
Introduction - the growth of computer power, database software and networking technology has facilitated an explosion of data capture and storage. The personal details of our everyday lives are captured and saved on hundreds of different databases. When we shop, bank, work, travel and do business with each other, information about us can be stored on many different computer systems. Protecting this electronic and paper-based information from falling into the wrong hands is a vital task for small business owners. Owners and managers of small firms must comply with legislation designed to protect the individual's right to privacy. At the same time, exploiting this raw data and converting it into management information (for ethical and legitimate business purposes) must be done within that legislative framework. The following article summarises the legal principles of data protection, as well as the challenges small-business owners need to consider.
The Information Revolution - as a result of the widespread adoption of personal computers (PCs) during the 1980s and rapid advances in microchip technology, the cost of distributed computing has continued to fall by every industry metric. At the same time, the processing power of the central processing unit (CPU) has continued to grow exponentially. Coupled with the remarkable take-up of the Internet and the spread of client-server technology, there now exists an ever-changing network of interconnected, distributed and powerful computer databases. Governments, individuals and businesses have come to rely on storing and retrieving information from databases located in many different places. Online databases have replaced paper-based records because data can be stored, retrieved and accessed more flexibly and managed at a fraction of the cost. Many databases created and managed by businesses contain sensitive personal information about customers, employees or suppliers: names, addresses, financial records, employment histories and so on. Yet most business owners are not IT literate enough to know whether the data they are responsible for is secure and properly protected. As computer networks have become more geographically dispersed, more powerful and harder to manage, small firms have chosen to outsource computer services and data handling to specialist IT organisations. This adds a further layer of complexity to the risk management equation: the firm remains responsible for the data even when someone else holds it. Unfortunately, with so much personal information now stored electronically, databases have become a target for criminals, hackers and commercial parties interested in exploiting personal information. As the information revolution changed the way information is managed, society naturally began to voice concerns about the individual's right to privacy, and in particular about how information is viewed, copied or exploited for commercial gain, or exposed to misuse by criminals. Consequently, governments around the world have developed national data protection laws to protect the rights of their citizens and to safeguard the stability of their economies.
The Data Protection Act 1998 - the Data Protection Act 1998 (DPA) is regulatory legislation passed by the United Kingdom Parliament. Its primary purpose is to define how information about individuals living in the UK should be collected, managed and protected. The Act has important implications for the way commercial organisations store, retrieve and exploit the data they hold. The Act refers to the person or business that decides how and why personal data is collected and used as the 'data controller'. Under the Act, data must be processed lawfully and in a fair and proper way. In the context of small firms, the Act applies to customer data as well as to data about existing and former employees. When personal information is obtained from these people, they must be told the name of the business collecting it, what it will be used for, that they have the right to access and correct it in future, and anything else needed to ensure the information is used fairly. Generally, individuals must opt in and consent before an organisation passes their personal information to another business for marketing purposes. Information must not be disclosed to anyone without the individual's consent, and it must be held securely so that it does not fall into the hands of third parties. The Act also gives individuals rights, such as access to their information and compensation if things go wrong. The Act applies to computerised information and to well-structured manual records, such as certain files about job applicants. Under the Act there are two types of personal data. The first is ordinary 'personal data', such as name, address and banking details. The second is 'sensitive personal data', which covers matters of a more private nature, such as religious beliefs, sexual life, criminal records, ethnic origin, political opinions and physical or mental health (including medical records).
To supplement the Act, the ICO's Employment Practices Code provides valuable best practice for owners of small businesses when recruiting or employing staff. The code covers recruitment and selection, maintaining employment records, monitoring employees at work, and information about workers' health. It explains how to deal with personal information relating to potential, existing or former employees, agency workers and contractors.
The Key Principles for 'Information Handling' - most small business owners have heard of the Data Protection Act. However, not all are familiar with the detail, or with how to interpret and apply the Act's main 'principles' to their day-to-day business. The Act sets out eight principles of data handling, which state that personal data shall be:
- Processed fairly and lawfully;
- Obtained only for specified, lawful purposes and not further processed in any way incompatible with those purposes;
- Adequate, relevant and not excessive in relation to the purpose for which it was collected;
- Accurate and, where necessary, kept up to date;
- Not kept for longer than is necessary for that purpose;
- Processed in accordance with the rights of 'data subjects' (see below) under the Act;
- Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
The Information Commissioner's Office - the Information Commissioner's Office (ICO) is the independent regulator set up to enforce the Act and to provide guidance to the public and to organisations; it reports directly to Parliament. In the context of small business, its statutory powers include:
- conducting assessments to check that organisations are complying with the Act;
- serving information notices requiring organisations to provide information;
- serving enforcement notices and 'stop now' orders requiring organisations to change or stop practices that breach the Act;
- prosecuting offences under the Act;
- conducting audits of organisations;
- reporting to Parliament.
Rights of 'Data Subjects' (Staff, Suppliers and Customers) - the Act refers to a 'data subject' as someone about whom data is held outside their direct control. Since most of our lives are documented on various databases, we are all data subjects. In the context of a small business, the data subjects will most typically be the company's employees, its suppliers and its customers. Under the Act, all of these data subjects have the:
- Right of access to the personal data a data controller holds about them (a subject access request, or SAR), for a nominal fee;
- Right of correction, to have mistakes put right;
- Right to prevent processing of information held about them that is likely to cause damage or distress;
- Right to object to decisions being made about them solely by automated means, such as computerised points scoring;
- Right to prevent their information being used for direct marketing, such as unsolicited mail and telephone calls selling third-party products;
- Right of complaint to the Information Commissioner;
- Right to compensation for damage suffered if their personal information is lost, wrongly disclosed or inaccurate.
Creating a Data Protection Policy - by creating and distributing a written company policy on storing and using personal information, a small business gives its employees, prospective customers and suppliers more confidence and trust. Employees need guidance on what information is kept about them and how they can access it, and they need to know that it is secure and not exposed to potential misuse. Allow employees to view and check their own records periodically; this lets mistakes be corrected and information be kept up to date.
Monitoring Employees' Email, Telephone Calls and Internet Usage - the Data Protection Act still applies where a small business collects and stores personal information about its own employees. Monitoring is intrusive and a sensitive issue in any workforce, and employees may perceive any form of it as a 'big brother' culture. Small business owners must follow strict guidelines and ensure that any monitoring is fair and justifiable, and that staff are told it is taking place. The main reasons a small business employer would seek to monitor its staff are to prevent fraud, to ensure health and safety, to measure productivity and to check that employees are following the company policy on data protection. The Human Rights Act 1998 gives individuals the right to respect for their private and family life, which applies in the workplace too. In addition, under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, small business owners may monitor or record employees' communications without their consent, but only for specified business purposes (such as establishing facts relevant to the business, preventing or detecting crime, or checking compliance with regulatory practices) and only if reasonable efforts have been made to inform users that interception may take place. Special care is needed when seeking information about an employee's criminal convictions from the Criminal Records Bureau, or their credit history from a credit reference agency, since both are sensitive.
Impact on Recruitment and Employment Practices - an inevitable part of the recruitment process is the collection of personal information from job candidates, from completed application forms, curricula vitae and notes taken at interview. Even though these candidates may not yet work for the business, the information collected must be treated in accordance with the Data Protection Act, and candidates must be made aware that it is being collected and stored. The recruitment process must be fair, and the name of the employer or recruitment agency must be visible on the job advert. An application form must be designed to collect only the information needed to decide whether or not the candidate should be employed; any additional information requested may be deemed unnecessary and a breach of the Act. Information collected must be used only for the purposes for which it was gathered and not for any other purpose. Similar principles apply once candidates are employed and the employer creates an employment record for them. Employees must be given the opportunity to access their records and to correct inaccurate or out-of-date information. Records must be stored securely and kept no longer than required. It is important to seek professional advice about which information on an employee may be deemed sensitive, such as medical records or details of race or sexual orientation collected for equal opportunities monitoring. As an employer, you may be asked to provide an employment reference for a former employee who has left your company. To avoid being in breach of the Act, ensure that any confidential reference is provided with the written permission of the worker concerned.
