The DPA
If you have a database or filing system (manual or on computer) concerning individuals (e.g. customers or employees) then the Data Protection Act 1998 will apply to you.
The Data Protection Act 1998 ('the Act') regulates the use of personal data. If you are in business it is likely that you are subject to the Act:
- the size of your business is immaterial
- the nature of your business is unimportant
- the amount of personal data you hold is irrelevant
Does the Act apply to you?
If you process information on individuals either on computer or in paper records then it is likely that you are a data controller for the purposes of the Act.
Data controllers are those who control processing of personal data. This can be any type of company or organisation, large or small, within the public or private sector. As such a data controller can be a sole trader, partnership or an individual.
The processing of personal data includes obtaining, holding, retaining, disclosing and destroying personal data - whether on a computer, a similar automatic system or in a manual file.
What is covered by the Act?
The Act covers "personal data" i.e. information about living, identifiable individuals. This need not be particularly sensitive information and can be as little as a name and address.
How does the Act work?
The Act works in two ways:
- giving individuals (data subjects) certain rights, whilst
- requiring those who record and use personal information (data controllers) to be open about their use of that information and to follow sound and proper practices - the eight data protection principles.
The Data Protection Principles
As a data controller you will be required to comply with 8 data protection principles. Essentially the onus is on you, the data controller, to ensure your use of data does not breach these principles. The principles include obligations on you, as a data controller, to:
- ensure the data is fairly and lawfully processed - remember processed includes destroyed
- hold only the data which you actually need - information you do not need should be destroyed
- keep the data no longer than is necessary. To comply with this principle you should have a system for removing the different categories of data from your systems after set periods, e.g. when the data is no longer required or a customer has ceased to trade with you
Security
Data controllers should ensure that they provide adequate security for the data taking into account the harm to the data subject which could arise from disclosure or loss of the data.
Compensation
Individuals may seek compensation if they have suffered damage, or damage and distress, because of any contravention of the Act. If, for example, you dispose of relevant data in your normal waste bin it can end up on a landfill site - outside of your control and not actually destroyed.
More information on the Data Protection Act, including the 8 data protection principles, can be obtained at the Information Commissioner's Office.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.
