Data Protection FAQ
Common queries about a complex subject
What is personal data?
Information about living, identifiable individuals. It does not need to be particularly sensitive information - it could just be a person's name and address.
Will I still be exempt from notification if I buy in data for marketing purposes?
Yes, if you buy in data such as mailing lists for your own marketing purposes you will still be covered by the advertising and marketing exemption.
What does the notification exemption on accounts and records cover?
This exemption covers keeping information on past, existing or prospective customers and suppliers necessary to help you keep your accounts, make decisions about whether to do business with a particular customer or supplier and make financial and management forecasts.
But it doesn't cover data obtained from a credit reference agency.
What are the eight basic principles of data protection?
The Data Protection Act contains eight principles which cover how data must be handled. They sum up what a business has to do to comply with the Act.
What can I do to make sure data is held securely?
Make sure any rooms and IT systems you use to store data are secure and destroy data which you no longer need (looking to comply with the requirements of British Standard 7799 on information security management may be helpful). Train staff to handle data reliably and remind them it is a criminal offence to pass it on, either recklessly or for money.
How do I notify with the Information Commissioner?
You can notify by calling 01625 545 740 or by visiting www.informationcommissioner.gov.uk
Do I have to give individuals access to the data I keep on them?
Yes. Any individual has a legal right to make a written request to see any information you hold on them, though you can charge a fee of up to £10 for doing this. The information must be sent to the individual within 40 days of receiving the request (or of receiving payment if you ask for it). You should give details of why you're processing their data, anyone it may be passed to and any information you have about the source of the data.
What exactly is sensitive information and in what circumstances may I process it?
Sensitive information covers areas such as a person's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership or non-membership, physical or mental health or condition, sexual life, any actual or suspected criminal offence and any proceedings being brought in connection with this.
You can only process such information in certain restricted circumstances, such as: the person involved has freely given explicit written consent to its use for clearly stated purposes; it is required for legal reasons; it is needed for ethnic or anti-discriminatory monitoring.
The rules say I mustn't transfer data outside the European Economic Area unless I'm sure the country's data protection laws are adequate or I have the individual's consent. But what's the European Economic Area?
The European Economic Area is made up of the European Union countries plus Norway, Iceland and Liechtenstein. Note that only a few countries outside of the European Economic Area are considered as having 'adequate' data protection laws.
Will I be breaking the law if I'm not exempt from notifying but fail to do so?
Yes. Failure to notify could lead to fines of up to £5,000 per offence plus costs. Liability can extend to the company and to individuals. If a company commits a criminal offence under the Act, any director or manager can be found guilty too.
How does 'Freedom of Information' law affect small businesses?
The Freedom of Information Act, in force from January 2005, affects businesses that regularly work and have contracts with public bodies, like local authorities and councils. It allows individuals a general right to access information about businesses working in the public sector - but businesses can charge to cover the administrative costs of providing such information. The Information Commissioner oversees the law.