Financial Times Q&A on the Data Protection Act
08/08/2009
By James Herbert, Partner and Head of Corporate & Commercial. Published in the Financial Times.
Q) I run a medium-sized contracting firm in Kent which employs over 50 labourers and I have a number of their personal details on record. I have been given much advice about data protection, some of which is confusing, and have recently heard the British Standards Institute issues guidelines on the matter. Are these of use or do they just confuse the issue further?
A) To help businesses like yours comply with the Data Protection Act 1998 (DPA), two sets of guidance were issued in June. The British Standards Institute published standard BSI10012 (Standard) and the British Computer Society and the Information Security Awareness Forum issued "The Personal Data Guardianship Code" (Code). If you achieve the Standard or comply with the Code, your firm will be well placed in relation to data protection generally.

In relation to employee records specifically, the Information Commissioner's Office (ICO) should still be the first port of call. The ICO is the UK data protection regulator and has issued an employment Code of Practice, available through www.ico.gov.uk. This creates guidelines for dealing with employee records and, although compliance with its recommendations is not mandatory, they are relevant to any enforcement action under the DPA.

In the Code of Practice, the ICO recommends that a senior manager takes responsibility for compliance with the DPA. The manager should carry out an audit to identify how data is held and used, to make sure that the principles of the DPA are being complied with. The manager should also create a data protection policy explaining to the employees how the firm manages its records.