Dealing with personal data of customers, suppliers and employees is a regular part of many businesses’ day-to-day operations. However, if not handled properly there could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines).
Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information. This may include a person’s name, email address, telephone number and date of birth.
The Information Commissioner’s Office has recently published guidance on how to avoid the common pitfalls that some businesses have inadvertently fallen into. A summary of the report is provided below:
Collecting Personal Data
A business can collect personal data only if the information is required and if it has a legitimate reason for doing so (for example, because a new employee is coming to work for the business and his/her personal details are required for payroll).
When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data. If the purpose changes, the individual must be informed once again.
Using Personal Data
Data should only be used for the reason that it was collected and only if consent has been obtained. The data can also be used in other limited circumstances, for example, if the business:
– needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them); or
– has a legitimate interest in using it. This exception, however, must be balanced against the individual’s rights. An example would be where part of a business has been sold to a third party and the business needs to transfer customer data to the buyer.
A business should obtain independent legal advice if it intends to:
– use a third party to manage the data (e.g. to carry out payroll services);
– transfer the data to countries outside of the European Economic Area;
– use sensitive personal data such as ethnic origin or criminal record; or
– market products to existing customers who have not given explicit consent for their personal data to be used in this way.
Storing Personal Data
The data should only be held for as long as it is required and for the reason it was collected. Databases should be regularly cleaned and out-of-date information must be deleted to ensure that all the data is accurate.
Keeping Data Secure and Confidential
Storing, sending and disposing of personal data must all be done in a secure way. This can be achieved, for example, by having password protections on computer systems and shredding documents once they are no longer required rather than placing them in the
When dealing with data in the public domain, handlers should ensure that confidential documents and matters are kept confidential and out of sight and earshot of the public.
Enquiries About Personal Data
Businesses should have a system in place to deal with individuals who request details of the personal information that the business holds on them. A business is permitted to charge an administration fee of up to £10 for responding to this type of request. This request should only be dealt with by the person within the business with responsibility for data protection issues.
Personal data should not be given out to the friends or relatives of an individual without that individual’s specific consent.
Should you have any concerns regarding handling personal information or data protection generally please contact
Stephen Foster, Head of Corporate and Commercial at
firstname.lastname@example.org or by telephoning 0161 833 9211.
The information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Berg or any of its partners or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.