Holding people's personal data is a significant responsibility for any organisation, and the way that data is used and handled is governed by law.
The Data Protection Act 1998 sets out the requirements that businesses and other organisations must meet in order to avoid fines and other legal consequences.
What is considered to be personal information?
Under the act, personal data is any information relating to a living individual who can be identified from it, either on its own or together with other information the organisation holds.
Examples of personal information include:
• Bank details
The eight principles of managing personal data
The act sets out eight principles which, if followed, should keep an organisation that holds personal data on the right side of the law.
They require that personal information is:
• Processed fairly and lawfully
• Obtained only for specified, lawful purposes and not used in any way incompatible with them
• Adequate, relevant and not excessive for those purposes
• Accurate and, where necessary, kept up to date
• Kept for no longer than necessary
• Processed in line with the individual's rights
• Kept secure, with appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
• Transferred outside the European Economic Area only where adequate protection is provided
These principles apply to all staff. Although they can be interpreted with a degree of common sense, anyone needing guidance should contact the Information Commissioner's Office.
It is this body that regulates organisations and levies fines where they are in breach of the act.
Sensitive personal data
A subset of personal data, known as sensitive personal data, is subject to stricter conditions: it may only be processed where one of the act's additional conditions is met, such as the individual's explicit consent, and it should be disclosed only where absolutely necessary.
This data includes:
• Ethnic origin
• Political opinions
• Religious beliefs
• Membership of a trade union
• Health conditions
• Sexual orientation
• Offences committed or alleged to have been committed
• Proceedings relating to such offences
When can personal information be used?
The act lists a number of legitimate grounds on which an organisation may use a person's information, and the information may also be used where the individual has given their consent.
The act also provides exemptions where processing is necessary for the prevention or detection of crime, the prosecution of offenders, the assessment or collection of tax, or the performance of regulatory functions.
Other exemptions exist, for example for the provision of a confidential reference.
The individual's rights
It is up to the organisation to make sure that the individual whose personal information it holds knows what their rights are.
They have the right to be told that their information is being processed, to see that data on request (a subject access request), and to have any factual inaccuracies corrected.
A common issue is businesses using personal information for direct marketing: the individual can ask for this to stop at any time, and the organisation must comply.
Instructing staff
Any employee who is given access to personal information must be properly trained and must stay within the bounds of the act.
They must know exactly what their role is and how to carry it out, and it is the organisation's responsibility to ensure this is the case.
Notifying the Information Commissioner's Office
Under the act an organisation is legally required to notify the Information Commissioner's Office of how it uses personal information, unless it is exempt from doing so.
Notification usually requires the submission of basic details of the nature of the processing and the measures put in place.
Case study: the consequences of breaching the act
The highest fine the Information Commissioner's Office had issued at the time, £325,000, was imposed in 2012 on an NHS trust (Brighton and Sussex University Hospitals NHS Trust) for serious breaches of the act.
The trust had passed hard drives to a contractor for destruction, but they were instead sold on an internet auction site with highly sensitive information still present on them.
The information related to both staff and patients and included details of conditions including HIV and genito-urinary medicine cases.
The practical lesson is that the security principle applies to data at end of life as much as in day-to-day use: storage media should be securely wiped or physically destroyed before it leaves the organisation's control, and evidence of that destruction should be obtained and kept rather than taking a third party's word for it.