Protecting and Securing Personal Data

Posted on 23/11/2015 by Kirsty Craig


Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information held by a business or a third party.

There could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines) if personal data is not handled properly.

Protecting and securing personal data

Personal data needs to be protected and kept secure. This data may include:

  • name
  • e-mail address
  • telephone numbers
  • date of birth
  • and notes written about someone (such as an annual performance review).

Particular care must be taken with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data.

The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on a business’ CCTV footage.

Collecting personal data

A business can only collect personal data if it has a legitimate reason for doing so (for example, because a new employee is coming to work for the business).

When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data (for example, if the business is collecting a customer’s email address to confirm an order). If the purposes for which the business wants to use someone’s data change, the individual must be informed once again.

Businesses should only collect information they require at that particular time. For example, a job applicant should not be asked for their bank details. This type of data should only be collected once the applicant has started to work for the business.

If a business wants to use someone’s data for marketing purposes, the individual must be informed. It is good practice to do this at the time the data is collected. In some cases (such as text or e-mail marketing) a business will generally require the individual’s explicit consent.
