What is the Data Protection Act?

Any organisation that retains personal data is a Data Controller and is bound by the terms of the Data Protection Act 1998 (DPA) – soon to be replaced by the Data Protection Act 2018 (GDPR). This legislation sets out in 7 principles how data can be fairly and lawfully used.

Principle 7 of the DPA clearly states that Data Controllers who subcontract the handling of their data to a third party (a data processor) remain liable at all times for the security of their data. To protect themselves, data controllers must undertake due diligence so they are assured that their processors fulfil the requirements and controls necessary to protect against a data security breach.

Data Protection ACT.pdf

Click the icon to download our Legislative Summary PDF

Point of Law – Data Controllers can not subcontract their responsibilities for the safe management of their data.

Every data controller who subcontracts the destruction of data should audit their shredding supplier’s procedures and controls. This due diligence should check, as a bare minimum, that the shredding contractor:

1. Is registered with the ICO

2. Complies, as a minimum, with shredding standard EN15713

3. Only engages staff that are security vetted and trained to BS7858

4. Has fully incorporated 2. and 3. into the scope of its ISO27001 accreditation

5. Is independently audited to operate to safe working practices eg ISO18001 or the SafeContractor Scheme

6. Complies with all EA legislation regarding Waste Carriers Licence

7. Ensures The Waste Hierarchy Regulations are adhered to

8. Operates a Corporate Social Responsibility Policy, and;

9. Provides Certificate of Destruction for every batch destroyed.

If any of the above can not be satisfied a full review should be conducted immediately. If you are interested in getting some more information about improving your data security, live chat now and we will be happy to discuss this with you.

Legislative Summary: The Data Protection Act 1998

Who must adhere to the regulations?

Any organisation, business or person who processes personal data – referred to under the DPA as a ‘data controller’.

They must be:

  • Registered with the ICO
  • With a branch/ office in the UK, but that are registered elsewhere
  • Whilst not based in the UK, store their equipment (i.e. servers) used for processing personal data in the UK (except for purposes of transit)

How to comply:

The DPA states that, at all times, personal data should be processed fairly and lawfully.

  • Only collect information that you need for a specific purpose
  • Keep it secure
  • Ensure it is relevant and up to date
  • Only hold as much as you need, and only for as long as you need it
  • Allow the subject of the information to see it on request

Recommended security management and information controls:

  • Use passwords to restrict access
  • Train staff on data protection principles
  • Ensure facilities are secure
  • Properly dispose of printed material
  • When using third party “data processors”:
  • Establish a written contract outlining what can be done with the personal data and how it will be protected Ensure the level of protection is sufficient to meet your organisation’s compliance with the DPA
  • Take reasonable steps to monitor the security measures are effective.

What the law covers:

Eight principles governing the:

  • Protection of the processing and use of personal data against unauthorised or unlawful use, accidental loss, destruction or damage
  • Rules on the processing of personal data including obtaining, recording, holding, organising, adapting, altering, using, disclosing and destroying it.

What is “Personal Data”?

Information that allows the identification of a living individual- i.e. name, date of birth, address, national insurance number, etc.

DPA and information management:

  • The DPA requires that appropriate technical and organisational measures be taken to prevent:It is critical to note that even if organisations use third party “data processors” to conduct any part of the processing on their behalf, including destruction, the organisation remains responsible for the protection of the personal data not the third party.
  • Unauthorised or unlawful processing of personal data
  • Accidental loss, destruction or damage to personal data

Waste Hierarchy Legislation The Waste (England and Wales) Regulations 2011 (UK)

Offences/ penalties for non-compliance:

For a serious breach of the DPA, the ICO can issue:

  • Monetary penalty notice of up to £500,000
  • An Undertaking – a published enforcement notice requiring the organisation to commit to a particular course of action to improve its compliance.

A serious breach, deliberate or negligent, is determined based on the volume of personal data and level of sensitivity.

Other criminal offences:

  • Processing personal data without being registered as a data controller with the ICO
  • Failure to notify the ICO of changes to the data controller’s details
  • Failure to notify the ICO of changes in the processing of data.

Under section 55, the unauthorised and wilful, or negligent, act of:

  • Obtaining or disclosing personal data or the information contained in personal data
  • Procuring the disclosure to another person of the information contained in personal data.


  • Summary of conviction: fine of up to £5,000
  • Convicted on indictment: unlimited fine

The ICO is also seeking prison sentences to further deter unlawful use of personal data.

Secure document retention and disposal guidelines:

The DPA requires data controllers to securely destroy personal data. However, the requirement must take into account other legislations that govern the rules for document retention prior to its secure disposal, and the penalties for noncompliance.

Regulatory document retention periods are in place for:

  • Employment and PAYE records
  • VAT records
  • Corporation tax records
  • Business taxpayers self-assessment returns
  • Transaction records and formal company documents (Companies Act 2006)

Recommended inclusions for a document retention policy:

  • A statement of purpose
  • Categories of documents and how long they should be kept
  • Definition of “document” and the format and length of time in which it is to be retained (electronic or hard copy)
  • Guidance on creation of documents
  • Members of staff designated to deal with the document management system
  • Methods of document destruction, including those carried out by third parties
  • How to keep an accurate record of documents destroyed

How Topwood can help?

  • Secure Document Shredding and Media Destruction
  • Secure end-to-end chain of custody
  • Certificate of destruction after every service
  • Tailored solutions to your organisations need
  • Advice and Expertise
  • Trained experts in information security
  • Provide a Data Security Survey at your organisation

Protecting your confidential business information with Topwood is safe, convenient and cost-effective. It’s also environmentally friendly – all shredded paper and hard drives are recycled.

It is important to bear in mind that the Data Protection Bill was published in Parliament (14.09.17) by Digital Minister Matt Hancock. The EU’s GDPR are fully incorporated into UK law under what will be known as the Data Protection Act 2018 – due to come into effect in May-18.

Is Topwood GDPR Compliant?

The following self-assessment is based on the ICO’s checklist for data processors. A positive response demonstrates that Topwood is compliant with the requirements of GDPR.

SECTION 1 Documentation

1.1 Information Topwood holds. Has Topwood conducted an information audit to map data flows and does Topwood document the personal data it holds, where it came from and who it is shared with?

Answer: Yes

SECTION 2 Accountability and governance

2.1 Accountability. Has Topwood an appropriate data protection policy?

Answer: Yes

2.2 Data Protection Officer (DPO). Has Topwood nominated a data protection officer?

Answer: Yes

2.3 Management responsibility. Do the Directors at Topwood demonstrate support for data protection legislation and promote a positive culture of data protection compliance?

Answer: Yes

2.4 Information risks and data protection impact assessments. Does Topwood manage information risks in structured way so that management understands the business impact of personal data related risks and manages them effectively?

Answer: Yes

2.5 Data protection by design. Has Topwood the appropriate technical and organisational measures to show data protection is integrated with data processing activities

Answer: Yes

2.6 Training and awareness. Has Topwood provided data protection awareness training for all staff?

Answer: Yes

2.7 Data processing contract. Does Topwood only process data on the documented instructions of a data controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and Topwood?

Answer: Yes

2.8 The use of sub-processors. Does Topwood seek the prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place.

Answer: Yes

2.9 Operational base – Topwood only operates within the EU.

2.10 Breach notification – Has Topwood the effective processes to identify and report any personal data breaches to its controllers?

Answer: Yes

SECTION 3 Individuals rights

3.1 Right of access. Does Topwood have a process to respond to a controller’s request for information (following and individuals’ request to access their personal data)?

Answer: Yes

3.2 Right to rectification and data quality. Does Topwood have the processes to ensure that the personal data held is accurate and up to date?

Answer: Yes

3.3 Right to erasure, including retention and disposal. Does Topwood have a process to routinely and securely dispose of personal data that is no longer required, in line with agreed timescales as stated in the your contract with the controller?

Answer: Yes

3.4 Right to restrict processing. Does Topwood have controls to respond to data controllers’ request to supress the processing of personal data?

Answer: Yes

3.5 Right to data portability. Does Topwood have the capability to respond to a request from a controller to supply the personal data your process and in an electronic format

Answer: Yes

SECTION 4 Data security

4.1 Security policy. Does your information security policy supported by appropriate security measures?

Answer: Yes

Related Articles:

FAQ: Why do I need a Certificate of Destruction for shredding?

FAQ: What is the Chain of Custody Process?

Topwood Compliance