Data protection: 20 FAQs

1. Do we need to bother about the data protection legislation? What impact could it have on us?
2. What does registering ('notifying') involve?
3. What are the penalties likely to be, if we haven't notified when we should have done?
4. How do the authorities decide who gets 'assessed'?
5. We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
6. Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
7. Most of our customer records are still held in paper form. Are they covered by the Data Protection Act?
8. Do we really have to get our customers to agree that we can send them marketing information?
9. Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
10. What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
11. If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
12. If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
13. Is there any problem over us monitoring our employees' use of office phones, Internet access or email system?
14. Do we have to provide employees (or customers) with copies of the information we hold on them?
15. Do we have to provide former employees with copies of the references that we have given about them to third parties?
16. We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
17. We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
18. Do we need to tell customers if we operate a CCTV system? 
19. We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
20. What sort of penalties might we suffer for breaching the Data Protection Act?

1. Do we need to bother about the data protection legislation? What impact could it have on us?

Broadly speaking, the Data Protection Act 1998 is designed to prevent individuals and organisations from 'processing' information about any living individual who can be identified from that information, unless:

• they have a legally acceptable reason (or reasons) for doing so; and
• they can prove that they treat the information properly.

'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it. The individuals to whom the information relates may be people (for instance, customers, or suppliers, or employees) with whom you have dealings now, with whom you hope to have dealings in the future, or with whom you have had dealings in the past. Most businesses cannot function without taking account of the Act's provisions: even defunct businesses might still be 'processing' (for example, holding) information. However, you are unlikely to fall foul of the Act unless:

• You hold information unlawfully - ie without a good reason. The more sensitive the information is, the better the reason you will need. Information held for 'standard business purposes' (staff administration, advertising, marketing and PR, and accounts and records) is usually exempt, though you will still need to comply with the principles of data protection (that information must be held lawfully and processed fairly; that it must not be collected for one purpose and then used for another; that it must not be excessive, inaccurate etc - see below). Anything relating to anyone's race, politics, religion, trade union membership, physical or mental health, sexual activities, or the commission of offences is high risk, and can only be justified if you hold it for one of a list of specified reasons.
• You process information unfairly - for example, without letting the individual know that you have it and what you are going to do with it.
• You collect information for one purpose, and then use it for another.
• You collect too much information - if you are trying to sell people egg-timers, you do not need to know their shoe size;
• You fail to ensure that information is accurate and up-to-date.
• You hold on to information for longer than you need it.
• You fail to let individuals know what you have on them when they ask to see it (unless one of the statutory exemptions applies).
• You fail to keep information secure.
• You send information outside Europe for processing, except to a limited list of countries with adequate data protection laws of their own.

Back to top

2. What does registering ('notifying') involve?

Most businesses are legally obliged by the Data Protection Act 1998 to notify the Office of the Information Commissioner (ICO) of what information they are collecting, and for what purpose. The information you supply to the ICO when submitting a notification application goes onto a public register, to which anyone can have access. Notification currently costs £35, and has to be renewed every year. If you do not know whether you should notify, you can contact the Office of the Information Commissioner via www.ico.gov.uk. Or seek legal advice.

Back to top

3. What are the penalties likely to be, if we haven't notified when we should have done?

It is a criminal offence for a business not to have notified when it should have done, and if the business is a company, its directors may also be committing an offence. If the Information Commissioner suspects you of failing to notify when you should have done, you may find yourselves on the wrong end of an investigation (known as an 'assessment'). This will tie up management time and resources. If the assessment indicates that you are in the wrong, you will probably be subject to enforcement action, under which you will be required to get your information organised in compliance with the Data Protection Act 1998 within a given time frame, and to notify the Information Commissioner of your data processing activities. This will tie up more time and resources. Failure to comply with an enforcement action could result in a criminal conviction, a fine, and possibly an action for damages being brought against you (see question 20).

Back to top

4. How do the authorities decide who gets 'assessed'?

Although the Information Commissioner's Office can conduct investigations of its own accord, it most frequently carries out assessments when it has been tipped off by someone - a customer, a supplier, a past or present employee, or even a business rival - asking for an assessment. They might, for example, be able to ask for an assessment because:

• they have not been able to find you on the Register, which suggests that you may not have notified
• they were not satisfied with your response when they exercised their right to ask for the information you hold about them (see question 14)

According to the Information Commissioner's 2006-7 Annual Report, there were 24,000-odd requests for assessments last year. Some 2,600 cases were opened during the year, and a similar number closed - almost half of them by informal agreement, but there were 339 decision notices, 16 prosecutions, and various penalties applied, including a husband and wife team who were given combined fines amounting to almost £7,700, plus costs of some £3,700, and an individual who ended up with 150 hours of community service.

Back to top

5. We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?

You hear right: there have been several lucrative scams involving bogus notification enforcement authorities demanding money in return for submitting applications to notify. The Office of the Information Commissioner is based at Wycliff House, Water Lane, Wilmslow, Cheshire SK9 5AF. Take a look at their website (www.ico.gov.uk) for the latest information on scams, or ring the data protection advice line (0845 630 6060, or 01625 545 745) if you want to check out any official-looking documents. Or alternatively, ring your legal adviser and check, first, whether the demand is from a genuine source, and secondly, whether you should actually have notified anyway.

Back to top

6. Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?

Probably not, but consider taking legal advice. In a case in this area, the Court of Appeal decided the fact that someone's name appears in a document does not in itself make it 'personal data'. It will only be 'personal data' where its inclusion in the document affects the named individual's privacy. In deciding whether the individual's privacy is affected, the judges said it is important to consider:

• whether the information is biographical - ie, whether it gives details in addition to the name
• whether the focus is on the named individual, or whether the mention of his (or her) name is just peripheral to the purpose of the document

The judges said that the Act was not to be used as 'an automatic key' to force disclosure to individuals of any information in which their names are mentioned. However, this is a difficult area, which requires good legal judgement. The Information Commissioner has produced guidance on what is - or could be - personal data, in the form of a series of questions with worked examples: it is designed for public authorities, but is quite short, free of jargon and gives a good idea of how the ICO's collective mind is working, so it is worth consulting if you have problems in this area ('Determining what is personal data'). Take legal advice if you are still uncertain as to whether records you hold constitute 'personal data' and therefore have to be disclosed.

Back to top

7. Most of our customer records are still held in paper form. Are they covered by the Data Protection Act?

It really depends on what is in them. The Act applies to living individuals, so if your records merely trace your dealings with customers which are limited companies, without any mention of individuals, you do not need to worry. Even if individuals are mentioned, but only peripherally, you may still not need to worry (see question six). Up to midnight on 23 October 2007, if your records suggested that the purchasing manager at one customer liked a good meal, while the managing director at another enjoyed a day at the races, but the information was held in manual files, and would not have been easily accessible to, eg a new temp in the office (because, for instance, they were only identified by their initials or nicknames), you might not have had to notify (though you would have had to observe the principles of the Act - see below and question 1). Now, however, any information about living human beings, other than exempt information (see question 1) or the strictly peripheral, will mean you have to notify. This is because the transitional arrangements under which holders of pre-1998 manual records were exempt from notification ceased with effect from midnight on 23 October 2007. In particular this means that such information is subject to the first five data protection principles, that information shall be:

• fairly and lawfully processed.
• for limited purposes.
• adequate, relevant and not excessive.
• accurate and up to date.
• kept no longer than is necessary.

The individuals to whom the information relates also get the right to correct it if it is inaccurate. Holding such information is in itself a form of processing, so if such manual files exist and do make reference to living individuals, you need to make a decision as to whether you wish to continue holding them, and if so, ensure that you comply with the provisions of the 1998 Act. It does not, however, require you to digitise or computerise such information. Take legal advice, if in doubt.

Back to top

8. Do we really have to get our customers to agree that we can send them marketing information?

The law in relation to direct marketing is particularly fast-moving. If you want to stay on the right side of it, always tell customers exactly how you want to use their personal information and get evidence that they agree to such use. If you have existing customers on your database and want to send them marketing information relating to products and/or services similar to those you have previously supplied to them, you may continue to do so, but you should always offer them the ability to opt out of receiving further mailings. Note that individuals have a legal right to stop you sending them direct mail marketing at any time.

Back to top

9. Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?

To be on the safe side, you should always obtain your customers' express consent before you disclose any information about them to third parties. There are alternatives to obtaining express consent, but you should seek specific legal advice before attempting to use them.

Back to top

10. What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?

The Data Protection Act 1998 requires that you enter into written agreements with anyone who is processing personal information on your behalf. You need to obtain written guarantees that they will keep the information secure and only use it in accordance with your instructions. It is your responsibility to ensure that the information is used lawfully.

Back to top

11. If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?

Make sure that you have put a data processing agreement in place (see question 10) and that the firm you are using is based in a country with data protection rules which are considered to be adequate under English law. Laws of the states in the European Economic Area (the EEA - member states of the EU, plus Liechtenstein, Norway and Iceland) are acceptable; otherwise you have to use your own (or your adviser's) judgement. The Information Commissioner has, however, recently made it plain that the rules alone are not enough; if you are sending data abroad, you also need to be certain those rules are adequately enforced. If your data turns up in the hands of people who should not have it, because you made the decision that it was safe to have it processed abroad, it is you that the ICO will be coming after. So if you do want to get some of your information processed outside the EEA, take good legal advice first. Otherwise, you must get those whose information you want to send abroad specifically to agree to it.

Back to top

12. If I take notes at a recruitment interview, can I be forced to show them to the interviewee?

Generally speaking, you should presume that anything you write down or record about an individual may be shown to that individual at some point in the future (see question 14 on 'subject access requests'). This includes any comments or personal opinions that you write down about interviewees. There are certain exemptions which may mean that you can delay or prevent disclosure, but they are very narrow, and very strictly interpreted, so you should always seek legal advice before relying on them.

Back to top

13. Is there any problem over us monitoring our employees' use of office phones, Internet access or email system?

Take a look at the Information Commissioner's Code of Practice for employers relating to the monitoring of staff at work. Or failing that, take legal advice. The Code is quite detailed, but the general principle is that you must make employees aware of how they will be monitored in the workplace (for example, by looking at their telephone, email or internet usage, or monitoring their movements by CCTV or vehicle tracking systems) and use the least intrusive methods of monitoring available to achieve your goals. This principle has recently been confirmed by the European Court of Human Rights, which found that a college which monitored an employee's use of the telephone without informing her, breached her right to respect for her private life and correspondence. Covert surveillance is allowed only in very limited circumstances, such as where there is suspected criminal activity. You will also have to take steps to ensure that you do not fall foul of associated legislation relating to the interception of communications.

Back to top

14. Do we have to provide employees (or customers) with copies of the information we hold on them?

Generally, yes, if they ask for it, so be careful about the information you hold on individuals. The 'subject access request' must be in writing, and you must be certain that the person asking for the information is the person who is entitled to see it. You can require them to pay a fee of up to £10 and you must provide them with the information they have requested within 40 days of satisfying yourself as to their identity and receiving the fee. There are exemptions which you can use to withhold certain types of information, and you are specifically required to protect the rights of third parties, if they can be identified from the information you are disclosing. The Information Commissioner's Office (ICO) publications on their website include a 'good practice' note for small and medium-sized businesses on how to handle 'subject access requests'. See also questions six and seven for futher information on what types of record are covered by the Data Protection Act 1998.

Back to top

15. Do we have to provide former employees with copies of the references that we have given about them to third parties?

References are exempt from subject access requests (see question 14) if such requests are made to the person or organisation which gave the reference, but if a request is made to the recipient of the reference, the reference must generally be disclosed. The circumstances in which the reference was given - if, for example, a duty of confidentiality was imposed on the recipient - can have an impact on whether the reference is disclosable, so it is always advisable to seek legal advice in these circumstances.

Back to top

16. We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?

Images of identifiable human beings can be 'personal data' under the Data Protection Act 1998 if they are taken using cameras which can be used to track individuals, which means that the obligations contained in the Act may apply to the use of CCTV. The Information Commissioner has recently published a draft revision of the Code of Conduct on the use of CCTV, which requires that any capacity for picking up conversations should be disabled, and deals with matters such as the positioning of cameras, the security of the recording media, the circumstances under which the film can be viewed, and the location and content of warning notices. You also need to notify the Information Commissioner that you are operating a CCTV system.

Back to top

17. We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?

Yes. The Information Commissioner's Code of Conduct (see question 16) describes continuous CCTV monitoring as 'intrusive and disproportionate', and says it should only be used under very exceptional circumstances, for example where employees are dealing with hazardous substances, and a failure to observe the proper procedures could create a serious danger to life.

Back to top

18. Do we need to tell customers if we operate a CCTV system?

You need to tell your customers and staff that you operate a CCTV system if it is capable of capturing images of them. The Information Commissioner's Code on the use of CCTV (see question 16) includes advice on the size and positioning of warning notices. Such notices should include details of who is operating the system, why it is in place and how to get further information about it.

Back to top

19. We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?

Generally speaking you must use CCTV images only for the purpose for which they were recorded. If, however, cameras had been installed to deter break-ins but they caught an employee stealing stock, it would be reasonable for the employer to use the images as evidence in disciplinary and court proceedings. The test is what is reasonable, and that would depend on the circumstances. For example, it might not be reasonable to use images obtained to deter break-ins in proceedings against an employee who was caught committing a minor act of misconduct, such as smoking on the employer's premises.

Back to top

20. What sort of penalties might we suffer for breaching the Data Protection Act?

The Data Protection Act 1998 contains a number of enforcement mechanisms designed to encourage compliance with the new data protection regime. The Information Commissioner has the power to investigate complaints from aggrieved individuals and to require those who process personal information to respond to his enquiries. He usually attempts to resolve issues by correspondence, but he can serve enforcement notices demanding compliance with the Act. Failure to comply with such a notice is a criminal offence, punishable by a fine of up to £5,000 (in a case brought in a magistrates' court), or an unlimited amount (in the Crown Court). There is no firm introduction date yet, but the Criminal Justice and Immigration Act 2008 also authorises the Information Commissioner to issue substantial (although the amounts have yet to be fixed) 'monetary penalty notices' to data controllers where there has been:

• a serious contravention of the data protection principles (see questions 1 and 7)
• that is likely to cause substantial damage or distress, that was either
  • deliberate; or
  • the data controller knew (or ought to have known) that there was a risk that the contravention would occur, and that it was likely to cause substantial damage or distress, but nevertheless failed to take reasonable steps to prevent the contravention.

The new Act will also increase the penalties for unlawfully obtaining personal data, which will include imprisonment in certain circumstances. The Data Protection Act contains a number of other offences, relating to matters such as failing to notify or having an inaccurate notification (see question 2). A company director may also be committing an offence if his or her company fails to comply with the Act, due in part to his or her neglect. In certain circumstances, individuals can also sue for compensation if they have suffered damage and distress as the result of a failure to comply with the Act.

Back to top