Data protection: your obligations

The Data Protection Act 1998 lays down strict rules covering collecting, storing and using personal information about customers and staff. Yet, according to the Information Commissioner's Office, only three-quarters of the small businesses surveyed were aware of data protection requirements - and failure to follow the rules could mean a fine of up to £500,000. Christian Doherty looks at your obligations.

Personal data means any information you hold about an identifiable individual, such as your customers and staff - from address details to the opinions they have expressed about your products and services. Whether you use this information for payroll or invoicing, you must comply with the Data Protection Act (DPA), which aims to protect the privacy of individuals while enabling businesses and other organisations to operate effectively.

"It's important to ensure that an individual's privacy is protected as soon as their information is received," says Peter Driscoll, member of the National Association of Data Protection Officers. "And you must only use the information for the purposes you said you would use it for. If you tell someone their information will be used to invoice them, you are not allowed to use it for market research."

Basic data protection requirements

Any data you gather must be accurate, kept up to date and deleted when you no longer need it. If it is sensitive information that relates to ethnic origin, personal beliefs, health and so on, you must normally have the individual's explicit consent to use it, and it is good practice to obtain that consent in writing so you can show it was given.

If you collect and use personal information for any reason other than staff administration, marketing your own products or services, or keeping accounts and customer records, you may have to notify the Information Commissioner's Office (ICO). Failure to notify when you are required to can result in a fixed penalty of £1,000.

The collection and use of personal information has to be fair. This means that you have to tell people who you are (your business details), why you are collecting the information and anything else they need to know to understand how it will be used.

You must also make sure that what you collect is proportionate: only the information you actually need for the purpose you have stated, and no more.

Data security

Any personal information you store on computers or in paper files must only be accessible to people with permission to see it. You cannot pass it to other organisations unless you have the individual's permission or another legitimate reason, such as giving staff details to a payroll bureau that processes wages on your behalf.

"I would recommend you seek advice from an expert," advises Driscoll. "But there are some things you can do yourself, such as set up passwords for each computer user in your firm, and password protect files that contain sensitive or valuable information."

Paper files are also covered by the DPA and should be kept under lock and key or stored securely off-site. You should also make sure your staff know that they must not discuss information about customers with anyone who is not allowed to access it.

Staff and customers' rights

Customers have the right to see any information you hold about them (a subject access request). You are allowed to charge up to £10 for handling such a request, and you must respond within 40 calendar days. Customers can also demand that inaccurate information be corrected and can instruct you not to use their details for direct marketing.

Staff, too, are allowed to view their personal files, including documents relating to disciplinary matters. You are not allowed to pass information about an employee to anyone else unless you have their consent or another legitimate reason for doing so, such as a legal obligation. If either customers or staff feel you are in breach of the Act, they can complain to the ICO.

For more detailed information on this topic, read our briefing Your firm and the Data Protection Act.