Electronic Cigarette Industry Trade Association

Tel : 01639 710 558

Email : support@ecita.org.uk

You are here

ECITA ISE: FCP Chapter 11 Data Protection Act (1998)

14 : FCP Chapter 11 Data Protection Act (1998)

Thursday, November 6, 2014


The Data Protection Act (1998) establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The legislation itself is complex and, in places, hard to understand.

However, it is underpinned by a set of eight straightforward, common-sense principles. If you make sure you handle personal data in line with the spirit of those principles, then you will go a long way towards ensuring that you comply with the letter of the law.

The Eight Principles

1.      Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
This is the first data protection principle. In practice, it means that you must:

•    have legitimate grounds for collecting and using the personal data;
•    not use the data in ways that have unjustified adverse effects on the individuals concerned;
•    be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
•    handle people’s personal data only in ways they would reasonably expect; and
•    make sure you do not do anything unlawful with the data.

2.     Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

In practice, the second data protection principle means that you must:

•    be clear from the outset about why you are collecting personal data and what you intend to do with it;
•    comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
•    comply with what the Act says about notifying the Information Commissioner; and
•    ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3.    Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This is the third data protection principle. In practice, it means you should ensure that:

•    you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
•    you do not hold more information than you need for that purpose.

So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.

4.      Personal data shall be accurate and, where necessary, kept up to date.
To comply with these provisions you should:

•    take reasonable steps to ensure the accuracy of any personal data you obtain;
•    ensure that the source of any personal data is clear;
•    carefully consider any challenges to the accuracy of information; and
•    consider whether it is necessary to update the information.

5.      Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In practice, it means that you will need to:

•    review the length of time you keep personal data;
•    consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
•    securely delete information that is no longer needed for this purpose or these purposes; and
•    update, archive or securely delete information if it goes out of date

6.      Personal data shall be processed in accordance with the rights of data subjects under this Act.

This is the sixth data protection principle, and the rights of individuals that it refers to are:

•    a right of access to a copy of the information comprised in their personal data;
•    a right to object to processing that is likely to cause or is causing damage or distress;
•    a right to prevent processing for direct marketing;
•    a right to object to decisions being taken by automated means;
•    a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
•    a right to claim compensation for damages caused by a breach of  the Act.

7.      Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

•    design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
•    be clear about who in your organisation is responsible for ensuring information security;
•    make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
•    be ready to respond to any breach of security swiftly and effectively.

8.      Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas.

The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.

Protecting Personal Data

Top tips on how to protect the personal data you hold.

For computer security:
•    Install a firewall and virus-checking on your computers.
•    Make sure that your operating system is set up to receive automatic updates.
•    Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities.
•    Only allow your staff access to the information they need to do their job and don’t let them share passwords.
•    Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
•    Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information.
•    Securely remove all personal information before disposing of old computers (by using software intended for the purpose  or destroying the hard disk).
•    Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect your computer from spyware threats, and it is often free to use and update.
For using emails securely:

•    Consider whether the content of the email should be encrypted or password protected. Your IT or security team should be able to assist you with encryption.
•    When you start to type in the name of the recipient, some email software will suggest similar addresses you have used before. If you have previously emailed several people whose name or address starts the same way – e.g. “Dave” - the auto-complete function may bring up several “Daves”. Make sure you choose the right address before you click send.
•    If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the addresses it was sent to.  
•    Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone.
•    If you send a sensitive email from a secure server to an insecure recipient, security will be threatened. You may need to check that the recipient’s arrangements are secure enough before sending your message.

For other security:

•    Shred all your confidential paper waste.
•    Check the physical security of your premises.
•    Train your staff:
•    so they know what is expected of them;
•    to be wary of people who may try to trick them into giving out personal details;
•    so that they know they can be prosecuted if they deliberately give out personal details without permission;
•    to use a strong password - these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols;
•    not to send offensive emails about other people, their private lives or anything else that could bring your organisation into disrepute;
•    not to believe emails that appear to come from your bank that ask for your account, credit card details or your password (a bank would never ask for this information in this way);
•    not to open spam – not even to unsubscribe or ask for no more mailings. Tell them to delete the email and either get spam filters on your computers or use an email provider that offers this service.

If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:

•    a recovery plan, including damage limitation;
•    assessing the risks associated with the breach;
•    informing the appropriate people and organisations that the breach has occurred; and
•    reviewing your response and updating your information security.

You are required to have Payment Card Industry/Data Security Standards (PCI/DSS) Compliance & certification for payment processing. If you are using a payment provider, such as Sagepay, HSBC, Barclays, etc., they should be able to provide you with the compliance certification you need. If not, you will need to source credible certification from elsewhere.

Also, online retail businesses are legally required to be registered with the Information Commissioner’s Office.