5-minute guide: Tax advisors and the Data Protection Act.

by Nichola Ross Martin
2nd Jul 2008

Accountingweb's tax editor, Nichola Ross Martin, considers the Data Protection Act: "All bark and no bite?"

Data security seems to have been very low on parliament's list of priorities when it signed off the 1998 Data Protection Act. In fact, given the limited powers of the Information Commissioner, it is difficult to see what the Act practically achieves other than being another method of raising revenue for the government.

HMRC’s loss of its child benefit data CDs and breach of data protection laws may have seemed shocking, but lack of bite in the Data Protection Act is more so. Is there much for the accountant and tax adviser to worry about?

All public and private organisations are legally obliged to protect any personal information they hold and the 1998 Data Protection Act applies to all firms holding information about living individuals in electronic format and, in some cases, on paper. They must follow the eight data protection principles of good information handling. These say that personal information must be:

  • fairly and lawfully processed;
  • processed for specified purposes;
  • adequate, relevant and not excessive;
  • accurate and, where necessary, kept up to date;
  • not kept for longer than is necessary;
  • processed in line with the rights of the individual;
  • kept secure; and
  • not transferred to countries outside the European Economic Area unless the information is adequately protected.

What sort of personal information is covered by the Act?
The Act covers any information relating to living individuals which is held on computer, such as (but not limited to) name, address, date of birth and opinions about the individual, or any other information from which the individual can be identified. Information held to complete an individual's tax return will fit this bill.

If you hold personal data you must notify the Information Commissioner. Failure to notify is a criminal offence. Registration requires the payment of an annual fee of £35 and you will be added to the register of data controllers. This is available to the public for inspection so that the public can then find out who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).

The notification form is available online at https://forms.informationcommissioner.gov.uk/cgi-bin/dprproc?page=7.html.

Protecting personal data
It is up to organisations to work out their own policies for safeguarding data. The type of data breaches that seem to be the most common are the leaving of sensitive data in the normal office rubbish (banks and building societies have all had their knuckles rapped over this one) and of course losing laptops and the odd CD.

Most data protection measures are the stuff of common sense: shred all sensitive documents before disposing of them. For the "eco minded", note that you will not be able to contribute much to the planet's health by composting your paperwork, as inks tend to be toxic and so are not good for your veg' patch. You might be better off recycling.

Experts agree that physical removal and breaking up of hard drives provides the best protection when disposing of old computers. Formatting the C: drive is an unreliable method of data removal.

Laptops represent a challenge to data controllers, as does any portable device. The information commissioner does say:
“Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted.”

The level of protection provided by the encryption needs to be regularly reviewed and updated and if you find IT challenging, you may need to seek specialist technical advice. Staff need to be trained appropriately.

Reporting data breaches
There is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data. The Information Commissioner believes serious breaches should be brought to his attention all the same. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.

Penalties for data breaches – bark but no bite
Although the failure to register as a data controller is a criminal offence, the Information Commissioner has no powers to impose fines or penalties for data breaches. He can issue formal enforcement notices demanding that the offending data controller takes appropriate action to prevent further breaches.

The rights of the public
The Data Protection Act 1998 gives anyone the right to apply for a copy of their personal information. Such a request is made in writing, by letter or email, and sent to the person or organisation who is holding this information. A fee of up to £10.00 may be levied for each request made.

If you do not supply the data requested by a member of the public the Information Commissioner may write to ensure that you do so.

If you find that your personal data has slipped into the wrong hands and you have suffered damage as a result you will be pleased to hear that you may claim compensation from the organisation who lost the data. Unfortunately for you, the Information Commissioner has no powers to award compensation and so this means that claimants must fund court action if compensation cannot be agreed with the offending organisation.

Replies (4)

By User deleted
09th Jul 2008 19:54

Peter
Who is this "security disposer"? Sounds like an advertising standards issue.
You can only be "fined" as in having to pay damages - if someone proves that you have lost their data and if they can prove loss. Also don't forget that they have to fund the court action, so the chances of having to pay out anything are pretty remote unless you have really high profile clients!

In my humble opinion there should be whopping great fines, it would make us all (government dept included) take data security much more seriously.

I would guess that since our government likes the idea of ID cards etc and is not adverse to sending our data over the pond for upkeep this will never happen. Government departments it seems have the most to lose, in more ways than one!

Thanks (0)
By peterlashmar
09th Jul 2008 14:05

Fines for breaches
Nicola,

Very good advice I am sure - as always.

What I cannot reconcile is that our security disposal supplier constantly tells us that for each single identifiable name and address that we dispose of in a non-secure manner we can be fined £5,000.

We are also urged to recycle telephone directories by simply putting them in a paper recycling bin - each directory, of course, contains thousands of identifiable names and addresses!! I have not been able to find any exemption for telephone directories.

Peter Lashmar
Lashmars

Thanks (0)
By garethgreen
08th Jul 2008 13:10

Don't assume you aren't caught
Blimey, I had always assumed I am not caught, as I only advise companies. However, having looked into this, I think I have to register.

For instance, if I have a letter on my computer addressed to an individual, including their job title and name (as is normal), that seems to be personal information about them, so I have to register. Or if I have a note of meeting stating who attended and when and where it took place, that is personal information because it tells of an individual's whereabouts. Or if I have any staff, I am bound to have personal information about them.

Thanks (0)
By mikewhit
07th Jul 2008 12:39

Toothless indeed
Personal data was misused by a company, I made a complaint to the police citing Data Protection legislation, they identified the phone number used by the perpetrator but would not take it any further due to a prosecution being "unlikely to succeed".

Thanks !

Thanks (0)