Data Protection Overview
At ShredMaster we are on a mission: a mission to keep you safe. We believe in giving our clients the facts to enable them to make informed decisions, and below we have outlined your obligations in relation to Data Protection.
We appreciate that your time is precious and that you probably want information, not waffle or a hidden sales pitch. So with that in mind we have kept our guide simple, short and concise; however, should you need more information, we have included links where you can read and discover more about your obligations.
What are my legal obligations?
In addition to any industry codes of conduct or guidelines which you must adhere to, EVERY organisation, from sole trader to multinational, or local charity to central government, which holds personal data in any form must protect that information by following the eight principles within the Data Protection Act 1998.
You can view the eight principles in full on the Information Commissioner's website, but in brief they require you to:
- Be open and transparent when you are collecting personal data, telling the data subject how you will use the information and provide a Fair Processing Notice
- Only use the information for the reason it was collected
- Not share it with any third party the data subject does not know about
- Keep the information for no longer than is necessary
- Securely destroy the personal information when it is no longer required
- Prevent the information being accessed by, or disclosed to, any unauthorised parties
- Not allow it outside of the EEA without adequate protection
Data subjects also have a right to know what is being held on them, so you must give them a copy if they ask for it (read the ICO's guidance on this).
What is important to note is that personal information held in computerised and most manual paper formats is covered.
How can I achieve this?
- It is relatively simple to comply with the legislation: be open and honest with the data subject the first time they interact with you, telling them clearly why you want their information, what you will do with it and who you will share it with.
- Decide how long you ‘need’ to keep the information and have a plan in place for securely disposing of it when no longer needed
- Have in place sufficient physical, technological and cyber-security defences to control the information, and also train your staff on their legal obligations – in some circumstances it can be a criminal offence to unlawfully obtain or disclose personal information.
- Find out more about Data Protection Training
- Know exactly where information is being stored. If data is being stored electronically, is it sufficiently encrypted and held on a secure server? Hosting information outside of the EEA is a real issue for data security. Can employees download personal data into spreadsheets, or onto USB sticks? Personal information in manual records should be locked away in secure cabinets and traceable if being passed from department to department. Be cautious when taking files out of the office, for example health workers performing home visits.
- Maintain an information asset register so that you know what equipment you have (PCs, servers, tablets, mobile phones, USB flash drives, external hard drives) and what manual records you hold, and record when each is disposed of or destroyed – retain and index destruction certificates.
- Create and manage a secure document destruction policy.
Robust access controls and accurate audit trails of who is accessing information are essential.
What are the risks if things go wrong?
- Monetary Penalties & Sanctions from the ICO
- Client Trust
- Brand damage
The fallout from a breach will really depend on how serious the breach of the Act is, how many records were involved, how sensitive the personal information was and whether it had an adverse effect on the data subject.
It is important to note that, when deciding what action to take, the ICO takes into account what precautions the organisation had in place to protect the information. So if, for example, you left a sack of confidential bank statements on the pavement for the dustman (this has really happened!), the ICO will be far tougher with any sanctions or monetary penalties.
A bigger possible risk is the damage to the organisation's reputation, brand image and customer trust and loyalty – just look at TalkTalk to see how easily PR goes wrong.
Precautions you can take when you no longer need information
- Securely destroy any devices and/or paper holding personal information and update your information asset register. NB: always retain destruction certificates in case you need to prove compliance.
- Never send hard drives or devices used to hold personal data to refuse or recycling centres, or sell them on auction websites; sadly, formatting alone will not wipe information
New tougher legislation on the horizon
In December 2015 the text for the new European General Data Protection Regulation (GDPR) was agreed, and when this comes into force in 2018 the whole landscape of data protection will change.
Greater obligations will be placed upon Data Controllers. Data Processors, for example call-centres, mail-houses, web-designers, will be equally responsible for breaches whilst the data was in their care. If you wish to know more about the GDPR have a look at this short video by the Griffin House Consultancy.