Managing Data on Customers & The Data Protection Act
Businesses need to hold a range of information on customers, staff and the business itself. It is essential to ensure that this information is protected and as secure as possible. Any business holding information must also be sure that they are meeting the terms laid out in the Data Protection Act 1998.
Make sure you and your staff are aware of the Data Protection Act 1998. The Act governs the collection and storage of personal information and is intended to prevent misuse of the systems that hold it.
A self-assessment guide explaining whether or not you need to register is on the Information Commissioner's website. If you are still uncertain, check with the Information Commissioner, who enforces the Data Protection Act.
There are eight principles of data protection and anyone processing personal data must comply with all of them. These state that personal data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- not kept longer than necessary
- processed in accordance with the data subject's (eg the customer's) rights
- kept secure
- not transferred to countries without adequate protection
A more comprehensive explanation of these principles is on the website of the Information Commissioner's Office.
You must be clear about what information you wish to store on customers or potential customers and why, eg name, address and other personal details. This includes information collected electronically, eg from e-commerce transactions. Make sure you take the data protection principles into account when storing customer data.
You need to ensure that any customer information is stored securely. Manual (paper) data is vulnerable to accidents such as fire or flood and, if stored in a basement, can be damaged by rodents, damp or vandals. Electronic information held on removable media such as floppy discs or CD-ROMs is easily stolen, fire damaged or corrupted. Practical security must also be considered: it is pointless storing sensitive documents in a safe if the keys are left lying around or anyone can access the information stored.
Carry out a risk evaluation to ensure that appropriate security measures are in place to protect data. For example, you may decide not to give out client details over the phone; part of that security measure is then ensuring all staff are aware of the policy.
Storing or archiving all of the business's correspondence and documentation can be time consuming and make retrieval difficult, so you must have systems in place to manage data storage and retrieval. Keep duplication of customer information to a minimum, for example between the accounts system and a customer database, since duplicate copies drift out of step and make it harder to keep data accurate and to delete it when it is no longer needed. This helps you manage the customer data and comply with data protection law.
Businesses should always back up or copy essential data, as damage to files can mean the loss of essential information, including data on sales and market predictions or the business's financial records.
Staff should receive training in the business's data protection policies and understand the reasons behind confidentiality procedures.
- Contact the Information Commissioner's Office if you have any questions regarding registration requirements under the Data Protection Act.
- Security of information should be treated with the same level of seriousness as that of premises or cash.
- The storage and retrieval system should be monitored to ensure it continues to meet the needs of the business whilst complying with legislation.
- Business Link advisers will be able to help you identify the information you need to retain and how to establish data management systems.