Holding sensitive personal data on individuals is strictly regulated. The Data Protection Act 1998 gives clear guidance on how customer and employee information should be stored and retrieved, explains Marie Kell of Andrew Jackson solicitors.
It governs the use of personal information held about individuals in storage and retrieval systems. That includes computerised systems and searchable paper systems. The Act gives people the right to know what information is held about them – and to access it. The Act applies to large and small businesses that maintain personal data.
Names and addresses… bank details… opinions about an individual – living, identified or identifiable. For businesses, this is most likely to be customers and possibly employees.
Under the Act, some personal information is deemed ‘sensitive’ and is therefore subject to greater restrictions. This includes information about someone’s race or ethnicity, political affiliation/trade union membership, religious or moral beliefs, physical or mental health, sexuality and criminal record.
Those affected must comply with eight principles, which aim to make sure personal information is fairly and lawfully processed, processed for limited purposes, adequate, relevant and not excessive, accurate and current, not kept for longer than necessary, processed in line with the person’s statutory rights, kept secure, and not transferred to other countries without adequate protection. Businesses processing personal information must notify the Information Commissioner, unless they are exempt.
If someone asks to see the personal information you hold about them – which is called a ‘subject access request’ – you must release it. You have 40 calendar days to respond to a subject access request and can charge a fee of £10 for making this personal data available. Also, if the police make a request to view your data to prevent or detect crime or catch or prosecute a suspect, you can lawfully reveal it.
If you hold personal data about individuals, the Data Protection Act will apply to you. You will still be required to comply with the eight principles of the Data Protection Act and ensure personal information is processed fairly and lawfully.
However, if the information is only held by your business for staff administration purposes or for advertising, marketing and PR purposes, you may be exempt from the requirement to notify the Information Commissioner. If you must ‘notify’ the Information Commissioner, you will have to pay an annual fee of £35. Exemptions are explained in full on the Information Commissioner's website.
Yes, it covers personal information processed while monitoring employees – including casual, contract and agency people – by electronic communications, video and audio and information supplied by others. You should tell employees the nature, extent and reason for your monitoring, unless secrecy is justified. You can only monitor in secret if there are clear grounds for suspecting criminal activity or malpractice – usually matters where ultimately you would need to involve the police.
Make them aware of their responsibilities under the Data Protection Act. As a general rule, as few people as possible should have access to personal information obtained via monitoring or maintenance of a database.
The Data Protection Act says information should be kept for ‘no longer than is necessary’, which makes the law a bit vague. Each case is considered on its own merits. As a general rule, when personal information is no longer required, erase it from your system.
Not if customers have expressly told you not to. This must be in writing and you must act on the request in a reasonable period of time, usually 28 days.
The person can ask you to correct it. If you don’t comply, they can obtain a court order directing you to correct, delete or destroy the personal information. The court will decide if the information is inaccurate and what happens next. You may be instructed to pay compensation and costs.
Comments
"Does the Data Protection Act apply to me if I keep records simply for staff admin?
No, nor if the information is for advertising, marketing and PR purposes for your own business."
This is quite simply incorrect. An exemption from notification may apply, but the DPA still applies.
Thank you for your feedback.
We have amended this to clarify that the Data Protection Act and principles will still apply, but that businesses processing personal information for some limited purposes may be exempt from the requirement to notify.