What are the data protection requirements for my business?
Many business during the operation of that business will be required to collect and process personal information whether that it in relation to their employees or their customers. As a consequence there are a variety of requirements that all business should be aware of.
There are three main issues that all business should be aware of when processing personal information. They are as follows:
- That the requisite legislation is complied with
- The privacy and data protection issues in relation to direct marketing
- The notification requirements
The use of personal information by businesses in the UK is governed by the Data Protection Act 1998. If your business requires you to store people’s personal details such as employee records and customer details then you must comply with the data protection act.
The Data Protection Principles
Central to compliance with the Data Protection Act 1998 are the eight data protection principles detailed fully in the Act.
Of huge importance to the running of a business is the first data protection principle – to use the information fairly and lawfully.
To use the information fairly and lawfully
This requires that you tell individuals what you will use their information for and make sure that your use of the personal information does not break any other laws.
What do I need to tell individuals?
According to the Data Protection Act when you obtain personal information you must tell individuals the following:
- The name of your business or organisation
- What you use your information for
- Any other information needed to make your use of their information fair
- That they have a right to access the information and to correct it if it is incorrect
- You should explain ways you may use the information which they may not expect such as passing it on to other organisations
Following on from this you cannot use information in a way which you have not specified. For example if you wish to use the information for direct marketing purposes then you must provide the individual with details of this and provide then with an opportunity to opt out.
The Data Protection Act classifies some information as sensitive information and there are stricter rules about this kind of information. Information classed as sensitive is information concerned with the following:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health condition
- Sexual life
- Offences or alleged offences committed
- Proceedings related to those offences or alleged offences
A business can only use sensitive information where you can meet at least one of a narrow set of conditions for processing personal information specified by the Data Protection Act.
Privacy and Data Protection Issues related to direct marketing
As seen above there are requirements in relation to direct marketing specified by the Data Protection Act. There are further requirements in relation to this specified in the Privacy and Electronic Communications Regulations – all business using information in this manner should be aware of this legislation.
The Data Protection Act requires business to give details about the way in which they process information to the Information Commissioners Office (ICO). These details will then be included in a public registrar to which members of the general public will be able to access understanding how various business use their personal information.
Not all organisations, however, have to comply with the notification procedure as some are exempt.
During the notification process you will be required to provide details of the way you process personal information by choosing the various options provided by the ICO. Each business will be slightly different, but most will incorporate the following standard uses:
- Staff administration – this includes payroll
- Advertising, marketing and public relations for their own business
- Accounts and records
When you register with the ICO through the notification procedure you must provide the name of your company. This will then be termed the data controller under the Data Protection Act and applies to any body handling personal information.
The name you provide must be the correct legal title of the individual or organisation. For example:
- Sole Traders must provide the full name of the individual
- Partnerships must provide the trading name of the firm
- Limited or public limited companies must provide the full name of the company
- Groups of companies cannot submit a single notification, each individual company who is a data controller must notify separately
- Schools must provide the name of the school
- Voluntary bodies must provide the name by which they are known to the public
How long does a notification last?
A single notification will last for a year. If you wish to renew a notification then you must do so within 28 days of expiry.
Will I have to pay a fee for notification?
All data controllers will have to pay a fee when first notifying the ICO of their data protection practices. They will then be required to pay the same fee on an annual basis in order to renew the notification.
Since October 2009 the fee structure has become two tiered and is as follows:
- £500 for all companies with an annual turnover of £25.9m or 250 or more employees – this will also apply to public bodies with 250 or more staff
- £35 for all other companies below the upper threshold
Failure to notify the ICO when you are required to do is a criminal offence.