This article, written by Beverley Flynn, first featured on 12 February 2010 in Building magazine
Data Protection may not appear a core priority for construction businesses, yet to ignore it creates a risk. The recent high profile prosecution of businessman Ian Kerr who operated an illegal contract workers database has highlighted the need for the industry to take note.
The Government plans to introduce higher penalties for breaches of data protection legislation, meaning that businesses which ignore data protection may end up paying huge fines. In November, the Ministry of Justice recommended that the maximum fine for serious breaches be increased from £5,000 to £500,000 by 2010. The Government is also considering jail sentences as a penalty for those that knowingly or recklessly leak personal data.
Construction firms, like any other business, are likely to be subject to data protection obligations. The key piece of legislation is the Data Protection Act 1998 (the “Act”) which places the majority of obligations on “data controllers” who process personal data. Data controllers are those who determine the purpose for which and the manner in which “personal data” is processed. In the case of a construction company, the limited company itself may act as the data controller.
Firms must be aware of how they process personal data - This covers a wide range of activities including simply holding, collecting or using personal data either on computer or in a structured filing system. For example, the keeping of HR and payroll records will constitute the processing of personal data.
What can firms do to avoid breaching the Act? - Compliance falls broadly into three key areas:
- deal with subject access requests
- comply with the 8 data protection principles.
Notification - Most data controllers are required to submit a ‘notification’ to the Information Commissioners Office (ICO) (the body that enforces the Act). The form can be completed online (see http://www.ico.gov.uk/what_we_cover/data_protection/notification.aspx) and must be kept up to date
and renewed annually. The cost of for firms with a turnover of over £25.9 million and more than 250 staff is £500 per annum, and for firms with a turnover below £25.9 million or less than 250 staff is £35 per annum.
Dealing with Subject Access requests - individuals may request details of personal data held about them from data controllers and these must be dealt with promptly and within 40 days of receipt of the request and appropriate documentation. Controllers may charge a nominal amount for dealing with the request (the maximum is £10). Certain exemptions apply to dealing with requests –for further information see www.ico.gov.uk
Compliance with the data protection principles.- The Act outlines 8 principles of compliance.
Broadly, the 8 principles require that personal data is:
processed fairly and lawfully;
- obtained only for specific and lawful purposes and not processed in any matter incompatible with those purposes;
- relevant, adequate and not excessive for those purposes;
- not kept for longer than necessary;
- kept where adequate security precautions are in place to prevent loss, destruction or unauthorised disclosure of that data;
- accurate and where necessary kept up to date;
- processed in accordance with the rights of data subjects under the Act; and
- not to be transferred outside the European Economic area unless you are satisfied that
- the country in question can provide an adequate level of security for that data.
Principle 1 requires that personal data is processed “fairly and lawfully”. If its use is not obvious to the individual giving his details, consent to its use may be required, or the use will need to be necessary for a specific purpose outlined in the legislation.
Principal 5 requires that personal data is not kept for longer than necessary. Consider implementing appropriate data retention policies - retention of personal data must be justified and excess and old data deleted.
Principle 7 states “appropriate technical and organisational measures against unlawful or unauthorised processing and accidental loss or destruction of personal data” should be put in place, eg.
- a document management system;
- data security (e.g. use of passwords ,encryption techniques, data storage devices,
- security software)
- implement policies to deal with the above and protections to be adopted when working from home, use of laptops and data keys.
Principle 8 prohibits transfers of personal data outside of the EEA unless the destination country affords an ‘adequate level of protection’. The rules governing overseas transfers are complex and exceptions can apply. For example, it may be permitted if consent is given or the recipient in the US
has signed up to the safe harbour provisions. Global companies can consider putting in place appropriate preapproved agreements or implementing corporate binding rules particularly for intergroup transfers of personal data.
Employees - Employment records and monitoring (e.g. email monitoring) of employees will be subject to data protection laws. To assist, the ICO has issued a specific Code of Practice (the Employment Practices Code) which guides employers on how to comply with their data protection responsibilities.
Businesses of all types need to be aware of their obligations under the Act as otherwise the forthcoming charges, and any adverse publicity associated with data protection breaches, could cost them greatly.