Data protection plays a key role in today’s business world, so it is worth knowing whether your business is under any obligation to comply with data protection legislation.
The Data Protection Act 1998 lays down a number of important principles which govern how personal data is collected, held and processed by businesses. Many businesses comply with the legislation without even realising it. However, it is very easy to fall foul of the Data Protection Act in the absence of a formal, documented Data Protection Policy.
Have a look at the checklist designed by the Information Commissioner’s Office, as it can help you comply with the Data Protection Act.
Given the vast quantities of data held by businesses about their employees, it is crucial to consider data protection from an employer’s perspective. A typical Employee Data Protection Policy will clearly set out the data protection obligations of the employer and lay down a number of organisational and procedural measures to ensure compliance with the Act. The rights and obligations of employees (as data subjects) should also be included in such a policy document.
Not all data within an organisation remains internal. It is common for businesses to outsource their data collection and processing to third parties, and employees’ data will frequently be passed on to trade unions and to the providers of benefits such as pensions and private healthcare. To cover this, many Employee Data Protection Policies go beyond the organisation itself and address the obligations of such third parties.
So what happens if you do not comply with the Data Protection Act? As a “data controller”, you can be found criminally liable (for example, for failing to comply with an Information Commissioner’s notice, or for providing false information). Managers and employees can also be held personally liable. Even if you are prepared to pay a fine, it is worth putting a Data Protection Policy in place to avoid the negative publicity that could destroy your business.