Written by Steve Sidkin
18 November 03
Do you keep a list of contact information on your customers or suppliers? Do you have employees or agents? If so, then you are likely to be subject to the requirements of current UK data protection laws, which safeguard the use of personal information in a commercial context.
Let’s face it, every business deals with personal information in some form and to some extent, whether about its employees, clients, customers, suppliers, contacts or the people to whom it wishes to market its products. Despite this, an alarming number of businesses are unaware of their data protection obligations. Perhaps more alarming still is the fact that many businesses do not realise it is a criminal offence to fail to comply with certain data protection laws, or that the directors, managers and other officers of a company may be personally liable where a company breaches these laws.
Given that it is no excuse to plead ignorance of the law, it may be prudent to spend some time now getting to grips with the basic rules.
Do the rules apply to me?
The current UK data protection laws are contained in the Data Protection Act 1998. Broadly, the Act applies if you are processing personal data as a data controller who is established in the UK, or using equipment in the UK for processing the data. In this context:
- "processing" covers almost anything you can do with data (including obtaining, retaining and destroying it)
- "personal data" is any information that relates to and identifies a living individual
- "data controller" is a person who determines the purposes for, and the manner in, which any personal data is processed.
What must I do to comply?
There are three key areas of compliance.
Notification. If you process personal data for business purposes, you will need to "notify" with the Information Commissioner unless one of the exemptions applies to you. This involves registering your firm in the register of data controllers maintained by the Information Commissioner. Your notification will set out information such as the kinds of personal data you process, what you do with it and why you process it. Notification is a relatively cheap and straightforward procedure, and is effected by filling in and sending off a simple form (that can be completed online). Your notification must be renewed every year, and you are obliged to keep the content of your notification up-to-date at all times.
Data protection principles. Unfortunately, notifying with the Information Commissioner alone does not put you in the clear. You must also ensure you comply at all times with the eight data protection principles. These principles require you to process personal data fairly and lawfully and only for purposes that you have specified to the Information Commissioner or to the individual whose personal data you are processing. The principles require you to ensure that personal data processed by you is accurate, up-to-date, relevant and not excessive for the purposes for which it is processed. The principles prohibit you from retaining personal data for longer than is necessary for the purposes you have specified, and require that personal data is only transferred out of the European Economic Area if adequate protection is in place. Finally, the principles require you to take appropriate measures to keep personal data secure.
Individuals’ rights. The Act grants to individuals whose personal data you process a number of rights, including the following:
- you must inform them that their personal data is being processed by you or on your behalf
- you are obliged upon request to provide them with a description of their personal data that you are processing, the purposes for which their personal data is being or is to be processed, and the persons or types of person to whom you may disclose their personal data
- you are obliged upon request to provide them with a legible copy of the information constituting the personal data, and any available information as to the source of the data
- if they make a "subject access request" of you and pay the requisite fee, you must communicate to them all personal data about them that is held by you as at the date of the request.
What if I do not comply?
The Information Commissioner enforces the Act. The penalties and the enforcement procedure adopted by the Information Commissioner vary according to which requirement has been breached. For example, it is a criminal offence to process personal data without a notification or with an out-of-date notification. However, the Information Commissioner may give you a chance to notify before bringing a criminal prosecution against you.
In contrast, it is not a criminal offence to breach one of the data protection principles. However, the Information Commissioner can take certain enforcement actions against you for breaching one of the principles. Usually, a preliminary warning will be issued, followed by an enforcement notice. Failure to comply with an enforcement notice is a criminal offence.
This briefing note is for general information. For advice in applying this general information to your specific circumstances, please contact Stephen Sidkin or any member of the Fox Williams’ agentlaw team (www.agentlaw.co.uk).