ICT Management. > Legal Issues

Make sure your Data Protection compliance is in order

By Paul Ticher

Is your organisation fully compliant with the Data Protection Act 1998? This article outlines some of the main questions you will need to ask yourself in order to make sure you are.

The Data Protection Act 1998 came into force fully on 24th October 2001.  Some of the main questions you need to be able to answer include:

Is our use of personal data fair?

This is the fundamental aim of the Act - not to hamper your activities by stopping you using information, but to make sure that when you do use it you go about things in the right way, with respect and courtesy for the individuals concerned.

Does everyone know what sort of information we hold about them, and what we use it for?

There are a few exceptions where it may be ok for people not to know specifically (your contact names in other organisations, for example) but the test is, 'would anyone be surprised if they found out what we were doing with their information?' It is wrong to do things behind people's backs or keep them in the dark deliberately. Don't forget to consider 'secondary' people - your clients' family members, for example.

Are we clear about when we need consent to use people's information?

You often don't need consent for run-of-the-mill information, but you might well need it if you hold any sensitive data - that is, information about a person's racial or ethnic origin, religious or political beliefs, Trade Union membership, health, sex life or criminal record. There are some exceptions where you can use this information without consent, but you must be careful to meet the requirements fully. If you don't have consent, you must meet at least one of the other conditions set out in the Act.

Do we protect our information from unauthorised access?

You must be clear who is authorised to see and use information - and who is not. People should only be authorised if they have a good reason. Take particular care when you are disclosing information to people outside the organisation, especially over the telephone.

Have we checked our information collection processes to make sure that the information we hold is adequate, relevant and not excessive?

You might ask for information out of habit but no longer have a use for it, or collect information from everyone that you only need in a small minority of cases. It would be wise to ask for the information only when you realise that you need it.

Do we keep information longer than necessary?

Now that Data Protection applies to paper files as well as computer records, you cannot just archive things automatically, however large your basement. You must ask 'Can we envisage a situation when it would matter if we didn't have this information?' If not, perhaps you shouldn't be keeping it. If you want it for historical purposes, can it be made anonymous or compiled into statistics?

Do we have clear procedures if people don't want to receive marketing or fundraising material?

People now have the right to stop you using their data for these purposes. Whenever you obtain information that will be used for marketing or fundraising you need a box for people to tick if they don't want it (or a routine question when you take the information over the phone).

Do we get consent for putting information (including photographs) about people on our web site?

Because a web site can be accessed from countries that do not have Data Protection legislation, it counts as an overseas transfer, with special rules. Photographs, if they are of identifiable people, are covered by Data Protection, and it is particularly important to be careful when you use photos of children or vulnerable adults.

Are we up to speed on the Criminal Records Bureau?

Soon this will be the only way you are allowed to carry out a police check on staff or volunteers. See the Criminal Records Bureau website for more details. If you're happy that you can answer all the above questions positively, then you probably have little to worry about. Even if you haven't worked specifically on Data Protection, you will probably find that your existing policies and procedures are pretty close to what is required. However, it's as well to be sure.

Further Information

For more information:

• Visit the website of the Information Commissioner,  or call 01625 545 700
• Read the Lasa Computanews Guide on Data Protection (209 kb PDF document - requires Adobe Reader. Download free from Adobe )
• Buy my book: Data Protection for Voluntary Organisations, £12.95 from the Directory of Social Change, 020 7209 5151

Paul is a self-employed consultant. He can be contacted on 0116 273 8191 or by email as [email protected].