The Data Protection Act 1998 covers all "processing" of personal data in the UK. So whether your business is storing, using, copying, transferring, deleting or otherwise dealing with personal data, such actions will almost certainly fall within the terms of the Data Protection Act. With this in mind, your business should be fully aware of the provisions of the Data Protection Act and have all appropriate policies, processes and procedures in place to ensure full compliance with this wide-reaching legislation.
Our data protection solicitors have significant experience and expertise in guiding and advising clients on the application of the Data Protection Act. Our proactive and expert approach will ensure your business is fully compliant with the terms of the Data Protection Act. We also have considerable expertise within litigation matters and in responding to and defending claims for breach of the Data Protection Act.
The core aim of the Data Protection Act is to ensure that an individual's 'personal data' is processed fairly and in accordance with his or her wishes.
Personal data is any data from which a living individual can be identified or from which he or she can be identified when collated with other data in the data controller's possession.
The "data controller" (i.e. the person or entity who determines the purposes for which the personal data is collected and processed) is obliged to comply with the 8 Principles of Data Protection in all processing of personal data. If your business is a data controller processing personal information, in most circumstances it must register with the ICO.
The "processing" of personal data has an extremely wide meaning and basically covers all use of personal data including obtaining, holding, organising, adapting, retrieving, consulting and deleting.
Our expertise
Whilst not exhaustive, the following examples provide a broad context to the scope of our work:
- carrying out data protection audits
- drafting data protection policies
- advising on the rights and obligations under the DPA including storage, use and disclosure of personal data
- advising on transfers of personal data to USA and other non-EEA countries
- drafting data protection notices, data processing agreements and website privacy policies
- advising on and taking action in respect of complaints concerning misuse of personal information
- advising on the use of unsolicited telephone and e-mail marketing campaigns
- advising on data protection issues in the context of business sales and purchases
- responding to Enforcement Notices and the threat of civil claims arising from alleged breaches of the DPA
Failure to Comply
Failure to comply with the Data Protection Act can result in the ICO taking various steps against your business to enforce compliance. A data controller who fails to register with the ICO or who does not notify relevant changes to the data it holds and how it is processed commits a criminal offence.
When investigating a potential breach of the Data Protection Act, the ICO can issue an Information Notice requiring the business to provide it with details concerning the information it holds and how it is used. On identifying a breach, the ICO can issue an Enforcement Notice requiring the data controller to take steps to remedy the breach. Failure to comply with either an Information Notice or an Enforcement Notice is also a criminal offence. From April 2010 the ICO will also have the power itself to impose fines.
As well as action from the ICO, a business which fails in its data protection obligations can also face civil claims by individuals claiming they have suffered damages as a consequence of the business' breach.
There are other damaging consequences for a business which fails to comply with its data protection obligations. Enforcement and investigation actions will consume management time, as will responding to litigation brought or threatened by individuals. Further, as recent high-profile data protection failings in both the public and private sector have highlighted, there is likely to be significant damage to the reputation of your business if it does not demonstrate its commitment to the protection of data.
Is your Business Compliant?
In considering whether your business is compliant with the Data Protection Act, consider the following questions:
- Is your business processing personal data fairly and lawfully?
- Is your business registered with the Information Commissioner's Office?
- Is it processing personal data for the purpose it was collected and for no other purpose?
- Is your business only keeping personal data which is adequate, relevant and not in excess of the purpose?
- Has your business recently reviewed the personal data for its accuracy?
- Does your business keep personal data for longer than is necessary?
- Is your business processing personal data in line with the data subject's individual rights?
- Are the data subject's personal data secure from misuse?
- If you are transferring personal data outside of the EEA, do you have all appropriate consents and data transfer contracts in place?
Data protection solicitors
To arrange a discussion with a data protection solicitor, call us on 0800 840 4929.

