This time, it’s personal

Data Protection may not appear a core priority for construction businesses, yet to ignore it creates a risk. Last year’s well reported prosecution of businessman Ian Kerr, who operated an illegal blacklist of construction workers, has highlighted the need to take note of this area of law.

The government is introducing higher penalties for breaches of data protection legislation. In January, the Ministry of Justice increased the maximum fine for serious breaches from £5,000 to £500,000. The government is also considering jail sentences for those who knowingly leak personal data.

The key piece of legislation is the Data Protection Act 1998, which puts responsibility on “data controllers” who process personal data – those who determine the purpose for and the manner in which “personal data” is processed. In the case of a construction firm, the company itself may be the data controller.

The term “processing personal data” covers a wide range of activities including holding, collecting or using personal data either on computer or in a structured filing system – for example, HR and payroll records.

Compliance falls into three main areas.

Notification

Most data controllers are required to submit a “notification” to the Information Commissioner’s Office (ICO), the body that enforces the act. The form can be completed online (see www.ico.gov.uk) and must be kept up to date and renewed annually. The cost for firms with a turnover of more than £25.9m and more than 250 staff is £500 a year, and for firms with a turnover below £25.9m or fewer than 250 staff, is £35 a year.

Dealing with subject access requests

In january, the Ministry of Justice increased the maximum fine for serious breaches from £5,000 to £500,000. it is also considering jail sentences

Individuals may request details of personal data held about them from data controllers and these must be dealt with within 40 days. Controllers may charge a nominal amount for dealing with the request (up to a maximum of £10). Certain exemptions apply to requests (see www.ico.gov.uk).

Data protection principles

The act outlines eight principles of compliance. These are that data should be:

• 1 Processed fairly and lawfully
• 2 Obtained only for specific, lawful purposes
• 3 Relevant, adequate and not excessive
• 4 Not kept for longer than necessary
• 5 Kept where adequate security precautions are in place to prevent loss, destruction or unauthorised disclosure of that data
• 6 Accurate and up to date
• 7 Processed in accordance with the rights of data subjects under the act
• 8 Not transferred outside the European Economic Area unless you are satisfied that the country in question can provide an adequate level of security for that data.

The first principle, for personal data to be processed “fairly and lawfully”, means if its use is not obvious to the individual giving their details, consent to its use may be required, or the use will need to be necessary for a specific purpose outlined in the legislation.

Principal four requires personal data not to be kept for longer than necessary, so firms should consider implementing data retention policies – retention of personal data must be justified, and excess and old data deleted.

The “measures against unlawful or unauthorised processing and accidental loss or destruction of personal data” that are required by principle five could include:

• A document management system;
• Data security (for example, use of passwords or encryption techniques)
• Policies dealing with the above and protection when working from home.

Regarding principle eight, the rules governing overseas transfers are complex and exceptions apply. For example, it may be permitted if consent is given or a recipient in the US has signed up to the safe harbour provisions. Global companies can consider putting in place pre-approved agreements or implementing corporate binding rules particularly for intergroup transfers.

Businesses of all types need to be aware of their obligations under the act as otherwise it could cost them greatly.