While almost every business in the UK is required to notify the Information Commissioner under the data protection act, many are unclear as to what data is being protected.
Of course, it is good practice to protect all data relating to the business, it is also important to know your statutory obligations under the Data Protection Act.
“Personal Data”
The act is intended to regulate “Personal Data”, which is defined in the act as quoted below:
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Even if a reference number or other code is used in place of a name, it will still be “personal data” covered by the act if there is a method of identifying the individual, whether that method is classed as ‘data’ or not.
Common “personal data” stored by companies include:
Employment and Payroll information.
Employee medical information.
Customer delivery addresses
Feedback from customers.
Personal contacts within a company, for example emails and letters marked to the attention of.
As part of a structured information security management system, data protection act compliance can be easily measured and managed.
For help with your Data Protection Act Notification or implementing a ISO 27001 Information Security Management System contact our consultants on 020 3432 2854.
References
Key definitions of GDPR – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
Data Protections Services at Assent – https://www.assentriskmanagement.co.uk/dataprotection/
ISO 27001 – https://www.assentriskmanagement.co.uk/iso27001/
entry120315-104845