20 FAQs people ask about data protection.
- Do we need to bother about the data protection legislation? What impact could it have on us?
- What does registering ('notifying') involve?
- What are the penalties likely to be, if we haven't notified when we should have done?
- How do the authorities decide who gets 'assessed'?
- We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
- Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
- Some of our customer records are still held in paper form. Are they covered by the Data Protection Act?
- Do we really have to get our customers to agree that we can send them marketing information?
- Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
- What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
- If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
- If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
- Is there any problem over us monitoring our employees' use of office phones, internet access or email system?
- Do we have to provide employees (or customers) with copies of the information we hold on them?
- Do we have to provide former employees with copies of the references that we have given about them to third parties?
- We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
- We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
- Do we need to tell customers if we operate a CCTV system?
- We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
- What sort of penalties might we suffer for breaching the Data Protection Act?
1. Do we need to bother about the data protection legislation? What impact could it have on us?
Broadly speaking, the Data Protection Act 1998 is designed to prevent individuals and organisations from 'processing' information about any living individual who can be identified from that information, unless:
- they have a legally acceptable reason (or reasons) for doing so; and
- they can prove that they treat the information properly.
'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it. The individuals to whom the information relates may be people (for instance, customers, or suppliers, or employees) with whom you have dealings now, with whom you hope to have dealings in the future, or with whom you have had dealings in the past. Most businesses cannot function without taking account of the Act's provisions: even defunct businesses might still be 'processing' (for example, holding) information. However, you are unlikely to fall foul of the Act unless:
- You hold information unlawfully - ie without a good reason. The more sensitive the information is, the better the reason you will need. Information held for 'standard business purposes' (staff administration, advertising, marketing and PR, and accounts and records) is usually exempt, though you will still need to comply with the principles of data protection (that information must be held lawfully and processed fairly; that it must not be collected for one purpose and then used for another; that it must not be excessive, inaccurate etc - see below). Anything relating to anyone's race, politics, religion, trade union membership, physical or mental health, sexual activities, or the commission of offences is high risk, and can only be justified if you hold it for one of a list of specified reasons.
- You process information unfairly - for example, without letting the individual know that you have it and what you are going to do with it.
- You collect information for one purpose, and then use it for another.
- You collect too much information - if you are trying to sell people egg-timers, you do not need to know their shoe size.
- You fail to ensure that information is accurate and up-to-date.
- You hold on to information for longer than you need it.
- You fail to let individuals know what you have on them when they ask to see it (unless one of the statutory exemptions applies).
- You fail to keep information secure.
- You send information outside Europe for processing, except to a limited list of countries with adequate data protection laws of their own.
2. What does registering ('notifying') involve?
Most businesses are legally obliged by the Data Protection Act 1998 to notify the Office of the Information Commissioner (ICO) of what information they are collecting, and for what purpose. The information you supply to the ICO when submitting a notification application goes onto a public register, to which anyone can have access. Notification currently costs £35, and has to be renewed every year. If you do not know whether you should notify, you can contact the Information Commissioner's Office or seek legal advice.
3. What are the penalties likely to be, if we haven't notified when we should have done?
It is a criminal offence for a business not to have notified when it should have done, and if the business is a company, its directors may also be committing an offence. If the Information Commissioner suspects you of failing to notify when you should have done, you may find yourselves on the wrong end of an investigation (known as an 'assessment'). This will tie up management time and resources. If the assessment indicates that you are in the wrong, you will probably be subject to enforcement action, under which you will be required to get your information organised in compliance with the Data Protection Act 1998 within a given time frame, and to notify the Information Commissioner of your data processing activities. This will tie up more time and resources. Failure to comply with an enforcement action could result in a criminal conviction, a fine, and possibly an action for damages being brought against you.
4. How do the authorities decide who gets 'assessed'?
Although the Information Commissioner's Office can conduct investigations of its own accord, it most frequently carries out assessments when it has been tipped off by someone - a customer, a supplier, a past or present employee, or even a business rival - asking for an assessment. They might, for example, be able to ask for an assessment because:
- they have not been able to find you on the Register, which suggests that you may not have notified
- they were not satisfied with your response when they exercised their right to ask for the information you hold about them
Businesses can also voluntarily disclose breaches of the Data Protection Act, for example where there is a data loss as a result of the loss or theft of a device containing information on identifiable individuals.
5. We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
You hear right: there have been several lucrative scams involving bogus notification enforcement authorities demanding money in return for submitting applications to notify. The Office of the Information Commissioner is based at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Take a look at their website (www.ico.org.uk) for the latest information on scams, or ring the data protection advice line (0303 123 1113, or textphone 01625 545 860) if you want to check out any official-looking documents. Alternatively, ring your legal adviser and check, first, whether the demand is from a genuine source, and secondly, whether you should actually have notified anyway.
6. Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
Probably not, but consider taking legal advice. In a case in this area, the Court of Appeal decided that the fact that someone's name appears in a document does not in itself make it 'personal data'. It will only be 'personal data' where its inclusion in the document affects the named individual's privacy. In deciding whether the individual's privacy is affected, the judges said it is important to consider:
- whether the information is biographical - ie, whether it gives details in addition to the name
- whether the focus is on the named individual, or whether the mention of his (or her) name is just peripheral to the purpose of the document
The judges said that the Act was not to be used as 'an automatic key' to force disclosure to individuals of any information in which their names are mentioned. However, this is a difficult area, which requires good legal judgement. The Information Commissioner has produced guidance on what is - or could be - personal data, in the form of a series of questions with worked examples: it is designed for public authorities, but is quite short, free of jargon and gives a good idea of how the ICO's collective mind is working, so it is worth consulting if you have problems in this area ('Determining what is personal data'). Take legal advice if you are still uncertain as to whether records you hold constitute 'personal data' and therefore have to be disclosed.
7. Some of our customer records are still held in paper form. Are they covered by the Data Protection Act?
It really depends on what is in them. The Act applies to living individuals, so if your records merely trace your dealings with customers which are limited companies, without any mention of individuals, you do not need to worry. Even if individuals are mentioned, but only peripherally, you may still not need to worry, though you would still have to observe the principles of the Act.
However, any information about living human beings, other than exempt information or the strictly peripheral, will mean you have to notify. In particular this means that such information is subject to the first five data protection principles, that information shall be:
- fairly and lawfully processed
- for limited purposes
- adequate, relevant and not excessive
- accurate and up to date
- kept no longer than is necessary
The individuals to whom the information relates also get the right to correct it if it is inaccurate. Holding such information is in itself a form of processing, so if such manual files exist and do make reference to living individuals, you need to make a decision as to whether you wish to continue holding them, and if so, ensure that you comply with the provisions of the 1998 Act. The Act does not, however, require you to digitise or computerise such information. Take legal advice, if in doubt.
8. Do we really have to get our customers to agree that we can send them marketing information?
The law in relation to direct marketing is particularly fast-moving. If you want to stay on the right side of it, always tell customers exactly how you want to use their personal information and get evidence that they agree to such use. If you have existing customers on your database and want to send them marketing information relating to products and/or services similar to those you have previously supplied to them, you may continue to do so, but you should always offer them the ability to opt out of receiving further mailings. Note that individuals have a legal right to stop you sending them direct mail marketing at any time.
9. Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
To be on the safe side, you should always obtain your customers' express consent before you disclose any information about them to third parties. There are alternatives to obtaining express consent, but you should seek specific legal advice before attempting to use them.
10. What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
The Data Protection Act 1998 requires that you enter into written agreements with anyone who is processing personal information on your behalf. You need to obtain written guarantees that they will keep the information secure and only use it in accordance with your instructions. It is your responsibility to ensure that the information is used lawfully.
11. If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
Make sure that you have put a data processing agreement in place and that the firm you are using is based in a country with data protection rules which are considered to be adequate under English law. Laws of the states in the European Economic Area (the EEA - member states of the EU, plus Liechtenstein, Norway and Iceland) are acceptable; otherwise you have to use your own (or your adviser's) judgement. The Information Commissioner has, however, recently made it plain that the rules alone are not enough; if you are sending data abroad, you also need to be certain those rules are adequately enforced. If your data turns up in the hands of people who should not have it, because you made the decision that it was safe to have it processed abroad, it is you that the ICO will be coming after. So if you do want to get some of your information processed outside the EEA, take good legal advice first. Otherwise, you must get those whose information you want to send abroad specifically to agree to it.
12. If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
Generally speaking, you should presume that anything you write down or record about an individual may be shown to that individual at some point in the future. This includes any comments or personal opinions that you write down about interviewees. There are certain exemptions which may mean that you can delay or prevent disclosure, but they are very narrow, and very strictly interpreted, so you should always seek legal advice before relying on them.
13. Is there any problem over us monitoring our employees' use of office phones, internet access or email system?
Take a look at the Information Commissioner's Code of Practice for employers relating to the monitoring of staff at work. Or failing that, take legal advice. The Code is quite detailed, but the general principle is that you must make employees aware of how they will be monitored in the workplace (for example, by looking at their telephone, email or internet usage, or monitoring their movements by CCTV or vehicle tracking systems) and use the least intrusive methods of monitoring available to achieve your goals. This principle has recently been confirmed by the European Court of Human Rights, which found that a college which monitored an employee's use of the telephone without informing her breached her right to respect for her private life and correspondence. Covert surveillance is allowed only in very limited circumstances, such as where there is suspected criminal activity. You will also have to take steps to ensure that you do not fall foul of associated legislation relating to the interception of communications.
14. Do we have to provide employees (or customers) with copies of the information we hold on them?
Generally, yes, if they ask for it, so be careful about the information you hold on individuals. The 'subject access request' must be in writing, and you must be certain that the person asking for the information is the person who is entitled to see it. You can require them to pay a fee of up to £10 and you must provide them with the information they have requested within 40 days of satisfying yourself as to their identity and receiving the fee. There are exemptions which you can use to withhold certain types of information, and you are specifically required to protect the rights of third parties, if they can be identified from the information you are disclosing. The Information Commissioner's Office (ICO) publications on their website include a 'good practice' note for small and medium-sized businesses on how to handle 'subject access requests'.
15. Do we have to provide former employees with copies of the references that we have given about them to third parties?
References are exempt from subject access requests if such requests are made to the person or organisation which gave the reference, but if a request is made to the recipient of the reference, the reference must generally be disclosed. The circumstances in which the reference was given - if, for example, a duty of confidentiality was imposed on the recipient - can have an impact on whether the reference is disclosable, so it is always advisable to seek legal advice in these circumstances.
16. We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
Images of identifiable human beings can be 'personal data' under the Data Protection Act 1998 if they are taken using cameras which can be used to track individuals, which means that the obligations contained in the Act may apply to the use of CCTV. The Information Commissioner has published a Code of Conduct on the use of CCTV, which requires that any capacity for picking up conversations should be disabled, and deals with matters such as the positioning of cameras, the security of the recording media, the circumstances under which the film can be viewed, and the location and content of warning notices. You also need to notify the Information Commissioner that you are operating a CCTV system.
17. We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
Potentially yes. The Information Commissioner's Code of Conduct says that although the use of CCTV is a common feature of our everyday life, 'the public expect it to be used responsibly with effective safeguards in place'. Before installing CCTV you should consider whether you can achieve the same aims without using CCTV, for example by improving lighting, providing lockers for employees' belongings or introducing limited access to stock storage areas.
If you do decide to install CCTV, you should be aware that almost all uses of CCTV will be covered by the Data Protection Act. Failure to follow the Information Commissioner's Code of Practice could mean you fall foul of the Data Protection Act.
18. Do we need to tell customers if we operate a CCTV system?
You need to tell your customers and staff that you operate a CCTV system if it is capable of capturing images of them. The Information Commissioner's Code on the use of CCTV includes advice on the size and positioning of warning notices. Such notices should include details of who is operating the system, why it is in place and how to get further information about it.
19. We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
Generally speaking you must use CCTV images only for the purpose for which they were recorded. If, however, cameras had been installed to deter break-ins but they caught an employee stealing stock, it would be reasonable for the employer to use the images as evidence in disciplinary and court proceedings. The test is what is reasonable, and that would depend on the circumstances. For example, it might not be reasonable to use images obtained to deter break-ins in proceedings against an employee who was caught committing a minor act of misconduct, such as smoking on the employer's premises.
20. What sort of penalties might we suffer for breaching the Data Protection Act?
The Data Protection Act 1998 contains a number of enforcement mechanisms designed to encourage compliance with the new data protection regime. The Information Commissioner has the power to investigate complaints from aggrieved individuals and to require those who process personal information to respond to their enquiries. The Information Commissioner usually attempts to resolve issues by correspondence, but can serve enforcement notices demanding compliance with the Act. The Information Commissioner can also issue substantial 'monetary penalty notices' of up to £500,000 to data controllers where there has been:
- a serious contravention of the data protection principles that is likely to cause substantial damage or distress, that was either:
  - deliberate; or
  - one where the data controller knew (or ought to have known) that there was a risk that the contravention would occur, and that it was likely to cause substantial damage or distress, but nevertheless failed to take reasonable steps to prevent the contravention.
The Act also includes penalties for unlawfully obtaining personal data, which include imprisonment in certain circumstances. The Data Protection Act contains a number of other offences, relating to matters such as failing to notify or having an inaccurate notification. A company director may also be committing an offence if his or her company fails to comply with the Act, due in part to his or her neglect. In certain circumstances, individuals can also sue for compensation if they have suffered damage and distress as the result of a failure to comply with the Act.