Data protection - new powers to fine

Published 09th Mar 2010 by bathamm
Businesses that handle personal data have always had an obligation to take extra care to avoid breaking the law, warns legal expert David Wright.

However, this will become more acute as the Information Commissioner is soon to get new powers of enforcement in relation to serious breaches of the principles in the Data Protection Act 1998, including data security breaches.

New powers

According to the Information Commissioner's Office (ICO) a new power to issue fines against offenders will be introduced from April 2010. The Ministry of Justice (MoJ) is the government department responsible for the changes and it will determine the exact timescale.

From the commencement date, once confirmed, the ICO will be able to issue what are expected to be 'substantial' fines against data controllers (ie businesses and organisations using personal information from their employees, customers or other individuals on their own behalf) without prior warning, for deliberate or reckless breaches of the Data Protection Act (DPA).

The MoJ has proposed that the maximum civil monetary penalty which can be imposed for serious breach of the data protection principles is £500,000.

Other details, such as whether the ICO will be allowed to fine individuals - directors, for example - as well as the organisations themselves are still to be confirmed.

Currently, the ICO can issue enforcement notices against organisations in breach of the DPA. A notice would require the data controller to take particular steps in respect of the breach, including entering into binding undertakings.

Failure to comply with an enforcement notice is an offence.

Failure to comply with binding undertakings would be a breach of contract which could lead to action being taken. In addition, it is a criminal offence under the DPA to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, or to sell (or offer to sell) it.

The maximum fine which can currently be imposed under proceedings in the magistrates court is £5,000.

So, with the new penalties coming into play soon, what are the basic rules that businesses have to follow?

Complying with the Data Protection Act

In essence, protecting personal information is not just sound commercial practice, it is a legal requirement. Any organisation responsible for the collection and use of personal information must comply with the DPA.

The law requires organisations to keep personal information secure against unauthorised or unlawful use and to manage personal information in a 'fair and lawful' manner. This means that you must:

  • hold personal information securely;
  • ensure staff remain aware of the importance of keeping data secure and confidential;
  • notify the ICO, and the individual staff and customers whose personal information is held, about how their personal details are collected and used;
  • ensure personal information is only used for 'fair' purposes - for example, to fulfil a legitimate business need or a statutory duty, or where the individual has given their express consent;
  • keep records up-to-date and cleansed from systems when no longer required;
  • allow an individual's right to obtain a copy of their records on demand; and
  • take extra care when transferring data to third parties outside the UK.

Monitoring Staff

Data protection goes beyond computer or paper-based information, further than many would expect. It also extends into the realm of monitoring those in your business or on your premises.

There are many types of monitoring, for example installing a hidden camera to catch a thief, CCTV cameras to see if staff are meeting health and safety requirements, or regular checking of websites visited by employees.

If you do monitor staff, customers or visitors you ought to consider, before introducing monitoring, why it is needed, its impact on those being watched, and whether there is any alternative.

If you want or need to go down that route you should only monitor as far as is necessary. You must tell your employees what monitoring you are carrying out and why, unless you can justify covert monitoring.

Also, avoid monitoring in areas where employees would expect privacy, such as toilets, unless you suspect serious crime.

If you monitor phones, email or internet access make sure you also have a clear policy specifying permitted and prohibited use of your systems. Remember the appropriate signage if you do use CCTV and you will need employee consent to any monitoring, ideally through their contracts.

Ensuring compliance

Establishing a clear policy will help ensure compliance with the rules and limit the risk of problems occurring. As a minimum requirement you need to make sure you have the following in place:

  • Staff need a clear understanding of the personal information collected and used within the organisation.
  • The use of personal information must remain consistent with the expectation of the individuals concerned.
  • You need to make sure that records are regularly updated and, when obsolete, deleted.
  • You must design your policies, procedures and IT systems to maintain the integrity of data, prevent unauthorised access and effectively identify and manage breaches.
  • You also need to regularly conduct data protection compliance audits.
  • It's important that a senior officer of the company has overall responsibility for management of data protection and security compliance.
  • Finally, specific approval from those whose data is held should be required before personal information can be passed outside the business, overseas or used for any new purposes.

What to do if things go wrong

If a serious information security breach occurs, avoid the temptation to keep quiet and hope the problem passes by unnoticed.

  • Take immediate steps to protect the individuals concerned.
  • You must notify the ICO and tell those individuals affected what has happened, explaining any risks they may be exposed to and steps they can take to preserve their privacy.
  • You also need to start an investigation to understand the cause of the problem and implement appropriate remedial action to prevent any recurrence.