Data Protection – are you breaking the law?
Having recently reviewed both our own and several clients’ Data Protection policies, we thought you might like to hear from an expert on the subject. Robyn Banks of Adavista has written some points for consideration, which we urge you to read and act upon.
Robyn’s recommendations
NOTIFICATION This is a registration with the Information Commissioner’s Office (ICO). The ICO is the enforcement body for this legislation and it has started general enforcement. The Notification is “voluntary”, but if the business has any web presence and/or uses electronic communications and/or systems, Notification is necessary – the company cannot claim exemption. Not having a Notification in place risks a fine of up to £5000 on the business.
The Notification appears on the ICO website as part of a Register. It details the “purposes” for which the company processes personal data. These will include Staff Administration; Advertising, Marketing and Public Relations; and Accounts & Records. There will then usually be additional Purposes listed to allow the company to process information legally for, for example, training. If these purposes do not reflect all the work undertaken by the company, a criminal offence is being committed!
Cost – £35.00 to the Information Commissioner’s Office (ICO)
SUPPORTING POLICIES There are two of these – they support the Notification and are based on the administrative procedures of the company. They are not currently requested by the ICO, but in our considered opinion it is only a matter of time.
WEBSITE It is not a requirement of the law to have a Privacy Statement on the website. It is a requirement to have an overall Data Protection Policy. We believe that the two can be incorporated into one document. The Privacy Statement on a website meets the legal requirement to tell everybody you come into contact with, in recorded format, that you are working in accordance with the legislation and how they can get access to their data if they so wish. A properly written Privacy Statement has been proven to increase customer trust from the outset. If a CONTACT form on a website collects data, it should carry a disclaimer for the same reason.
EMAIL: Due to the informal nature of email, the Privacy and Telecommunications Regulations 2000 insist on a security disclaimer on all outgoing emails. An email address is personal data, as an individual can easily be identified by it. Therefore it is recommended that a data protection statement be included.