Data protection: your obligations

The Data Protection Act 1998 lays down strict rules covering the collection, storage and usage of personal information about customers and staff. Yet, according to the Information Commissioner's Office, only 65% of the small businesses surveyed were aware that the data protection rules require them to keep personal data secure - and failure to follow the rules could mean a £500,000 fine. Christian Doherty looks at your obligations.

Personal data refers to any information you have about your customers and staff - from address details to opinions about your products and services. Whether you use this information for payroll or invoicing, you must comply with the Data Protection Act (DPA), which attempts to protect the privacy of individuals while enabling businesses and other organisations to operate effectively.

"It's important to ensure that an individual's privacy is protected as soon as their information is received," says Peter Driscoll, member of the National Association of Data Protection Officers. "And you must only use the information for the purposes you said you would use it for. If you tell someone their information will be used to invoice them, you are not allowed to use it for market research."

Basic data protection requirements

Any data you gather must be accurate, kept up to date and deleted when you no longer need it. If it is sensitive information that relates to ethnic origin, personal beliefs, health and so on, you must have written consent to use it.

If you collect and use personal information for any other reason than staff administration, marketing your own products or maintaining customer records, you may have to notify the Information Commissioner's Office (ICO). Failure to notify can result in a fixed penalty of £1,000. You can notify online or by calling the Information Commissioner's notification line on 0303 124 1113.

The collection and use of personal information has to be fair. This means that you have to provide people with your business details, the reason you are collecting the information and anything else they should know.

You must also make sure that what you collect is proportionate and only what you need.

Data security

Any personal information you store on computers or in paper files must only be accessible by people with permission to see it. You cannot pass it to other organisations unless you have permission to do so or a just cause, such as giving staff details to a payroll bureau.

"I would recommend you seek advice from an expert," advises Driscoll. "But there are some things you can do yourself, such as set up passwords for each computer user in your firm, and password protect files that contain sensitive or valuable information."

Paper files are also covered by the DPA and should be kept under lock and key or stored securely off-site. You should also make sure your staff know they must not discuss information about customers with people who are not allowed to access it.

Staff and customers' rights

Customers have the right to see any information you hold about them and can require you to update, amend or delete information if they can prove it is inaccurate. You are allowed to charge £10 for handling requests and you must deal with them within 40 days. Customers can demand corrections and instruct you not to use their details for direct marketing.

Staff are also allowed to view their personal files, including documents relating to disciplinary matters. You are not allowed to pass information about an employee to anyone unless you have their consent. If either customers or staff feel you are in breach of the Act, they can complain to the ICO.

The Law Donut contains further information and advice on data protection and your obligations.

You can also find out more about your data protection obligations at the ICO website.