

Data protection

Legal information and advice about data protection law, such as whether you should register, when and how to register with the ICO, what personal data is, the data protection principles, the rights of data subjects, and penalties and compensation for breach of data protection law.

Legaleze introduction
Data protection has a bad name for many people, not because of the law itself, which essentially has a good purpose, but because of the way some companies interpret it with a total lack of common sense. The Information Commissioner’s Office has pointed out some of the so-called “duck outs”, or spurious excuses for not giving information.

Data Protection Act
The Data Protection Act 1998 ("DPA") regulates the processing of personal data by a data controller. “Personal data” is data relating to living individuals who can be identified from the data or other information in the possession of the "data controller". Data includes opinions and intentions as well as facts.

“Processing data” means processing data by means of equipment operating automatically in response to instructions or as part of a relevant filing system from which individuals can be readily identified (which includes a paper filing system).
The “data controller” is normally the person who decides what data is processed and the purposes for which it is processed.

All data controllers must ensure personal data is kept according to the “data protection principles” set out in the DPA.

What you need to do
* Visit the Information Commissioner’s website and read in particular the ICO guide “Personal information online: small business checklist”.

If your business does process personal data, take the following steps:

* Decide if your business will need to notify the Information Commissioner’s Office (“ICO”). Some data processing is exempt from notification if strict conditions are met, e.g. staff administration (employment and payroll records); advertising, marketing and public relations; accounts and records; and some non-profit-making bodies.

* Whether or not notification is required, decide how your business will ensure that processing of personal data complies with the data protection principles. This may mean writing a privacy policy, and will mean taking measures to ensure that data subjects’ consent to data processing is obtained and that data is safeguarded from unlawful disclosure and loss, e.g. security measures including encryption of data, rules to prevent personal data being used on laptop computers out of the office (especially if the data is unencrypted), and secure handling of paper records.

* Notify the ICO if required. If you have followed the previous steps, you will be able to give the correct information to the ICO.

* Ensure data is kept up to date, deleted if not required, and monitor compliance with the data protection principles.


[Page updated: 08/06/2013]

