The Data Protection Act 1998 is an extremely important piece of legislation which was introduced in the UK to bring its regulations in line with the European Directive of 1995. This directive from the EU required Member States to protect citizens' fundamental rights and freedoms, and in particular their right to privacy when personal and confidential data is handled. The Data Protection Act doesn't apply to personal use (you aren't going to be prosecuted for leaving your address book unattended, for instance), but if you're a business storing people's personal data you must follow the eight data protection principles to keep this data safe.
The Information Commissioner's Office (ICO), an independent government authority, oversees compliance with the Act and also offers a great deal of information and guidance about it. Their website can be found here: http://www.ico.gov.uk/for_organisations.aspx.
Because of the seriousness of the Data Protection Act, the ICO is also able to impose penalties on organisations that breach the Act, which, added to the possible loss of business and brand damage, can seriously affect the running of a business. The ICO can issue fines of up to £500,000, prison sentences and compliance costs. In 2011 the ICO issued £541,000 in fines to a total of 7 organisations. With this in mind it is extremely important that businesses find ways of complying with the eight principles of the law.
The eight principles are as follows. All data must be:
- Processed lawfully and fairly
- Used for the purpose the person agreed to when the data was collected
- Adequate, relevant and not excessive
- Accurate, and kept up to date if needed
- Kept no longer than necessary
- Processed while bearing in mind the individual’s rights
- Kept secure
- Transferred to countries which offer adequate data protection
There are a number of ways by which organisations can comply with the eight principles, and one of them is adopting the ISO 27001 standard. This is an internationally recognised standard which sets the benchmark for information security, helping organisations to set out policies for the security of data and to implement an Information Security Management System (ISMS), which outlines the procedures they follow.
An ISO 27001 certification is great for a business's reputation, as well as ensuring that you're complying with your legal obligations. It is important to remember that following these laws is not only a requirement but also beneficial for your business. Failing to comply could severely damage your reputation and, as mentioned, the ICO could issue you with a fine.