Your Systems and Data Protection

Published over 8 years ago by Elkie Holland
CREDIT: Photo from Flickr
CREDIT: Article written for us by ContractLaw 

How to ensure your systems stay on the right side of data protection laws

When dealing with IT systems of ever increasing complexity and dynamism, data protection is easy to overlook. However, the consequences of breaching the Data Protection Act 1998 and an investigation by the Information Commissioner’s Office are scary. Your organisation could be fined up to £500,000, and the directors held criminally liable. Here are some tips to help you avoid this.

What are the requirements for IT systems under the Data Protection Act?
The Act sets out principles on the use of personal data in both electronic and paper-based systems. In summary, personal data should be:

  • Used for a legitimate purpose
  • Relevant to the intended purpose
  • Accurate and, where appropriate, kept up to date
  • Used in accordance with the rights of the individual
  • Kept secure and held for no longer than necessary
  • Not transferred to a country outside the European Economic Area that does not have adequate data protection laws

For what purposes can personal data be used? 
Data must be used in a way compatible with the purpose for which it was provided and which the individual concerned could reasonably expect. For example, in the case of a telecommunications company:
  • It is obvious that they will keep customers’ details on file for billing purposes
  • If they diversify into a new kind of telecommunications, it would probably be acceptable to send promotional information to established customers
  • If they wanted to pass customers’ details to a sister company in order to promote an unrelated product, explicit consent from the individuals concerned would probably be necessary

What are the security requirements for electronic data? 
The Information Commissioner’s Office recommendations include:
  • Using a “layered” approach to security so there are backups if one protection fails (e.g. physical security of the building; virus protection; firewalls; and passwords)
  • Segmenting network components (e.g. keeping the web server separate from the main file server)
  • Encrypting personal information that would cause damage or distress if lost
  • Limiting staff access to the information they need
  • Encrypting data stored on mobile devices and equipping them with a remote disable or wipe facility in case of loss

When transferring data to third parties like payroll processors and cloud computing providers, your obligations under the Data Protection Act still apply. Make sure the external parties have adequate data protection processes and ideally get written guarantees from them.

How should electronic data be deleted?
The Information Commissioner’s Office takes a “realistic” approach to removal of electronic data. They will normally consider data to be deleted where it is “beyond use”, meaning:
  • The data will not be used for action affecting the individual concerned
  • It will be kept secure and not provided to third parties
  • It is intended that the data will be deleted permanently when possible

Data Protection Law is complicated and the consequences of getting it wrong are serious. It is strongly advisable to take legal advice when developing and implementing systems that handle personal data.
