The Data Protection Act is a United Kingdom Act of Parliament which defines UK law on the handling of data relating to identifiable living people. Financial services firms are required by law to adhere to the eight principles of the Act and are regulated by the Financial Services Authority (FSA) to do so. However, a worryingly low percentage of firms in the UK have a dedicated security policy in place to account for data protection compliance.
One of the main reasons for the poor compliance among UK firms has been attributed to a lack of understanding of the Data Protection Act. As it is written, the Act is inaccessible to many small to medium sized companies without dedicated legal departments.
This article is a guide to the Data Protection Act. It presents the eight core principles in layman’s terms and details instances where required action should be taken. Hopefully this guide will then be used as an aid for responsible parties when creating their firm’s own data protection policy.
Principle 1 – Information must be processed fairly and lawfully
The first principle of the Data Protection Act states that any personal data collected by an organisation must be used fairly and lawfully. In order to use data ‘fairly and lawfully’ the collecting company must receive consent from the data owner. This is usually delivered in the form of a written disclaimer in a contract. By agreeing to that contract, the individual is stating that it is OK for the collecting company to use their personal data for the reasons stated.
In other words – be upfront and honest. To be seen as acting fairly, a collecting company must be transparent and gain permission. You should make every effort to inform your customers about what will happen to the personal information you collect from them.
Principle 2 – Information collected must be processed for limited purposes
The second principle of the Data Protection Act states that any information collected must only be used for limited purposes – in other words, only using the data for the reasons originally agreed. Data must not be processed in any manner incompatible with its original purpose(s). If a company wishes to use data outside of its original purpose, it must contact the data owner and gain permission.
In other words – don’t be cheeky. Don’t take the original data you collected and use it for a new purpose without asking.
Principle 3 – Information collected must be adequate, relevant and not excessive
The third principle of the Data Protection Act states that information collected must be adequate, relevant and not excessive. This means that only the minimum amount of data needed to complete the pre-defined task should be collected. An organisation should not ask for or hold any additional data that is outside their concern.