Comply with data protection legislation

Data protection laws affect how businesses and other organisations are allowed to make use of personal information. You must follow these rules if your business stores or processes people’s details – ie keeps customer or employee records.

This guide explains the requirements of the Data Protection Act 1998 and outlines steps you can take to ensure you meet them. This may involve notifying the Information Commissioner’s Office (ICO) about what personal information your business holds and what it’s used for.

You will find specific guidance on what you should consider when recruiting staff and managing employee records, as well as the rules on monitoring workers. This guide also contains advice on training your staff to ensure they understand the implications of the Act.



What does the Data Protection Act 1998 apply to?

The Data Protection Act 1998 applies to personal information: data about a living individual who can be identified from it, either on its own or together with other information you hold or are likely to obtain. It includes names and addresses, bank details, and opinions expressed about an individual.

You can find advice and definitions for personal information for the purposes of data protection on the Information Commissioner’s Office (ICO) website.

What are the main requirements?

The Act regulates how personal information is used, and requires organisations to comply with eight principles – or rules – of good information handling. It also requires some organisations to tell the ICO what they use personal information for. See the page in this guide on the data protection principles.

Personal information can be used by an organisation only where it meets one of six conditions set out in the Act. In most cases, it should not be too difficult to meet one of these conditions – which include having the individual’s consent or having a legitimate interest in using their personal information.

Sensitive personal data

The Act classifies some personal information as ‘sensitive’ and there are stricter rules about this type of data. This is information about:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • physical or mental health condition
  • sexual life
  • offences or alleged offences committed
  • proceedings relating to those offences or alleged offences

You can only use sensitive personal information where you can meet at least one of a narrower set of conditions – as well as being able to meet one of the six standard conditions – for processing personal information. These narrower conditions make sure that this sensitive information is only used where there is an essential need for an organisation to use it.

You can see a list of the conditions for processing sensitive personal data on the ICO website.


The data protection principles

The Data Protection Act 1998 governs the use of personal information through the eight data protection principles.

These principles require that personal information is:

  • processed fairly and lawfully
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • not kept for longer than is necessary
  • processed in line with the rights of individuals
  • secure
  • not transferred to other countries without adequate protection

The definition of processing is wide and covers virtually anything done with personal information, on a computer or otherwise. It includes obtaining, recording and holding the information, and any operation carried out on it: organising, altering, retrieving, consulting, analysing, disclosing, combining, blocking, erasing or destroying it.

You can find advice and definitions for processing information on the Information Commissioner’s Office (ICO) website.

You can read about the data protection principles on the ICO website.

If you are processing personal information covered by the Act, you and your staff must comply with the data protection principles. Complying with the principles is largely a matter of common sense and you may well be meeting the requirements already. However, if you need advice on what is required, you can contact the ICO Helpline on Tel 0303 123 1113. See the page in this guide on using personal information fairly and lawfully.

Data security

Your business must have appropriate technical and organisational security measures in place to protect personal information against unauthorised or unlawful use or disclosure, and against accidental loss, destruction or damage. What counts as ‘appropriate’ depends on the harm that could result from a breach and on the nature of the data, so sensitive personal data warrants stronger protection than, say, a mailing list. You can download data security advice for small and medium-sized enterprises (SMEs).


Using personal information fairly and lawfully

One of the key provisions of the Data Protection Act 1998 is that personal information must be used fairly and lawfully. You should tell individuals what you will use their personal information for, and make sure that your use of personal information does not break any other laws. When you obtain personal information, you must tell individuals:

  • the name of your business or organisation
  • what you use their information for
  • any other information needed to make your use of their personal information fair

You should also tell the individual that they have a right to access their information and have it corrected if it is factually inaccurate. You should explain any ways you may use the information that they might not expect. For example, you should tell them if you may pass the information to other organisations, or if it might be put on file at credit reference agencies.

Similarly, you should not use personal information for a reason an individual would not expect. This means that if you told an individual you would only send them direct marketing about your own products and services, you could not then pass that individual’s details to another organisation.

However, if – for example – someone booked a holiday through your business, it would be acceptable to send them a brochure about similar holidays the following year – unless they had asked you not to send them future marketing material.

Authorised information disclosures

Generally, you cannot pass information about an individual to another business or organisation unless you have asked for – and they have given – their consent. However, there are exceptions to this.

If the police ask you for information about someone, you can provide it without telling the individual, where telling them would be likely to prejudice the prevention or detection of crime. This exemption permits disclosure but does not compel it: you should satisfy yourself that the request is genuine and keep a record of what you released and why. Disclosures can also be made where they are necessary for a court case or to obtain legal advice, for example in connection with an employment tribunal.

You can download advice on releasing information to help prevent or detect crime.


Individuals’ rights under the Data Protection Act 1998

The Data Protection Act 1998 gives individuals certain rights in relation to the use of their personal data. These rights are as follows:

  • The right of subject access – gives people the right to obtain information held about themselves. See the page in this guide on personal information access rights.
  • The right to prevent direct marketing – individuals can ask you at any time not to use their personal information for direct marketing purposes. They need to make their request in writing and you must act on it in a reasonable period of time. In most cases, this should be within 28 days.
  • The right to have personal information corrected – an individual has the right to have incorrect or misleading personal information held about them corrected. If you don’t do this, they could obtain a court order directing you to correct, delete, block or destroy the information. If this happens, it will be up to the court to decide if the information is inaccurate and what (if anything) to do about it. The individual may also ask the court for compensation and costs.
  • The right to prevent automated decisions – this allows individuals to stop important decisions about them being made by solely automated means – for example, decisions made only by a computer. This can include recruitment decisions made solely on the basis of psychometric testing. There are some automated decisions which, under certain circumstances, are exempt from this right. A sensible course of action is to allow the individual the right to appeal a decision taken in this way.

You can download the personal information online code of practice.


Personal information access rights

The Data Protection Act 1998 gives individuals the right to access the personal information you process about them.

Individuals have the right to:

  • know whether you, or someone else on your behalf, is processing personal information about them
  • know what information is being processed, why it is being processed and who it may be disclosed to
  • receive a copy of the personal information about them
  • know about the sources of the information

To obtain access to personal information held about them, an individual must send either a written or electronic request – known as a subject access request (SAR). The SAR doesn’t have to refer to the Act but should make it clear that it is a formal request from the individual and not just an everyday enquiry. You can charge a fee of up to £10 to provide the information requested. 

If you are not sure about the identity of an individual requesting information, you can ask for proof. This could be an official document – eg a council tax bill, driving licence or passport.

You can request additional information that you might need to respond to the SAR. For example, if an individual has requested emails you could ask when the emails were sent, or for the senders or recipients of the emails.

Conditions for responding to a SAR

You must respond to a SAR no later than 40 days after receiving it. The 40-day period runs from the day you receive the request or, if later, the day you receive the fee and any additional information you reasonably need to locate the data. You don’t need to supply the information until you have received any fee payable, but you should not delay asking for it.

You must provide the information requested in a permanent format – such as a computer printout, letter or form – unless:

  • the individual agrees otherwise
  • it is not possible to supply such a copy
  • it will involve ‘disproportionate effort’

If this is the case, you must still provide access to the information in another way.

You must also ensure that the information can be understood. For example, if there are any codes used, you should explain what they mean.

Why comply with a SAR?

You can be fined heavily for breaking data protection rules – see the page in this guide on the Information Commissioner’s Office – but complying with a SAR also has other business benefits, including:

  • saving time and money by reducing correspondence being sent using out-of-date information or to incorrect addresses
  • increasing customer confidence in your information
  • reducing the risk of a complaint being made against your business
  • protecting your business against compensation claims

Data protection training for your staff

All workers involved in processing personal information about living individuals must have at least a basic understanding of the Data Protection Act 1998. Staff with more specialist roles – eg marketing, computer security or database management – may need extra training to cover data protection rules relevant to their jobs.

The Information Commissioner’s Office (ICO) has produced a checklist you can use to identify data protection training needs among your staff. Download data protection training guidance for businesses.

Handling requests for information

Any individual that you hold information on is entitled to ask for a copy of information you hold about them. This is called a subject access request (SAR). See the page in this guide on personal information access rights.

Your staff need to know how to recognise a SAR and the rules for dealing with them. Download advice on handling a SAR from the ICO website (PDF, 33K).

Providing personal information to a third party

Your business may receive a call from a third party on behalf of an account holder – eg someone could claim to be a customer’s partner or relative, or their lawyer or accountant. It can sometimes be difficult to judge what information is appropriate to give out in these situations. As a rule, a caller’s claimed relationship to the account holder is not proof of authority to receive their information: unless the account holder has consented, treat the request as you would one from any other third party. Download data protection guidelines for dealing with a third party.

Staff attitudes to data privacy and security

Data privacy and security are a key part of data protection rules, so you need to make sure your staff are aware of their importance. For example, the loss or theft of a USB stick or laptop containing personal information about customers could seriously damage your business’s reputation, as well as lead to severe financial penalties. Encrypting laptops and removable media, so that a lost device does not become a disclosure, is the most effective single precaution against this.

To help change staff attitudes, you can download a data privacy awareness campaign for businesses.


Data protection for employee records and when recruiting

The Data Protection Act applies to personal information your business holds about all individuals – not just customers or account holders. You should bear this in mind when recruiting new staff and keeping employment records.

People can claim compensation if they suffer as a result of your business breaking data protection rules, so it’s in your interests to make sure records are well managed – and used responsibly.

Key considerations during recruitment

When recruiting new staff, you must make sure you comply with the Data Protection Act. You should:

  • give your business name and contact details – or that of the agency you’re using – on all job adverts you use
  • not collect more personal information than you need – eg bank details are only necessary from the successful candidate and motoring offences are only relevant if driving is a part of the job
  • only ask about criminal convictions if this is justified by the job type
  • not ask about ‘spent’ convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974 
  • keep any personal information you obtain as secure as possible
  • only record whether a criminal records check is satisfactory/unsatisfactory and not hold on to detailed information
  • use the information you collect for recruitment purposes only – if you plan to use it for another purpose, eg for a marketing mailing list, you must explain so clearly
  • only keep information obtained through recruitment for as long as you have a clear business need for it and then dispose of it securely – eg by shredding

Key considerations for employee records

You should make sure you manage all employee records as responsibly as possible under the Data Protection Act. You should:

  • keep records secure – eg by locking paper records in a filing cabinet and using passwords to protect computerised ones
  • ensure only appropriate, authorised staff with the necessary training have access to employment records
  • store sensitive information separately – eg don’t give managers access to employees’ sickness records when a simple record of absences is sufficient
  • not keep records that are irrelevant, excessive or out of date
  • periodically let staff check and update information in their own records
  • not give a reference about a worker or an ex staff member without first checking that they are happy for you to do so
  • ensure records are disposed of securely – eg by shredding – once you no longer have a business need or legal requirement to keep them
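The second and third bullets above describe a least-privilege layout: only trained, authorised staff reach employment records, and sickness details are held apart from the plain absence log so that a line manager sees a count but not a reason. The following Python is an added illustration of that layout, written for this guide rather than taken from the ICO or from any real HR system; the roles, user and employee identifiers, dates and reasons are all constructed for the example.

```python
"""Added example: enforcing the separation of sensitive employee data.

Illustrative code written for this guide, not ICO software. The roles,
user ids, employee ids and records below are constructed. Two stores are
kept: an absence log (ordinary personal data) and a sickness record
(sensitive personal data under the 1998 Act) with a narrower access rule.
Every decision, granted or refused, is written to an audit list.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List


@dataclass
class User:
    user_id: str
    role: str                      # "manager", "hr" or "employee"
    dp_trained: bool = False       # has completed data protection training
    manages: List[str] = field(default_factory=list)  # ids of direct reports


# Store 1: ordinary personal data - dates only, no reasons (constructed).
ABSENCE_LOG: Dict[str, List[date]] = {
    "e001": [date(2010, 3, 2), date(2010, 3, 3), date(2010, 6, 14)],
    "e002": [date(2010, 5, 20)],
}

# Store 2: sensitive personal data - health reasons, kept apart (constructed).
SICKNESS_RECORDS: Dict[str, List[dict]] = {
    "e001": [{"on": date(2010, 3, 2), "reason": "back injury"},
             {"on": date(2010, 6, 14), "reason": "migraine"}],
    "e002": [{"on": date(2010, 5, 20), "reason": "flu"}],
}

AUDIT: List[tuple] = []   # (actor id, employee id, resource, granted)


class AccessDenied(PermissionError):
    """Raised when the policy refuses a lookup; nothing is returned."""


def _staff_on_duty(actor: User) -> bool:
    """Staff only count as authorised once they have had DP training."""
    return actor.role in ("manager", "hr") and actor.dp_trained


def _audit(actor: User, employee_id: str, resource: str, granted: bool) -> None:
    AUDIT.append((actor.user_id, employee_id, resource, granted))


def absence_summary(actor: User, employee_id: str) -> int:
    """Number of absence days. Trained HR see anyone, a trained manager sees
    only their own reports, and an employee sees their own record. No
    reasons come out of this function, whoever asks."""
    allowed = (
        (actor.role == "employee" and actor.user_id == employee_id)
        or (_staff_on_duty(actor)
            and (actor.role == "hr" or employee_id in actor.manages))
    )
    _audit(actor, employee_id, "absence_summary", allowed)
    if not allowed:
        raise AccessDenied(f"{actor.user_id}: absence summary for {employee_id}")
    return len(ABSENCE_LOG.get(employee_id, []))


def sickness_details(actor: User, employee_id: str) -> List[dict]:
    """The sensitive store: trained HR, or the employee themselves. A line
    manager is refused even for a direct report; the count above is enough."""
    allowed = (
        (actor.role == "employee" and actor.user_id == employee_id)
        or (_staff_on_duty(actor) and actor.role == "hr")
    )
    _audit(actor, employee_id, "sickness_details", allowed)
    if not allowed:
        raise AccessDenied(f"{actor.user_id}: sickness details for {employee_id}")
    return list(SICKNESS_RECORDS.get(employee_id, []))


def can_access(lookup: Callable[[User, str], object], actor: User, employee_id: str) -> bool:
    """True if the lookup is permitted for this actor, False if the policy refuses it."""
    try:
        lookup(actor, employee_id)
        return True
    except AccessDenied:
        return False


def refused_accesses() -> List[tuple]:
    """Audit entries where access was refused: the lines a periodic review reads first."""
    return [entry for entry in AUDIT if not entry[3]]


if __name__ == "__main__":
    manager = User("m100", "manager", dp_trained=True, manages=["e001"])
    hr = User("h200", "hr", dp_trained=True)
    new_hr = User("h201", "hr", dp_trained=False)        # not yet trained
    print(absence_summary(manager, "e001"))               # 3: a count is all a manager needs
    print(can_access(sickness_details, manager, "e001"))  # False: reasons stay in the sensitive store
    print(len(sickness_details(hr, "e001")))              # 2
    print(can_access(absence_summary, new_hr, "e001"))    # False: untrained staff are not authorised
    print(refused_accesses())
```

The point of the split is that the rule for the sensitive store is written once, at the store, rather than relying on every screen or report to remember to leave the reason out; the audit list is what lets you show afterwards who looked at what and whether they were entitled to.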

Giving staff access to records

Your workers have a legal right to ask for a copy of information you hold about them. This includes information about grievance and disciplinary issues, and information you obtain through monitoring. See the page in this guide on personal information access rights.

However, you can withhold information where giving it to the worker would be likely to prejudice the prevention or detection of crime. See the page in this guide on monitoring workers.

You may also need to withhold information if it concerns a third party. For example, if a worker has been accused of harassment, you may need to protect the identity of the person making the accusation.

A worker may object to you holding or using information about them if it causes them distress or harm. If so, you should delete that information or stop using it in the way complained about, unless you have a compelling reason not to.

The issues covered on this page are covered in much greater detail in the Employment Practices Code published by the Information Commissioner’s Office (ICO). You can find data protection responsibilities and obligations on the ICO website.


Monitoring workers

The Data Protection Act 1998 covers personal information collected while monitoring workers – including casual, contract and agency staff.

Monitoring involves activities that set out to collect information about workers by keeping them under some sort of observation. This could include monitoring electronic communications, video and audio, and using information from others.

The Information Commissioner’s Office (ICO) has developed a code of best practice to help businesses comply with the Act. Part 3 of the Employment Practices Code states that any adverse impact of monitoring on workers must be justified by the benefits to employers and others. Read Part 3 of the Employment Practices Code on the ICO website.

To help you establish whether monitoring your workers would be justified, the code outlines an impact assessment which involves:

  • identifying the purpose behind the monitoring
  • identifying any negative impact it could have on the subjects of the monitoring
  • considering alternatives to monitoring
  • taking account of obligations that arise from monitoring – eg setting up new processes to ensure records are secure

Workers should be made aware of the nature, extent and reasons for monitoring, unless covert monitoring is justified. If you are monitoring workers to enforce the rules and standards of your business, these should be set out in a policy that also refers to the nature and extent of any associated monitoring.

Covert monitoring will rarely be justified – you must be satisfied that there are clear grounds for suspecting criminal activity or other malpractice. A reliable test to use would be whether the activities you wish to monitor are sufficiently serious to involve the police – although you would not actually have to involve them.

You must make sure that those responsible for monitoring in your business are aware of the Data Protection Act and its implications. Keep the number of workers who have access to personal information obtained through monitoring to a minimum.

If information gathered through monitoring is to have consequences for a member of staff, that worker should first be given the chance to give their side of the story. It could be that the information obtained is misleading or inaccurate.


Notifying the Information Commissioner’s Office about personal information

The Data Protection Act 1998 requires businesses to give details about the way they process personal information to the Information Commissioner’s Office (ICO) for inclusion in a public register, unless they are exempt. This is called notification.

The notification process allows people to find out what personal information an organisation is processing and why. It involves providing some basic details about your business and how you process personal data.

Read a guide on notification for data protection on the ICO website.

Exemptions from notification

A core business purposes exemption from notification is available, subject to certain conditions, for organisations that process personal information only for the following purposes:

  • staff administration – including payroll
  • advertising, marketing and public relations for their own business
  • accounts and records

If you are a data controller, you should always check with the ICO whether you are exempt from notification. The ICO has developed a series of questions to help you decide if you need to notify them.

Exemptions are possible for the following:

  • some not-for-profit organisations
  • personal information processing for personal, family or household affairs
  • maintaining a public register

If you only hold manual records, you will be exempt from the requirement to notify.

Even if you are exempt from notification, you must still comply with other provisions in the Data Protection Act 1998, including the eight data protection principles. See the page in this guide on the data protection principles.

Notification procedure and fees

You can start the notification process by calling the ICO Notifications Helpline Tel 01625 545740, or by filling in and posting a notification form. You can also complete the notification form online on the ICO website.

Unless your business is exempt, as a data controller you must pay an annual notification fee to the ICO. The fees are as follows:

  • businesses with 250 or more staff and a turnover of at least £25.9 million – £500
  • public authorities with 250 or more staff (regardless of turnover) – £500
  • all other data controllers – £35 unless they are exempt

Registered charities and small occupational pension schemes do not come into the higher tier, regardless of their size and turnover. They fall into the lower tier unless they are exempt from the requirement to notify altogether.

Failure to notify the ICO when you are required to do so is a criminal offence. A notification lasts one year and must be renewed annually.

Changes to a notification entry must be made within 28 days. Changes are made free of charge. Failure to notify changes to your notification is a criminal offence.

Bogus agencies

Businesses throughout the UK continue to be troubled by bogus data protection notification agencies.

The ICO is the only statutory authority for administering and enforcing the public register of data controllers. You should ignore any notification correspondence that is not from the ICO, and pay notification fees only to the ICO directly.


The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is an independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. One of the ICO’s responsibilities is enforcing the Data Protection Act 1998.

The ICO promotes good practice by:

  • publishing guidance to simplify compliance
  • running a helpline
  • encouraging the development of codes of practice
  • taking enforcement action where necessary
  • seeking to influence national and international bodies on privacy and access matters
  • maintaining a register of organisations and businesses that process personal information

The ICO handles complaints from individuals about the use of their personal information. If the ICO receives a valid complaint about your business, you will usually be contacted about it. The ICO may recommend you take certain action to make sure that your future use of personal information complies with the Act.

Offences and enforcement

If your business processes personal information you need to be aware of the offences under the Act.

The main offences relate to:

  • notification – where an organisation fails to notify or to update their notification entry as required
  • obtaining or disclosing personal data without the consent of the data controller – it is an offence to knowingly or recklessly obtain, disclose, sell or offer to sell personal information without the consent of the organisation processing the information
  • breaching formal notices issued by the ICO

The ICO has the power to prosecute those it believes may have committed a criminal offence. It can also issue an enforcement notice if it believes an organisation has not complied with one or more of the data protection principles. See the page in this guide on the data protection principles.

By issuing an information notice the ICO has the power to require an organisation to supply any information needed to assess whether the Act has been breached. You could be liable for a financial penalty through the courts if you fail to notify, or fail to comply with an enforcement or information notice.

In addition, since 6 April 2010 the ICO can impose its own penalties (without recourse to the courts) of up to £500,000 where a serious breach of the principles occurs. Before a monetary penalty is imposed, you will be issued with a notice of intent by the ICO. You will then have the opportunity to provide the ICO with details of the specific circumstances surrounding the alleged breach, as well as the financial impact of any proposed penalty.

Although small businesses are not exempt from compliance with the Act, in the event of a breach, your financial and other circumstances will be taken into account by the ICO.

Data Protection Act compliance checklist

To help check if your business is meeting data protection rules, the ICO has produced a list of questions to consider. Download a data protection compliance checklist.


CASE STUDY

Here’s how I complied with the Data Protection Act 1998

When former teacher Susan Moore set up her own supply teaching agency, STC Consortium Limited, she was alerted to the need to comply with the Data Protection Act 1998 by a potential customer. Several years on, Susan’s business now provides cover for absent teachers over 6,000 square miles from the Tweed to the Tees and the business stores personal data about more than 800 teachers. Susan explains how she complied with the Act – and the efficiency gains that compliance has produced.

What I did

Gather information

“I didn’t really know much about the Data Protection Act 1998 before I started trading. However, when I was discussing the service my business could provide to the Local Education Authorities (LEAs), they told me I should be registered with the Information Commissioner’s Office (ICO). This is because my IT database was going to store the names, addresses, work experience and Criminal Records Bureau details of the teachers that would work through the agency. I would also need to store hard copy application forms in my archive. A lot of information about people, in other words.

“I found more information on the ICO website.”

Appoint a data protection officer

“I made a member of staff responsible for finding out about what we needed to do to comply with the Act. She went on the ICO website and sent off for information packs and videos available on the site. She also attended an information day to learn about the Data Protection Act 1998.”

Train all staff

“The data controller then trained the rest of the staff to process data confidentially and accurately, and to ensure it was seen by nobody outside the business. We used a video from the Information Commissioner as the foundation of these training sessions. We compiled a handbook so every member of staff could have a copy to which they could refer at any time. This meant they knew how to handle and protect data at all times.”

What I’d do differently

Set up data protection policies before starting the business

“The LEAs suggested that I should be registered with the ICO. I should have done this from the start to comply with the Act.”

Get permission to use data to apply for references as part of the initial paperwork

“We now have a data protection policy on the back of our application form. This means people can fill the permission details out as part of their initial application, making the application process more streamlined. We only have to process one set of forms, rather than sending out a separate form which would cost us more money in postage and administration time.”

Every effort has been made by the author(s) to ensure this article’s accuracy but it does not constitute legal advice tailored to your circumstances. If you act on it, you acknowledge that you do so at your own risk. We cannot assume responsibility and do not accept liability for any damage or loss which may arise as a result of your reliance upon it.