DPA refers to the Data Protection Act, passed by the UK Parliament to establish a minimum baseline that companies must meet when protecting the information they process, and to give legal rights to the people whose information is held.
Information that businesses collect about their customers (or potential customers) can be personal and may therefore need to be kept confidential. People want their pay, bank details and medical records kept private and away from the view of just anybody. If someone who is not entitled to see this information obtains access to it without the person's permission, that is unauthorised access. The DPA sets out rules intended to prevent this from happening.
The DPA recognises two types of information: "Personal Data" (PD) and "Sensitive Personal Data" (SPD). PD about a customer (the data subject) includes their name, date of birth, height, weight, driving licence number, street address, telephone number, email address and so on. SPD is the narrower set of categories the Act lists specifically: racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health (including medical records), sexual life, and criminal offences or proceedings. Financial details such as bank account and credit or debit card numbers are not SPD under the Act, but because their loss causes direct harm they are usually protected to the same standard. Generally speaking, fewer safeguards are required for PD than for SPD, and in most cases a person must be asked explicitly for consent before SPD about them can be held.
The DPA establishes principles that all UK companies should adopt for processing, storing and transmitting personal and sensitive personal information. The principles set overall objectives: data must be collected and used fairly and lawfully, be relevant and used only for the purpose for which it was collected, be kept accurate and up to date, be retained only for as long as it is needed, and not be transferred outside the European Economic Area unless the destination country provides an adequate level of protection. Above all, companies must provide an appropriate level of security to protect this data.
How much security? How long is a piece of string? You decide. The DPA is a set of principles; it requires "appropriate technical and organisational measures" but does not name specific controls or set a general level of security for businesses to implement. Your business has to make that decision, and design a framework that adequately protects the data in proportion to its sensitivity. If you only process customers' names and addresses, or other data that is already public knowledge, you may not need as much security as you would if you were processing their credit card details or medical histories.
The framework you design needs to be simple, effective and appropriate to the sensitivity of the data, and it needs to be documented so that it stands as proof of due diligence if you ever have a problem. Above all it should be based on common sense. Never forget that the data your business processes, stores and transmits every day is information about someone's life. Protect it to the standard you would want a business to apply to your own personal information and you have got it exactly right.