Accountingweb's tax editor, Nichola Ross Martin, considers the Data Protection Act: "All bark and no bite?"
Data security seems to have been very low on parliament's list of priorities when it signed off the 1998 Data Protection Act. In fact, given the limited powers of the Information Commissioner, it is difficult to see what the Act practically achieves other than being another method of raising revenue for the government.
HMRC’s loss of its child benefit data CDs and breach of data protection laws may have seemed shocking, but lack of bite in the Data Protection Act is more so. Is there much for the accountant and tax adviser to worry about?
All public and private organisations are legally obliged to protect any personal information they hold and the 1998 Data Protection Act applies to all firms holding information about living individuals in electronic format and, in some cases, on paper. They must follow the eight data protection principles of good information handling. These say that personal information must be:
- fairly and lawfully processed;
- processed for specified purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the individual;
- kept secure; and
- not transferred to countries outside the European Economic Area unless the information is adequately protected.
What sort of personal information is covered by the Act?
The Act covers any information that relates to living individuals which is held on computer, such as, but not limited to, name, address, date of birth and opinions about the individual, or any other information from which the individual can be identified. Information held to complete an individual's tax return will fit this bill.
If you hold personal data you must notify the Information Commissioner. Failure to notify is a criminal offence. Registration requires the payment of an annual fee of £35 and you will be added to the register of data controllers. This is available to the public for inspection so that the public can then find out who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).
You can find the notification form online at https://forms.informationcommissioner.gov.uk/cgi-bin/dprproc?page=7.html.
Protecting personal data
It is up to organisations to work out their own policies for safeguarding data. The type of data breaches that seem to be the most common are the leaving of sensitive data in the normal office rubbish (banks and building societies have all had their knuckles rapped over this one) and of course losing laptops and the odd CD.
Most data protection measures are the stuff of common sense; shred all sensitive documents before disposing of them. For the “eco minded”, note that you will not be able to contribute much to the planet’s health if you compost your paperwork as inks tend to be toxic, and so not good for your veg' patch. You might be better off recycling.
Experts agree that physical removal and breaking up of hard drives provides the best protection when disposing of old computers. Formatting the C: drive is an unreliable method of data removal.
Laptops represent a challenge to data controllers, as does any portable device. The Information Commissioner does say:
“Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted.”
The level of protection provided by the encryption needs to be regularly reviewed and updated, and if you find IT challenging, you may need to seek specialist technical advice. Staff need to be trained appropriately.
Reporting data breaches
There is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data. The Information Commissioner believes serious breaches should be brought to his attention all the same. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.
Penalties for data breaches – bark but no bite
Although the failure to register as a data controller is a criminal offence, the Information Commissioner has no powers to impose fines or penalties for data breaches. He can issue formal enforcement notices demanding that the offending data controller takes appropriate action to prevent further breaches.
The rights of the public
The Data Protection Act 1998 gives anyone the right to apply for a copy of their personal information. Such a request is made in writing, by letter or email, and sent to the person or organisation who is holding this information. A fee of up to £10.00 may be levied for each request made.
If you do not supply the data requested by a member of the public the Information Commissioner may write to ensure that you do so.
If you find that your personal data has slipped into the wrong hands and you have suffered damage as a result, you will be pleased to hear that you may claim compensation from the organisation that lost the data. Unfortunately for you, the Information Commissioner has no powers to award compensation, so claimants must fund court action if compensation cannot be agreed with the offending organisation.