Do you breach data protection? Hefty fines could be coming your way
Protecting and securing personal data
Personal data is any information stored digitally or in print that could identify an individual, either on its own or together with other information held by a business or a third party. Personal data needs to be protected and kept secure. This data may include names, email addresses, telephone numbers, dates of birth and notes written about someone, such as an annual performance review.
Particular care must be taken with sensitive personal data, such as medical records, as more restrictive requirements apply to this type of data.
The individual could be a potential or actual employee, customer or supplier, or even someone captured on a business’s CCTV footage.
How can it go wrong?
Hampshire County Council was fined £100,000 for failing to implement effective contingency plans to protect personal data when decommissioning a disused building. Social care files of over 100 people, containing highly sensitive information about adults and children in vulnerable circumstances, were discovered in the disused building by the new owners. The building also contained 45 bags of confidential waste.
Regal Chambers, in Hitchin, Hertfordshire, was fined £40,000 for an unauthorised release of confidential information about a patient and her family. Despite express warnings from the patient that staff should take particular care to protect her details, the information was released in response to a Subject Access Request made by the patient's estranged ex-partner.
Whitehead Nursing Home in County Antrim, Northern Ireland, was fined £15,000 for failing to keep the personal information they hold secure. The breach occurred when a member of staff took an unencrypted work laptop home, which was stolen during a burglary overnight. The laptop contained sensitive personal details relating to 46 staff and about 29 residents.
These examples show how easy it is to risk a data breach and how important it is to make sure you handle personal data properly.
Collecting personal data
A business can only collect personal data if it has a legitimate reason for doing so, for example because a new employee is coming to work for the business.
When you collect data about an individual, you will need to tell that individual what you intend to do with their data. If your purpose for that data changes, you must inform the individual again.
You should only collect information you require at that particular time. For example, bank details should only be collected once a job applicant has started to work for the business.
If you want to use someone’s data for marketing purposes, the individual must be informed. It is good practice to do this at the time the data is collected. In some cases, such as text or email marketing, a business will generally require the individual’s explicit consent.
Using data collected on individuals
An organisation is generally allowed to use someone’s personal data if they have given their consent. This also covers cases where the data is needed to fulfil a contract with a customer, such as using their address to deliver goods to them.
You should not use data for any reason other than the purpose for which it was intended. A good example here is if you record calls for training purposes only: those recordings should not then be used to discipline a member of staff.
If you would like a third party to manage data, such as a payroll service, we recommend you take legal advice, as you will still be responsible for protecting the data and will need to enter into a written contract with the third party.
You should also take legal advice if you are considering transferring any data outside the countries in the European Economic Area. Think how easy this is to do, simply by sending an email to an office outside the UK.
If the data is being used in any marketing material, you should check that the individual is aware that their data may be used for this reason and confirm they do not object. Companies will generally need the individual’s explicit consent (opt-in) for email and text marketing. If the individual is an existing customer, the company may be able to market similar products to them by these means without prior explicit consent. If these circumstances are applicable to you, we recommend you take legal advice.
You should also take legal advice when considering using sensitive personal data, including ethnic origin, trade union membership or criminal records.
Storing personal data
All data must be accurate and up-to-date. Make sure your databases are regularly cleaned and out-of-date information is deleted. Data should only be held for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and has not been used since, it should not be held on the basis that it may be needed for another reason at some time in the future.
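One way to turn this retention rule into a routine check is a small script that holds a retention period per stated purpose and flags records whose period has elapsed since they were last used, while sending records with no recorded purpose to manual review rather than quietly keeping them. This is an added example, not code from the article; the purposes, retention periods and sample records are all constructed here for illustration and are not a statement of what any law requires.

```python
from datetime import date, timedelta

# Constructed retention policy (hypothetical values): the maximum number of
# days a record may be held for the purpose it was collected for.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "payroll": 6 * 365,
    "marketing": 730,
}

# Constructed sample records; the names and dates are invented.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Example", "purpose": "order_fulfilment",
     "collected": date(2016, 2, 20), "last_used": date(2016, 3, 1)},
    {"id": 2, "name": "B. Example", "purpose": "payroll",
     "collected": date(2014, 9, 1), "last_used": date(2017, 5, 30)},
    {"id": 3, "name": "C. Example", "purpose": "marketing",
     "collected": date(2014, 12, 1), "last_used": date(2015, 1, 1)},
    {"id": 4, "name": "D. Example", "purpose": "unknown",
     "collected": date(2016, 6, 1), "last_used": date(2017, 5, 1)},
    {"id": 5, "name": "E. Example", "purpose": "order_fulfilment",
     "collected": date(2017, 1, 10), "last_used": date(2017, 1, 15)},
]


def review_retention(records, today, policy=RETENTION_DAYS):
    """Sort records into those to delete, keep, or send for manual review.

    A record is kept only while its purpose-specific retention period is
    running. There is deliberately no "might be useful later" override:
    a record is judged solely against the purpose it was collected for.
    """
    result = {"delete": [], "keep": [], "review": []}
    for rec in records:
        limit = policy.get(rec["purpose"])
        if limit is None:
            # No retention rule for this purpose means no documented reason
            # to hold the data at all, so a person needs to look at it.
            result["review"].append(rec["id"])
            continue
        age_since_last_use = today - rec["last_used"]
        if age_since_last_use > timedelta(days=limit):
            result["delete"].append(rec["id"])
        else:
            result["keep"].append(rec["id"])
    return result


def purge(records, to_delete):
    """Return the record list with the flagged ids removed.

    In a real system this step would also securely delete the underlying
    files or database rows and write an audit entry for each deletion.
    """
    ids = set(to_delete)
    return [rec for rec in records if rec["id"] not in ids]


if __name__ == "__main__":
    outcome = review_retention(SAMPLE_RECORDS, date(2017, 6, 1))
    print(outcome)
    remaining = purge(SAMPLE_RECORDS, outcome["delete"])
    print([rec["id"] for rec in remaining])
```

Run regularly (for example from a scheduled job) and keep the output of the review step as a log: it is evidence that retention is actually being enforced, which is what an investigation of the kind described above will ask about. The check keys on last use rather than collection date, so a retention period restarts each time the data is genuinely used for its stated purpose; if your policy counts from collection instead, compare against `rec["collected"]`.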
Keeping data secure and confidential
Personal data must be kept secure at all times. Unsure how to do this?
• Add password protection to computers, files, calendar entries and meeting requests or make them private, as appropriate.
• Lock manual filing cabinets containing personal data so they are only accessible to authorised personnel.
• Send personal data securely. For example, by encrypting emails and not sending confidential information in the internal mail.
• Dispose of personal data in a secure way. Think shredding, confidential waste bags, and securely deleting electronic files.
If you think there has been a security breach, such as accidentally losing personal data, you should ensure this is reported to the appropriate person immediately.
As we’ve seen, it is your responsibility to make sure that personal data is adequately collected, stored and used. Not only is this a key legal consideration for your business, but vital for your finances and your reputation.