Tightening the screws on data protection
01 Jun 2007
And while these companies pretend nothing is happening, gruesome examples of data protection breaches hit the headlines with increasing regularity.
While the criminal fraternity has long realised the value of personal data and the potential spoils from identity theft, the business community has been slow to appreciate the need to respect the personal data of its customers and clients.
Recently, the Financial Services Authority (FSA) fined The Nationwide Building Society £980,000 for the loss of a laptop which contained ‘confidential customer data’. The Nationwide was found to have failed to implement adequate risk management systems. And the fine is substantial.
However, where a business has been found to have breached data protection laws, the greater damage (albeit harder to quantify) can be in terms of loss of reputation, trust and goodwill and damage to the brand.
The Information Commissioner (IC), who polices the Data Protection Act (DPA), understands that adverse publicity can be a more potent sanction than a relatively small fine. On March 13, 2007, he named and shamed 11 banks and other financial institutions in breach of the DPA after investigating complaints concerning the disposal of customer information.
Waste bins
Household names such as Alliance & Leicester, Royal Bank of Scotland, Natwest, Barclays Bank, Nationwide Building Society and The Post Office were all found to have discarded personal information in waste bins outside their premises. The IC required these organisations to sign formal undertakings, breach of which could result in prosecution.
If the message were not already clear enough, the climate for enforcement of data protection is set to tighten further. The government has announced it will introduce much tougher powers against those found guilty of trading in, or deliberately misusing, the personal data of others.
Judges will have the power to impose prison sentences of up to two years in addition to unlimited fines. Although these changes are aimed primarily at those who are deliberately misusing personal data for profit, they are an indication of the seriousness with which the government is treating the issue of personal data privacy.
And, under the act, company directors as well as other managers, the secretary or similar officers can be found personally guilty of offences where committed with their consent or connivance or where attributable to their neglect.
Data protection in a nutshell
The DPA regulates the processing of personal data by data controllers. Broadly, to comply with the DPA you have to notify your processing operations to the IC, obtain a registration, and process personal data in accordance with the eight ‘Data Protection Principles’.
Notification
All computer processing of personal data must be notified to the IC. It’s a criminal offence to process personal data without being included on the register maintained by the IC.
This is the simplest aspect of the DPA to comply with, and it is also the failure to comply with this aspect that is most likely to be identified by the IC and penalised.
Notification is relatively straightforward and can be carried out by completion of a form on the IC’s website (http://www.ico.gov.uk) and payment of the official fee of £35.
There are some exceptions to the requirement to notify (eg, some not-for-profit organisations) but, even if an exception may apply, it’s advisable to notify in any event to avoid committing an offence.
Data protection principles
Anyone who processes personal information must comply with the eight Data Protection Principles, which require that personal data is:
● processed fairly and lawfully;
● processed for limited purposes;
● adequate, relevant and not excessive;
● accurate and up to date;
● not kept for longer than is necessary;
● processed in line with individuals' rights;
● kept secure; and
● not transferred to other countries outside the European Economic Area (EEA) without adequate protection.
Because the DPA sets out broad general principles, it can be difficult to comply with as it’s not always clear what you need to do in any given situation. In such cases, firms need to make an assessment by seeking to balance their legitimate need for business information against the sometimes competing right of the individual to respect for his or her private life.
Why comply with the DPA?
Apart from being a legal obligation, it’s good business practice. Breach of the legislation can have adverse consequences. The IC can take enforcement action. Failure to comply with an enforcement notice is a criminal offence, punishable by a fine. Individuals may also seek compensation through the courts for any damage suffered.
Most importantly, if a complaint is made or enforcement action is taken, there can be adverse publicity and damage to reputation. A Google search for ‘Nationwide Building Society’ refers in four of the first 10 search results to the £980,000 fine for data security lapses. Is this what you want to be known for?
Glossary
Personal data means data which relates to a living person. The information must affect a person’s privacy, whether in his personal or family life, business or professional capacity.
Certain personal data is regarded as ‘sensitive’ and requires a higher standard of compliance. This includes data about health, racial or ethnic origin, political opinions, religious or similar beliefs, and sexual life.
Data controller is the person, firm or company who makes the decisions about the collection of, and what to do with, the personal data.
Processing is widely defined. Any collection, holding and processing of data on computer will be covered.
The DPA also covers manual (hard copy) data held in a structured filing system.
Checklist
The following checklist was compiled by the Information Commissioner’s Office (ICO) to help firms to comply with the DPA.
● Do I really need this information about an individual? Do I know what I'm going to use it for?
● Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
● If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
● Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
● Is access to personal information limited to those with a strict need to know?
● Am I sure the personal information is accurate and up to date?
● Do I delete or destroy personal information as soon as I have no more need for it?
● Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
Nigel Miller is a commerce and technology partner at City law firm Fox Williams LLP