Virtually all businesses gather, store and process information about other people, whether it is abo...
Virtually all businesses gather, store and process information about other people, whether it is about staff, customers, clients or suppliers. The advance of the 'information age' in recent years has meant this information is now usually stored on computers and is therefore widely distributable and readily accessible.
The Data Protection Act 1998 ('the Act') was introduced "to make provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information".
The Information Commissioner's Offices (ICO) is the UK's independent public body set up to promote access to official information and to protect personal information in accordance with the provisions of the Act. The ICO also has powers of enforcement under the Act.
A good example of where the ICO has used its enforcement powers recently has been against Carphone Warehouse and its sister company, TalkTalk.
The ICO carried out an investigation after receiving complaints about the way in which the companies processed and stored customers' personal information.
It was found that Carphone Warehouse and TalkTalk had allowed customer accounts to be opened in the wrong name and passed inaccurate information on to credit reference agencies and debt collection agencies; had breached security provisions by enabling some customers to see other customers' confidential personal data when logging on to their online account and in some instances had emailed such data to other customers; and had not responded to requests by individuals for information held about them.
The current law provides that anyone who processes and stores personal information must comply with the eight principles that ensure personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in accordance with individuals' rights under the Act;
- kept securely;
- not transferred to other countries without adequate protection.
If it can be shown that a company has contravened the provisions of the Act, the ICO can serve an Enforcement Notice upon the offending company, which compels the company to rectify the breaches. Failure to comply with the Enforcement Notice is a criminal offence and usually punishable by a hefty fine.
The ICO served Enforcement Notices upon Carphone Warehouse and TalkTalk, which ordered them to improve their data protection practices within 35 days. The ICO has indicated that further action will be taken against Carphone Warehouse and Talk-Talk should they not comply with the Enforcement Notices.
The above example demonstrates that employers need to take their data protection obligations seriously or face criminal sanctions and adverse publicity.
Sound and secure data protection practices should be implemented and regularly reviewed, and training should be provided to employees.
Employers should remember that customers have a legal right to the personal information that you hold. You are legally obliged to provide this information upon request.
Two global vehicles
'Further plug advice gap'
Must appoint separate CEOs and boards
Advisers do come out well
Will report to Mark Till