The new Data Protection Act

Did you know that your contact book is not confidential? And that if a client or subcontractor wants to see your records on him or her, you must show them? That is just one of the implications of the Data Protection Act 1998 which came into force on 1 March this year.

The act introduces a number of restrictions on the way that you keep and use information held on third parties such as clients, subcontractors and consultants. For instance, you are not allowed to hold excessive data on people.

Company directors do not appreciate that they are liable for the accuracy of their company's databases, and that under the act individuals can ask companies to divulge exactly what information is held about them; the organisation is then obliged to search all its databases and report back.

Organisations are also required to adhere to strict guidelines when processing certain information, and in extreme cases directors of companies in breach of the regulations could face imprisonment. Individuals may also claim compensation if damage or distress is suffered because a data controller has contravened the act.

Previous data protection legislation concerned itself only with data held in an automatically processed form. The new act additionally covers any manually compiled records in a structured filing system. It extends the rights of individuals whose data is stored, appoints a new regulatory body, and increases the powers of the courts.

But what does this all mean in practice? If a person (or company) holds data that relates to a living individual who can be identified from it, then that data is classed as personal data. The person (or company) who determines the ways in which personal data is processed is defined as the data controller. A third party who processes personal data on the instructions of the data controller is known as the data processor and is subject to the same conditions. The principles below only apply if personal data is processed. "Processing" covers almost every action taken in relation to personal data, including obtaining, recording, holding and destroying it.

The act applies to "automatically processed" data, such as computer records (including those on laptops and palmtops), and to manual records held in a relevant filing system. Thus card indexes and similar paper records are also likely to be caught.

Personal data relating to employees past and present is encompassed, including temporary staff. Customer details and contract databases are also covered where the information relates to specific individuals, as is information held on another company's personnel (perhaps for headhunting or recruitment purposes).

The act is governed by eight data-protection principles:

• Personal data must be processed fairly and must not be processed unless certain specified conditions are met.

• It must be obtained only for specified, lawful purposes, and not obtained for one purpose and used for another.

• It must be accurate and, where necessary, up to date.

• It should be adequate, relevant, and not excessive for the purposes for which it is processed.

• Data must not be kept longer than is necessary.

• Processing must be in accordance with the rights of the data subjects.

• Security measures must be applied to protect the data.

• Personal data is not to be transferred outside the European Economic Area unless adequate security for it can be ensured.

The first principle – that personal data shall be processed fairly and lawfully – is subject to further conditions which provide protection for the person to whom the data relates. These are:

• The data subject has given his consent to the processing.

• Processing is necessary for the performance of, or the taking of steps with a view to entering into, a contract by the data subject.

• Processing is necessary for the data controller to comply with a legal obligation.

• Processing is necessary in order to protect the vital interests of the data subject.

• Processing is necessary for the exercise of functions of a public nature exercised in the public interest.

• Processing is necessary for the pursuit of legitimate interests by the data controller or the person to whom the data is being disclosed.

There is further protection for "sensitive personal data", which is information relating to a person's private life – such things as religion, racial origin, political beliefs, health, previous convictions and sexual relationships. To process data of this type it is necessary to comply with further criteria, including:

• The express consent of the individual concerned.

• A legal requirement for the data to be processed for the purposes of employment.

• Protection of the interests of the individual concerned.

• Administration of justice or legal proceedings.

Data subjects also have a right of access to the data itself and can issue enforcement notices to compel data controllers to stop processing the data.

There are, of course, various exemptions to the act which allow data to be processed: for example, for the purposes of national security or the public interest, in relation to crime, for certain literary, artistic or journalistic matters, where the data is required by law to be publicly available, or where the data is required in relation to legal proceedings.