Continuing this series of blogs on data protection compliance, we’ve been exploring the first three Data Protection Principles (DPPs) established under the Data Protection Act 1998 (DPA). This week’s blog tackles the fourth, fifth and sixth DPPs, which require, respectively, that personal information be accurate, kept no longer than is necessary and used in accordance with the specific rights provided under the DPA.
No4: It’s all about the Quality
Accurate information is good quality information and it’s in the organisation’s interest to ensure that the information it uses is fit for purpose (remember the Third DPP?). The Fourth DPP requires that personal information be accurate and, ‘where necessary’, kept up to date. Where there are any inaccuracies, the DPA provides a right for individuals to have them corrected. Crucially, this right is confined to matters of fact only: a date of birth, an address or attendance at a meeting. It does not cover matters of opinion such as a medical diagnosis or other professional opinion.
No5: How long is too long?
The Fifth DPP deals with the nutty question of how long records should be retained. It’s the most frequent question we get asked yet it’s the one we can’t answer other than it should be ‘no longer than necessary’! Retention periods are based on two factors: legal obligation or business case. For example, the law requires that financial information is kept for six years, and insurance companies are increasingly dictating how long records must be kept under the contract of insurance. However, when the legal obligation is over or no legal timeframe exists, you can justify keeping personal information if you need it in order to carry out your business activity. If you have neither a legal obligation nor a business case to keep the information, then you need to consider secure deletion or destruction, or appropriate archival of filtered files, which is also good practice.
No6: Exercising your Rights!!
The Sixth DPP requires that you use personal information in accordance with individuals’ rights under the DPA. The DPA is all about giving individuals control over their personal information, so the two fundamental rights provided are the right of access to your information and the right to stop its use if that use is causing, or is likely to cause, substantial damage or substantial distress. The important point to remember is that while these are absolute rights of request, the right of response is qualified by the various exemptions that exist, and you only have 40 calendar days to respond to a subject access request and 21 calendar days to respond to a stop request. It’s vital therefore that you know how to recognise these requests and have good procedures for handling them. The other two rights you must consider under this DPP concern direct marketing, including newsletters, and automated decision making such as credit scoring.
Phew! A lot to take in but worth it to make sure your data protection practices are compliant. Next time, we look at the Principle that is breached most often – it’s all about Security.
Maureen H Falconer is Regional Manager – Scotland with Information Commissioner’s Office