Updated May 2017
This Briefing Note outlines the key legal obligations your business should consider when dealing with the personal data of customers, suppliers, employees and anyone else you may encounter during the course of business. This Briefing Note should not be relied upon as legal advice and you should contact us for advice on your specific circumstances.
Penalties for mishandling personal data
There could be severe financial, commercial and reputational ramifications (including possible criminal penalties and fines) if your business mishandles personal data.
Keeping personal data safe and secure
Personal data is any information held on computer or in hardcopy filing systems that could identify an individual, either on its own or together with other information held by a business or a third party. Personal data must be protected and kept secure. Personal data may include:
- Email addresses.
- Telephone numbers.
- Date of birth.
- Notes written about someone (such as an annual performance review).
Businesses must be particularly careful with sensitive personal data (such as medical records) as more restrictive requirements apply to this type of data.
The data subject could be a prospective or actual employee, customer or supplier, or even someone captured on a business's CCTV footage.
Collecting personal data
Your business can only collect personal data if it has a legitimate reason to do so (for example, when a new employee joins the business).
When your business collects data about an individual, the business will need to tell them what it plans to do with their data (for example, if the business is collecting a customer’s email address to confirm an order). If the purpose for using someone’s data changes, the business must inform that person.
Your business should only collect information that it requires at that particular time. For example, you should not ask a job applicant for their bank details. This type of data should only be collected if the applicant accepts an offer to work for the business.
If your business wants to use someone’s data for marketing purposes, that individual must be informed. It is good practice to do this at the time the data is collected. In some cases (such as text or email marketing) a business will generally require the individual’s explicit consent.
Using data collected on individuals
In general, a business is allowed to use someone’s personal data if they have given their consent. The data can also be used in other circumstances, for example, if the business:
- Needs to use the data to fulfil a contract with the customer (such as using their address to deliver goods to them).
- Has a legitimate interest in using it, although this must be balanced against the individual’s rights (for example, where part of your business has been sold to a third party and customer data needs to be transferred to it).
Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a worker).
If your business wants a third party to manage data (for example, a payroll-service provider) it should take legal advice. Your business will still be responsible for protecting the data and will need to enter into a written contract with the third party.
Likewise, a business should take legal advice if it plans to transfer any data outside the European Economic Area. It is easy to transfer data outside the country a business is based in without realising it (for example, by sending an email to an office outside the UK).
If the data is being used in marketing material, your business should ensure the recipient is aware that their data may be used in that way and confirm they do not object. A business will generally need a person’s explicit consent (opt-in) for email, fax and text marketing. If the individual is an existing customer, the business may be able to market similar products to them by these means without prior explicit consent. Businesses should take legal advice in these circumstances.
If your business plans to store or process sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), it should first take legal advice.
Storing personal data
All personal data you store must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted or updated.
Businesses should only store data for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and has not been used since, it should not be held on the basis that it may be needed for another reason at some time in the future.
Keep personal data secure and confidential
Your business must keep personal data secure at all times. For example:
- Computers and files containing personal data should be password protected.
- Personal data on laptops, mobiles and other portable devices should be kept to a minimum.
- Manual filing cabinets containing personal data should be locked and only accessed by authorised personnel.
- Confidential documents should not be left unattended on desks.
- Documents containing personal data should be removed promptly from fax machines, printers and photocopiers.
- Staff should be trained on how to handle personal data safely and securely.
When your business sends personal data, it must be done securely (for example, confidential information should not be sent in the internal mail).
Businesses must dispose of personal data securely (for example, by shredding, using confidential waste bags, destroying or securely deleting electronic files). Confidential papers must not be put in the recycling bin.
Security breaches (such as accidental loss of personal data) should be reported to the appropriate person immediately.
Where appropriate, electronic documents, including calendar entries and meeting requests, should be password protected or made private.
When working away from the office or in public areas:
- Personal data stored on portable devices such as laptops, Blackberries, tablets or memory sticks should be encrypted and kept secure at all times.
- Do not leave documents or electronic devices lying around.
- Ensure members of the public cannot see confidential documents or computer screens.
- Do not talk about confidential matters where members of the public may be able to hear.
Personal data enquiries
Your business should have a system in place to process requests from people who ask for details of the personal data you hold on them. A business is permitted to charge an administration fee of up to £10 for dealing with this type of request.
This type of enquiry should only be dealt with by employees specifically authorised to do so. The task is usually handled by the person within the business who has responsibility for data protection issues.
Personal data should not be given out to the friends or relatives of an individual without that individual’s explicit consent.