
How Safe Do You Keep Personal Data?

The “lost” CDs containing sensitive personal information relating to millions of child benefit beneficiaries are a huge breach of confidentiality and of data protection principles. Before we all join in the furore, however, many businesses should check their own procedures for dealing with personal information.

Anyone who “processes” personal data (held in paper or electronic form) must protect it under the eight guiding Principles of the Data Protection Act 1998. The term “processing” means doing anything with someone’s personal data, including storing and deleting records. Personal data is anything that identifies a living individual, and includes name, address and national insurance number. Sensitive personal data, which requires greater protection, includes references to financial records (such as bank account details), physical or mental health records, racial or ethnic origin, political beliefs, etc.

So what can businesses do – or not do – with personal data?

The data can only be used for the original purpose or purposes for which it was collected. For example, address details collected to fulfil a customer order must not be added to a mailing list for marketing new products or events, unless the individual gave consent for the second purpose. Companies often ask individuals to tick a box on data collection forms to consent to receiving further information or to their personal data being passed on to third parties. However, this only gives limited consent and does not cover all uses.

Personal data must be accurate and up to date. Keeping it for longer than its original intended use requires, as in the case of HMRC, is illegal.

For HMRC, the most important breach of the Principles concerns the obligation to take “appropriate technical and organisational measures” to make sure the data is not used in an unauthorised or unlawful way, or accidentally lost, destroyed or damaged. Keeping huge amounts of data on single databases, unencrypted and widely accessible, is a breach of this Principle. Sending it unsecured, unrecorded, untracked and unknown through the post (albeit an internal mail system) is most likely a breach of HMRC’s obligations.

If your business does not comply with the Principles, you run the risk of exposing your customers’, staff’s and suppliers’ personal data to security breaches. Even if no harm comes to anyone on the HMRC database, there are other implications. The negative publicity generated by the loss of faith and trust, and the damage to reputation, are the most obvious, but there are also criminal sanctions, the imposition of remedial measures and compensation claims to worry about. The Information Commissioner can now, and increasingly does, carry out spot checks on businesses to check compliance.

So how do you check that your business keeps personal data safe and legal?
• Carry out an audit of your practices.
• Check how you collect information, and why.
• Do you use the data only for that purpose?
• Is your system efficient, keeping data up to date and not kept for longer than necessary?
• Is the data secure, e.g. limited access to data, secure buildings and filing cabinets, password protection, encryption, etc.?

Published 27/11/2007. The author of this article is Rachel Robinson
