Data Law View

by msecadm4921

The Data Protection Act does not just cover CCTV, as Claudia Gerrard writes. Imagine you are contacted by another company, asking you about a former employee. Or your staff have transferred to a new contractor and the new contractor is asking you for information. Then what?

From the July 2011 print issue of Professional Security magazine.

In most instances, the immediate reaction is to be helpful and provide the requested information. After all, what possible harm could there be in doing that? The risk, though, is that there are very specific rules on when certain types of data can be disclosed to third parties. The Data Protection Act 1998 (‘the Act’) aims to protect personal data relating to a living individual. What constitutes data ranges from name and address, through to email addresses and even CCTV images. The important question is whether an individual can be identified from that data. The Act requires anyone handling, storing or processing personal data to be registered and to comply with eight data protection principles. For example, all data must be processed fairly, be accurate, up to date and kept secure. Where there is sensitive personal data, the obligations are even more stringent. Sensitive personal data includes ethnic origin, religious beliefs, health, criminal convictions and other such matters.

Only the data subject, as they are called by the Act, has a right to ask for their data, and you can charge them £10 for providing it. So in our scenarios, it would generally be a breach of the Act to pass data to a third party, and if information is passed, for example in a reference, it must be checked for accuracy. So, why do you need to comply with the Act? The penalties for non-compliance are very high. Not only is there the possibility of bad publicity, with the Information Commissioner actively seeking to ‘name and shame’ offenders; legal action might also be taken against you by individuals.

One such instance occurred this year, in the case of McVie v Swindon College. The College employed Mr McVie between 1995 and 2002. Having had two jobs in between, Mr McVie began work for the University of Bath. The HR director of the college made an inaccurate statement about Mr McVie to the university. As a result, Mr McVie was dismissed. However, his claim against the college was upheld in court and he could be awarded substantial damages for loss of earnings and damage to reputation.

Another of the biggest risks a company faces is being fined. That occurred in September 2010, when Zurich Insurance was fined the record sum of £2.27m [featured in our October 2010 issue]. The details of some 46,000 customers were lost during the transfer of data to South Africa. Although it was a particularly serious breach, it does give an indication of the level of fine an offending company could face. In the light of cases such as those, companies need to ensure that they, and their staff, comply with all relevant principles in the Act.
