Making good business sense of data protection

Finance - Features
Friday, 12 January 2007

Data protection is high on the agenda of many businesses following a series of well-publicised security lapses in recent years.

Stories of thieves rummaging through dustbins in search of financial information, as well as the occasional discovery of such data on rubbish skips, serve as a useful reminder of the importance of correct procedures in the disposal of documents.

Just as identity theft has hit the headlines, privacy now rates as one of the top three social concerns. For small and medium-sized businesses, many of which may not have the luxury of sophisticated IT support, this is an area where error can be caused by thoughtlessness, lack of technical knowledge or even misplaced kindness.

The Information Commissioner’s Office, the UK’s independent public body set up to promote public access to official information and ensure the protection of personal data, is responsible for overseeing and enforcing the Data Protection Act. Assistant information commissioner Phil Jones said: “Larger companies are likely to have IT staff available to look after things like the correct disposal of documents, print outs and floppy disks. For smaller businesses, it can be quite easy for people to pass a computer on to, say, a local school, thinking they have deleted all the relevant documents, when in fact they have only deleted the links. It is then quite possible for someone with IT knowledge to retrieve these documents and use them for the wrong purposes.”

The Data Protection Act aims to promote high standards in the handling of personal information and to protect individuals’ right to privacy. The act applies to anyone processing personal information about living individuals. Any business that processes personal information should notify the ICO unless exempt. The annual fee for notification is £35 and failure to do so is a criminal offence.

In considering what personal information they hold about clients, employees and suppliers, businesses need to comply with certain basic principles. These state that information must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with personal rights
  • Secure
  • Not transferred to other countries without adequate protection

Jones said: “Much of it is common sense. It’s a case of looking at the personal information you hold and ensuring that it is being held for customer purposes and kept secure.

“A newsagent may, for example, hold information about someone who is away on holiday for a couple of weeks without thinking that the information could be useful to criminals,” he added.

The pitfalls of poor information management are obvious. Businesses that use inaccurate or out-of-date information will not only annoy customers, but also waste time and money. In particular, the Data Protection Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

Should an individual or organisation feel they are being denied access to the information they are entitled to, or think their information has not been handled according to the basic principles outlined above, they can ask the ICO for help. Complaints are usually dealt with informally, but if this proves impossible, enforcement action can be taken. By contrast, good information handling will increase customer and employee confidence, enhancing a business’s reputation.

Developments in technology also present particular challenges. CCTV, a commonplace security feature for many small businesses, needs to be considered in light of the Data Protection Act. Users must display notices explaining the reason for CCTV and also check that cameras are in the right place and do not intrude on people’s privacy.

Similar caution is required when handling personal information that may appear on a company website and, in some instances, it may be necessary to use a system of password protection for areas of the site containing personal information. In addition, staff are entitled to know if their e-mails are being monitored and be given an explanation as to why monitoring takes place.

To find out more about data protection for SMEs and to assess the performance of your business on compliance issues by a simple checklist, visit the ICO website at www.ico.gov.uk. 
