A letter has arrived from a customer demanding a copy of your records on her. She's got a bee in her bonnet about the Data Protection Act, and reckons you've breached it by selling her details. Alarm bells ring: you've no idea what the Act says, or how to comply. You need answers fast.
Start with the basics. A policy on data protection expresses your commitment to treat personal data fairly and comply with the Act. You need a set of procedures that explain how you'll do that, and someone senior to take responsibility. It could be somebody in IT, the company secretary or a full-time data protection officer.
Compile an inventory. 'Find out what data you've got,' says Valerie Taylor of consultancy Privacy Solutions. 'Information held about companies is exempt, but you may well be holding information about the individuals who work at companies, which is covered.' So are manual records, if part of a filing system.
Do you need it? You must have a sound reason for collecting data. 'Ask yourself: if I were challenged, would I be able to justify holding the information?' says Anne Hinde, Assistant Information Commissioner.
Think of the costs. Data subjects have the right to access your records for a £10 fee, but that can cost you thousands. Says Taylor: 'Somebody may have to plough through thousands of records, and you have to protect the rights of other people, so you may have to edit the information you provide. Asking for access is usually a sign of frustration, so get your customer services right.'
Be open. The more transparent you are, the less people will be suspicious. You must notify the Information Commissioner's office about the data you hold and for what purpose, unless it fits under 'core business' exemptions. When you collect data, you should explain its purpose. 'People can't really give their consent unless they understand what you want it for,' says Hinde.
Keep it clean. 'There are three principles concerning the maintenance of data,' says data protection consultant Neil Ainsworth. 'It must be accurate; it must be kept up to date; and you should have a policy on retention and deletion.'
Build Chinese walls. 'Good practice is that your staff should have access to data only on a need-to-know basis,' advises Ainsworth. Those whose job has nothing to do with the purpose for which the data was collected don't need to see it.
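One way to put the need-to-know rule into practice is to tag every stored field with the purpose it was collected for, grant each staff role only the purposes its job requires, and hand back just the overlap. The Python below is an added illustration, not code from the article or from any of the consultancies quoted: the field tags, the roles, the purposes and the sample customer record are all constructed for the example. Two details matter for the point Ainsworth makes: a role that is not on the list sees nothing, and a field with no recorded purpose is withheld from everyone, so untagged data cannot leak by default.

```python
"""Purpose-bound, need-to-know access to personal-data records (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed tags: which purpose(s) each field was collected for.
FIELD_PURPOSES = {
    "name": {"orders", "marketing", "complaints"},
    "email": {"orders", "marketing"},
    "postal_address": {"orders"},
    "order_history": {"orders", "complaints"},
    "complaint_notes": {"complaints"},
    "marketing_opt_in": {"marketing"},
}

# Constructed role map: the purposes each job actually needs.
ROLE_PURPOSES = {
    "dispatch": {"orders"},
    "marketing": {"marketing"},
    "customer_services": {"orders", "complaints"},
}

# Constructed sample record; "legacy_flag" deliberately has no purpose on file.
RECORDS = {
    "C-0001": {
        "name": "A. Customer",
        "email": "a.customer@example.invalid",
        "postal_address": "1 Example Street",
        "order_history": ["ORD-17", "ORD-42"],
        "complaint_notes": "Late delivery on ORD-42",
        "marketing_opt_in": False,
        "legacy_flag": "untagged",
    }
}


@dataclass
class AccessLog:
    """In-memory audit trail; a real deployment would use append-only storage."""
    entries: list = field(default_factory=list)

    def record(self, role, subject_id, granted, withheld):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "subject": subject_id,
            "granted": sorted(granted),
            "withheld": sorted(withheld),
        })


def permitted_fields(role):
    """Fields whose collection purpose overlaps the role's purposes.
    An unknown role has no purposes, so it is permitted nothing."""
    purposes = ROLE_PURPOSES.get(role, set())
    return {name for name, tags in FIELD_PURPOSES.items() if tags & purposes}


def fetch_record(subject_id, role, log):
    """Return only the fields the role may see and log what was withheld.
    Fields with no purpose on file are never in the permitted set (default deny)."""
    record = RECORDS.get(subject_id, {})
    allowed = permitted_fields(role)
    granted = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - set(granted)
    log.record(role, subject_id, set(granted), withheld)
    return granted


if __name__ == "__main__":
    audit = AccessLog()
    for job in ("dispatch", "marketing", "customer_services", "intern"):
        view = fetch_record("C-0001", job, audit)
        print(f"{job:18s} sees {sorted(view)}")
    for entry in audit.entries:
        print(entry)
```

Running the script shows dispatch staff getting name, address and order history, marketing getting name, e-mail and the opt-in flag, customer services getting the complaint notes as well, and an unlisted role getting an empty view; every request, including the refused ones, lands in the audit log, which is also what you would want to hand to the Commissioner if challenged.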
Don't forget your employees. 'There is a greater risk of breaching the Act with employee information, because it's more likely you will be holding sensitive data such as ethnic or religious background,' says Russell Wolak, marketing director of information specialists Amtec Consulting.
Do say: 'This information will be used for marketing purposes.'
Don't say: 'Customer's ex-husband says she is an alcoholic!'