Keeping Data Personal
The decision of the Information Commissioner's Office (ICO)
to prosecute a firm based in Worcestershire for unfairly and
unlawfully processing the personal data of construction workers
became big news recently, but what are the general learning points
DPA Applies To All Uses Of Personal Data
This case highlights that organisations that buy in personal
data need to be just as careful as organisations that collect and
sell it. In addition, a data processing agreement must be entered
into between controller and processor. Compliance is simple and
involves a short agreement or clause in a contract.
Forty construction firms, including many of the industry's
biggest names, paid for access to the Consulting Association's
database to vet potential employees. The regulator is likely
to issue enforcement orders, breach of which is a criminal offence.
But the headline penalty for getting it wrong is an unofficial one:
The DPA Applies To Paper Filing Systems
A data subject (the person whom the information concerns) has a
right to request to see the personal information you hold on them.
Any filing system (electronic or on paper), can be caught, as long
as the information is readily identifiable within the system. The
case reminds us that, unless you are comfortable in disclosing
information, you are best advised not to record it.
You Must Register With The ICO
If you collect personal data in the course of your activities,
then in nearly all cases you must register with the ICO as a data
controller. We can advise on the exceptions. There is a small fee
required and you are asked to list all activities for which you
hold and collect data, and the type of data subjects you will hold
Compliance With The Data Protection
You should ensure that data subjects are clear about what
information you will collect about them and keep, whether or not
you need to get their consent. Where necessary you should obtain
their informed consent. You must ensure that the information you
hold is kept up-to-date and is not kept for longer than is
needed. If the data subject requests their information you
must disclose it. There are traps for the unwary so unless your
staff is experienced in dealing with requests you should take
initial tactical advice.
When Trouble Strikes
There is no doubt that Consulting Association could have made
life easier for itself. The ICO has extensive...
To continue readingREQUEST YOUR TRIAL