Keeping Data Personal


The decision of the Information Commissioner's Office (ICO) to prosecute a firm based in Worcestershire for unfairly and unlawfully processing the personal data of construction workers became big news recently, but what are the general learning points and reminders about the Data Protection Act 1998 (DPA)?

DPA Applies To All Uses Of Personal Data

This case highlights that organisations that buy in personal data need to be just as careful as organisations that collect and sell it. In addition, a data processing agreement must be entered into between controller and processor. Compliance is simple and involves a short agreement or clause in a contract.

Forty construction firms, including many of the industry's biggest names, paid for access to the Consulting Association's database to vet potential employees. The regulator is likely to issue enforcement orders, breach of which is a criminal offence. But the headline penalty for getting it wrong is an unofficial one: bad publicity.

The DPA Applies To Paper Filing Systems

A data subject (the person whom the information concerns) has a right to request to see the personal information you hold on them. Any filing system (electronic or on paper) can be caught, as long as the information is readily identifiable within the system. The case reminds us that, unless you are comfortable in disclosing information, you are best advised not to record it.

You Must Register With The ICO

If you collect personal data in the course of your activities, then in nearly all cases you must register with the ICO as a data controller. We can advise on the exceptions. There is a small fee required and you are asked to list all activities for which you hold and collect data, and the type of data subjects you will hold information on.

Compliance With The Data Protection


You should ensure that data subjects are clear about what information you will collect about them and keep, whether or not you need to get their consent. Where necessary you should obtain their informed consent. You must ensure that the information you hold is kept up-to-date and is not kept for longer than is needed. If the data subject requests their information you must disclose it. There are traps for the unwary so unless your staff is experienced in dealing with requests you should take initial tactical advice.

When Trouble Strikes

There is no doubt that the Consulting Association could have made life easier for itself. The ICO has extensive...
