
Gillhams Solicitors and Lawyers

Briefing Note - Security of Personal Data and the Requirements of the Data Protection Act

The Data Protection Act 1988 came into force on 1 March 2000. The enactment brought with it confusion as to its intended purpose and application.

A common organisational perception of the Data Protection Act is that it is in place to hinder rather than help an organisation. The reality is somewhat different. The Act, despite its complexities, is one aspect of regulatory compliance with which most businesses can readily comply. The approach it takes is progressive, and the Act is here to stay.

Management of Personal Data

Individuals, as well as organisations, all possess personal data (the “data”) that requires some form of secure protection. From a commercial perspective, however, the protection of data in the information society in which we live is an increasingly important factor in an organisation’s commercial success: vital information about an organisation’s potential customers, current customers, suppliers and employees must be protected. This gives the people involved with an organisation trust and confidence that the data held about them is secure, accurate and held for the correct purposes, in line with the trustworthy brand or get-up any organisation wants to build or maintain.

Security – The Seventh Principle

Schedule 1 paragraph 7 of the Data Protection Act 1988 requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, data.

Security is therefore central to the protection of data. Processing of data under the Act covers operations ranging from initial collection through to destruction, and the security measures put in place must take account of this whole data lifecycle. The data itself is defined in the Act to include information which is recorded with the intention that it should be processed by means of equipment operating automatically in response to instructions given for that purpose.

Therefore all information that is collected, even via paper-based mechanisms, with the intention that it will later be stored electronically falls within the reach of the security principle.

In terms of companies acting and remaining within the law under the Data Protection Act, a company is duty bound to keep pace with the information security measures available to protect data. Information security is a process of constantly keeping one step ahead of the current threat in order to prevent a breach occurring. This requires an organisation to monitor continually the security in place within the company.

These information security considerations go far beyond the complicated authentication and authorisation procedures that must be put in place for electronic systems. Consideration must also be given to the security of premises and to the threat from disgruntled employees, as a high proportion of security breaches originate internally.

Companies should therefore give careful thought to the sources of any data and consider the security threat posed when designing a new business process, marketing campaign or recruitment drive in which personal data is collected. Are the people responsible for the security of your organisation aware that this data is being collated, and has this been designed into the security processes?

If the answer is no, then there is a potential breach of the Act; if the threat has been assessed and catered for, the risks are reduced. Many companies treat information security as an afterthought to the sale of the products and services on which the business is based, at their own risk. If this attitude is endemic in a company, a change of thinking towards the security of the data of the company’s customers and suppliers, sooner rather than later, will assist in building appropriate processes into the company’s structural processes.

Data Controllers

A data controller is a legal person, such as an individual, a company or other corporate body, that makes decisions on how personal data is processed. Data controllers control the processing carried out by data processors, who are defined under s.1(1) Data Protection Act 1988 as any person, other than an employee of the data controller, who processes the data on behalf of the data controller.

For example, this data controller – data processor relationship exists between a company and a call centre; a company and its web site host; and a company and a payroll bureau.

Data controllers using a data processor have obligations under Schedule 1 of the Data Protection Act. In order that the security principle is complied with, the data controller must choose a data processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures.

In addition, the data controller is not regarded as complying with the security principle unless the processing is carried out under a contract which is made or evidenced in writing, under which the data processor is to act only on instructions from the data controller, and which requires the data processor to comply with obligations equivalent to those imposed on a data controller by the security principle.

Data controllers are also under an obligation to notify the Information Commissioner of the details of their personal data processing. This obligation under s.20 Data Protection Act 1988 also requires data controllers to keep their notifications up to date.

Information Commissioner

The Information Commissioner is the independent regulatory authority charged with overseeing the implementation and operation of the Data Protection Act. The Information Commissioner has issued legal guidance on compliance with the seventh principle which states:

“That it is important to note that the Security Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against the breaches of the Act rather than just breaches of security.

There can be no set standard of security measures that is required for compliance with the Seventh Principle. The Commissioner’s view is that what is appropriate will depend upon the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend upon the nature of the data. The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate to the risks represented by the processing.”

Civil and Criminal Proceedings

Breaches of the Data Protection Act 1988 may lead to a civil claim by a data subject, e.g. a customer. A claimant who has suffered damage or distress, in particular where financial loss or physical injury has occurred, may be awarded substantial damages if that loss or distress is significant, subject to the data controller showing that it took all reasonable precautions against such loss or distress occurring.

A breach of the notification requirements by a data controller can lead to a number of criminal sanctions where the processing of personal data has occurred without an entry on the register of data controllers. Failing to notify the Information Commissioner of any changes to the registrable particulars of an existing notification, or failing to notify the Information Commissioner of registrable particulars within 21 days of receiving a written request from any person, can also lead to criminal sanctions.

The Information Commissioner can prosecute the company secretary or other officers for a failure to notify: on summary conviction fines of up to £5,000 apply, and on indictment the fine is unlimited. The Information Commissioner can also make orders for the forfeiture, destruction or erasure of the data.

Conclusion

The protection of data under the Data Protection Act 1988 is required by law and must be complied with, but it can also help greatly to focus a company and its employees on the importance of its customers, without whom a company cannot exist. The protection of their personal data is therefore essential to the survival of a company, as leaks of information can potentially cause huge losses to customers.

To deal properly with personal data, data controllers must comply with the eight principles set out in the Data Protection Act 1988. Security is but one of these, although it is an essential element to be complied with, as the number of prosecutions under this Act may be increased by the Information Commissioner.

Technology | Commercial | Corporate law firm | London UK
Solicitors & Lawyers | Copyright | Gillhams 2005 - 2008