---

How the Data Protection Act can affect your business

---

The Data Protection Act gives individuals in the UK the right to know what information is held about them, and sets out rules to make sure that this data is handled properly by the organisations holding the information.

The Data Protection Act 1998 was introduced in order to give the public and organisations greater protection over how their personal information is gathered, stored, shared and maintained by a range of organisations.

Implementation and regulation of the DPA is carried out by the Information Commissioners Office, or ICO, the UK's independent public body set up to protect personal information and promote public access to official information.

Organisations, companies or individuals register under the DPA as Data Controllers, if they collect and hold personal data about individuals. At present, the cost of annual registration, or Notification, is £35 and this can be done online at www.ico.gov.uk. Be wary of some private organisations which may try and charge you more to register.

Who should Register under the Data Protection Act?

The basic rule of thumb is that if an organisation holds Personal Data, it should register as a Data Controller. The definition of Personal Data includes information held electronically for future processing, or information which is processed in a non-automated way – in other words, in a traditional paper based filing system.

Some examples of what may or may not be classed as Personal Data include:

• Information which can identify a living individual is Personal Data – so for example a list of the order values of orders placed by your customers, which does not include any identifying personal information or dates, wouldn’t be personal data.

• People’s names are only personal data when they are held with other information which can identify a specific individual, such as such as an address, a place of work, or a telephone number.

• Information about an individual, even if does not include their name, can still be Personal Data if you also hold other information which could be used to identify an individual – such as a description, salary, age, or address.

• Personal information is also Personal Data which can be used to relate to, or which is obviously about a specific individual, such as a medical history, a criminal record, performance record at work, personal bank statements or itemised telephone bills.

• Information about an event or transaction which concentrates on an individual is Personal Data - for example the minutes of a disciplinary or employment tribunal hearing.

What do I have to do after registering?

Once you are registered as a Data Controller you have several obligations. Firstly you must comply with eight principles, which make sure that Personal Data is:

1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with an individuals rights
7. Secure
8. Not transferred to other countries without adequate protection

Data Controllers also have to respond to the individual’s right to find out what Personal Data is held by them. If you receive such a request, you should respond within a maximum of 40 days from being asked in writing. If it is appropriate, you can charge a maximum fee of £10 to provide Personal Data, but many organisations waive the fee as part of their commitment to customer service.

If you are registered as a Data Controller and don’t meet your obligations, individuals are entitled to make a complaint to the ICO.

About the Author

Steve Sellwood is from http://www.selectabase.co.uk, leading UK suppliers of affordable list cleaning and data cleansing services to keep your in house lists up to date and ready to use. Selectabase also provide a wide range of business and consumer mailing lists for your next direct marketing campaign.

Posted February 19, 2008