Data Protection Issues

Source eBusiness Live

In today's "information age", the protection of personal data is becoming increasingly important. Companies that handle and store customers' personal information, including those who use electronic means to do so, have an obligation to safeguard such data, to only use it for a specified purpose and to dispose of it safely when finished with it. With eSecurity an increasing concern, companies also have an obligation to protect individuals' personal information from outside threats. Compliance with legal responsibilities, along with a heightened awareness among consumers of privacy issues, means that data protection has become a vital business issue. 

Data protection, as defined by the Ireland's Data Protection Commissioner, Joe Meade, is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection Acts 1988 and 2003 confer rights onto individuals and place responsibilities on the shoulders of those processing personal data.

"Personal data protection applies to all our interactions with public and private sector organisations and thus applies to applications, purchases and transactions in State services, business and economic matters, in the social and medical areas, in the workplace and in the globalised technological arena," says Meade.

Data controller or data processor?

In order to formulate an effective data protection policy, companies need to first determine whether they are a "data controller" or a "data processor", according to Stuart Fennell, executive director of the Office of the Data Protection Commissioner.

"A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer, while a data processor simply holds personal data for someone else, for example payroll companies or outside accountants," says Fennell.

An easy way of establishing whether you are a data controller is if you answer "yes" to the following question: do you keep or process any information about living people?

Some data controllers, especially those who hold sensitive personal data, may be required to register with the Data Protection office, according to Fennell. "Health professionals, legal representatives, schools and politicians are examples of people and organisations who would need to register with us so that we can keep a closer eye on their procedures."

Data protection principles

Being a data controller comes with many responsibilities, and companies that have identified themselves as such are required to comply with the eight basic principles of data protection.  

  • Obtain and process the information fairly
  • Keep it only for one or more specified and lawful purposes
  • Process it only in ways compatible with the purposes for which it was given to you initially
  • Keep it safe and secure
  • Keep it accurate and up-to-date
  • Ensure that it is adequate, relevant and not excessive
  • Retain it no longer than is necessary for the specified purpose or purposes
  • Give a copy of his/her personal data to an individual, on request

"There is so much to upholding data protection obligations that we would suggest nominating one person in an organisation to deal with all things data protection-related," advised Fennell.

Such a person would be responsible for processing individual data access requests, which the Data Protection Commissioner regards as a company's uppermost responsibility. All requests need to be dealt with within 40 days, and failure to provide an individual with access to their data is an offence against the Data Protection Acts of 1998 and 2003.

Though important, this is not a company's only obligation: all staff are required to be made aware of the basic principles of data protection through regular updates and training if necessary. The person responsible for data protection within an organisation should also document procedures and conduct regular security reviews.

Moreover, all company websites and forms that require consumers to part with personal data need to be accompanied by comprehensive privacy statements. These statements should make clear in plain language, and with appropriate prominence, exactly what is being consented to by individuals.

The price of non-compliance

Companies that are concerned about obeying legislation can find out if they are complying by completing the self-assessment checklist on the Data Protection Commissioner's website. The checklist is a series of questions based on the principles of data protection. If a company answers "yes" to all the questions they can rest assured they are upholding data protection laws. The checklist is also a good starting point for companies to find out if and what they are doing wrong and can be used to formulate a company policy on the subject. 

Any individual who feels that their personal data is being misused or that they are being denied access to their data has a right to formally complain to the Office of the Data Protection Commissioner.  

The Data Protection Commissioner himself is charged with investigating complaints and, if required, prosecuting offences under the Data Protection Acts of 1998 and 2003. Under section 31 of the Acts, the maximum fine on summary conviction is set at EUR3,000. On convictions of indictment, the maximum penalty is a fine of EUR100,000. In addition to being fined, long-term effects of non-compliance could include loss of consumer trust and loyalty, with a company's brand suffering as a result.