The issue of data protection is one that often has many businesses and organisations spinning with concern. Whilst it is true that the law places certain requirements and with upcoming changes potentially large fines for breaches, it is however an area of regulation which is fairly straightforward and with good policies, practices and planning, the potential for risk can be managed.
What is Data?
The law in the UK is determined by the Data Protection Act 1998 which in turn implemented the 1995 EU Data Protection Directive. The first begging question is what is data? Personal data is defined as any data that relates to a living individual which could lead to that individual being identified. The medium on which that data is stored could be anything, for example; a piece of paper, a computer file, anything online, images, audio recordings, to name but a few. The key is if the information relates to a living individual who could be identified through it, then it is data. Storage and processing of such data needs to adhere to the 8 principles contained in the Act. I will provide them for you below, and if you process such data you will need to ensure that the information is:
- used fairly and lawfully,
- used for limited, specifically stated purposes,
- used in a way that is adequate, relevant and not excessive,
- kept for no longer than is absolutely necessary,
- handled according to people’s data protection rights,
- kept safe and secure,
- not transferred outside the European Economic Area without adequate protection.
Furthermore there are added protections if the data is classed as sensitive data. Sensitive data is data which directly or indirectly identifies an individual’s:
- ethnic background,
- political opinions,
- religious beliefs,
- sexual health,
- criminal records.
So if you do process such data there are a number of things you can do to make sure you remain on the right side of the law. They include formulating and reviewing internal policies and practices and making sure they are followed within your organisation. You should also register as a Data Controller with the Information Commissioner’s Office (ICO). This is an online application which will take no more than 30 minutes and costs £35 per each application. Registration lasts 12 months and should be renewed each year.
If you wish to discuss how we can help you in relation to data protection please do not hesitate to contact us. Written by Bruno Rodrigues. You can contact us using the Contact form on this website or using the information available on this site.