DATA PROTECTION – HAVE YOU TAKEN THE NECESSARY STEPS?

Powers exist under the Data Protection Act enabling the Information Commissioner to impose fines of up to £500,000 on “Data Controllers” for breaches without first going to court. A year on from this legislation coming into force, has your business ensured it is adequately up to date?

If you haven’t already taken the necessary steps, now is the time for businesses to:

• Carry out a risk assessment, taking into account the general risk areas and those particularly relevant to the organisation;
• Review and update the policies and procedures governing how personal data is handled, stored and disseminated, to make sure that processes and procedures remain robust;
• Have good governance and audit arrangements to establish clear lines of responsibility; and
• Implement the Guidance, Codes and Standards published by the Commissioner and other bodies on information security management.

As a minimum first step, knowledge of the eight data protection principles in the 1998 Act should be refreshed and current practices for dealing with personal data in the following key areas should be considered:

1. General security – it is essential for organisations to have tools in place that manage access to data and keep track of what is done with it. The system a company has in place should cover containment, damage limitation and recovery.

a) Who has access to work in progress and manual files during the day?
b) Is there a ‘clear desk policy’ after hours?
c) What happens to waste paper?
d) Are laptops and portable media on which personal data is stored routinely encrypted?

2. Sickness – medical information is one of the categories designated as ‘sensitive’ for which a special justification for processing is required.

a) Are there clear protocols designating who needs to have access to medical information?
b) Are processes in place for keeping medical information secure and confidential from colleagues who have no need to access it?

3. International outsourcing – offshoring to an outsourced service provider outside the EEA requires extra care.

a) Is the contractor secure and reliable?
b) Are there contracts in place to satisfy the rules in the 1998 Act on sending data overseas and passing it to a data processor?

4. Transnational management structures – complications may arise when sending personal data to a foreign parent company.

a) Has authorisation been given?
b) Have contracts or Binding Corporate Rules been put in place to satisfy the Eighth Data Protection Principle?

5. TUPE – information given during the course of preliminary discussions should not be so detailed that individuals can be identified. The Commissioner’s guidance should be followed.

6. Employee relations – in particular, care should be taken when dealing with grievance and disciplinary cases. It is important to ensure that a union representative has authority to act on behalf of an individual. In collective negotiations the privacy of non-members must be protected.
