Data Protection Act

14 October 2020

In every business, the protection of personal data is both a legal and moral obligation.

Employees, clients, public bodies–they all might decide to share information with your organisation. Regardless of the data provided, you need to keep it secure and confidential. If any data is mistreated or leaked without consent, the fines and damages can be hard to recover from.

In this guide, we'll look at what the Data Protection Act is, the difference between personal and sensitive data, and why you need to protect such information.

What is the Data Protection Act?

The Data Protection Act 2018 is a UK-based legislation which outlines the importance of keeping sensitive or personal data safe.

Many organisations often use methods like data collection and processing. That’s why more of them are actively seeking further knowledge on what it entails.

Data can be collected through clicks, views, or surveys where consumers willingly shared their information.

(The Data Protection Act 2018 outlines the importance of protecting sensitive personal data).

What data protection legislation is found in the UK?

The UK have a legislation called the Data Protection Act 2018 (DPA). This law was enforced by the Information Commissioner's Office (ICO) who are a governing body that protect data processing and storage.

Most organisations have recently become accustomed to digitisation. The European

Parliament was one of the first to make changes to the General Data Protection Regulations. The previous Data Protection Act needed to match current forms of data processing–so it was amended.

The change set precedence for other EU countries to update their laws on data protection. By this point, the UK had decided to leave the European Union. But despite their departure, UK governing bodies also decided to update legislation too.

Newer laws provided a clearer understanding for managing personal data efficiently. This meant better methods for requesting, storing, and securing information–all whilst trying to avoid breaching the rules.

What are Data Protection principles?

Every individual is given legal rights when it comes to data protection. Under the data protection principles, people are legally entitled to:

  • The right to opt-out: You can inform companies to delete any of your information kept on their database.
  • The right of access: You are allowed to review any of your own data that's been collected.
  • The right to object: You can reject methods of unlawful processing when your personal data is involved.
  • The right to rectification: You can request changes to be made to inaccurate data.
  • The right to portability: You can request for your own data to be transferred.

(Every individual has a legal right to data protection principles).

The General Data Protection Regulation vs. the Data Protection Act

The General Data Protection Regulation (GDPR) is legislation which outlines data privacy laws within the European Union (EU). Its remit is based within EU countries, whereas the Data Protection Act is bound solely for the UK.

But where home-locations are based isn’t the most important or major distinctions. Some of the main differences which GDPR rights highlight are:

  • Child consent: GDPR states a child can consent to data processing at 16 years old. The DPA keeps consent at 13 years old.
  • Definition of 'identifier': The GDPR states an identifier's personal data also includes IP addresses, internet cookies, and DNA. (The DPA does not outline this).
  • Criminal data: The GDPR states processing criminal data can be actioned by public authorities. (The DPA does not outline this).
  • Automated decision making/processes: The GDPR states data subjects have a right against automated decision making or processes. The DPA allows this only through legitimate grounds, whilst safeguarding individual rights.
  • Data subject rights: The GDPR ensures data subjects receive all legal rights regarding personal data. The DPA states they have a right not to be ignored if compliance with such entitlements.
  • Privacy vs. freedom of expression: The GDPR allows member states to find a balance between the right to privacy and the right to freedom of expression. The DPA states certain requirements are needed first when personal data is discussed.

(The GDPR and the Data Protection Act 2018 both revolve around protecting data rights).

What is personal and sensitive data?

Every person holds different scopes of personal and sensitive data. These forms of information demonstrate details of an individual's life.

Personal data

Personal data is used to identify an individual. Some common examples of personal data include things like names, identification details, or residence information. In the workplace, HR records, performance appraisals, and onboarding details also count as personal data, too.

Sometimes, personal data is shared for public interest, by law enforcement purposes, or by the' 'identifier' themselves. However, you need to ensure your business keeps confidentiality throughout.

Sensitive data

When it comes to sensitive information, it can cover things like race, religious beliefs, and political information. Genetic or biometric data, like fingerprints and iris scans, also count as sensitive data.

When it comes to requesting sensitive data, you need to seek mutual consent from the individual involved. For example, you might need to request criminal records to check if a candidate is suitable to work with vulnerable or younger people.

Legal guidelines for processing personal and sensitive information

Almost every business that collects data will have to deal with processing. That's why it's essential to be fully aware of the seven principles and the legal guidelines they come with.

Here are the seven principles needed to process personal information:

  1. Fairness and transparency: People who share their information must be told how it will be used.
  2. Purpose limitation: The information can only be collected for specific services.
  3. Data minimisation: Whatever the data process is, data minimisation allows processes to collect a reasonable amount.
  4. Processing accuracy: All businesses which collect information must have accurate and updated processing methods.
  5. Storage limitation: All sensitive information that's collected shouldn't be kept for longer than necessary.
  6. Integrity and confidentiality: All appropriate steps must be followed to protect personal data.
  7. Legal compliance: The entire data processing system must follow legal compliance.

(Personal and sensitive data help demonstrate the details of an individual's life).

How to manage data protection in the workplace

When your business is dealing with personal and sensitive data, you need to ensure your processing methods are efficient and compliant. If not, you could end up breaching contracts and paying hefty compensation.

Here are ways to manage data protection in the workplace:

Understand the data protection process

It's so important to understand what type of data your business requires.

Determine whether you require personal or sensitive information. And check to see if both management methods meet your accountability principle.

Gain appropriate consent for every individual's data

Gaining consent for every piece of information you collect is not only a legal duty–it's a moral one.

Record whether individual data subjects have provided consent. And be explicit with what you intend to do with the data.

Set out security measures

Make sure you set out a solid security principle for every area involving personal and sensitive data. This includes providing detailed guidance through policies, procedures, and processes.

Also use encryption methods to reduce potential security breaches. And only share access to select people, with the permission of the data subject.

Provide training on data processing

All relevant employees involved in data processing should be competent with training procedures.

This includes anyone appointed as a data protection officer (DPO). DPOs need to understand how processing works; and what to do when breaches occur.

Manage data breaches

It's vital that all businesses manage data breaches in the most appropriate ways.

This includes complying with individual legal obligations, understanding how to report them, and implementing ways to reduce future repeats. Most of these are outlined under the Data Protection Act.

Get expert guidance on managing data protection with Peninsula

In recent times, more businesses are adapting to digital means of efficiency. That means, transitioning your data processing to a virtual form.

But during this shift, you need to ensure you follow the appropriate methods for managing data. Failing to follow the right procedure can result in breaches, fines, and reputational damage.

Peninsula offers expert guidance on managing data protection and GDPR. Our team offers 24/7 HR employment advice which is available 365 days a year. We also provide advice through multi-lingual support and fully trained counsellors who are ready to help with certain circumstances.

Want to find out more? Book a free chat with one of our HR consultants. For further information, call 0800 028 2420.

Suggested Resources