Broadly speaking, the Data Protection Act 1998 is designed to prevent individuals and organisations from 'processing' information about any living individual who can be identified from that information, unless:
'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it. The individuals to whom the information relates may be people (for instance, customers, or suppliers, or employees) with whom you have dealings now, with whom you hope to have dealings in the future, or with whom you have had dealings in the past. Most businesses cannot function without taking account of the Act's provisions: even defunct businesses might still be 'processing' (for example, holding) information. However, you are unlikely to fall foul of the Act unless:
Most businesses are legally obliged by the Data Protection Act 1998 to notify the Information Commissioner's Office (ICO) of what personal information they are collecting, and for what purposes. The information you supply to the ICO when submitting a notification goes onto a public register, which anyone can inspect. Notification currently costs £35 and has to be renewed every year. If you do not know whether you should notify, contact the ICO via www.ico.gov.uk, or seek legal advice.
It is a criminal offence for a business not to have notified when it should have done, and if the business is a company, its directors may also be committing an offence. If the Information Commissioner suspects you of failing to notify when you should have done, you may find yourself on the wrong end of an investigation (known as an 'assessment'). This will tie up management time and resources. If the assessment indicates that you are in the wrong, you will probably be subject to enforcement action, under which you will be required to get your information organised in compliance with the Data Protection Act 1998 within a given time frame, and to notify the Information Commissioner of your data processing activities. This will tie up more time and resources. Failure to comply with an enforcement notice could result in a criminal conviction, a fine, and possibly an action for damages being brought against you (see 20).
Although the Information Commissioner's Office can conduct investigations of its own accord, it most frequently carries out assessments when it has been tipped off by someone - a customer, a supplier, a past or present employee, or even a business rival - asking for an assessment. They might, for example, be able to ask for an assessment because:
Businesses can also voluntarily disclose breaches of the Data Protection Act, for example where there is a data loss as a result of the loss or theft of a device containing information on identifiable individuals.
According to the Information Commissioner's Annual Report, the Information Commissioner received just over 26,000 cases in 2010-11. 817 of those cases were resolved with a decision notice, there were 5 prosecutions, and various penalties were applied, including a private company that was fined £60,000 following the loss of an unencrypted laptop containing the details of 24,000 individuals.
You heard right: there have been several lucrative scams involving bogus 'notification enforcement' authorities demanding money in return for submitting applications to notify. The genuine Information Commissioner's Office is based at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Take a look at its website (www.ico.gov.uk) for the latest information on scams, or ring the data protection advice line (0303 123 1113, or textphone 01625 545 860) if you want to check any official-looking documents. Alternatively, ring your legal adviser and check, first, whether the demand is from a genuine source, and secondly, whether you should actually have notified anyway.
Probably not, but consider taking legal advice. In a case in this area (Durant v Financial Services Authority, 2003), the Court of Appeal decided that the fact that someone's name appears in a document does not in itself make it 'personal data'. It will only be 'personal data' where its inclusion in the document affects the named individual's privacy. In deciding whether the individual's privacy is affected, the judges said it is important to consider:
The judges said that the Act was not to be used as 'an automatic key' to force disclosure to individuals of any information in which their names are mentioned. However, this is a difficult area, which requires good legal judgement. The Information Commissioner has produced guidance on what is - or could be - personal data, in the form of a series of questions with worked examples: it is designed for public authorities, but is quite short, free of jargon and gives a good idea of how the ICO's collective mind is working, so it is worth consulting if you have problems in this area ('Determining what is personal data'). Take legal advice if you are still uncertain as to whether records you hold constitute 'personal data' and therefore have to be disclosed.
It really depends on what is in them. The Act applies to living individuals, so if your records merely trace your dealings with customers that are limited companies, without any mention of individuals, you do not need to worry. Even if individuals are mentioned, but only peripherally, you may still not need to worry (see 6), though you would still have to observe the principles of the Act (see below and 1).
However, any information about living individuals, other than exempt information (see 1) or the strictly peripheral, will mean you have to notify. In particular, such information is subject to the first five data protection principles, which require that information shall be:
The individuals to whom the information relates also get the right to correct it if it is inaccurate. Holding such information is in itself a form of processing, so if such manual files exist and do make reference to living individuals, you need to make a decision as to whether you wish to continue holding them, and if so, ensure that you comply with the provisions of the 1998 Act. It does not, however, require you to digitise or computerise such information. Take legal advice, if in doubt.
The law in relation to direct marketing is particularly fast-moving. If you want to stay on the right side of it, always tell customers exactly how you want to use their personal information and get evidence that they agree to such use. If you have existing customers on your database and want to send them marketing information relating to products and/or services similar to those you have previously supplied to them, you may continue to do so, but you should always offer them the ability to opt out of receiving further mailings. Note that individuals have a legal right to stop you sending them direct mail marketing at any time.
To be on the safe side, you should always obtain your customers' express consent before you disclose any information about them to third parties. There are alternatives to obtaining express consent, but you should seek specific legal advice before attempting to use them.
The Data Protection Act 1998 requires that you enter into written agreements with anyone who is processing personal information on your behalf. You need to obtain written guarantees that they will keep the information secure and only use it in accordance with your instructions. It is your responsibility to ensure that the information is used lawfully.
Make sure that you have put a data processing agreement in place (see 10) and that the firm you are using is based in a country with data protection rules which are considered to be adequate under English law. Laws of the states in the European Economic Area (the EEA - member states of the EU, plus Liechtenstein, Norway and Iceland) are acceptable; otherwise you have to use your own (or your adviser's) judgement. The Information Commissioner has, however, recently made it plain that the rules alone are not enough; if you are sending data abroad, you also need to be certain those rules are adequately enforced. If your data turns up in the hands of people who should not have it, because you made the decision that it was safe to have it processed abroad, it is you that the ICO will be coming after. So if you do want to get some of your information processed outside the EEA, take good legal advice first. Otherwise, you must get those whose information you want to send abroad specifically to agree to it.
Generally speaking, you should presume that anything you write down or record about an individual may be shown to that individual at some point in the future (see 14 on 'subject access requests'). This includes any comments or personal opinions that you write down about interviewees. There are certain exemptions which may mean that you can delay or prevent disclosure, but they are very narrow, and very strictly interpreted, so you should always seek legal advice before relying on them.
Take a look at the Information Commissioner's Code of Practice for employers relating to the monitoring of staff at work. Or, failing that, take legal advice. The Code is quite detailed, but the general principle is that you must make employees aware of how they will be monitored in the workplace (for example, by looking at their telephone, email or internet usage, or monitoring their movements by CCTV or vehicle tracking systems) and use the least intrusive methods of monitoring available to achieve your goals. This principle has recently been confirmed by the European Court of Human Rights, which found that a college which monitored an employee's use of the telephone, email and internet without informing her breached her right to respect for her private life and correspondence. Covert surveillance is allowed only in very limited circumstances, such as where there is suspected criminal activity. You will also have to take steps to ensure that you do not fall foul of associated legislation relating to the interception of communications.
Generally, yes, if they ask for it, so be careful about the information you hold on individuals. The 'subject access request' must be in writing, and you must be certain that the person asking for the information is the person who is entitled to see it. You can require them to pay a fee of up to £10 and you must provide them with the information they have requested within 40 days of satisfying yourself as to their identity and receiving the fee. There are exemptions which you can use to withhold certain types of information, and you are specifically required to protect the rights of third parties, if they can be identified from the information you are disclosing. The Information Commissioner's Office (ICO) publications on their website include a 'good practice' note for small and medium-sized businesses on how to handle 'subject access requests'. See also 6 and 7 for further information on what types of record are covered by the Data Protection Act 1998.
References are exempt from subject access requests (see 14) if such requests are made to the person or organisation which gave the reference, but if a request is made to the recipient of the reference, the reference must generally be disclosed. The circumstances in which the reference was given - if, for example, a duty of confidentiality was imposed on the recipient - can have an impact on whether the reference is disclosable, so it is always advisable to seek legal advice in these circumstances.
Images of identifiable human beings can be 'personal data' under the Data Protection Act 1998 if they are taken using cameras that can be used to track individuals, which means that the obligations contained in the Act may apply to the use of CCTV. The Information Commissioner has published a Code of Practice on the use of CCTV, which requires that any capacity for picking up conversations should be disabled, and deals with matters such as the positioning of cameras, the security of the recording media, the circumstances under which the footage can be viewed, and the location and content of warning notices. You also need to notify the Information Commissioner that you are operating a CCTV system.
Potentially yes. The Information Commissioner's Code of Practice (see 16) says that although the use of CCTV is a common feature of our everyday life, 'the public expect it to be used responsibly with effective safeguards in place'. Before installing CCTV you should consider whether you can achieve the same aims without using it: for example, by improving lighting, providing lockers for employees' belongings or introducing limited access to stock storage areas.
If you do decide to install CCTV, you should be aware that almost all uses of CCTV will be covered by the Data Protection Act. Failure to follow the Information Commissioner's Code of Practice could mean you fall foul of the Data Protection Act.
You need to tell your customers and staff that you operate a CCTV system if it is capable of capturing images of them. The Information Commissioner's Code on the use of CCTV (see 16) includes advice on the size and positioning of warning notices. Such notices should include details of who is operating the system, why it is in place and how to get further information about it.
Generally speaking you must use CCTV images only for the purpose for which they were recorded. If, however, cameras had been installed to deter break-ins but they caught an employee stealing stock, it would be reasonable for the employer to use the images as evidence in disciplinary and court proceedings. The test is what is reasonable, and that would depend on the circumstances. For example, it might not be reasonable to use images obtained to deter break-ins in proceedings against an employee who was caught committing a minor act of misconduct, such as smoking on the employer's premises.
The Data Protection Act 1998 contains a number of enforcement mechanisms designed to encourage compliance with the data protection regime. The Information Commissioner has the power to investigate complaints from aggrieved individuals and to require those who process personal information to respond to his enquiries. He usually attempts to resolve issues by correspondence, but he can serve enforcement notices demanding compliance with the Act. The Information Commissioner can also issue substantial 'monetary penalty notices' of up to £500,000 to data controllers where there has been:
The Act also includes penalties for unlawfully obtaining personal data, which can include imprisonment in certain circumstances. The Act contains a number of other offences, relating to matters such as failing to notify or having an inaccurate notification (see 2). A company director may also be committing an offence if his or her company fails to comply with the Act due in part to his or her neglect. In certain circumstances, individuals can also sue for compensation if they have suffered damage and distress as the result of a failure to comply with the Act.