Protecting and securing personal data

  • Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information held by that business or a third party.
  • Personal data needs to be protected and kept secure. This data may include:
  1. name;
  2. e-mail address;
  3. telephone numbers;
  4. date of birth;
  5. photographs; and
  6. notes written about someone.
  • Particular care must be taken with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data.
  • The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on a business' CCTV footage.

Collecting personal data

  • A business can only collect personal data if it has a legitimate reason for doing so.
  • When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data. If the purposes for which the business wants to use someone's data change, the individual must be informed.
  • Businesses should only collect information they require at that particular time.
  • If a business wants to use someone's data for marketing purposes, the individual must be informed. It is good practice to do this at the time the data is collected.

Using data collected on individuals

  • A business is generally allowed to use someone's personal data if they have given their consent. The data can also be used in other circumstances, for example, if the business:
  1. needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them); or
  2. has a legitimate interest in using it, although this must be balanced with the individual's rights.
  • Data should only be used for the reason for which it was collected.
  • If a business wants a third party to manage its data it should take legal advice as the business could still be responsible for protecting the data and will need to enter into a written contract with the third party.
  • Businesses should take legal advice if they are considering transferring any data to a country outside the European Economic Area.

Storing personal data

  • All data must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted.
  • Data should only be held for as long as it is required and for the reason it was collected.

Keeping data secure and confidential

  • Personal data must be kept secure at all times. For example:
  1. computers and files should be password protected;
  2. personal data on laptops and other portable devices should be kept to a minimum;
  3. manual filing cabinets containing personal data should be locked and only accessible to authorised personnel;
  4. confidential documents should not be left unattended on desks; and
  5. personal data should be removed promptly from fax machines, printers and photocopiers.
  • When a business sends personal data, it must be done in a secure way.
  • Personal data must be disposed of securely. Confidential papers should not, for example, be put in the recycling bin.
  • When working away from the office or in public areas:
  1. ensure personal data stored on portable devices such as laptops, Blackberries, tablets or memory sticks is encrypted and kept secure at all times;
  2. avoid leaving papers or electronic devices lying around;
  3. make sure members of the public cannot see confidential documents or computer screens; and
  4. avoid talking about confidential matters when members of the public may be able to hear.
  • Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately.
  • Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate.

Enquiries about personal data

  • Businesses should have a system in place to deal with individuals who request details of the personal information that the business holds on them. A business is permitted to charge an administration fee of up to £10 for responding to this type of request and must respond to such requests within the relevant time limits.
  • Individual employees should not deal with this type of enquiry, unless they have been given specific authorisation to do so. The request should normally be passed to the person within the business who has responsibility for data protection issues.
  • Personal data should not be given out to the friends or relatives of an individual without that individual's specific consent.

Penalties for failing to deal with personal data appropriately

There could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines) if personal data is not handled properly. If in doubt, you should seek legal advice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.