All businesses that keep any information on living and identifiable people must comply with the Data Protection Act. The Act applies to any computerised or manual records containing personal information about people.
All businesses using personal data must comply with the data protection principles - enforceable rules for handling personal information. Some will also have to register (or notify) that they use personal information.
Many small businesses will not need to notify the Information Commissioner's Office (ICO), the independent body which maintains the register of data controllers. But there may be circumstances where you will need to.
You do not need to notify if you only process information for 'core business purposes'
- Processing includes obtaining, recording, retrieving, holding or destroying data. The ICO says it is difficult to imagine any form of activity involving data about individuals that would not involve processing.
- Core business purposes include staff administration (including payroll), advertising and marketing your own goods or services, or promoting them through public relations, and keeping accounts and records.
- All types of personal records are now included under the Act regardless of whether the processing is automated (for example carried out on a computer) or manual. Automated processing can include microfilm retrieval, CCTV camera use or phone logging.
Organisations which process information on living people for any other reason must notify
- When you notify, you give your trading name (or legal name and any other names by which the company might be known), address and an outline of the information that you hold and what you use it for.
- The information you provide goes on a public register, which anyone can consult. You could have a look at it, to see what type of information your suppliers, customers or rivals hold.
- You can write to any organisation to ask to see a copy of any information it holds on you.
If you are not certain whether you should notify, seek advice
- You can find out if you need to register by completing a self-assessment questionnaire or contacting the ICO helpline (0303 123 1113).
Beware of data notification hustlers
- These send out official-looking letters, or call on businesses, implying they should be registered and demanding payment to complete the process.
- They charge far more than the official fee for notification (£35 a year).
- If you get a letter like this, you can check whether it is genuine by ringing the ICO helpline.
Failure to notify when you should have done so is a criminal offence
- The ICO can investigate if it suspects you haven't notified when you should have done so. You could well be prosecuted.
2. Data obligations for all firms
Whether or not you must notify, you are legally obliged to observe data protection principles.
You must process only as much information as you need
- You must identify the minimum amount of information you need.
- You must need it for a specific purpose, which must be lawful.
- There are extra restrictions on the use of particularly sensitive data.
- You can retain information about people where there is a good reason to do so, but you cannot hang onto information because it might come in useful in the future.
When you use information about an individual they must be properly informed
- Whether they are an employee or a customer, you must make sure that they are properly informed of what you intend to do with their information.
- You should confirm that they are aware of who you are, what information you hold and why, and any other information (such as third parties you intend to pass the information to) which may make your use of personal information fair.
The information you hold must be accurate and up-to-date
- You need to be able to prove you have taken 'reasonable steps' to make sure the information you hold is accurate.
- If anyone complains about the accuracy of the information you hold on them, you must be prepared to investigate and to correct it or at least note their complaint on file.
The information must be kept securely
- You (and your staff) may not pass on information to third parties without just cause.
- You can use external data processors (for example, payroll bureaux), but you must have a written guarantee they will keep your information secure.
- You must ensure that any information you keep on the premises is safe.
- You must have a secure arrangement for deleting digital information and for disposing of paper records.
- If you send information abroad, you must check the country has adequate data protection laws. Alternatively you must get consent from the individual in question or ensure the organisation you are sending the data to has acceptable security arrangements.
The information you hold must be deleted as soon as you have no reason to keep it
- You need a very good reason to hold on to information beyond its immediate use. For example, you might want to hold information on potential recruits in case your preferred candidate drops out.
You must observe the subject's rights
- These include the right to see all the information you hold on them.
- They have to ask in writing, provide evidence of identity, and pay any fee you request up to £10.
- You have 40 days to comply.
- You need not comply if their name is only mentioned in passing. The Act exists to allow individuals to check whether their privacy is being invaded. It is not an 'automatic key' to any information on matters in which they might be involved.
- You can sometimes hold back the information if a third party is involved.
- Individuals can ask for corrections. You must investigate and at least make sure the request is on file.
- Individuals can instruct you not to use their personal data for direct marketing.
You could face action if you fail to follow the data protection principles
- If an individual believes their personal data is not being processed according to the data protection principles, they can ask the ICO to assess the business concerned.
- You could be subject to an enforcement notice requiring you to change the way you process data. Failure to comply with such a notice is a criminal offence and could lead to a possibly unlimited fine.
- You could be sued by anyone who suffers damage because of what you have done.
- Serious breaches of the data protection principles could lead to a fine of up to £500,000 being imposed by the ICO.
Conditions for processing
To process information legitimately, one of these conditions must be met:
- the individual has consented;
- you have a contract with the individual involved;
- you are legally obliged to do it - for example, to investigate a foreign worker's immigration status;
- it is in the individual's interests (processing of health information, for example);
- it is necessary for the administration of justice;
- you need to do it for your 'legitimate interests', and ensure that the benefit to you isn't outweighed by any disadvantage to the individual involved.
3. Recruitment data
When recruiting new staff, it is important to bear in mind data protection considerations.
You are required to be open about your own identity and methods
- If you are advertising for a new employee you must make it plain who you are.
- If you intend to check up on potential recruits you should say so in advance.
Keep your questions relevant to the job
- Beware of being unnecessarily invasive.
- Be particularly careful in asking for sensitive personal data.
- If you need to ask about criminal convictions, ask at the end of the recruitment process, just before you offer the successful candidate a job. Asking all the candidates at the beginning could be unnecessarily intrusive.
Remember that applicants have a right to see all the information you hold on them
- This could include interview notes. Play safe by recruiting against objective criteria and only making notes in relation to these.
- It also includes references sent to you by a previous employer. If a third party is implicated (eg the author of the reference letter), you must provide as much information as possible without revealing their identity.
Be prepared to destroy your files on unsuccessful applicants
- You can keep enough on your files to justify your selection of an applicant to an Employment Tribunal if an unsuccessful candidate complains of discrimination.
Sensitive personal data
Information in several areas is sensitive
- Racial or ethnic origin.
- Political opinions.
- Religious beliefs.
- Trade union membership.
- Physical or mental health.
- Sexual life.
- Commission (or alleged commission) of any criminal offences, or any proceedings associated with such offences.
You can only process sensitive information lawfully in certain conditions
For example, sensitive information can be processed (eg disclosed) where it is necessary to protect an individual's vital interests or where it is required by law. For anyone running a business, it will be difficult to justify holding sensitive information unless:
- The individual has freely given explicit consent. That means a signature and no hint of compulsion such as making a job offer dependent on it.
- There are legal reasons. For example, you might need to ask an individual about their medical history if they are applying for a physically hazardous job.
- The information is needed for ethnic or other discrimination monitoring.
4. Monitoring employees
In broad terms, the Act establishes that employee monitoring may be carried out only where any disadvantage to the employee is offset by the benefit to the employer (or others).
You are required to be open about the nature, extent and reasons for monitoring
- For example, you might want to monitor use of the telephone to minimise excessive private use or monitor internet access for the downloading of illegal material.
- Secret monitoring can only be justified in exceptional circumstances such as suspected criminal activity.
Limit monitoring to what is necessary to achieve a legitimate business objective
- Define what you want to achieve. Ignore matters outside this remit unless they are so serious no reasonable employer could fail to take action - such as serious breaches of health and safety rules.
- Remember your employees are entitled to a degree of privacy, even in the work environment.
- If you use video or audio monitoring, target it and keep it to areas where expectations of privacy are low.
Your employees have a right to see all the information you have on them
- Don't keep the results of your monitoring, once they have served their purpose.
5. Employment records
Someone has to accept responsibility for looking after employment records
- This includes keeping them accurate and up to date.
- It also includes keeping them secure. For example, they should not be loaded onto a laptop that could be lost or stolen, unless it has adequate access controls.
Employees' right to privacy must be respected
- For example, it would be inappropriate to draw up and publish a league table of absence due to sickness. The intrusion into employees' privacy would exceed any management benefit.
- You must tell employees about any personal information that you have a legal duty to pass on to a third party, such as HM Revenue & Customs.
- You should not pass on employees' details to other organisations (except for data processors such as a payroll bureau) without specific consent from the employees involved, unless there is some other justification or legal requirement to do so.
- When potential employers ask for a reference, ask employees if they're happy for you to provide it.
Employees have the right to see all their personnel files
- This includes files on disciplinary and grievance matters, unless an exemption applies, such as a continuing criminal investigation.
There are rules governing the use of CCTV cameras
- Siting of cameras is critical.
- You must put up appropriate signs.
- Be careful about who can view the images.
- If you collect information about particular individuals through your use of CCTV they have the right to see any images of themselves you hold.
- Find guidance for businesses from the ICO (0303 123 1113).
- Register online or check whether you need to register by completing a self-assessment questionnaire from the ICO.
- Download a code of practice and checklist for CCTV systems from the ICO.
- Check what type of information other organisations hold by searching the Data Protection Public Register from the ICO.
The law is complex. This factsheet reflects our understanding of the basic legal position as known at the last update. Obtain legal advice on your own specific circumstances and check whether any relevant rules have changed.
"The Information Commissioner's latest report indicates that more than half of all small and medium businesses are unaware of the implications of the Act." - Arian Associates
"To help you comply with the Data Protection Act when recruiting and employing workers, a good place to start is the ICO's 'Quick Guide to the Employment Practices Code'. See www.ico.org.uk for more information." - Information Commissioner's Office