An enormous amount of data is generated every day, and the Data Protection Act 1998 (DPA) governs how some types of data are used and stored.
What is the Data Protection Act 1998?
The DPA governs the use of personal data by businesses, institutions and/or the government. The legislation sets out various rights for both the Data Subject (you) and the Data Controller (business or institution), and strict rules to be followed with regard to data. These are known as the Data Protection Principles.
When does the DPA apply?
If you store or use personal information, then you and your business will be subject to the DPA. By collecting data you will become a Data Controller and, therefore, the legislation will dictate not only how you use data, but also how you store it. As a business you'll collect data not only about your clients, but also your employees.
You can only retain certain data about your staff – this is dictated under the DPA and includes the following employee details:
- Name, address, date of birth, sex and emergency contact details
- Details of any known disability
- Education and qualifications and work experience
- National Insurance number and tax code
An employer may also retain details about an employee such as:
- Employment history with the organisation
- Employment terms and conditions
- Any accidents connected with work, training and disciplinary action
With regard to customers you can store their information too, from their name and contact details to their previous product orders.
CCTV recordings made on your premises are also personal data, and need to be monitored and stored correctly.
How does the DPA apply?
When you store data you must ensure that the data is secure, accurate and up to date. The onus is on the Data Controller to maintain the data and to ensure its safety. You must also inform the Data Subject who you are and the purpose for which the data is held. They also have the right to view the information and to have it corrected if it's wrong.
As a Data Controller, you're under a legal obligation to inform the Information Control Officer how your business is utilizing personal data. This can be completed via the online portal – a fee will be payable. Register on the Information Control Officer's website.
Responding to a Data Access Request
The DPA also instils a duty to respond to a Data Access Request promptly and accurately. Under the DPA, anyone has the right to ask whether an organisation holds data about them. Upon receipt of this request, as the Data Controller, you have 40 days to reply to the requester. When a request is made, you're entitled to charge a fee of £10. The requester has a right to ask you the following:
- What information is being used
- Why it's being used
- Where it came from
- Who can see the information
When responding, you must provide hard copies of the information you hold (this can be a photocopy). However, if you receive the request by email, you can, with the agreement of the requester, provide the documentation by email.
It's also vital to ensure that the information you're providing is solely about the requester and is disclosable.
Refusing the request
There are situations, such as the investigation of a crime, the assessment of tax or a matter of national security, where you can refuse to provide the information. If such a situation arises, you don't have to tell the requester why you're refusing to reveal the information.
Business owners have various obligations with regard to storing data under the DPA 1998. It's wise to have a Data Protection Policy in place, setting out how you'll store data and reply to data requests. This will clearly inform staff and clients of your data use and help ensure you are complying with the DPA.