- Make sure you register with the ICO (failure to do so is a criminal offence);
- You need to put processes in place to protect people's personal data.
This article is not legal advice. It simply highlights some key issues that you need to be aware of.
What the law says
The Data Protection Act controls how personal data is used by organisations. You have to pay attention to it if your company is storing people's personal data. Personal data (or ‘personal information’) is any information that can be used to identify a specific person: "any detail about a living individual that can be used on its own, or with other data, to identify them". Someone's name on its own, for example, is not enough to identify them, as many people share the same name. However, a name stored together with that person's address and date of birth creates a data set that can identify an individual. If you aren't sure whether this applies to you, have a closer look at the definition of personal data.

Individuals have rights under the law as to what personal data can be held on them, and the ICO (Information Commissioner's Office) is the UK's independent body set up to uphold information rights. Everyone responsible for using data has to follow the following ‘data protection principles’.
You must make sure that information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
What you need to do
At a very basic level, there are 3 main things you need to do:
- Register with the ICO
- Protect people's personal data
Register with the ICO
Most startups will process personal data in a way that requires them to register with the ICO as a data controller. Failure to register is a criminal offence.
Protect personal data
This is the most important point of all. Protecting personal data is your responsibility and this extends to data that is held physically as well as digitally.
Some examples:
- your employee contracts contain personal data, so they need to be stored securely. If printed, they need to be kept in a locked cupboard; if stored digitally, access to them must be restricted
- likewise, candidate CVs contain personal data. They must not be left lying around on desks and should be disposed of after use
- do not share personal information you've collected with a third party without the explicit consent of the individual
- ensure contracts with third parties state their obligations with regard to handling personal data
- think carefully about how you manage passwords and access to your core systems. Never share passwords that can access personal information
- wipe the hard drives of laptops before disposing of them
Here's a useful short video that explains all the basics: https://www.youtube.com/watch?v=vHvd6HaPq_s