must not be transferred outside the EEA unless adequate provisions are in place for its protection
If a requirement exists to send or transfer data outside the EEA, consider the following:
- Does the receiving state have an adequate privacy legislation equivalent to that of the EU?
- Is it necessary to send the data as part of the fulfilment of a contract?
- Has the data subject consented? (Does the fair processing notice include a statement to the effect that it may be transferred outside the EEA?)
- Is the data being processed outside of the EEA by another office of the same firm which is established within the EEA? (such as a branch of a UK firm in the US which needs to view orders).
- Is there a contract in place between the data controller and the receiving organisation providing for adequate protection of personal data? (such as if a UK organisation uses a third party in India for managing its HR records).
- If personal data is processed for the prevention and detection of crime, a fair processing notice does not have to be provided. Disclosure of personal data to law enforcement agencies is generally acceptable as long as a formal procedure is established to ensure the request is ‘reasonable’ and the response satisfactory and not excessive.
- Journalistic exemption. There are certain exemptions relating to the processing of personal data in the media (photographs in newspapers, TV images etc).
- Legal proceedings.
- Vital interests of the data subject.
These principles have to be applied by all organisations regardless of whether they are registered. However, in certain circumstances you may be required to register with the Information Commissioner. Registration costs £35 for organisations turning over up to £25.9m, and £500 for companies exceed this turnover and with more than 249 employees. Beware of bogus ‘agencies’ who offer registration in exchange for a higher fee than this.
- Personal data – information relating to a living individual.
- Data subject – the person about whom the data relates.
- Data subject access request – the right of an individual to request a copy of their data under a formal process and payment of a fee.
- Data controller – an organisation or body which uses personal data.
- Processing of personal data – storage, transfer, viewing, access, analysis of personal data.
- Notification – a formal process of notifying the Information Commissioner’s Office by an organisation of the use of personal data.
- Sensitive personal data – data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal record.
- Digital or electronic data (including CCTV images).
- Data in manual filing systems (paper-based systems), if it is considered to be a structured filing system.
A relevant filing system is defined as “a manual file that is well indexed with marked tabs so a particular document within the file is very easy to find”.
Legal constraints on employee monitoring
The Data Protection Act also covers employee monitoring. Besides perceived ethical constraints, there are legal constraints which require that employee monitoring must be:
- Proportionate to the objective. For example, preventing online timewasting probably does not require that every employee be kept under permanent video surveillance.
- Carefully considered. For example, it needs to tally with employee policies and be planned and implemented with care.
- Clearly communicated to staff before it begins. This is typically done using employment policies.
The Regulation of Investigatory Powers Act covers the interception of communications on private networks, such as monitoring internet and email. Covert surveillance is very rarely legal. The act underlines the importance of prior communication. We recommend that you seek advice from a lawyer if considering any of these measures.
Consequences of non-compliance
The Information Commissioner has legal powers to take action against organisations that breach the principles of the Data Protection Act. Individuals who believe their personal data has been misused can initially complain to the organisation but may also take legal proceedings and complain to the Information Commissioner, who will then instigate an investigation and decide whether the organisation has taken sufficient measures to protect personal data.
Actions that can be taken by the Information Commissioner include the following:
- Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period.
- Issue undertakings committing an organisation to a particular course of action in order to improve its compliance.
- Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
- Conduct consensual assessments (audits) to check organisations are complying;
- Serve assessment notices to conduct compulsory audits to assess whether organisations processing of personal data follows good practice (data protection only).
- Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011.
- Prosecute those who commit criminal offences under the Act.
- Report to Parliament on data protection issues of concern.
www.ico.org.uk – Information Commissioner’s website, including advice and guidance on Data Protection, Privacy and Electronic Communication and Freedom of Information*
(*applies to public authorities)