Data Protection – Avoiding the Nasty Civil Monetary Penalty
By Zac O’Neil & Mike Neumann www.its-training-uk.com
As of 6th April 2010 the government will introduce a new Civil Monetary Penalty (CMP) for breaches of the Data Protection Act 1998 (DPA). If you deliberately, or recklessly, breach the DPA principles, your organisation could receive a penalty of up to half a million pounds.
With all that has been happening to data protection recently – including proposed prison sentences for criminal breaches to name one – you’d be forgiven for feeling a bit overwhelmed. But it’s not surprising that these things are happening: it seems that everyone is concerned about their privacy (or lack of it)! With some of the stories we’ve heard about personal data being lost and stolen, for once this concern might not be misplaced… which means that you have an ever-greater duty to make sure you don’t break the rules.
I’m sure that no one is going to shrug their shoulders at the thought of getting a CMP, so you’ll want to make sure you’re doing everything right, right? It’s strange then that we should be arguing for a less stuffy approach to using personal data. We all know that you mustn’t give out personal data to just anyone, but can you be too heavy handed? If what you do results in someone else not being able to lawfully carry out his or her job properly, are you actually doing the right thing?
What this comes down to is awareness. Does everyone in your organisation know about DPA? If the answer is that they think that the correct response is to tell anyone who asks for data that, “DPA says no!”, then maybe they’ve been watching too much Little Britain. Do they know that they can lawfully disclose personal data if criteria are met? Can they describe the rules for giving data to colleagues in other departments? Will your staff follow a formal procedure when someone requests personal data? Do they have access to corporate guidance telling them how to follow the DPA principles? Do they know how long to keep data for? Do they have a procedure for taking information from members of the public?
Many people think that if a police officer asks for information, they have to tell them. If you know that this isn’t true, and that you could be breaching the DPA non-disclosure rules, then you’re thinking the same as us. No one in their right mind wants to get landed with a new CMP (or convicted of an offence!) and the best way to avoid this is by doing the following:
Tell your staff how it all works – don’t let them breach the rules through ignorance.
Put the procedures in place and tell them why the procedures are there – people are more likely to follow the rules if they know why they do things rather than that they just need to ‘tick the box’.
Publish guidance on the intranet, tell staff where it is and give them clear instructions on what to do if they’re not sure – having this will ensure that no one can argue that the information wasn’t there or that they didn’t know what to do.
Follow these simple steps and ultimately you will be processing and disclosing personal data in the interests of everyone.
Get it right – getting it wrong can lead to a CMP or a criminal conviction – NASTY!
Get a NASTY poster: Please remember that this is only an overview – for details of our Law Update and DPA briefings or to get your very own NASTY poster, just email phil.tosh@its-training-uk.com or call Frankee on 08454 300 212.
