Receive our newsletter

By registering you agree to enable user authentication cookies to be stored on your PC. For more information please read our Privacy & Cookies policy statement.
Mailing Lists:
Hatch Legal Newsletter
The ‘clickable logo’ on this website is a mandatory requirement of our regulator, the Solicitors Regulation Authority. It contains embedded software taking you to an SRA-hosted page which confirms that we are regulated and outlines what protections this regulated status provides. The SRA has stated that it does not have access, record or store any additional data such as IP addresses or page navigation behaviour, and that it does not collect data that would identify an individual. A solicitor specialising in technology is reported as saying that the system’s design involves the processing of data by technology supplier Yoshki, and does not ask users to give their consent. Yoshki’s system is based in turn on technology developed by Google which, he says, ‘is in the business of harvesting personal data’. Hatch Legal does not accept liability for use of the SRA clickable logo.
Data protection
PDF Print E-mail




The Information Commissioner's Office (ICO) has published a new toolkit for businesses to use to help increase awareness among their staff of the importance of handling data securely and confidentiality. The toolkit offers a range of free downloadable materials, including posters, bin stickers and postcards for businesses to use in staff areas.  This checklist sets out the key legal obligations a business should consider when dealing with personal data about customers, suppliers, employees or any other individual who may be encountered during the course of business.


Penalties for failing to deal with personal data appropriately




There could be serious financial, commercial and reputational implications for your business (including possible criminal penalties and fines) if personal data is not handled properly.




Protecting and securing personal data




·          Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information your business or a third party holds. It needs to be protected and kept secure. This information includes:




o    name;


o    e-mail address;


o    telephone numbers;


o    date of birth; and


o    notes written about someone (such as an annual performance review).




·          You must take particular care with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data.




·          The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on your business’ CCTV footage.




Collecting personal data




·          Your business can only collect personal data if it has a legitimate reason for doing so (for example, because a new employee is coming to work for you).




·          When your business collects data about an individual, you will need to tell that individual what your business intends to do with their data (for example, if you are collecting a customer’s e-mail address to confirm an order). If the purposes for which you want to use someone’s data change later, you must approach them again and obtain their agreement to use their data in that way.




·          Your business should only collect information it requires at the particular time (for example, a job applicant should not be asked for their bank details). This type of data should only be collected once the applicant has started to work for your business.




·          If your business wants to use someone’s data for marketing purposes the individual must be informed. It is good practice to do this at the time the data is collected. In some cases (such as text or e-mail marketing) your business generally needs the individual’s explicit consent.




Using data collected on individuals




·          Your business is generally allowed to use someone’s personal data if they have given their consent. The data can also be used in other circumstances, for example, if your business:




o    needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them); or




o    has a legitimate interest in using it, although this must be balanced with the individual’s rights. For example, if a part of your business has been sold to a third party and you need to transfer customer data to that third party.




·          Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff).




·          If you want a third party to manage data (such as carrying out payroll services) you should take legal advice. Your business will still be responsible for protecting the data and will need to enter into a written contract with the third party.




·          Your business should also take legal advice if it is considering transferring any data outside the countries in the European Economic Area. It is very easy to transfer data outside of your own country (for example, by sending an e-mail to an office outside of the UK, or taking data stored on a laptop to another country.).




·          If the data is being used in marketing material, check that the recipient is aware that their data may be used for this reason and confirm they do not object. You will generally need the individual’s explicit consent (opt-in) for e-mail, fax and text marketing. If the individual is an existing customer, you may be able to market similar products to them by these means without prior explicit consent. You should take legal advice if you want to do this.




·          If your business is considering using sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), you should take legal advice.




Storing personal data




·          All data must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted.




·          Data should only be held for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and not used since, it should not be held on the basis that it may be needed for another reason at some time in the future.   Different time limits apply to different types of claim, and these limits may influence your decisions about how long to keep personal data. 






Keeping data secure and confidential




·          Personal data must be kept secure at all times. For example:




o    computers and files should be password protected;




o    personal data on laptops and other portable devices should be kept to a minimum;




o    manual filing cabinets containing personal data should be locked and only accessible to authorised personnel;




o    confidential documents should not be left unattended on desks; and




o    personal data should be removed promptly from fax machines, printers and photocopiers.




·          When your business sends personal data, it must be done in a secure way (for example, confidential information should not be sent in the internal mail).




·          Personal data must be disposed of securely (for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files). Confidential papers should not be put in the recycling bin.




·          When working away from the office or in public areas:




o    ensure personal data stored on portable devices such as laptops, Blackberries, CD-ROMs or memory sticks is encrypted and kept secure at all times;




o    avoid leaving papers or electronic devices lying around;




o    make sure members of the public cannot see confidential documents or computer screens; and




o    avoid talking about confidential matters when the public can hear.




·          Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately.   There may be an obligation to report the breach to the Information Commissioner.




·          Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate.




Enquiries about personal data




·          Make sure your business has a system in place to deal with individuals who request details of the personal information your business holds on them. You are permitted to charge an administration fee of up to £10 for responding to this type of request.




·          Individual employees should not deal with this type of enquiry, unless they have been given specific authorisation to do so. The request should normally be passed to the person within your business who has responsibility for data protection issues.




·          Personal data should not be given out to the friends or relatives of an individual without that individual’s specific consent.






More information




If you have any questions about the content of this checklist, please contact Hilary Crook This e-mail address is being protected from spambots. You need JavaScript enabled to view it .






Hatch Legal 1 Sella Bank, The Banks, Seascale CA20 1QU                                                             Telephone:  0194 672 1715

Authorised and regulated by the Solicitors Regulation Authority—SRA number 463163
 Law Society number 166086
VAT number 898 292 456
© 2010 Hatch Legal. All rights reserved