The Data Protection Act, or DPA as it is more commonly referred to, is the framework that is in place for the collection and processing of personal data.
The majority of businesses collect and process customer information in order to run their businesses and therefore have certain responsibilities to adhere to. By ‘customer information’ we mean personal information, that is, any information that identifies a living individual, such as name, address, date of birth, educational record, financial details and even expressions of opinions or intentions.
The DPA covers personal information that may be held in soft or hard copy format, i.e. on your computer or in paper format. The DPA has eight principles which businesses must adhere to in order to operate within the DPA framework.
These principles state that personal data must be:
- Used fairly and lawfully: Personal data should only be collected and used where there is a valid reason for doing so. Customers (or data subjects, as they are referred to in the Act) should be told how their personal data may be used.
- Used for limited, specifically stated purposes: Where any planned use of the information falls outside what has been explained to the data subject or what they might expect, consent must be obtained before proceeding.
- Used in a way that is adequate, relevant and not excessive: A business must be able to demonstrate that the level of personal information collected is legitimately required.
- Accurate and, where necessary, kept up to date: A business has the responsibility to ensure data is accurate and kept up to date.
- Kept for no longer than is absolutely necessary: In principle, personal data should not be kept for longer than is necessary for the reason(s) for which it was collected. Some personal data, however, needs to be retained for legal reasons.
- Handled according to people’s data protection rights: Data subjects have rights under the Act. These include the right of access to their records, the right to have any inaccurate information corrected and the right to prevent processing likely to cause damage or distress.
- Kept safe and secure: Taking appropriate measures to ensure personal data is kept secure is one of the biggest obligations placed on a business. Data security is equally important for both manual and electronic records and applies throughout all stages of data processing, from obtaining and using to sharing and destruction.
- Not transferred outside the European Economic Area without adequate protection: Personal data cannot be transferred to countries which do not have personal data legislation similar to our own.
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
10 Top DPA tips for your business:
- Keep paper personal data in a safe place such as a locked filing cabinet or drawer and lock all personal data away when you are finished with it and at the end of the day.
- Operate a clear desk policy.
- Only remove files containing personal information from the workplace when necessary. Their location should always be tracked.
- Destroy personal data by shredding.
- Do not store personal data on desktops, laptops or portable media unless protected by encryption software.
- Usernames and passwords for any system containing personal data should not be disclosed to anyone. Always renew passwords when prompted.
- When leaving your desk, lock your PC (by pressing ‘Ctrl, Alt and Del’ keys simultaneously). Log off when leaving for longer periods.
- Never leave personal data at printers. Collect print jobs promptly.
- Emails sent to addresses outside the organisation will be transmitted across the internet. Never send personal data to such addresses.
- Never leave laptops/portables/media unattended. When transporting any computer media always ensure it is out of sight, either in a glove compartment or boot of a car.