Data protection

The Data Protection Act regulates how your business processes personal information about living individuals. All businesses are required to comply with the eight data protection principles. You may also be required to notify the Information Commissioner of your data processing activities. Making sure that you understand and comply with data protection regulations helps protect your business against regulatory action.

The data protection principles

To comply with the data protection principles set out in the Act, you must only process personal information (for example, that of a customer or employee) when you have a fair and lawful reason. 'Processing' covers practically anything that can be done with information: obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it, whether through your business's IT systems, via CCTV or in a manual filing system.

You must limit your processing of personal information: only collecting the information you need, using it for specified purposes and deleting it when you no longer need it.

You must also keep information up to date and hold it securely. There are restrictions on transferring personal data overseas, and you must take particular care with sensitive information (for example, details of an individual’s ethnic origins or their health records).

Individuals have the right to ask to see the information you hold on them, known as a 'subject access request'. If you receive a request, you must provide the data you hold within 40 days of the request. This covers all data, whether it is held electronically, in paper form or in any other form. Individuals can also ask you to correct inaccuracies and to stop using their information for direct marketing.

Data protection notification

Provided you comply with the data protection principles, you are allowed to process personal data for core business purposes without notifying the Information Commissioner. These core business purposes include staff administration and marketing to your customers.

If you process personal data for other purposes, you must notify the Information Commissioner. You give details of the personal information you process and why, and pay a small fee.
