What are the data protection requirements for my business?
Many businesses, in the course of their operation, will be required to collect and process personal information, whether in relation to their employees or their customers. As a consequence, there are a variety of requirements that all businesses should be aware of.
There are three main issues that all businesses should be aware of when processing personal information. They are as follows:
- That the requisite legislation is complied with
- The privacy and data protection issues in relation to direct marketing
- The notification requirements
The use of personal information by businesses in the UK is governed by the Data Protection Act 1998. If your business requires you to store people’s personal details, such as employee records and customer details, then you must comply with the Data Protection Act.
The Data Protection Principles
Central to compliance with the Data Protection Act 1998 are the eight data protection principles detailed fully in the Act.
Of huge importance to the running of a business is the first data protection principle – to use the information fairly and lawfully.
To use the information fairly and lawfully
This requires that you tell individuals what you will use their information for and make sure that your use of the personal information does not break any other laws.
What do I need to tell individuals?
According to the Data Protection Act, when you obtain personal information you must tell individuals the following:
- The name of your business or organisation
- What you use their information for
- Any other information needed to make your use of their information fair
- That they have a right to access the information and to correct it if it is incorrect
- You should explain ways you may use the information which they may not expect such as passing it on to other organisations
Following on from this, you cannot use information in a way which you have not specified. For example, if you wish to use the information for direct marketing purposes, then you must provide the individual with details of this and provide them with an opportunity to opt out.
The Data Protection Act classifies some information as sensitive information, and there are stricter rules about this kind of information. Information classed as sensitive is information concerned with the following:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health condition
- Sexual life
- Offences or alleged offences committed
- Proceedings related to those offences or alleged offences
A business can only use sensitive information where it can meet at least one of a narrow set of conditions for processing personal information specified by the Data Protection Act.
Privacy and Data Protection Issues related to direct marketing