CREDIT: Article written for us by ContractLaw
How to ensure your systems stay on the right side of data protection laws
When dealing with IT systems of ever increasing complexity and dynamism, data protection is easy to overlook. However, the consequences of breaching the Data Protection Act 1998 and an investigation by the Information Commissioner’s Office are scary. Your organisation could be fined up to £500,000, and the directors held criminally liable. Here are some tips to help you avoid this.
What are the requirements for IT systems under the Data Protection Act?
The Act sets out principles on the use of personal data in both electronic and paper-based systems. In summary, personal data should be:
- Used for a legitimate purpose
- Relevant to the intended purpose
- Accurate and, where appropriate, kept up to date
- Used in accordance with the rights of the individual
- Kept secure and held for no longer than necessary
- Not transferred to a country outside the European Economic Area that does not have adequate data protection laws
For what purposes can personal data be used?
Data must be used in a way compatible with the purpose for which it was provided and which the individual concerned could reasonably expect. For example, in the case of a telecommunications company:
- It is obvious that they will keep customers’ details on file for billing purposes
- If they diversify into a new kind of telecommunications, it would probably be acceptable to send promotional information to established customers
- If they wanted to pass customers’ details to a sister company in order to promote an unrelated product, explicit consent from the individuals concerned would probably be necessary
What are the security requirements for electronic data?
The Information Commissioner’s Office recommendations include:
How should electronic data be deleted?
The Information Commissioner’s Office takes a “realistic” approach to removal of electronic data. They will normally consider data to be deleted where it is “beyond use”, meaning:
- The data will not be used for action affecting the individual concerned
- It will be kept secure and not provided to third parties
- It is intended that the data will be deleted permanently when possible
Data Protection Law is complicated and the consequences of getting it wrong are serious. It is strongly advisable to take legal advice when developing and implementing systems that handle personal data.