On 24 October 2001, a number of important data security rules will affect almost all businesses that rely upon personal data, whether paper- or computer-based. A recent survey, carried out by the market research company The Opus Group, revealed that more than 60% of managers responsible for data protection in UK companies are unaware of this deadline. If you do not comply with the Data Protection Act 1998, you will almost certainly be committing an offence, which may carry criminal as well as civil liability!

What are the key areas your organisation needs to address NOW?

  1. Subject to a limited number of exceptions, you should have notified your data processing activities to the Office of the Information Commissioner.
  2. Whether or not you have given such notification, you must have in place policies and procedures to comply with the 8 data protection and information security principles of the Act. (Details of the 8 principles can be found at http://www.hobsonaudley.co.uk/bull_uploads/ACF76BF.pdf)
  3. You cannot outsource your data processing activities to a third party, such as a facilities management or business continuity company or to your ISP, without having a contract with them that binds them to process your data in accordance with best practice rules and under your control. In addition you must establish that they have adequate information security procedures in place.
  4. You must respond within 40 days to any request from an individual, whether an employee or customer, to show what data you hold about them.
  5. You must have in place adequate information security. This means technical as well as operational security.
  6. You cannot transfer personal data outside the European Economic Area (EU plus Iceland, Liechtenstein and Norway) unless you have obtained the informed consent of the person or persons whose data is being transferred, or you have put in place a contract with the recipients of the data that ensures they can provide the same level of data protection as you are obliged to provide under the Act.
  7. If you have databases of personal data you can only retain that data if the persons whose data you hold agree to all the purposes for which you use or intend to use their data.

All these requirements require action NOW.

Hobson Audley is highly experienced at advising organisations on their data protection compliance and can assist your company with auditing and compliance and the practical implications of the Act on your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.