The Data Protection Act makes it the responsibility of organisations that store personal data to ensure that the data is secure. There are 8 principles that must be abided by:
- Personal data must be collected and stored fairly and lawfully. This means that data must not be collected in inappropriate ways. Eg. You cannot create fake competitions to encourage people to enter their details.
- Personal data should be used for limited, specifically stated purposes. If customers supply their details for delivery purposes, they should not be used for any other reason. Eg. Address details should not be used to promote other products without the customer's consent.
- Personal data should be used in a way that is adequate, relevant and not excessive. If a customer agrees to receive promotional updates, they should not be inundated with excessive adverts.
- Personal data should be accurate. If a customer supplies data, the correct data should be stored.
- Personal data should be kept no longer than is absolutely necessary. Organisations should not hold data indefinitely unless they have a legitimate reason to do so.
- Personal data should be handled in accordance with the data subjects' rights. Data subjects (customers) have the right to a copy of the data held about them and the right to opt out of direct marketing. Individuals have the right to compensation for any negative consequences of their data being stored or used.
- Personal data should be stored securely. Data should not be at risk of loss, theft or corruption. Organisations should password protect and encrypt files and devices. Computers or servers that store data should be kept in secure locations.
- Personal data should not be transferred to countries outside the EEA unless there is adequate legislation in place. Data should not be sent to countries where the laws do not protect the data from abuse.
Some organisations get around these laws by including lengthy terms and conditions in their sign up process to get permission from customers to use their data in a variety of ways. For example, all images posted on Instagram become the property of Instagram – customers lose all rights to these.
To keep data safe, organisations may impose different access rights for employees:
- No access – files cannot be opened
- Read access – they can open the files but not alter them
- Read and write access – they can open and alter files
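The three access levels above, as an added example (not code from the page or from any real system): a small default-deny policy where "no access" is what anyone without an explicit grant gets, writing requires the read-and-write level, and denied attempts are recorded for later review. The class and function names are my own.

```python
"""Three-level file access model (none / read / read-write), default deny."""
from enum import IntEnum


class AccessLevel(IntEnum):
    NONE = 0        # files cannot be opened
    READ = 1        # files can be opened but not altered
    READ_WRITE = 2  # files can be opened and altered


# Level each action needs; writing implies being able to open the file.
REQUIRED = {"open": AccessLevel.READ, "write": AccessLevel.READ_WRITE}


class FileAccessPolicy:
    """Hypothetical policy object: maps (employee, file) to an AccessLevel."""

    def __init__(self):
        self._grants = {}   # (user, path) -> AccessLevel
        self.audit = []     # denied attempts, kept for review/detection

    def grant(self, user, path, level):
        self._grants[(user, path)] = AccessLevel(level)

    def level_for(self, user, path):
        # Default deny: no explicit grant means "no access".
        return self._grants.get((user, path), AccessLevel.NONE)

    def check(self, user, path, action):
        if action not in REQUIRED:
            raise ValueError(f"unknown action: {action}")
        allowed = self.level_for(user, path) >= REQUIRED[action]
        if not allowed:
            self.audit.append((user, path, action))
        return allowed


def demo():
    """Constructed scenario: a clerk may read, a DBA may edit, an intern has no grant."""
    policy = FileAccessPolicy()
    policy.grant("clerk", "customers.csv", AccessLevel.READ)
    policy.grant("dba", "customers.csv", AccessLevel.READ_WRITE)
    return {
        "clerk_open": policy.check("clerk", "customers.csv", "open"),
        "clerk_write": policy.check("clerk", "customers.csv", "write"),
        "dba_write": policy.check("dba", "customers.csv", "write"),
        "intern_open": policy.check("intern", "customers.csv", "open"),
        "denied": len(policy.audit),
    }
```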
For detailed information on the Data Protection Act, check out the ICO website.