How to survive the Data Protection Act

The biggest data protection obligation for an IT manager is making sure the company is registered under the Data Protection Act - well, it was until last week.

New data protection rules became law on 1 March, and the IT manager is now faced with a much more complex job.

Despite a 16-month delay in implementing the Act, many businesses have failed to use the extra time to get up to speed with the new rules. Nine out of 10 company directors are currently unaware of the impact that the legislation will have on their business processes, according to a survey by GB Information Management.

However, companies may still be able to avoid costly and damaging publicity and court action - if they start work now. A complicated transitional timeframe imposed by the new laws may benefit businesses by buying them time.

The rules
Before assessing the impact of the legislation, it is vital that you understand your company's obligations. Here are the most important aspects of the Act:

• before processing personal information you must ensure that individuals identified in the information have:
  1. been informed who will process their details, and the purpose(s) for which their details will be used; and
  2. explicitly consented to such use (although in certain circumstances consent is not required).
• before sending data outside Europe you must ensure that it is permitted under the Act's requirements
• individuals have rights of access to any information you hold on them and can require businesses to stop direct marketing activities which involves them
• any decision not involving human input which significantly affects someone can be challenged
• registry entries must be updated more frequently (most likely, annually)
• telecoms companies have been singled out for special treatment and must assess their data differently - you should check the detail of the specific legislation introduced to cover this sector.

It also worth remembering that the laws will apply not just to information held on computers but any data that identifies a living individual. None of this information can be used by a company unless it is compliant with the Act.

What to do next
You need to ensure that you understand the data storing and processing methods used by every department in your company. Here's how you should start:

• co-ordinate a review of all types of personal data held by your business, including marketing, human resources and finance, as well as IT
• assess how information is obtained. Are individuals told who will process their details and the purposes for which their details will be used?
• assess whether your business sends personal details overseas. If it does, follow relevant steps.

The transferral of data abroad, plus supplying information to individuals before their details can be used, are the most onerous obligations now facing companies in the UK. Both will affect how information is gathered, and can require that consent has to be obtained before personal data can be processed.

The already ubiquitous tick box is a useful way round this. However, a word of warning: the Registrar (now the Data Protection Commissioner) and the courts will not look kindly upon tick boxes that are ambiguously worded, or worded so that consent can be implied from a failure to respond. Informed explicit consent should be obtained wherever possible. In relation to certain sensitive information (for example, political opinion, ethnic origin and criminal record) it is an absolute requirement.

Other action points to consider include:

• aetting up a procedure to deal promptly with an individual's requests to view their data records
• ensuring that employee information as well as customer data is assessed
• appointing someone to oversee data protection compliance. As well as having responsibility for co-ordinating current compliance and ensuring on-going compliance. This appointment could include responsibility for dealing with future obligations under the Act, such as updating the business's registration entry and ensuring direct marketing activities cease when requested

Carrying out a compliance audit can help ensure the risks associated with the use of personal data are well managed.

When to do it
Although the Act came into force at the start of the month, it contains transitional provisions that may buy you time.

Briefly, use of personal details (whether in a machine-readable form or on paper records) will be exempt from some of the Act's significant obligations until 23 October 2001 if processing is said to have been under way before 24 October 1998 (when the law should have been introduced). Any processing begun after that date must now meet the obligations of the new law.

Ask yourself this question: since 24 October 1998 what information about individuals has my business started to use, used for a new purpose, or used in a way which produces new results?

One thing that might inspire you - and your board of directors - to act swiftly are the potential penalties. Managers or directors can be made personally and criminally liable, and can be fined if their company fails to observe the new requirements.

With 88 per cent of consumers vowing that they will pursue their rights - as revealed by the GB Information Management survey - getting a headstart is definitely a smart move.