Prepare yourself for the Data Protection Act
Graham Small from law firm Rowe Cohen looks at recent changes to the Data Protection Act and the steps that personnel managers must take to comply…and the consequences if they don’t.
Last month a new Data Protection Act came into force, which has far reaching implications for any organization that collects and processes personal data. If you think that this law only applies to banks, credit card companies, mail order houses and the like, then think again.
Personal Data?
As ‘personal data’ is defined as any information that ‘identifies a living individual’, the new laws now cover any information your company holds about customers, suppliers, prospects and employees. This even includes, for example, the collection of business cards that many people in business keep in their briefcase as a matter of course, or a Filofax full of names, addresses, e-mail addresses and phone numbers.
Anyone who works in a personnel or human resources department should pay particular attention to the new rules because they extend to the records you keep about existing, potential and ex-employees. Your carefully maintained employee files could easily become a liability instead of an asset.
Outside suppliers, too
The tentacles of the new legislation extend beyond your own workplace, too. If you supply records to some form of outsourcing supplier, a recruitment agency perhaps or an external mailing house, you must obtain a written undertaking from them that they, too, will comply with the new law. They must guarantee to protect the security and integrity of the relevant personal data.
It might be worth mentioning to your Marketing Department that this stringent new law also governs both the internal and external use and operation of their treasured past, present and prospective customer databases, and any outside lists that they rent, lease, buy or otherwise gain access to.
Your secrets are safe
Looking on the positive side, business secrets such as forward plans and forecasts – including those that deal with matters of employment, promotion and redundancy – are generally exempt under the Act.
The ‘Big Eight’ Principles
The Data Protection Act has been introduced to protect individuals’ rights to privacy and confidentiality regarding their personal and financial affairs. It imposes a requirement on all organizations that hold personal data to adhere to a code of eight data protection principles. With this in mind, you have a duty to ensure that all data regarding your workforce is:
1) fairly and lawfully collected and processed
2) only used for a limited, clear and well-explained purpose
3) relevant to your organisation’s needs and not excessive in detail
4) accurate and up-to-date
5) kept no longer than is necessary
6) processed in accordance with the rights of the individual
7) securely stored to prevent unlawful or unauthorized processing, loss, destruction, damage or disclosure
8) not transferred to countries outside the European Economic Area
Audio, video, digital or good old paper
While previous Data Protection legislation has mainly related to computer records, this latest Act covers recorded and video data as well as paper records. The government realizes that bringing manually maintained records up to compliance standards will be a huge task for some large organizations, so paper records need not conform until 2007. However, the subjects of your personal data files have a legal right to access their records as from 24 October 2001, so be prepared to disclose such information willingly if such a request is made.
Implications of the Act
There are a number of key implications for anyone working in human resources.
1) When you collect someone’s personal data, you must make the person who is the subject of the data aware of what data you’re collecting, why you’re collecting it and to whom it’s going to be disclosed. This applies particularly where a proposed use of the data is not obvious, for example collecting data relating to insuring or providing pensions for people with a past history and/or family history of heart disease. If that is the reason for seeking to acquire the information, you MUST say so at the time.
2) To enquire about and record any data that is particularly personal in nature, such as someone’s racial or ethnic origin; their religious or political beliefs; their medical status; or any criminal convictions, you must have either the explicit consent of the person concerned; be involved in the administration of justice; or be protecting the vital interests of a relevant third party.
3) Prospective employees that your company has decided not to appoint now have a legal right to get a copy of all the information you hold on them, whether held on computer or in manual files. They can also insist on being told the source of the information if they so wish.
Furthermore, all employees (past or present) now have the right to insist that any inaccurate information is amended or that their details be removed from your systems. In extreme cases, they will be able to claim compensation for any damage or distress caused as a result of a breach of the Data Protection Act by your organisation.
Bad news – fail and you risk being fined
You could face a £5,000 fine if you fail to comply with such a request. Don’t be lulled into a false sense of security by thinking if there’s a breach of the Act the business will bear the cost of the fine. If you are a company director or a manager and the breach was committed with your consent or knowledge or because of your neglect, you’re guilty of the offence and personally liable.
Good news – you get time and money
Don’t panic, it’s not all bad news. If someone wants to access their records, they must give you written notice, following which you have 40 days to comply with their request. You can charge them up to £10 for providing the information.
Consent, reason, intent
A good rule of thumb to help ensure you and your colleagues are complying is to make certain that:
What you MUST do – if you haven’t already done it
Believe it or not, the first thing you will need to do is ensure that your company is registered on the Register of Data Controllers, which is maintained by the Office of the Information Commissioner. It is now deemed a criminal offence for you to process personal data without a register entry, which is renewable annually at a cost of £35 per year. The register is publicly available at www.dpr.gov.uk/search.html
If you haven’t already registered, do it now, today.
While certain types of business are exempt from having to register (certain non-profit making organizations, for instance) this doesn’t mean that such organisations are exempt from having to comply with the Act.
To make it easier for companies to restructure the way they use data, the implementation of the Act has been divided into three phases.
Phase One (1 March 2000 – 23 October 2001)
During this period your company should have elected and trained a ‘data controller’ to ensure that your procedures and systems comply with the eight principles of the new Act listed above.
Although all data processed before 24 October 1998 escapes the clutches of the new Act, your ‘data controller’ should have ensured that all computerised data gathered after that complies with the new Act, as opposed to the previous 1984 Act.
Phase Two (24 October 2001 – 24 October 2007)
All manual data (including health records) gathered on or after 24 October 1998 will be subject to the Act.
Phase Three
After October 2007, the Act will be fully effective and all data, however stored, will have to comply with no exemptions.
Still procrastinating?
Despite lots of warnings in the press about the above deadlines, I suspect that many companies still haven’t appointed a ‘data controller’ and still haven’t put compliance measures in place.
If your current procedures fall short of the new rules, then you really do need to take immediate action. If, on the other hand, your company has taken all necessary measures and believes it is compliant, then make sure that you continually review your procedures.
Making the effort
In reality, I think it is probably virtually impossible to achieve full and continuous compliance but if you are able to demonstrate that you have put a strategy in place that aims to achieve compliance, then you greatly reduce the risk of being fined.
Like it or not, the new Data Protection Act affects you. While you can still go about your daily tasks, it would pro