What is Data Protection?
The Data Protection Act (1998) governs the protection of any personal data held by any organisation, business or government body, and how that information is used or shared. It sets out a set of rules that must be followed, called the Data Protection Principles. The Information Commissioner's Office (ICO) enforces the Act: it judges whether organisations are using personal data responsibly, or whether they are being reckless with personal files, for example by selling information.
Customers have data protection rights, including the safekeeping and confidentiality of their personal records. There is even stronger protection for more sensitive personal information, such as ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.
How Does it Affect Your Company?
Different organisations will hold different amounts of personal data; however, it is advisable to audit your personal data regularly and get rid of data that you do not need. The ICO can deem it reckless if you keep old data for too long.
Keeping a large amount of personal data without auditing it can also be problematic for organisations for a number of reasons:
- Older data may be out of date, causing errors or increasing the risk of passing on false information.
- It is more difficult to ensure that older documents are correct.
- It is more difficult to locate personal data if there is too much unnecessary data in store.
It is also advisable to put information that you do not need on a regular basis into storage to ensure its safekeeping. It is not a criminal offence to keep personal data that is not used very regularly; however, it is a criminal offence to store it unsafely. It is best to outsource your document storage to free up space and to ensure it is stored in accordance with Data Protection Act legislation. You should also conduct regular audits to be sure that you are not holding too much data for too long.
If an organisation breaches any of the Data Protection Act's principles, the Information Commissioner has the right to issue a financial penalty. This applies if the company deliberately breaches any of the principles, or if the company knew (or should have known) that there was a risk of a breach likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.
The maximum penalty that can be issued is £500,000.
Not complying with the data protection principles is not a criminal offence; however, there are multiple ramifications for being careless with people's personal data. People may demand compensation for any harm caused, and you may need to pay a penalty issued by the ICO; but most of all it is bad publicity and damaging to your brand name.
Data Protection Case Study
Sony Computer Entertainment Europe was fined £250,000 in January 2013. This was the result of the Sony PlayStation system being hacked in 2011, putting personal data such as payment card and login details at risk. The ICO decided that Sony's security system was not strong enough to withstand the hack and that it should have been stronger.
Sony was responsible for keeping all of this information safe from hackers, and therefore received the fine because the ICO said the breach could have been avoided. (SRC: BBC News)
About Secure Data Management
At Secure Data MGT we have over 25 years of document storage experience, and we offer an auditing and storage service that minimises the risk of Data Protection breaches. We store documents in access-controlled, weather- and fire-proof centres with 24-hour security and CCTV. On top of this, we help with the auditing of your documents to improve processes and workflow. Get in touch!