Many small companies remain unaware of their obligations when it comes to processing and managing personal data, it is claimed.
Many small companies remain unaware of their obligations when it comes to processing and managing personal data, report Experian. Many lack appropriate systems for making data accessible to the individuals concerned, which is a condition of the Act. A common misconception among smaller companies is that Data Protection legislation only applies to computer held records when, in reality, the new rules cover all personal data including hand written paper entries and manually maintained systems.ÿThe 1998 Act – which requires all companies to be compliant for manual records by October 2001 – applies to any records relating to an individual or from which an individual can be identified. In the case of small businesses, this is likely to include information held on individual customers, sole traders, partnerships, company directors and shareholders. The Act requires that the collection and processing of all personal information requires active consent from the individual concerned yet Experian’s research indicates that most SME companies will not have obtained consent to manage or process such personal information. Mike Bradford, Experian’s Director of Data Protection and Compliance, commented:ÿ “It is evident from our findings that many smaller companies have little awareness of the fact that the new Data Protection law affects them. For smaller companies selling to the trade or general public, personal information is also likely to cover sales records, credit payment accounts, mailing lists, customer orders and any notes on customers.ÿ Notes might typically include everyday comments such as ‘keeps disputing invoices’ or ‘high proportion of suspect returns’.ÿ The Act also covers notes on a company’s intentions towards a customer, for example, ‘reduce credit limit’ or ‘insist on cash up front’. All records come within the terms of the Act if they can be used to identify an individual, no matter how they are filed. They do not need to be filed by name, but could, for example, be filed by amount of business transacted, geographical location or type of business. So long as the personal information within these files can be used to identify the individuals concerned, then they are covered by the Act as personal data.? He concluded: “Under the new legislation, anyone is entitled to apply to a business to obtain all the data held on them. There are penalties, including fines, for non-compliance regarding the content of personal files and the way they are compiled and accessed.? Experian has produced a free booklet entitled A Simplified Guide to the Data Protection Act which is designed to assist businesses holding personal information on customers, suppliers, directors, shareholders or others. The booklet is available to businesses in PDF format on Experian’s web site. For a copy of this booklet go to www.nationalbusinessdatabase.com (Data Protection Advice Centre, PDF Files, DP Booklet). Essential advice in the booklet includes: assess all the records that are being used in your business, whether manual or computer, and examine the extent of personal data; appoint a Data Controller with the responsibility of ensuring relevant databases are compliant with the Act; notify the Information Commissioner of the data being held and the name of the appointed Controller; install the means by which consent is obtained from data subjects to hold and use information about them; set up the systems whereby individuals can inspect the data you hold on them; inform all relevant staff about the terms of the Act relating to how they collect, hold and access personal data.
