The Data Protection Act 1998 governs how personal data is used by organisations, businesses and the government. Personal data is data which relates to a living individual who can be identified from the contents of the data.
If the data provides particular information about an individual or is focused on them, then it can be viewed as personal data and will be protected by the Data Protection Act.
We are often asked questions regarding data protection; the most common of these we have tried to answer below:
If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998.
The Data Protection Act seeks to ensure the safe and secure processing of data in order to protect individuals’ personal data. This personal data needs to be protected due to the fact that it can be sensitive in nature.
How businesses can comply with the Data Protection Act
“I have an SME and I’m too busy to deal with Data Protection. I’m sure I’m doing everything fine; what’s the risk?”
The majority of UK business is comprised of SMEs. With great pressure to grow, often business owners have little time to think about data security. If you do not ensure that your business is data compliant then your money, your information and your reputation are all at risk.
The number of security breaches has increased, their scale and cost have nearly doubled, and if data security remains low on the to-do list of SMEs, then the costs to businesses are going to continue to rise.
Did you know?
- £75k - £311k is the average cost to a small business of its worst security breach of the year.
- 74% of SMEs experienced some sort of data protection breach in 2015.
- 31% of SMEs experienced a staff-related data protection breach.
- The ICO issued a monetary penalty notice of £175,000 to a Welsh SME which engaged a third-party company to make in excess of 2.5m automated marketing calls in less than a three-month period. Were you aware that it is the SME's responsibility to comply with data protection, even when a third party does the work?
- The ICO can issue a monetary penalty of up to £500,000 for serious breaches of the Data Protection Act 1998, and senior executives could be held personally liable. This could result in many SMEs being wound up.
Where an organisation processes personal information about individuals, it will normally need to be registered with the Information Commissioner’s Office (ICO for short). This is called “notification” and it tells the ICO (for example) what personal and sensitive data will be processed, the groups of people whose data will be processed, and who that data may be shared with.
The eight principles of data protection
“That’s all well and good, but what does this really mean?”
This brief overview about the eight principles should help:
- Principle 1 – all data should be processed fairly and lawfully. In order to ensure fairness the data controller should be clear, open and transparent with the data subject when it comes to how and why their data is being collected.
- Principle 2 – States that personal data must only be used for the purpose for which it was intended. This helps to reinforce the first Principle as data controllers and data processors must be clear and transparent with the data subject about the handling of their data.
- Principle 3 – Makes sure that the data collected is adequate for the purpose that has been specified clearly and transparently in the previous two Principles. This ensures that data collected is relevant for the specified purpose and is not excessive in nature.
- Principle 4 - Focuses on the accuracy of data. Personal data must be accurate and up to date and the more personal or sensitive the data, the more steps need to be taken to ensure that it is accurate.
- Principle 5 – Looks at the retention of data. If the data collected / processed for a specified purpose is no longer needed, it should either be archived or securely deleted. Retention schedules help to ensure that records are not deleted prematurely or retained for too long.
- Principle 6 - The rights of the data subject are set out here, and help to protect the data subject from being at the mercy of the data controller. Subject to satisfying certain conditions, the data subject has the right to access a copy of their personal data that a data controller possesses. In addition the data subject has the right to have inaccurate personal data rectified, blocked, erased or destroyed, and claim compensation for damages caused by a breach of the Data Protection Act for example.
- Principle 7 – States that the nature of the security should match the level of sensitivity of the data. It is vital that data controllers have put in place the correct physical and technical security, reinforced by robust policies and procedures, followed by dependable well trained staff who are able to respond to any breach of security quickly and precisely.
- Principle 8 – Is concerned with the exporting of data outside the European Economic Area (EEA). This Principle states that personal data should not be transferred outside the EEA unless that country or territory possesses adequate levels of protection for the rights and freedoms of the data subjects.
The data protection basics
“Data protection is too complicated, what does it mean?”
- Follow the eight principles set out above, and the more in-depth review below;
- Have an audit (whether through the ICO or a private company) to ascertain levels of compliance and improvements to be made to data protection;
- Have a trained Data Protection Officer who will assist with the company’s compliance;
- Train staff on Data Protection in order to try and mitigate breaches of the Data Protection Act; and
- Contact a specialist and / or the ICO with queries about Data Protection.
“There are so many definitions that don’t make any sense.”
Here are some key definitions which should help:
- Data controller – a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed. For example, an SME collecting data for a specified purpose.
- Data processor - any person (other than an employee of the data controller) who processes the data on behalf of the data controller. For example, a payroll company processing wages.
- Data subject – the living individual the data is about.
- Personal data – data such as name, address, date of birth, bank account details etc.
- Sensitive data – medical information, sexual orientation, ethnicity / race etc.
- Subject access request – a formal request (which satisfies certain criteria) for an individuals’ data an organisation holds. For example, “I request a copy of all of my medical records”.
- Freedom of information request – a formal request made to a public body under the Freedom of Information Act 2000 for recorded information it holds. Unlike a subject access request it is not for your own personal data; a request for your own personal data from a public body is still a subject access request under the Data Protection Act.
Data protection guidelines
Data protection vs privacy
“What is the difference between data protection and privacy?”
Data Protection is ensuring individuals' data is kept securely and used for clear purposes which the individual has agreed to.
Data Privacy, as used here, concerns IT security and the measures in place to keep data safe while it is held within an organisation, and while it is being transferred to a third party.
Data protection declaration
“I have heard of a data protection declaration, but don’t know what it means”
A declaration from an organisation that it will comply with the Data Protection Act, save for certain exemptions.
Data protection: disclosure
“I’m always told that things can’t be done because of data protection, so what can be disclosed?”
Organisations can disclose data when an individual has made a Subject Access Request, for example. Some data may be exempt from disclosure (such as third-party data and certain business data), so all data should be read and the necessary exemptions applied before anything is sent to the individual. Failure to do so, and to take advice where necessary, may result in exempt data being disclosed; if it relates to a third party then you may breach their data protection rights.
Data protection: third party disclosure
“A customer returned some goods to us, but we think that they were tampered with and have refused to give a refund. I have received an email from the unhappy customer requesting copies of the data we hold on them, including names of staff involved with coming to the conclusion about the tampering”
This sounds like a Subject Access Request. Before replying, you need to ensure that the customer has provided you with identification, so that you know you are sending data to the right person and not an impostor, and that they have paid the (maximum) £10 fee to the business. This makes the request valid. Once this has been satisfied you should write to the customer explaining the next steps in the Subject Access Request, and a response must be sent to them within 40 calendar days of the Subject Access Request becoming valid.
Exemptions apply to some of the data that would otherwise be disclosed in response to a Subject Access Request, including third-party data.
The customer is entitled to receive copies of data held about them; however, caution should be exercised about disclosing staff members' names, as each member of staff is a third party and their name is their personal data. It would be advisable to redact the staff members' names, or to contact them to see if they consent to their data being disclosed.
Other exemptions would most likely apply to this case, so we would recommend seeking specialist advice. Please see our information on our Subject Access Request Bureau which should be of assistance.
Data protection: holding personal information
“My business holds a lot of personal information in filing cabinets. They are unlocked because we need access to it, but they are in a locked office. There’s nothing else I can think of to keep the filing cabinets secure.”
One of the eight principles is that you keep data secure; this includes paper based documents. It is certainly helpful that the office is locked at night, but who has the keys to the office? How are the keys kept secure? Do you have people such as cleaners who attend the office out of hours and who could gain access to the data? If the office was broken into, what would stop the perpetrators from stealing the data?
You could consider changing your working practices without much effort, such as:
- Have robust policies and procedures which set out clearly what members of staff can and cannot do with data.
- Ensure visitors only have limited access to where data is held, so that you know they cannot obtain data they are not entitled to.
- Ensure staff question people who they do not recognise so that people are not simply let into the office without any issues.
- Give someone responsibility to ensure the cabinets are locked when the office closes, as staff will not need access to the cabinets then.
- Review the data and securely destroy (i.e. shred) anything that is no longer accurate or up-to-date.
- Ensure people are situated next to the filing cabinets, so that if there is any inappropriate activity with the data, staff should notice.
- If the cabinets have a mixture of personal and sensitive data, separate the two data sets and keep the cabinet with sensitive data in locked at all times, with only certain people having access to it. This is because the more sensitive the data, the more responsibility there is on the organisation to keep it secure.
- Create a document setting out who has gained access to the cabinets, when, what they took, and when it was put back.
If data is stolen and the business did not take reasonable steps to ensure the data was kept securely, the ICO could issue a fine of up to £500,000. (This is set to increase with the General Data Protection Regulation (GDPR) coming into force on 25 May 2018 – see Data protection laws below.) There is also the associated reputational damage, and the risk of losing customers and suppliers, so more thought about security should mitigate the risk of the theft or misuse of the data.
Data protection: how long to keep records
“I hold a lot of records about current and previous members of staff, but I dread to think how far back the information goes. Surely that’s an admin issue that I’ll get around to when I’m not so busy?”
Under the Data Protection Act you are obliged to ensure that records are accurate and kept up-to-date, and information is only kept as long as the organisation needs it. Although it may seem an ‘admin issue’, this is also a data protection issue and probably a breach of the Data Protection Act which could result in action being taken by the ICO.
A data-cleanse seems the most sensible first step, followed by the creation of a retention schedule. This should set out how long certain types of information should be kept for before it is securely disposed of. Give someone responsibility for ensuring this is regularly monitored, so that the organisation keeps on top of retaining data it does not need.
Although the data cleanse may take time, it is worth it in the long-run to ensure the effective retention of data, and the peace of mind this element of the Data Protection Act is not being breached.
Data protection: email addresses
“The business regularly emails its customers, surely there’s no issue with that as we haven’t had any complaints?”
Email addresses are personal data, so the Data Protection Act and its principles apply.
Firstly, make sure customers have opted-in to receiving your emails, and secondly, ensure there is a Privacy Notice on your website telling customers what you will do with their data. Easy access to allow customers to opt-out of communications is also advisable.
One thing to bear in mind is ensuring customers' email addresses are not visible to the other recipients of a bulk email; put them in the Bcc field, or send each customer an individual message, rather than listing them all in To or Cc. The Chelsea and Westminster Hospital NHS Foundation Trust accidentally sent an email listing all recipients' email addresses, and it was fined £180,000 for doing so.
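As an added example (not code from the original page), the following Python builds a bulk customer mailing with every recipient in Bcc, and provides a pre-send check that flags the exact mistake described above: two or more third-party addresses visible in To or Cc. The sender address and the recipient list are constructed for illustration and are not real customers.

```python
"""
Keep recipients' addresses out of the visible headers of a bulk email, and
lint an outgoing message for the To/Cc listing mistake before it is sent.

Added example; all addresses below are constructed, not real customers.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@example.org"   # assumed sender address
MAX_VISIBLE = 1                     # more than one visible third party = leak


def sample_recipients():
    """Constructed recipient list used by the functions below."""
    return ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_bulk_message(recipients, subject, body):
    """Address the visible To header to the sender itself and put every real
    recipient in Bcc, so the mail server delivers the message without the
    list. (smtplib's send_message() strips the Bcc header on sending.)"""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_naive_message(recipients, subject, body):
    """The mistake: every recipient listed in To, visible to all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """All addresses a recipient would see in the delivered message."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def leaked_addresses(msg, sender=SENDER):
    """Return the third-party addresses exposed in To/Cc (ignoring the
    sender's own address). An empty list means the message is safe to send;
    a single visible recipient is an ordinary one-to-one email."""
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    return exposed if len(exposed) > MAX_VISIBLE else []


if __name__ == "__main__":
    good = build_bulk_message(sample_recipients(), "Newsletter", "Hello")
    bad = build_naive_message(sample_recipients(), "Newsletter", "Hello")
    print("bcc mailing leaks:", leaked_addresses(good))
    print("naive mailing leaks:", leaked_addresses(bad))
```

Wire `leaked_addresses()` in as a gate before the call that actually sends: refuse to send when it returns anything, and the Chelsea and Westminster scenario cannot recur through that code path.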
Data protection: keeping CVs
“We regularly advertise roles and ask for CVs. What should I do with all of them once the role is filled?”
CVs will contain personal and potentially sensitive data about a prospective member of staff, therefore the principles regulating data protection apply.
Only keep the CV for as long as the business needs it; if it is a specific role and the person is unsuccessful, you could consider securely destroying the CV after six months for example. If it is a general role and you wish to keep the CV on file for future roles, tell the individual how long it will be retained for, and securely destroy it after this time.
Ensure that the CV is kept securely, and only those members of staff who need access to it, have access to it.
Data protection: employees
“I’ve been asked by an employee for a copy of their personnel file, including references. Should I just give the file to them?”
Firstly, employers will automatically hold a lot of personal and sensitive data on employees (e.g. name, address, date of birth, race, medical history), so it is extremely important for employers to comply with the Data Protection Act.
It sounds as though the employee has made a Subject Access Request. It is not formal as yet because it does not seem as though they have provided a copy of their ID or paid the £10 fee, and the request needs to be in writing (in case this was a verbal request). If there is a large volume of information, it may be worthwhile asking them to make the request formal, and asking whether there is any specific information they require rather than their whole file. However, you can elect to deal with it informally.
Regarding the personnel file, you will need to review it to make sure that the information can be disclosed, or whether third party data (for example) needs to be redacted.
References will most likely contain a third party's personal data (e.g. the referee's name), and the ICO's Employment Practices Code states that organisations should "make a judgement as to what information it is reasonable to withhold". With this in mind, we would suggest contacting the referee to obtain their consent to disclosing the reference, or to ascertain whether the reference was given in confidence and consent is refused.
Data protection: vulnerable adults
“I work with vulnerable adults and have been asked by a family member for a copy of their medical records. I don’t think I should give it to them, but I’m not sure what to do.”
You are right to exercise caution because although the person you work with is a vulnerable adult, it is still their sensitive data being requested by a third party.
If the vulnerable adult has the mental capacity to request their medical records, then it should really be them making the request, or consenting to the request. However if the individual does not have capacity to do this, you should speak to the network of people around to seek their professional opinions i.e. the individual’s GP, social worker, carer etc. You should also ascertain whether the family member has a Lasting Power of Attorney giving them certain rights etc. The ICO helpline would also provide you with useful information with this tricky situation.
Data protection: sensitive data
“I don’t understand the difference between sensitive and personal data. Surely it should all be treated in the same way?”
Sensitive data includes information about an individual such as race and sexual orientation, for example. This type of data falling into the wrong hands could lead to a person being discriminated against, which is why it needs greater protection than other personal data. Also, you need to ensure that a person has given explicit consent to the processing of their sensitive data, unless another condition for processing sensitive data applies.
Data protection: keeping records
“How long should I keep DBS checks for?”
It is recommended on the Government’s website that DBS Checks are kept for six months. Following this time, a new Check should be undertaken, or if the company assesses that no such Check is required again then do not do another until the requirement rises again.
As this is sensitive data the Check should be kept safely and securely, and destroyed securely.
Data protection: keeping credit card details
“We are an online business and process credit card payments. We have lots of people’s credit card details, so what should we do with them?”
This is personal data and should only be kept as long as you need it for, and then destroyed securely. This could mean destroying the data after each transaction, depending on the needs of the business. In the interests of security, it may be sensible to delete the information immediately, and in the event an error was made with the details, prompt the individual to input the details again. Bear in mind that card data is also subject to the card schemes' PCI DSS requirements, which restrict what may be stored at all (for example, the security code must never be retained after authorisation), so retaining full card details is rarely justified.
It would be sensible to notify people how long you retain credit card details for on your website’s privacy notice, so at least you are making people aware of what you do with the information, and how long it is retained for.
Data protection: insurance
“I have received a section 29 request from an insurance company. What does this mean?”
Section 29 of the Data Protection Act 1998 is an exemption under which a party may be able to disclose personal data without the knowledge or consent of the data subject, where withholding it would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax. Firstly, the organisation should be satisfied that the exemption applies to this specific request (the requester should say which purpose and why non-disclosure would prejudice it), and secondly, the organisation holding the data remains responsible for any disclosure it makes, so it should consider whether there are any less risky options available, such as disclosing only the minimum necessary.
Data protection: impact assessment
“I have been told to do an ‘impact assessment’ but I don’t know what that is.”
A Privacy Impact Assessment (PIA) should be conducted when a company is scoping out projects that might have implications for individuals' privacy, such as a new CRM system. This way, problems with individuals' data are found and fixed before the project is launched, rather than afterwards when they could cause financial loss, stress and reputational damage.
Recommendations from the ICO include consulting with stakeholders, identifying privacy and related corporate and compliance risks, and integrating PIA outcomes into project plans.
Just so you are aware, under the GDPR the PIA becomes the Data Protection Impact Assessment (DPIA), which is mandatory for high-risk processing; "privacy by design" is a separate GDPR obligation to build data protection into systems from the outset.
Data protection: consent
“What consent is needed from people for organisations to have their data?”
Consent is the most common condition relied on for processing personal data, though it is not the only one (performance of a contract, a legal obligation or legitimate interests can also apply). Where consent is used it must be 'informed'. For example on a website, as long as you show the individual where to find information about how their data is processed, and tell them how it is processed, this criterion will be satisfied.
Processing sensitive data, by contrast, needs 'explicit' consent. This involves telling the individual in a clear manner how their sensitive data will be processed, and obtaining a signature or an equivalent clear, recorded affirmative statement to prove they have agreed to this processing.
Guidelines for specific sectors
Data protection Act: ecommerce
“Does data protection include ecommerce businesses?”
In short, if you are holding and processing individuals' personal and sensitive data, then yes, you are governed by the Data Protection Act 1998.
Data protection: vets
“We deal with animals, so how does the data protection affect us?”
It is a legal requirement for dogs to be microchipped, and pet owners are increasingly microchipping other pets such as cats, rabbits and horses. Part of this process is the pet owner providing their personal details, such as name and address (personal data), and keeping them up to date. Therefore, perhaps without realising it, you are holding and processing personal data which must be kept secure.
Data protection: voluntary organisations
“We think we are compliant with protecting people’s data, so what else do we need to think about?”
Anxiety UK was served with an undertaking to ensure, amongst other things, its website was secure. As part of the undertaking, it had to conduct a penetration test before going live, and on top of this it planned to have an annual penetration test and have a third party specialist check for vulnerabilities on a quarterly basis.
Ensuring your website is secure should therefore also be a factor of an audit you / an external party consider when looking into data protection for your organisation.
Data protection: medical records
“I have requested my medical records but I am being told I need to prove who I am via ID, and I need to sign documentation. As it is my data, why can’t I just have it?”
In brief, medical records are sensitive personal data and therefore data controllers have more of a requirement to keep the data secure. Fraudsters are experts at obtaining people’s names, addresses and dates of birth, so if this was all of the information needed to obtain your records, it could easily fall into the wrong hands and your data could be used for criminal purposes. Therefore while I am sure this is infuriating for you, the medical practitioner needs to ensure your sensitive data goes to the correct recipient, and this should hopefully give you confidence in your data being stored securely.
Data protection: policy for schools
“We are a school and have a data protection policy, but it focuses on pupils. What else could it address?”
Schools will hold personal and sensitive data about their students, staff, parents / carers, social services contacts and others, so data protection does not simply extend to pupils. As a result, a robust data protection policy should be in place to ensure that the school is complying with the Data Protection Act, and also to set out the steps by which people can access their information through a Subject Access Request (SAR), for example. This should make SARs easier to deal with, and will help all parties understand how to access their information and take any other action they may want to.
Data protection: marketing
“We have inherited a list of people’s contact details and have been told they have opted-in to marketing calls. What are the risks of this?”
The first risk is how do you know these people have opted in, and their data has not been obtained illegally? The people on the list could complain to the ICO which may take action against your company, but also you risk reputational damage.
Data protection: voice recording
“I have secretly recorded a meeting between me and my line manager because they say things to my face that they later deny, so I want a record of the truth. Is this breaching the Data Protection Act?”
The ICO does not look favourably on covertly recording meetings, because recordings should be agreed between those in the meeting. However, if you are going to use the recording for your own personal affairs, there would not be any breach of the Data Protection Act. If you are considering using the recording for raising a grievance for example, then there is a risk of your line manager pursuing you financially for breach of the Data Protection Act. In the event you have taken notes during the meeting and the recording is to evidence your notes, then it is unlikely the ICO would sanction you too severely, although it is a risky approach.
Data protection: guidelines for charities
“We are a charity with limited resources. Do you have any DP tips for us which may be inexpensive?”
Ensure staff use strong, unique passwords and encrypted devices. (Note that the NCSC now advises against forcing regular password changes, as it tends to produce weaker, predictable passwords; change a password when you suspect it has been compromised, and use two-factor authentication where it is available.) You should ensure there is a designated person to lock cabinets containing personal and sensitive data, and have a Data Protection policy that all staff have to read on their first day with you, and sign to confirm they have read it.
Data protection: health
“What is the risk with disclosing details about people’s health?”
Medical records are sensitive personal data as they contain details about individuals' health. In August 2016, a GP surgery was fined £40,000 by the ICO for revealing confidential details about a woman and her family to her estranged ex-partner. This serves as a reminder to all health professionals not to disclose data to anyone other than the data subject, except in limited circumstances.
Data protection: HMRC
“I have asked for my data from HMRC, but they have told me I can’t have it. What can I do?”
HMRC is a data controller and therefore you have the right to ask for all personal and sensitive data it holds about you. There are exceptions to this rule where the information is likely to prejudice the prevention or detection of crime, or it would prejudice the assessment or collection of any tax or duty for example.
If you are unhappy that you have not received all disclosable data about you, then you should refer the matter to the ICO.