Openbrief - an update service from Lupton Fawcett LLP

Some basics of data protection

There are some basic rules to obey in data protection. It is generally not a criminal offence to breach the rules, but you may get an ‘enforcement notice’, and breach of that notice would be a criminal offence. The basic rules are generally as follows.

(i) Keep customers informed. Tell customers (a) that you keep records about them and (b) why. If you intend to pass information to a third party, tell your customer this.

(ii) Obtain consent. Before you may hold information on a person’s health, sex life, political opinions, race, ethnic origin or religious beliefs, you need that person’s explicit consent. If you use information for direct-marketing purposes, inform people of this and give them the opportunity to opt out.

(iii) Don’t hold information about people for longer than necessary for the original purpose for which you collected it. If a customer has ceased to trade with you, do you need to keep information about them? You need a legitimate reason to hold on to records about people.

(iv) The information, particularly health or other sensitive information, must be stored securely. If it leaks out due to inadequate security arrangements, this will be a breach of the rules. Before allowing a third party access to the information, have them sign a contract.

(v) Keep the information accurate and up to date.

(vi) Before sending the information to a country outside the EEA, have the recipient sign a contract.

Fiona Kingscott, Lupton Fawcett LLP

If you would like to discuss this article with Fiona you can call her on 0113 280 2134 or write to her at fiona.kingscott@luptonfawcett.com