Privacy and security of information are issues that have gained considerable prominence in recent years.
You may not realise it but, as an organisation, you hold a huge amount of personal data, whether it relates to your employees, customers, suppliers, referrers or competitors. This means that you are a data controller.
The Data Protection Act 1998 (DPA) sets out a number of principles that every data controller has to follow in relation to personal data held by them:
- Data shall be processed fairly and lawfully;
- Data shall be obtained only for lawful purposes;
- Data shall be adequate, relevant and not excessive;
- Data shall be accurate and up to date;
- Data shall not be kept for longer than necessary;
- Data shall be processed in accordance with the DPA;
- Measures shall be taken to prevent unauthorised or unlawful processing of data; and
- Data shall not be transferred outside of the European Economic Area (EEA).
It is important that you have in place a clear data protection policy of which all your employees are aware, and that you regularly review the way you store and process data to make sure that you’re keeping it as safe as possible.
Often, the first time that an employer will come across the DPA in practice is when they receive a “subject access request”. These are simply requests by individuals to see exactly what information you have about them. Subject access requests must be taken seriously and you must provide the information requested within 40 days.
If you have received a subject access request from an existing or former employee or job applicant and want to discuss exactly what you need to do, speak to our data protection expert, Holly Cudbill, for more detailed advice.