Prepare to comply with new personal protection legislation.
A New Data Protection Act is coming into force in late October that will affect the way in which businesses collect, store and use information about individuals. Replacing the Data Protection Act 1984, the new Act is expected to extend beyond computer-based data to manual data as well.
When it becomes law, individuals will have the right to know who is processing information about them, for what purposes and, in some instances, how.
The aim of the Act is to bring the UK into line with Europe. It will cover written personal data filed in a readily accessible way, such as card index filing systems or microfiche, and probably individual personnel files too. Because the Act will give individuals improved rights of access to data kept about them, businesses should review their files now for potentially embarrassing data.
An individual's consent will be needed to process their personal data and this must be specific where 'sensitive' information such as racial or ethnic origins, health status, political or religious beliefs or sexual orientation is involved. A form of consent by default has been in operation since 1984 because people have been able to object to their details being passed on to other businesses by 'ticking a box' on the form. Now individuals will have to indicate specifically that they are happy for their details to be processed and/or passed on and they must be told who will process their data and why. It will no longer be enough to put data protection notices in small print.
The new Act will extend an individual's existing right to access data maintained about them and to have it corrected where necessary. Individuals may have a right to compensation through the courts where they have suffered loss as a result of an inaccuracy, such as missing out on a pay increase or work promotion. This is likely to encourage more litigation.
Businesses should start to audit all activities that involve the processing of personal data now. Documents ranging from job application forms to direct marketing material and existing data protection notices should be reviewed to ensure compliance with the new law. Your solicitor or the Data Protection Registry should be able to advise you on compliance when the Act comes into force.
Louise Norman is a litigation solicitor at Bond Pearce.