In the UK, the Data Protection Act 1998 governs how an organisation collects, stores and shares the personal data it holds. The principles themselves are clear-cut, but their application can be vague in practice. For example, the principles require that data be ‘kept safe and secure… for as long as is necessary and no longer’, which is hard to observe unless your organisation has defined a clear protocol for what ‘secure’ and ‘necessary’ mean for each kind of record.
As an ambassador for your business, particularly if you work in Human Resources or accounts, it is important that you interpret these principles reasonably and exercise careful judgement in applying them. In this article we discuss the principles of the Data Protection Act and how they can be applied practically, by presenting a selection of excerpts from the Act accompanied by advice on how to apply them in your workplace in order to observe data protection best practice.
It is of utmost importance that any personal information collected is accurate, that steps are taken to amend any errors, and that data is stored on a protected system such as an encrypted database or an access-controlled intranet. Speak to your webmaster or IT support staff about creating and maintaining secure records, restrict access to those systems to authorised individuals through per-user accounts, and use a password manager such as Keeper so that credentials are not shared or written down. Note that under the Act the legal responsibility rests with the organisation as data controller; in practice, however, line managers are the people who collect and handle most of this data day to day, so you should ensure that they receive full training in these skills.
The data you obtain should be as accurate as possible when you collect it, but some details, such as addresses and phone numbers, will need updating from time to time. It is important that data controllers regularly check and update the information in their care, and encourage clients and other staff members to keep them informed of any changes. Regarding individuals’ access to data, according to yourrights.org.uk the Right of Subject Access entitles a person to ‘personal information about you held by public authorities and private bodies… regardless of the form in which it is held’. A subject access request from a client or colleague must therefore be honoured within the Act’s timescale (40 days under the 1998 Act), and data may be withheld only where one of the Act’s specific exemptions applies, so have a written procedure for receiving, verifying and answering such requests.
Certain information may be pertinent when it is obtained but may become obsolete or irrelevant over time. It is important that this information is checked and weeded out at regular intervals. It is worth designing and implementing a company policy that gives records ‘use-by’ dates: certain records, such as financial records, must be kept for a specific length of time and no longer, so the policy should state the retention period for each category of record and who is responsible for reviewing it. Company policy should also be drafted and enforced for the safe destruction of each form of data. Papers may be destroyed by incineration or by a reputable shredding company with a confidentiality policy, such as Lombard Recycling. Digital files need more than an ordinary delete: emptying the recycle bin removes only the directory entry, and the contents remain recoverable until overwritten, so use a secure-erase tool or, better, keep records on encrypted storage and destroy the key when the retention period ends. CDs and other write-once media should be physically destroyed, and flash drives and hard disks should be securely erased or overwritten (bearing in mind that wear-levelling on flash media can leave copies of data that a simple overwrite does not reach).
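The retention and destruction routine described above can be automated so that records do not depend on someone remembering to weed them out. The script below is an added example written for this article, not code from the Act or from any organisation mentioned here; the record categories, retention periods and file names in it are constructed for illustration and must be replaced with the periods your own policy (and any statutory requirement) sets. It computes each record’s ‘use-by’ date from its creation date and category, overwrites expired files before unlinking them, and returns what it deleted so the run can be logged.

```python
import os
import tempfile
from datetime import date, timedelta

# Constructed retention schedule in days. These are illustrative
# assumptions for the example, not figures from the Act or the article.
RETENTION_DAYS = {
    "financial": 6 * 365,    # e.g. accounting records kept for six years
    "recruitment": 180,      # unsuccessful applicants' details
    "hr": 6 * 365,           # staff records after employment ends
}


def _as_date(value):
    """Accept either a date object or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def expiry_date(created, category):
    """The 'use-by' date for a record: creation date plus the retention period."""
    return _as_date(created) + timedelta(days=RETENTION_DAYS[category])


def is_expired(created, category, today):
    """True once the retention period for this category has passed."""
    return _as_date(today) > expiry_date(created, category)


def secure_delete(path, passes=1):
    """Overwrite a file's contents with random bytes, then unlink it.

    Caveat: on SSDs, journaling or copy-on-write filesystems the overwrite
    may not reach the original blocks. For those, full-disk encryption with
    key destruction, or physical destruction of the media, is the reliable
    route; this routine is for plain magnetic storage.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                fh.write(os.urandom(chunk))
                remaining -= chunk
            os.fsync(fh.fileno())   # make sure the overwrite hits the disk
    os.remove(path)


def weed_records(records, today, delete=secure_delete):
    """Delete every record past its use-by date.

    records: iterable of (path, created, category) tuples.
    Returns the list of paths that were destroyed, for the audit log.
    """
    destroyed = []
    for path, created, category in records:
        if is_expired(created, category, today):
            delete(path)
            destroyed.append(path)
    return destroyed


def demo():
    """Run the weeding over two constructed files in a temporary directory.

    Returns (basenames destroyed, whether the in-date file survived).
    """
    workdir = tempfile.mkdtemp()
    old = os.path.join(workdir, "applicant_2015.txt")     # constructed sample
    recent = os.path.join(workdir, "ledger_2015.csv")     # constructed sample
    with open(old, "wb") as fh:
        fh.write(b"Jane Doe, 1 Example Street, unsuccessful applicant\n")
    with open(recent, "wb") as fh:
        fh.write(b"2015-01-01,invoice 42,GBP 100.00\n")

    inventory = [
        (old, "2015-01-01", "recruitment"),   # 180 days: expired by 2016
        (recent, "2015-01-01", "financial"),  # six years: still in date
    ]
    destroyed = weed_records(inventory, "2016-01-01")
    survived = os.path.exists(recent)

    # Clean up the example's own temporary files.
    if survived:
        os.remove(recent)
    os.rmdir(workdir)
    return sorted(os.path.basename(p) for p in destroyed), survived


if __name__ == "__main__":
    print(demo())
```

In a real deployment the inventory would come from the records system rather than a hard-coded list, the run would be scheduled, and the returned list would be written to a retention log so that you can show what was destroyed and when. Keep the log itself free of personal data beyond what is needed to identify the record.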