All businesses that keep any information on living and identifiable people must comply with the Data Protection Act. The Act applies to any computerised or manual records containing personal information about people.
All businesses using personal data must comply with the data protection principles - enforceable rules for handling personal information - and some will also have to register (or notify) that they use personal information. This briefing covers:
- Whether you need to register.
- How you can comply with the Act.
- What circumstances are likely to trigger action by the data protection authorities.
- Some particular danger areas.
Many small businesses will not need to notify the Information Commissioner's Office (ICO), the independent body which maintains the register of data controllers. But there may be circumstances where you will need to.
1.1 Organisations which 'process' information on living people for core business purposes only are exempt from notifying.
All types of personal records are now included under the Act regardless of whether the processing is automated (for example carried out on a computer) or manual. Automated processing can include microfilm retrieval, CCTV camera use or phone logging.
1.2 Organisations which 'process' information on living people for any other reason are obliged to notify.
1.3 If you are not certain whether you should notify, seek advice.
1.4 Beware of data notification hustlers.
- They send out official-looking letters, or call on businesses, implying they should be registered and demanding payment forthwith to complete the process.
- They charge far more than the official fee for notification (£35 a year).
- If you get a letter like this, check whether it is genuine by ringing the ICO helpline on 0303 123 1113. Or go to www.ico.org.uk to check the latest list of bogus agencies.
1.5 Failure to notify when you should have done so is a criminal offence and you could well be prosecuted.
- The ICO can investigate if it suspects you haven't notified when you should have done so.
2 Data obligations for all firms
Whether or not you must notify, you are legally obliged to observe data protection principles.
2.1 You must process only as much information as you need.
- You must identify the minimum amount of information you need.
- You must need it for a specific purpose, which must be lawful.
- There are extra restrictions on the use of particularly sensitive data.
You can retain information about people where there is a good reason to do so, but you cannot hang on to information merely because it might come in useful in the future.
2.2 When you use information about an individual, whether they are an employee or a customer, you must make sure that they are properly informed of what you intend to do with their information.
- You should ensure that they are aware of who you are, what information you hold and why, and any other information (such as third parties you intend to pass the information to) which may make your use of personal information fair.
2.3 The information you hold must be accurate and up to date.
- You need to be able to prove you have taken 'reasonable steps' to ensure the accuracy of the information you hold.
- If anyone complains about the accuracy of the information you hold on them, you must be prepared to investigate and to amend it or at least note their complaint on file.
2.4 The information must be kept securely.
2.5 The information you hold must be deleted as soon as you have no reason to keep it.
2.6 You must observe the subject's rights.
Conditions for processing
To process information legitimately, one of the following conditions must be met:
- The individual has consented.
- You have a contract with the individual.
- You are legally obliged to do it - for example, to investigate a foreign worker's immigration status.
- It is in the individual's interests (processing of health information, for example).
- It is necessary for the administration of justice.
- You need to do it for your 'legitimate interests', and ensure that the benefit to you isn't outweighed by any detriment to the individual involved.
3 Recruitment data
When recruiting new staff, it is important to bear in mind data protection considerations.
3.1 You are required to be open about your own identity and methods.
- If you are advertising for a new employee you must make it plain who you are.
- If you intend to check up on potential recruits you should say so in advance.
3.2 Keep your questions relevant to the job.
- Beware of being unnecessarily intrusive.
- Be particularly careful in asking for sensitive personal information.
- If you need to ask about criminal convictions, ask at the end of the recruitment process, just before you offer the successful candidate a job. Asking all the candidates at the beginning could be unnecessarily intrusive.
3.3 Remember that applicants have a right to see all the information you hold on them.
3.4 Be prepared to destroy your files on unsuccessful applicants.
- But you can keep enough on your files to justify your selection of an applicant to an Employment Tribunal if an unsuccessful candidate complains of discrimination.
4 Monitoring employees
In broad terms, the Act establishes that employee monitoring may be carried out only where any detriment to the employee is offset by the benefit to the employer (or others).
4.1 You are required to be open about the nature, extent and reasons for monitoring.
- For example, you might want to monitor use of the telephone to minimise excessive private use or monitor internet access for the downloading of illegal material.
- Secret monitoring can only be justified in exceptional circumstances such as suspected criminal activity.
4.2 Limit monitoring to the amount necessary to achieve a legitimate business objective.
- Define what you want to achieve. Ignore matters outside this remit unless they are so serious no reasonable employer could fail to take action - such as serious breaches of health and safety rules.
- Remember your employees are entitled to a degree of privacy, even in the work environment.
- If you use video or audio monitoring, target it and keep it to areas where expectations of privacy are low.
4.3 Remember your employees have a right to see all the information you have on them.
- Don't keep the results of your monitoring, once they have served their purpose.
5 Employment records
5.1 Someone has to accept responsibility for looking after employment records.
- This includes keeping them accurate and up to date.
- It also includes keeping them secure. For example, they should not be loaded onto a laptop that could be lost or stolen unless it has adequate access controls.
5.2 Employees' right to privacy must be respected.
5.3 Employees have the right to see all their personnel files.
- This includes files on disciplinary and grievance matters, unless an exemption applies, such as a continuing criminal investigation.
6.1 There are rules governing the use of CCTV cameras.
- Siting of cameras is critical.
- You must put up appropriate signs.
- Be careful about who can view the images.
- If you collect information about particular individuals through your use of CCTV they have the right to see any images of themselves you hold.
6.2 Go to the ICO website for a checklist for operators of small CCTV systems.