How to comply with the Data Protection Act
The Information Commissioner is the UK authority set up to uphold data privacy. Under certain circumstances businesses need to register with the Information Commissioner as a 'data controller'. If your business holds personal information of any kind about a living person you must comply with the Data Protection Act, even if you don't need to register.
As a small business there's two main obligations you need to be aware of:
The eight principles of good information handling
The Act specifies that any data you hold must be:
Fairly and lawfully processed
Processed for specific purposes
Adequate, relevant and not excessive
Accurate and kept up to date
Not kept for longer than is necessary
Processed in line with the rights of the individual
Not transferred to countries outside the European Economic Area unless there is adequate protection for the information
The right to see the data held about an individual
Section 7 of the Data Protection Act deals with a person’s rights to see the personal data that is held on them, and the right to have it corrected if it's wrong.
A ‘subject access request’ is a request from an individual to a company to show them what personal data is held on them. Any company that receives a subject access request must:
Respond to it within 40 days
Provide a copy and a description of the data held
- Advise where the data came from
- Give information on how the data is processed
Give information on which other people or organisations it may have been disclosed to
You can charge a fee of up to £10 for handling a subject access request if you choose to do so. Under certain circumstances you can withhold information. If you need clarification on what you should or should not provide phone the Information Commissioner's helpline on 01625 545745 for advice.
Find out how to register with the Information Commissioner and where to go for more information.