What is the Data Protection Act?
Any organisation that retains personal data is a Data Controller and is bound by the terms of the Data Protection Act 1998 (DPA). This legislation sets out in 7 principles how data can be fairly and lawfully used.
Principle 7 of the DPA clearly states that Data Controllers who subcontract the handling of their data to a third party (a data processor) remain liable at all times for the security of their data. To protect themselves, data controllers must undertake due diligence so they are assured that their processors fulfil the requirements and controls necessary to protect against a data security breach.
Point of Law - Data Controllers cannot subcontract their responsibilities for the safe management of their data.
Every data controller who subcontracts the destruction of data should audit their shredding supplier's procedures and controls. This due diligence should check, as a bare minimum, that the shredding contractor:
1. Is registered with the ICO
2. Complies, as a minimum, with shredding standard EN15713
3. Only engages staff that are security vetted and trained to BS7858
4. Has fully incorporated 2. and 3. into the scope of its ISO27001 accreditation
5. Is independently audited to operate to safe working practices, e.g. ISO18001 or the SafeContractor Scheme
6. Complies with all EA legislation regarding Waste Carriers Licence
7. Ensures The Waste Hierarchy Regulations are adhered to
8. Operates a Corporate Social Responsibility Policy, and
9. Provides a Certificate of Destruction for every batch destroyed.
If any of the above cannot be satisfied, a full review should be conducted immediately.
Legislative Summary: The Data Protection Act 1998
Who must adhere to the regulations?
Any organisation, business or person who processes personal data – referred to under the DPA as a ‘data controller’.
This includes organisations that are:
- Registered with the ICO
- Registered elsewhere but have a branch or office in the UK
- Not based in the UK, but keep the equipment (i.e. servers) used for processing personal data in the UK (except for purposes of transit)
How to comply:
The DPA states that, at all times, personal data should be processed fairly and lawfully.
- Only collect information that you need for a specific purpose
- Keep it secure
- Ensure it is relevant and up to date
- Only hold as much as you need, and only for as long as you need it
- Allow the subject of the information to see it on request
Recommended security management and information controls:
- Use passwords to restrict access
- Train staff on data protection principles
- Ensure facilities are secure
- Properly dispose of printed material
- When using third party “data processors”:
  - Establish a written contract outlining what can be done with the personal data and how it will be protected
  - Ensure the level of protection is sufficient to meet your organisation’s compliance with the DPA
  - Take reasonable steps to monitor that the security measures are effective.
What the law covers:
Eight principles governing the:
- Protection of the processing and use of personal data against unauthorised or unlawful use, accidental loss, destruction or damage
- Rules on the processing of personal data including obtaining, recording, holding, organising, adapting, altering, using, disclosing and destroying it.
What is “Personal Data”?
Information that allows the identification of a living individual, e.g. name, date of birth, address, national insurance number, etc.
DPA and information management:
The DPA requires that appropriate technical and organisational measures be taken to prevent:
- Unauthorised or unlawful processing of personal data
- Accidental loss, destruction or damage to personal data
It is critical to note that even if organisations use third party “data processors” to conduct any part of the processing on their behalf, including destruction, the organisation remains responsible for the protection of the personal data, not the third party.
Waste Hierarchy Legislation: The Waste (England and Wales) Regulations 2011 (UK)
Offences/ penalties for non-compliance:
For a serious breach of the DPA, the ICO can issue:
- Monetary penalty notice of up to £500,000
- An Undertaking – a published enforcement notice requiring the organisation to commit to a particular course of action to improve its compliance.
Whether a breach, deliberate or negligent, is serious is determined by the volume of personal data involved and its level of sensitivity.
Other criminal offences:
- Processing personal data without being registered as a data controller with the ICO
- Failure to notify the ICO of changes to the data controller’s details
- Failure to notify the ICO of changes in the processing of data.
Under section 55, it is an offence to wilfully or negligently, and without authorisation:
- Obtain or disclose personal data or the information contained in personal data
- Procure the disclosure to another person of the information contained in personal data.
Penalties under section 55:
- On summary conviction: fine of up to £5,000
- On conviction on indictment: unlimited fine
The ICO is also seeking prison sentences to further deter unlawful use of personal data.
Secure document retention and disposal guidelines:
The DPA requires data controllers to securely destroy personal data. However, this requirement must take into account other legislation that governs document retention prior to secure disposal, and the penalties for non-compliance with it.
Regulatory document retention periods are in place for:
- Employment and PAYE records
- VAT records
- Corporation tax records
- Business taxpayers’ self-assessment returns
- Transaction records and formal company documents (Companies Act 2006)
Recommended inclusions for a document retention policy:
- A statement of purpose
- Categories of documents and how long they should be kept
- Definition of “document”, the format in which it is held (electronic or hard copy) and the length of time for which it is to be retained
- Guidance on creation of documents
- Members of staff designated to deal with the document management system
- Methods of document destruction, including those carried out by third parties
- How to keep an accurate record of documents destroyed
How Topwood can help:
- Secure Document and Hard Drive Destruction
- Secure end-to-end chain of custody
- Certificate of destruction after every service
- Tailored solutions to your organisation’s needs
- Advice and Expertise
- Trained experts in information security
- Provide a Data Security Survey at your organisation
Protecting your confidential business information with Topwood is safe, convenient and cost-effective. It’s also environmentally friendly - all shredded paper and hard drives are recycled.
It is important to bear in mind that the Data Protection Bill was published in Parliament last week (14.09.17) by Digital Minister Matt Hancock. The EU’s GDPR is fully incorporated into UK law under what will be known as the Data Protection Act 2018, due to come into effect in May 2018.