THE DATA PROTECTION ACT MODULE

Objectives

By completing this module, an individual will understand and be able to demonstrate the basic principles of the Data Protection Act 1998.
Introduction

The Data Protection Act gives consumers/companies the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The Data Protection Act works in two ways, as shown below.

1. It states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection
2. It provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. Should any individual consumer, or company, feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help. Complaints are usually dealt with informally, but if this isn't possible, enforcement action can be taken.
Background

There are obvious benefits to all concerned as a result of the increase in collation and utilisation of personal data, for example:
• the ease of online banking
• helping to fight financial crime

However, with these benefits also comes an increased risk that, when personal data is collected and utilised, individuals could be adversely affected if something goes wrong, e.g. identity fraud.

The main purpose of the Data Protection Act is to protect individuals from improper use and unauthorised disclosure of information about them. It gives individuals the right to:
• Access data held about them (in any format, e.g. paper, online)
• Contest data if it is incorrect
• Claim compensation for any loss caused by data that is either inaccurate or improperly used

It ensures that those who record data:
• Obtain the data in a way that is fair and legal
• Follow good handling procedures
• Use the information properly
Definitions

• Data - Information recorded in a form which can be processed by equipment operated automatically in response to instructions given for that purpose.
• Personal data - Data consisting of information that relates to an individual who can be identified from that information, including any expression of opinion about the individual but not any indication of the intentions of the data user (e.g. name and card numbers). Anyone who holds personal data, on paper or in computer files, must protect the data they hold by registering with the Information Commissioner.
• The Data Commissioner - Ensures that all data users comply with the Data Protection Act 1998.
• Data Controllers - Those who determine the manner in which processing is carried out.
• Data Processor - Any person who processes the data on behalf of the data controller.
• Data Subject - The person that the information is held about, i.e. the customer.
• Sensitive Personal Data - Relates to any information on the basis of:
  1. Race or ethnic origin
  2. Political opinions
  3. Religious beliefs
  4. Trade union membership
  5. Physical or mental health condition
  6. Intimate personal details
  7. Any offences committed or alleged to have been committed
Main Requirements of the Act

• All data controllers must register the following with the Information Commissioner:
  1. The purpose of the processing
  2. The data subjects
  3. The data classes
  4. Recipients of the data
• All data users must comply with the requirements of the eight data protection principles.
• All data subjects must be allowed access to the personal data held on them and be given the right to have inaccurate data corrected or updated.
• Deliberate infringement of the principles could result in personal liability under the law or disciplinary measures.
• Keep secret the affairs and concerns of the company and its clients, its business transactions, and particulars of customers’ affairs and accounts. Access to customer data and other data by staff is not permissible for reasons of personal curiosity or gain.
• Do not disclose personal data to third parties without the data subject’s consent.
• Keep customers’ records accurate and up to date.
• Do not record opinions of a racial, political, religious or sexual nature, or comments on physical or mental health, without reference to your Manager or Compliance Manager.
• Follow the company’s security procedures at all times.
• Do not remove personal data in any form from the office without permission.
• Never enter personal data relating to the company’s business into privately owned computers.
• Do not input data for your own personal private use into the company’s equipment.
The Eight Principles of Data Protection

Separate Data Protection Acts have been passed in the UK, Eire, Isle of Man, Jersey and Guernsey to enforce high standards of privacy and security over personal data. The Act embodies eight principles, which all users of personal data must adhere to. They are as follows. You must ensure that personal data is:
1. Processed fairly and lawfully
2. Obtained only for specified lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up to date
5. Not kept longer than necessary
6. Processed in accordance with the rights of the data subject
7. Kept secure against unauthorised processing and accidental loss or destruction
8. Not transferred outside the EEA unless the country has an adequate level of protection.
Why is it so Important?

• Customers - Information is power. The details you take from the customer are sometimes very confidential, and in the wrong hands can be used to commit fraud.
• Shareholders - Must have confidence that the organisation has effective procedures in place to ensure it complies with the Data Protection Act. You should be aware of your duty to comply with the Act during your day-to-day working activities. The company has an obligation to protect its reputation by setting guidelines, which must be followed.
• Your company - Your organisation takes the issue of personal data very seriously. It is a critical part of the service provided to customers to stress that the information they give us is always kept confidential. The company’s future business potential depends upon the discretion of its staff.
• Staff - Have confidence in your dealings with customers in the knowledge that any information taken, stored and processed satisfies your legal and regulatory obligations. You are protecting your customers’ security and wellbeing.
What are the Effects of Poor Data Management?

• Refusal or incorrect provision of credit
• Unauthorised information disclosure
• Refusal or overcharging of services
• Security breaches
• Unsolicited sales calls

All of the above can lead to distress, dissatisfaction and, in extreme circumstances, major life events such as arrest, medical blunders and even the death of an individual.
Who Enforces the Act?

• The Information Commissioner enforces the Act.
• The Information Commissioner also has the authority to strike a data user from the list for not complying with registration requirements.
• They provide assistance to data users in complying with the regulations and guidelines.
• Those who hold data and do not register are guilty of a criminal offence.
How Does it Affect You?

Individual members of staff can be held personally liable for breaches of the Data Protection Act.
• A customer can bring a complaint against the company if their personal data is inaccurate or has been lost, destroyed or disclosed to unauthorised persons.
• Accuracy of all information kept about a customer – total accuracy should be maintained from the moment you first record details for a customer.
• Any use of that customer data – when you ask a customer for information, you should first explain to them why you need the information and what it will be used for. You must only use the information for this purpose.
• Disclosure of customer information – this includes customer identification and verification, and respecting an individual’s privacy when discussing account/financial details. Customers can ask for all data relating to them.
Your Responsibilities
Information held by the company should be treated with the confidentiality appropriate to its nature. Disclosure of information in an unauthorised manner, whether it is about the company or about individuals, can have damaging effects. Therefore, requests for information from whatever source should be treated with great care. As mentioned, individual members of staff can be held personally liable for breaches of the Data Protection Act. You have a personal responsibility to ensure that you follow the procedures laid down by the organisation.
• Comply with the eight principles of the Data Protection Act.
• Customers have a right to opt out of receiving marketing material. You must log these requests when they are received.
• When providing information, remember that you have a responsibility to ensure the accuracy and privacy of information about people. Before divulging any information about people or the company, ensure that the person requesting it is authorised to receive it.
• Customers have the right to have inaccurate information corrected. You must verify with the customer and, where the inaccuracy is established, have the information amended.
• Maintain a clear desk policy and log out of computer systems when away from your workstation.
• Ensure that information placed on a customer’s record is correct and accurate. Any comments or opinions that could be regarded as contentious should be avoided.
• In the interests of maintaining business confidence, you should not discuss any computer-related incidents or problems with people outside the company.
• If you receive a request for information from anybody who quotes their rights under the Data Protection Act, refer such requests to your line manager.
Enquiries From Police / Journalists / Other Authorities

It is imperative that enquiries from the above are dealt with both professionally and at the correct level within the company. The business must ensure that measures are in place to avoid confidential information being passed into the hands of persons using the telephone as a tool to obtain such information in an unscrupulous manner. Refer to your manager with the following information when dealing with such enquiries:
• The basic details of the enquiry;
• The name of the caller (in the event of a police enquiry, also obtain the officer’s number and the station at which they are based);
• Ask if it is possible for the request for information to be put in writing or by fax. If not, obtain the caller’s telephone number;
• The time the caller would be available to be contacted.
Data Protection Case Study Exercise

When in the process of delivering a new car, you sit with customers at a sales desk to go through the handover paperwork. You find you have misplaced the tax disc for the vehicle, and you excuse yourself and go off in search of the disc. Upon your return you notice that some of the paperwork left with the customers does not relate to them, and you find that it contains personal information regarding the credit history of other clients. The paperwork shows full bank and address details of the third party, plus details of a CIFAS warning issued by Experian.

When your customers have left, you approach your Sales Manager and inform him that you may have inadvertently breached the Data Protection Act. He asks you to explain why you believe that you have broken the law.

List your rationale.
Congratulations! You have reached the end of this online training module. You now need to take the knowledge test to be considered competent in this unit.