Data protection is a growing formality for all businesses considering the government’s ongoing plans to ensure businesses take proactive measures to achieve this. The Data Protection Act is the main piece of legislation which governs the way personal information is used by organisations, businesses and individuals. The act satisfies two main forms of ‘personal data’:
- Information processed, or intended to be processed, wholly or partly by automatic means (e.g. on a computer); and
- Information processed not by automatic means which form part of, or are intended to form part of, a ‘relevant filing system’ (i.e. manual information in a filing system).
What Data Can I Use?
Many have the misconception that because information may have been given to a party, that they have the right to use it. The government has released a code of practice which covers practical principles that should be applied by all businesses, organisations and individuals.
- All data must be fairly and lawfully processed – This is to ensure that all acts are in the best interest of the individual
- Use of data – You have a legitimate reason for processing the data and have obtained the data for one or more specified purposes
- Holding too much data – You do not hold more personal information than you need for your purpose
- Accuracy – Data is accurate and kept up-to-date
- Retention – You do not keep the data for longer than necessary
- Rights – You ensure that the rights of the individual whose data has been collected is respected and abided by
- Security – Data is kept securely and protected from loss, destruction and damage
- International conditions – You do not share data outside of the EEA unless that country ensures an adequate level of protection
- What their personal information is being used for
- What marketing and mailing lists they are being subscribed to
- Whether their information will be shared with third parties
You do not have to make the party aware that you will be keeping the data, however you will need to make them aware of the use of the data. If, however, the data has a time stamp, it is important that you do not use the data after this time or you make the individual aware of the use of it.
Sanctions
The crackdown of misuse of data is on the rise. The ICO have the power to sanction businesses who fail to comply with legislation. Regulatory action can include; criminal prosecution, civil monetary penalties, non-criminal enforcement and, in some circumstances, an audit.
If you would like any further information or guidance on this area, go to https://ico.org.uk/for-organisations/ or contact Lee Manning at lee.manning@raffingers.co.uk.