Data protection
Introduction
Principle 1: Data must be fairly and lawfully processed
Principle 2: Data must be processed for limited purposes
Principle 3: Data must be adequate, relevant and not excessive
Principle 4: Data must be accurate and up to date
Principle 5: Data must not be kept for longer than is necessary
Principle 6: Data must be processed in line with the data subject’s rights
Principle 7: Data must be secure
Principle 8: Data must not be transferred to other countries without adequate protection
Glossary
Introduction

OUR AIM
To ensure that Experian’s Compliance Department is a centre of excellence; developing robust, professional, reliable and effective policies and processes, which underpin and fully support the business in meeting its regulatory and best practice obligations.
Principle 1: Data must be fairly and lawfully processed
Case Study: Principle 1
The newspaper subscription
Checklist: Principle 1
Notes:
Principle 2: Data must be processed for limited purposes
Case Study: Principle 2
The mailing list
Checklist: Principle 2
Are you processing the data only for the purpose(s) that you have specified?
Notes:
Principle 3: Data must be adequate, relevant and not excessive
Case Study: Principle 3
The gym membership
Checklist: Principle 3
Have you identified the minimum amount of data you require for the purpose you wish to process it?
Is all of the data you are collecting relevant to the purpose for which you are processing it?
Are / will you be processing any sensitive personal data? (If so, consideration of the above is especially important!)
Notes:
Principle 4: Data must be accurate and up to date

In certain circumstances, it would be impractical to check and double check every single item of data you receive – and the Data Protection Act recognises this. The legislation therefore makes special provision about the accuracy of information that is obtained from the data subject themselves or that is provided by a third party.

Challenged accuracy
If the data subject challenges the accuracy of data you hold about them, although it is not a legal obligation to mark the record as being in dispute – it is good practice to do so. The advantage of this is that, if it does transpire that the data is inaccurate, you are not likely to be found in breach of this principle – as long as you have met the other criteria in the three points previously described above.
Case Study: Principle 4
The Credit Reference Agency
Checklist: Principle 4
If so, how will you make sure you record the data accurately as it is provided to you?
What ‘reasonable steps’ will you take to ensure that the data you process is accurate?
Notes:
Principle 5: Data must not be kept for longer than is necessary

Retention of personal data
The Data Protection Act does not specify how long you should retain data for; it simply states:

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

As with some of the other principles, this suggests that, in order to decide how long you should keep data for, you need to be clear on the purpose(s) for which you intend to use it. You must also ensure that information is securely deleted or disposed of when it is no longer required for its specified purpose. Data which is still required for the specified purpose, but is not accessed regularly, should be archived and stored securely. It is important to regularly review the personal data you hold and delete or archive it as appropriate.

Defining retention periods
It is a good idea to consider the following points, as they may help you to decide on how long your retention periods should be:

• The purpose for which the data will be processed.
• Any surrounding circumstances, e.g. whether or not you still have dealings with the data subject.
• Legislation and regulatory requirements.
• Agreed practice within the industry.

You should also consider the implications of retaining data, for example:

• Larger capacity may be required in order to store larger amounts of data, i.e. if data is needed and kept for a long time.
• You must be able to satisfy a data subject’s request for access to their personal data. This could be more difficult if you retain data for longer than you need it.
• It may be more difficult to verify the accuracy of data that was obtained a long time ago.
• Data may become out of date and could be used in error.

Data should not be retained ‘just in case…’; however, it is acceptable to retain data for foreseeable circumstances that may only happen occasionally. The data should still only be kept for as long as the purpose for which it is stored is reasonably foreseeable, and there must always be a genuine business reason for keeping it.

Depending on the size of your business, you may wish to create a data retention policy to define the periods for which you are going to hold data and to ensure consistency across your organisation. Your policy should also be reviewed from time to time to ensure that it is still appropriate.
Case Study: Principle 5
The online account
Checklist: Principle 5
Have you defined the retention periods for which you will keep each type of data you hold?
Do you have the facility and capacity to keep data for the length of time you require?
Notes:
Principle 6: Data must be processed in line with the data subject’s rights
Prevention of processing for direct marketing
The Data Protection Act defines direct marketing as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.” An individual has the right to ask an organisation not to process or to cease processing their personal data for this purpose. The request can be made at any time and must be complied with by the data controller. A response to such a request should be sent to the individual within 21 calendar days.

Prevention of automated decision making
An individual has three rights in relation to automated decisions made about them and which may have a significant impact on them. Examples of ‘significant’ decisions defined within the Data Protection Act are performance at work, creditworthiness, reliability and conduct.

The first right is the right to prevent automated decision making. You must not make an automated decision where an individual has provided a written request not to. Individuals also have the right to be informed when an automated decision has been made.

An organisation must notify the individual that an automated decision has been made using their personal data as soon as is reasonably practicable to do so.

Finally, an individual has the right to request that an automated decision is reconsidered or reviewed. The individual has 21 days from when they are notified of the automated decision to appeal against it. As the data controller, you have 21 calendar days within which you must respond to the individual.

There are some automated decisions which are exempt from the individual’s rights under the act. These include decisions that are:

• Authorised or required by legislation.
• Made in preparation or in relation to a contract with the individual who is the data subject.
• To give the individual something that they have requested.

Or:

• Where safeguards have been put in place to protect the individual’s legitimate interests, for example allowing them to appeal the automated decision.

Rectification, blocking, erasure and destruction of data
The fourth principle covers the accuracy of data. In the event that personal data is inaccurate, the data subject can apply to the court to have the data rectified, blocked, erased or destroyed.

Alternatively, the court may order you to add a statement of true facts to the record that contains the personal data (any such statement must be in terms approved by the court). It is good practice to take reasonable steps to notify any third parties of changes to or deletions of inaccurate personal data. The court may also order you to do this; however, they are only likely to do so if it is reasonably practicable to comply with the request.

Compensation
The Data Protection Act gives individuals the right to compensation for damage or distress caused by the data controller failing to comply with their obligations under the act. The DPA does not specifically define damage; however, if an individual has suffered financial loss as a result of a breach of the act, then they are likely to be entitled to compensation.

Distress alone is not usually sufficient to entitle an individual to compensation. The act states that an individual will only be entitled to compensation in relation to distress if damage has also been suffered as a result of contravention of the act, or the breach relates to the processing of personal data for special purposes.

The DPA also allows you to defend a request for compensation on the basis that you took all reasonable care in the circumstances to avoid the breach.
Case Study: Principle 6
The letting agent
Checklist: Principle 6
Notes:
Principle 7: Data must be secure

Information security
The Data Protection Act states that a data controller must ‘take appropriate technical and organisational measures’ to protect personal data from being compromised. The measures appropriate will depend on the nature of the personal data that you hold and the impact or harm that could result in the event of a security breach. Data that is particularly valuable, sensitive or confidential is likely to have a more significant impact if it were to get into the wrong hands or be used in an inappropriate way. In order to protect personal data and keep it secure, it is important to:

• Create and implement robust policies and procedures regarding information security
• Put in place sufficient physical and technical security that is appropriate to the data you hold
• Train staff to ensure that they are aware of and are able to meet their obligations
• Be clear about who within your organisation is responsible for ensuring information security
• Be prepared and able to respond to any breach of security swiftly and effectively

Although the act does not define the term ‘appropriate’, you should take a risk based approach which takes into account technological advances and the cost involved in relation to information security. You should also regularly review the data you hold, how you use it and how you protect it in order to ensure that the security measures in place remain appropriate.

Security within the DPA also extends to state that the data controller must:

• Take reasonable steps to ensure the reliability of employees
• Obtain guarantees from any data processor working on their behalf in respect of using adequate protection to keep personal data secure.
• Put in place a written contract with the data processor, under which they are only able to act under the data controller’s instructions and must comply with equivalent obligations to those under the DPA.

Breach management
It is important for an organisation to consider how they would react and respond to a breach, as breaches can occur even when there are appropriate security measures in place.

A good breach management plan can help damage limitation and aid recovery from the breach.

There are four main topics to consider when creating and implementing a breach management plan:

• Containment and recovery: reaction to an incident should include a recovery plan and procedures to limit any damage caused by the breach.
• Risk Assessment: will help you to establish actions to take in response to the breach and learn how to prevent future breaches of a similar nature.
• Notification: you should consider who needs to be notified and why. Examples of who you may consider making aware of the breach include the data subject(s) concerned, the ICO, other regulatory bodies, the police or the media.
• Evaluation and response: it is important to investigate causes of the breach and evaluate the effectiveness of your reaction and response to it. You should take the opportunity to learn from a breach and update any policies, procedures and other security elements where necessary.

Further information
There is further information in relation to breaches and breach management on the ICO website: www.ico.gov.uk

You can also find further information and advice on information security at the following sites:

General Information Security: www.berr.gov.uk/sectors/infosec/infosecadvice/page10059.html
Information Security Advice for Small and Medium Businesses: www.berr.gov.uk/infosec
E-Learning Package: www.bobs-business.co.uk
Case Study: Principle 7
The travel agent
Checklist: Principle 7
Notes:
Principle 8: Data must not be transferred to other countries without adequate protection

The principle
The Data Protection Act states:

“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Transferring data
Transferring data means sending personal data to someone (in another country). If data can be accessed in another country outside of the EEA, for example on a website, then this is also considered a transfer. However, a transfer does not include data passing through another country en route to its destination. For example, if you transfer data from the UK, via a server in country A, to its destination country B – as long as the data is not accessed or manipulated in any way while in transit, the eighth principle of the DPA will only apply to the data having been transferred to country B.

It is good practice to consider whether you need to process personal data or whether you can still meet your requirements by making the data anonymous. If it is not possible to identify individuals from the data (now or at any point in the future), then the Data Protection Act does not apply and you would therefore be free to transfer the data outside of the EEA.

European Economic Area (EEA) Countries
Personal data can currently be transferred freely within the EEA without restriction. The current EEA member countries are listed below:

Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

Countries with an adequate level of protection
The European Commission has deemed some other countries to have an ‘adequate level of protection’ for personal data and therefore data can be transferred to these countries:

Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland.

An up to date list of countries with an adequate level of protection can be found at the European Commission’s data protection website: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm

Although the USA is not included in the list above, US companies that are signed up to the ‘Safe Harbour Scheme’ are considered to have an adequate level of protection. A list of companies that operate within the ‘Safe Harbour Scheme’ can be found on the US Department of Commerce’s website: www.export.gov/safeharbor/doc_safeharbor_index.asp

Transferring data to other countries
You may be able to transfer data to countries that are not approved as having an adequate level of protection. In order to do this, you should do at least one of the following:

• Assess the adequacy yourself.
• Use contracts to ensure that an adequate level of protection is provided. You may wish to include the model contractual clauses approved by the European Commission.
• Operate ‘Binding Corporate Rules’ and have these approved by the ICO.

Alternatively, an exception to the rule may apply to some transfers.

Assessing Adequacy of Levels of Protection in Other Countries
In order to assess whether an adequate level of protection is in place in another country, you should carry out a risk assessment which takes into consideration the following factors. These have been set out within the Data Protection Act:

• The nature of the personal data being transferred.
• Where the data is being transferred to and the laws, obligations and practices adopted by that country (and to what extent).
• The purpose(s) and period for which the data will be processed.
• Whether it can be ensured that the required standards are achieved in practice.
• Any procedure under which individuals can enforce their rights or obtain compensation if things go wrong.

There are documents that offer further guidance on assessing levels of adequacy available on the ICO website: www.ico.gov.uk

Using contracts to ensure adequate levels of protection
Another way to ensure that adequate levels of protection are in place in another country that you are transferring data to is to put a contract in place between you and the organisation to which you are transferring the data.

You can either create a contract yourself within your organisation, or you may wish to use the European Commission’s approved model clauses. The model clauses are attached as an annex to the European Commission decisions of adequacy, which approve their use. These can be found on the European Commission’s website: http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm

If you intend to use the European Commission’s model clauses, you are not able to amend them in any way, such as removing parts or adding additional clauses to change the meaning. You can, however, incorporate the clauses into other contracts instead of having two separate documents.

If you choose to have a contract drawn up yourself, you do not have to have a separate contract relating to data protection. The clauses can be incorporated into any general contract you have that covers your relationship with the company concerned. You should, however, ensure that your contract is comprehensive to minimise the risk of the contract’s adequacy being challenged in future.

Transfers approved by the Information Commissioner
Only in exceptional circumstances may the Information Commissioner authorise transfers of personal data on the basis that there is an adequate level of protection. Although the ICO has the power to do this, it would only be done in cases where the ICO can be satisfied that there is absolutely no other way to satisfy the eighth data protection principle.

Binding corporate rules
Binding Corporate Rules (BCR) are codes of corporate conduct that can be implemented within multi-national organisations. They are legally binding and are usually implemented through the use of intra-group declarations, agreements or corporate governance. BCRs give rights to individuals, which can be exercised before the courts or data protection authorities. The standard of an organisation’s Binding Corporate Rules must be assessed by all of the relevant European data protection authorities in order to use them to transfer personal data freely outside of the European Economic Area (EEA), within a group of companies.

Exceptions
It is always good practice to ensure, where possible, that there is an adequate level of protection for an individual’s personal data when transferring it outside of the EEA. There are, however, some exceptions that allow you in certain circumstances to transfer personal data, even where there may not be an adequate level of protection. The exemptions are:

• Where consent to transfer the data has been obtained from the individual (it is worth noting that the consent cannot be relied upon where the individual has no choice but to consent).
• If the data is part of a public register (as long as the recipient complies with restrictions regarding access and use of the information).

Or the processing is necessary:

• In relation to contractual performance, where the contract that has been entered into is with the individual or is in their ‘vital interests’.
• For reasons of substantial public interest, such as the prevention and detection of crime, national security and tax collection. The public interest must be that of the UK and this exemption should be considered very carefully on a case by case basis.
• To protect the ‘vital interests’ of the individual.
• In relation to legal proceedings.
Case Study: Principle 8
The mail order
Checklist: Principle 8
If so, is the country to which you are transferring the data within the European Economic Area?
Have you put a contract in place between you and the person / organisation to which you are transferring the personal data, to ensure that it is sufficiently protected?
Notes:
Glossary

Data subject
The individual who is the subject of personal data, i.e. who the personal data is about.
Contact details and other useful resources

www.ico.gov.uk
T: 08456 306 060 / 01625 545 745
mail@ico.gsi.gov.uk
Landmark House
Experian Way
NG2 Business Park
Nottingham
Nottinghamshire
NG80 1ZZ
© Experian 2011.
CMDS - 18.10.