9 June 2011 | Beverley Flynn
The DPA applies to businesses of all sizes which control personal data.
1. “Personal” data relates to a living individual who can be identified from that data or other information in, or likely to come into, the possession of the data controller. Consider your business’s activities to see what personal data is being processed or held.
2. The DPA requires registration with the Information Commissioner’s office (www.dpr.gov.uk) at a cost of £35 a year (£500 in the case of more than 250 staff and a turnover of more than £25.9 million). Make sure your registration is updated.
3. Individuals can make ‘subject access requests’, asking for copies of their personal data. The requests must be in writing and the data controller can charge up to £10 per request. Firms should deal with these requests centrally and promptly.
4. If personal data is held electronically or in a relevant filing system, an employee can request details of data held about them. This can lead to difficulties where an employer’s duty of confidentiality to a third party identifiable from the data conflicts with the obligation to disclose to the employee. There are exemptions to subject access requests.
5. CCTV images can constitute personal data. Businesses should indicate by means of a notice that CCTV is being used and its purposes.
6. If using a website to gather personal data, devise a privacy statement explaining what the information will be used for, who it will be passed to and how the individual will be contacted, with appropriate opt-ins and opt-outs.
7. The DPA contains eight data protection principles with which controllers must comply. These require that personal data is relevant, not excessive, kept up to date and not held for longer than necessary.
8. A third party can be a ‘data processor’ acting on the data controller’s behalf. The DPA obliges a data controller to appoint the data processor by written contract and to ensure compliance with certain obligations. Consider reviewing contracts to ensure they contain appropriate DPA provisions.
9. Where personal data is transferred outside the European Economic Area special rules apply. Consider obtaining the consent of the individual, or use standard clauses approved by the European Commission. Alternatively, investigate the relevant laws of the jurisdiction to which the data will be transferred for DPA compliance.
10. When creating a database of customer contacts, consider giving people the opportunity to opt out or opt in before placing a contact on the database.
Beverley Flynn is a commercial partner at Stevens & Bolton