
Data Protection FAQ

Common queries about a complex subject

What is personal data?

Information about living, identifiable individuals. It does not need to be particularly sensitive information - it could just be a person's name and address.

Will I still be exempt from notification if I buy in data for marketing purposes?

Yes, if you buy in data such as mailing lists for your own marketing purposes you will still be covered by the advertising and marketing exemption.

What does the notification exemption on accounts and records cover?

This exemption covers keeping information on past, existing or prospective customers and suppliers necessary to help you keep your accounts, make decisions about whether to do business with a particular customer or supplier and make financial and management forecasts.

But it doesn't cover data obtained from a credit reference agency.

What are the eight basic principles of data protection?

The Data Protection Act contains eight principles which cover how data must be handled. They sum up what a business has to do to comply with the Act.


1. Any data on individuals must be fairly and lawfully processed and can't be processed unless certain conditions are met.
2. It must only be processed for one or more specified purposes.
3. The data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. It must be accurate and where necessary kept up to date.
5. The data must be kept for no longer than necessary.
6. It must be processed in accordance with the rights of the person it relates to.
7. It must be held securely.
8. The data must not be transferred to other countries unless there is adequate protection for the personal data.

What can I do to make sure data is held securely?

Make sure any rooms and IT systems you use to store data are secure and destroy data which you no longer need (looking to comply with the requirements of British Standard 7799 on information security management may be helpful). Train staff to handle data reliably and remind them it is a criminal offence to pass it on, either recklessly or for money.

How do I notify with the Information Commissioner?

You can notify by calling 01625 545 740 or by visiting www.informationcommissioner.gov.uk

Do I have to give individuals access to the data I keep on them?

Yes. Any individual has a legal right to make a written request to see any information you hold on them, though you can charge a fee of up to £10 for doing this. The information must be sent to the individual within 40 days of receiving the request (or of receiving payment if you ask for it). You should give details of why you're processing their data, anyone it may be passed to and any information you have about the source of the data.

What exactly is sensitive information and in what circumstances may I process it?

Sensitive information covers areas such as a person's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership or non-membership, physical or mental health or condition, sexual life, any actual or suspected criminal offence and any proceedings being brought in connection with this.

You can only process such information in certain restricted circumstances, such as: the person involved has freely given explicit written consent to its use for clearly stated purposes; it is required for legal reasons; it is needed for ethnic or anti-discriminatory monitoring.

The rules say I mustn't transfer data outside the European Economic Area unless I'm sure the country's data protection laws are adequate or I have the individual's consent. But what's the European Economic Area?

The European Economic Area is made up of the European Union countries plus Norway, Iceland and Liechtenstein. Note that only a few countries outside of the European Economic Area are considered as having 'adequate' data protection laws.

Will I be breaking the law if I'm not exempt from notifying but fail to do so?

Yes. Failure to notify could lead to fines of up to £5,000 per offence plus costs. Liability can extend to the company and to individuals. If a company commits a criminal offence under the Act, any director or manager can be found guilty too.

How does 'Freedom of Information' law affect small businesses?

The Freedom of Information Act, in force from January 2005, affects businesses that regularly work and have contracts with public bodies, like local authorities and councils. It allows individuals a general right to access information about businesses working in the public sector - but businesses can charge to cover the administrative costs of providing such information. The Information Commissioner oversees the law.
