The 23 October deadline for compliance with the Data Protection Act 1998
sailed past many HR managers unnoticed. Here we look at some of the main
business implications of the Act and offer advice on how to get systems up and
running – fast
All UK businesses should now be complying with the provisions of the Data
Protection Act 1998. On 23 October the first transitional period of the DPA
expired. However, most employers remain ignorant of the new rules and are
running the risk of prosecution.
A survey last month by Tarlo Lyons and the Opus Group showed nearly
two-thirds of firms were not aware of the deadline. Of 137 responses from
managers responsible for data protection, 61 per cent were not aware of the
impending date for compliance. And a poll in Personnel Today found 40 per cent
of HR practitioners unprepared for the new duties.
"Businesses must take urgent steps to tackle these issues so that they
are fully compliant with the Act," said Andrew Rigby, head of e-business
and banking technology law at Tarlo Lyons. "Bringing in new procedures and
systems to cope in such a short time frame will challenge most businesses, but
the issue cannot be ignored."
One of the most important issues likely to impact on businesses with a
global presence, Rigby said, is the prohibition on exporting personal data
outside the European Economic Area.
"Under the DPA, a business cannot generally transfer data outside the
EEA unless the country of the receiver provides a similar level of protection
to personal data," he said. "To date, few countries outside the EEA
have been recognised as providing adequate protection. The US and some
countries in the Far East provide no such protection, yet they are significant
in terms of export business, trade and financial relationships with the
Only in limited circumstances will a business be able to transfer personal
data lawfully to such countries, and businesses will need to enter into
contracts with third parties or even with overseas members of their
organisations to provide adequate protection.
Potentially all businesses which use the Internet could be caught out by the
DPA, Rigby warns. A UK business which sends an e-mail containing the name and
address of an employee, job applicant or customer to the US office of the same
company will be in breach of the Act. Ultimately, the authorities may order the
business to stop exporting any personal data, which could bring many
international companies to a standstill, he adds.
Other aspects of the DPA could have a fundamental impact on the way UK companies
do business via the Internet. For example, any business using a third party to
process data will need to ensure via the contract that the third party will
take "appropriate technical and organisational measures" to protect
"This will have a significant impact on businesses that use a
third party to run, operate and process data received on its website,"
Ten steps to compliance
1. Go through all manual and personnel data and check for any personal or
sensitive data, such as opinions on an employee, race or medical information.
2. Ensure all filing systems are covered, including those held by
3. Remove any unnecessary or unhelpful data.
4. Devise a data protection policy (see box).
5. Devise consent forms for processing personal data as well as processing
sensitive personal data.
6. Devise plans for regularly updating information, such as the regular
circulation of new addresses and so on.
7. Put in place procedures for obtaining information on new employees
8. Work out how you will answer requests within time limits.
9. Decide whether you will make an administration charge for complying with
10. Plan to review your policy as soon as the Data Protection Code of
Practice comes into force.
Devising a policy
– What do you need to hold and why?
– Who should have access to the information?
– Who should hold the information?
– Make time limits clear – 40 days for access to records and 21 days for
access to information.
– Make exemptions clear, such as the administration of justice exemption.
– How will disputes be dealt with? Follow the internal procedures first.
– Revise your disciplinary and grievance procedures to cover abuses of data.