Ask the Expert: What should I include in a data protection policy?
I need to write a Data Protection policy for both staff and clients. What are the key legal points that I need to bear in mind and how can we best undertake enforcement – internally at least?

The legal verdict

Esther Smith, a partner at Thomas Eggar

Before starting to put your policy together, it would be sensible to undertake an “audit” of what data you hold or have access to in relation to both staff and clients, and the purpose for which such data is held and used. You may discover that some data is collected, which is not subsequently processed or used. Therefore, you could modify what you collect. However, the main purpose of the audit is to ensure that your policy is comprehensive enough to cover what you actually do.

Once an audit has been undertaken, you can start to build a policy around how the data should be processed and implement some rules and structures. I am not sure of the nature of the business you are in or the information you hold and process, but I anticipate that you will probably end up with two policies.

The first will be targeted at customers in order to let them know what data you collect and hold and why, and to explain how their data will be processed and protected by you. To a certain extent, this is more of a statement than a policy. However, it is also usual to provide customers with a structure or mechanism so that they know how to obtain copies of any data that you hold and can ensure corrections are made if necessary. A mechanism to handle complaints about data misuse should also be put in place.

The other policy will relate to your staff and cover two areas. It will include rules on how they use, hold and store customer data as well as a policy statement on how data is collected about them in their capacity as employees and how it is subsequently controlled and processed.
Again, it would be usual to build a mechanism into the policy to enable staff members to request access to their data, undertake any necessary corrections or make complaints.

Esther Smith is a partner in Thomas Eggar's Employment Law Unit.

Adam Partington, solicitor at Speechly Bircham LLP

The key legal points to bear in mind when drafting a data protection policy are the eight principles found in the Data Protection Act 1998. This provides that personal data must be:
- processed fairly and lawfully
- processed for limited purposes and in an appropriate way
- adequate, relevant and not excessive for the purpose
- not kept longer than necessary for the purpose
- processed in line with data subjects’ rights
- not transferred to people or organisations situated in countries without adequate protection.
To help ensure compliance with the DPA, it will be necessary to introduce a joined-up approach to processing data across the business. As a result, the Information Commissioner recommends appointing someone with specific responsibility for this activity such as a “data protection manager”. While this is a practical way of approaching the issue, it will not, of itself, satisfy all the requirements of the DPA, however.

Instead it would be sensible for a data protection manager to carry out a data protection audit in order to identify those categories of personal data that the company processes (e.g. contact details, salary information) and the purposes for which the processing of that data takes place (e.g. recruitment). The data protection manager can then make sure that (if required) the Information Commissioner has been properly notified of such processing activities and the reasons behind them.

The audit will also help the company determine whether its processing activities comply with the eight data protection principles referred to above. This should, in turn, help to inform the data protection policy that you want to put in place, which should include appropriate working practices and how individual staff or line managers are to be trained. It would also be sensible to carry out these audits regularly, for example, every 12 to 18 months, in order to ensure that policies and procedures are kept up-to-date.

Data protection is a complex area and, therefore, it would be advisable to take specific expert advice in order to assist you with this process.

Adam Partington is a solicitor at Speechly Bircham LLP.