1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190 
Keep it to yourself or else
Page 39
If you've noticed an error in this article please click here to report it so we can fix it.
Individuals who fall foul of the Data Protection Act face unlimited fines and up to two years in jail. Nigel Miller explains how to stay out of trouble.
T. he government plans tougher penalties for companies who trade in or misuse personal data. Judges will have the power to impose prison sentences of up to two years with unlimited fines.
The Financial Services Authority recently fined The Nationwide Building Society £980,000 for the loss of a laptop containing "confidential customer data", The Nationwide was found to have failed to implement adequate risk-management systems.
The Data Protection Act (DPA) is policed by the Information Commissioner (IC), who understands that adverse publicity can be a more potent sanction than a relatively small tine.
On 13 March 2007, he "named and shamed" 11 financial institutions in breach of the DPA and ordered them to sign undertakings. Breaches of these could lead to prosecution.
Under the DPA all company directors and managers, secretaries or other officers can be found personally guilty of offences committed with their consent or connivance, or attributable to their neglect.
`1i) stay within the law you must notify your processing operations (the computer system you have for recording your employees' or customers' data) to the IC, register under the DPA and process personal data in accordance with the eight"data protection principles". All computer processing of personal data must be notified to the IC; failure to do so is a criminal offence. Notification is relatively straightforward and can be carried out using a form on the IC's website (www.ico.gov.uk) and paving £35, There are some exceptions to the requirement to notify, but it is advisable to notify in any event to avoid committing an offence.
Data protection principles Anyone who processes personal information must comply with the eight data-protection principles. These are that data is: processed fairly and lawfully; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept for longer than is necessary; processed in line with individuals' rights; secure; and not transferred to other countries outside the European Economic Area (the EU plus Norway. Iceland and Liechtenstein) without adequate protection.
The IRA sets out broad principles so it can be difficult to comply with because it is not always clear what the requirements are in any given situation. Firms need to make an assessment by seeking to balance their legitimate need for business information against the sometimes competing right of the individual to respect for his or her private life.
Apart from being a legal obligation, it is good business practice. In any case, breach of the legislation can have adverse consequences.
The IC can take enforcement action.Failure to comply with an enforcement notice is a criminal offence, punishable by a fine. Individuals may also seek compensation through the courts for any damage suffered. Most importantly, if a complaint is made or enforcement action is taken, there can be adverse publicity and damage to a company's reputation. • • Nigel Miller is a commerce and technology partner at City law firm Fox Williams LLP. He can be contacted at nmiiler@foxwilliams.com
Personal data: Data that relates to a living person. The information must affect a person's privacy, whether in his or her personal or family Ile, business or professional capacity.
Sensitive data: Certain personal data is regarded as 'sensitive" and requires a higher standard of compliance. This includes data about health, racial or ethnic origin, political opinions, religious or similar beliefs, and sex life. Data controller: The person, firm or company making decisions about the collection of, and what to do with, personal data.
Processing: This is widely defined. Any
collection, holding and processing of data on computer will be covered by the act.
Hard copy: The Data Protection Act also covers manual (hard copy) data that is held in a structured filing system.