BIG Business not BIG Brother

Everyone using information about identifiable individuals in their everyday work is subject to the Data Protection Act,1998. You don't need to be doing particular data-related jobs for the law to apply. Equally, there need be no big mystery about it. The Data Protection Act doesn't preserve data, it protects people. It was passed to make sure that personal information could not be accessed or used by anyone who merely had a fancy to do so. The Act restricts what is allowed and clarifies what is forbidden.

All individuals at work are responsible for making sure that any personal information they handle as part of their job is processed accurately. The recording for business purposes of all personal data, whether held electronically or on paper, is gradually being brought into line. The latest is the accident recording system or accident book which, since 31 December 2003, must now conform to the confidentiality dictated by the Act.

New Year, New Regulations

Employers with 10 or more employees must keep an accident book recording details of all work-related accidents and many with fewer than 10 employees find it expedient to do so. The book records the date, the nature of the accident, what action was taken, plus the name and address of the injured person. Starting on 1 January 2004 personal information contained in the accident record is subject to the Data Protection Act and must be kept confidential.

Officially-approved accident books (Accident Book BL 510) have been redesigned by The Health and Safety Executive (HSE). They now contain a series of perforated pages each of which should be removed after completion. The completed pages should be stored in a secure location leaving the stubs to indicate that an accident has occurred and been duly recorded. Safety Representatives have the right to information about accidents so employers should either provide such information anonymously, i.e. with the personal details blanked out, or by gaining explicit consent from the injured person that their personal data may be revealed.

Staying Safe

Any time you collect personal information about named individuals you should inform those whose data you are intending to store:

• the name of the data controller and his/her representative, if any;
• why you are collecting the data and what you intend to do with it;
• other relevant information such as intended recipients of the information.

Organisations and individuals who record personal information are called data controllers. The Information Commissioner maintains a public register of data controllers and a brief description of what they do with the personal data under their charge. If personal information is processed as part of the work of your business then your company should notify the Information Commissioner's Office. You can do so by phoning 01625 545745, e-mailing mail@ico.gsi.gov.uk or accessing www.informationcommissioner.gov.uk.

There have been a number of occasions when people invoice or visit business addresses purporting to represent the data controller register. The Information Commissioner, Richard Thomas, says: 'I advise data controllers to ignore any approach made by these businesses, which appear to be charging up to ?95 + VAT for notification. Other than paying the annual statutory notification fee of ?35, on which no VAT is payable, there is no charge made by this office to any data controller wishing to notify'.

Size doesn't matter

The Act has been passed to ensure that personal information is treated with respect. There are eight data protection principles to which anyone storing details about identifiable individuals must adhere. Information must be:

• fairly and lawfully processed;
• processed for specific purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the individual’s rights;
• secure;
• not transferred to countries without adequate protection.

Transfer of personal data can become complicated if the recipient is overseas. Personal information legally held in the UK may be sent to any organisation or company within the European Economic Area (EEA), which is not the same as the European Union (EU). Iceland, for example, is part of the EEA but not a member of the EU. Personal information can also be passed to other countries if there are sufficient controls in place in the laws of the country of destination to ensure adequate protection of the rights of the individuals to whom the data refers. The Act states that it is the duty of the data controller to ensure that the recipient’s country has such controls in place before transferring information.

Individual rights

If you hold information about individuals, sometimes called ‘data subjects’, they have the right to ask for details about the data concerning them. If an individual requests it you must send:

• a copy of the information;
• why you hold it;
• notification of anyone it may be seen by or passed to;
• the logic involved in any automated decisions.

You must send the information within forty days of being asked for it in writing, but you do have the right to charge a nominal fee to cover administrative costs. The Act recommends that the fee be no more than about £10.00 and allows that the forty-day notice period need not begin until appropriate payment is received. Data subjects have the right to ask for the information you hold about them to be corrected, deleted or the processing of it blocked. You do not have to comply with the request but must have an extremely good reason for refusing. Individuals do, however, have the right to demand that you cease using their information for direct marketing purposes.

The Data Protection Act was passed to protect individuals, but adhering to it also ensures that we keep our contact records up to date. After all, we’d all prefer the information to be accurate which our colleagues keep about us!