The decision of the Information Commissioner's Office (ICO) to prosecute a firm based in Worcestershire for unfairly and unlawfully processing the personal data of construction workers became big news recently, but what are the general learning points and reminders about the Data Protection Act 1998 (DPA)?
DPA Applies To All Uses Of Personal Data
This case highlights that organisations that buy in personal data need to be just as careful as organisations that collect and sell it. In addition, a data processing agreement must be entered into between controller and processor. Compliance is simple and involves a short agreement or clause in a contract.
Forty construction firms, including many of the industry's biggest names, paid for access to the Consulting Association's database to vet potential employees. The regulator is likely to issue enforcement orders, breach of which is a criminal offence. But the headline penalty for getting it wrong is an unofficial one: bad publicity.
The DPA Applies To Paper Filing Systems
A data subject (the person whom the information concerns) has a right to request to see the personal information you hold on them. Any filing system (electronic or on paper), can be caught, as long as the information is readily identifiable within the system. The case reminds us that, unless you are comfortable in disclosing information, you are best advised not to record it.
You Must Register With The ICO
If you collect personal data in the course of your activities, then in nearly all cases you must register with the ICO as a data controller. We can advise on the exceptions. There is a small fee required and you are asked to list all activities for which you hold and collect data, and the type of data subjects you will hold information on.
Compliance With The Data Protection Principles
You should ensure that data subjects are clear about what information you will collect about them and keep, whether or not you need to get their consent. Where necessary you should obtain their informed consent. You must ensure that the information you hold is kept up-to-date and is not kept for longer than is needed. If the data subject requests their information you must disclose it. There are traps for the unwary so unless your staff is experienced in dealing with requests you should take initial tactical advice.
When Trouble Strikes
There is no doubt that Consulting Association could have made life easier for itself. The ICO has extensive powers in enforcing data protection legislation, ranging from on-site investigation to enforcement notices, imprisonment and fines. Damage in all respects can be mitigated by careful management of the relationships with data subject and regulator.
Support From Us
If you are unsure about data protection, we provide a wide range of services that can help you comply. These include:
- Audit Highly cost-effective support with internal compliance audits, systematic data protection compliance audits.
- Training For senior managers and operational staff.
- Policy Internal and outward-facing data protection and direct marketing policies.
- Relationships We advise regularly on managing relationships with third parties and employees, such as fair processing notices for data subjects, data sharing with suppliers or partners, dealing with DPA requests and enquiries by the regulator.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.