The Data Protection Act is a United Kingdom Act of Parliament which defines UK law on the handling of data relating to identifiable living people. Financial services firms are required by law to adhere to the eight principles of the Act and are regulated by the Financial Services Authority (FSA) to do so. However, a worryingly low percentage of firms in the UK have a dedicated security policy in place to account for data protection compliance.
One of the main reasons for the poor compliance throughout UK firms has been credited to a lack of understanding and enlightenment about the Data Protection Act. As it is written, the Act is inaccessible to many small to medium sized companies without dedicated legal departments.
This article is a guide to the Data Protection Act. It presents the eight core principles in layman’s terms and details instances where required action should be taken. Hopefully this guide will then be used as an aid for responsible parties when creating their firm’s own data protection policy.
Principle 1 – Information must be processed fairly and lawfully
The first principle of the Data Protection Act states that any personal data collected by an organisation must be used fairly and lawfully. In order to use data ‘fairly and lawfully’ a collecting company must receive consent from the data owner. This is usually delivered in the form of a written disclaimer in a contract. By agreeing to that contract, the individual is stating that it is OK for the collecting company to use their personal data for the reasons stated.
In other words – be upfront and honest. To be seen as acting fairly, a collecting company must be transparent and gain permission. You should make every effort to inform your customers about what will happen to the personal information you collect from them.
Principle 2 – Information collected must be processed for limited purposes
The second principle of the Data Protection Act states that any information collected must only be used for limited purposes – in other words only using the data for the reasons originally agreed. Data must not be processed in any manner incompatible with its original purpose(s). If a company wishes to use data outside of its original purpose, they must contact the data owner and gain permission.
In other words – don’t be cheeky. Don’t take the original data you collected and use it for a new purpose without asking.
Principle 3 – Information collected must be adequate, relevant and not excessive
The third principle of the Data Protection Act states that information collected must be adequate, relevant and not excessive. This means that only the minimum amount of data needed to complete the pre-defined task should be collected. An organisation should not ask for or hold any additional data that is outside their concern.
In other words – don’t be greedy. Collect only data that you need to know now and not any other data that may be useful to you in the future.
Principle 4 – Information collected must be accurate and up to date
The fourth principle of the Data Protection Act states that companies must ensure that any personal information they use during their purpose is accurate. If the information they use is inaccurate, it could result in misrepresentation on behalf of the customer.
In other words – make sure your data is true. If any suspicion exists that the information is inaccurate – check with the individual concerned.
Principle 5 – Information must not be held for longer than is necessary
The fifth principle of the Data Protection Act states that a company must not hold information about an individual for longer than is absolutely necessary. For example, a company should not keep a former client’s details on file for an extended period of time after their original contract has terminated. There is detailed FSA regulation on the responsibility of financial firms to hold certain data for up to seven years. The length of retention for certain types of data therefore needs to be determined on a case by case basis.