What is data protection?
Personal data is any information relating to you, whether it relates to your private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection comes in.
Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not to share a piece of information, who has access to it, for how long and for what purpose, and to correct or update that information where it is wrong, among other rights.
Governments also have a security interest in ensuring the protection of personal data. In 2015, criminals stole 21.5 million records from the US Office of Personnel Management that contained the highly sensitive personal data of federal employees and their family members. This type of attack is happening more frequently across the globe, and countries must take action to better protect individuals’ information.
Why is this relevant to you?
For individuals: be aware of how information you give to others can be used. You have certain rights relating to data held about you, including:
the right to access your data and be informed about how your data is being processed;
the right to have your data rectified if it’s inaccurate or incomplete;
the right to object to the processing; and
the right to have your data erased in certain circumstances.
For business owners: if you handle personal information (and, let’s face it, you are always going to be handling personal information because as a business you have to keep records on your customers), you have a number of legal obligations to protect that information.
What is ‘personal data’?
Personal data is information (whether held electronically or physically) relating to individuals only (ie not companies or other organisations) who can be personally identified from that data (on its own or with other data held). It includes:
addresses (including email addresses)
dates of birth
online identifiers (eg IP addresses)
There is a further ‘special category’ of ‘sensitive personal data’ which includes information about:
racial or ethnic origin
religious or similar beliefs
trade union membership
physical or mental health or condition
biometrics (eg fingerprint data/facial images)
The requirements of the Data Protection Act (DPA) are even stricter when it comes to sensitive personal data. Information about criminal convictions is treated separately and subject to even tighter controls.
What is ‘processing’?
‘Processing’ is almost any operation performed on personal data, whether or not by automated means, other than use for purely personal or household purposes. It includes:
retrieving personal data
Who are ‘data subjects’?
Data subjects are natural persons from whom or about whom you collect information in connection with your business and its operations. For example, if you run an online business, you’ll collect information about:
your customers, ie the people who buy your products
the people who work in the business, ie employees/consultants
What are my obligations if I collect personal information?
You must make sure the information is:
processed fairly, lawfully and in a transparent manner
collected for specified, explicit and legitimate purposes
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
accurate and kept up to date
kept in a form which enables identification of data subjects for no longer than is necessary
processed in a way that ensures it is appropriately secure
not transferred outside the European Economic Area (EEA) without adequate protection
These are strict rules known as the ‘data protection principles’. How they are interpreted and enforced depends upon the perceived risk of harm arising from failures. For example, if you collect a person’s credit card details, you must keep that data safe and secure at all times, which means protecting it wherever it is stored and never sending it unencrypted. The ICO has guidance on this topic.
Moreover, if you collect personal information, you are responsible for and must be able to demonstrate compliance with the law on data protection. This is referred to as ‘accountability’ in the legislation.
Data protection and your business
You must follow the rules on data protection in relation to information you retain about staff, customers and account holders. This applies when, for example, you:
retain records about your employees
need to access employees’ emails or computers
market your goods and/or services to customers
use a form of security such as CCTV
Why do we need data protection laws?
There are two main reasons that governments should pursue comprehensive data protection frameworks:
Laws need to be updated to address today’s reality. Ever since the internet was created, people have been sharing more and more of their personal information online. In many countries, privacy rules exist and remain important to help protect people’s information and human rights, but they are not adapted to suit the challenges of today’s connected world.
Corporate co- and self-regulation is not working to protect our data. Around the world, companies and other entities that collect people’s data have long advocated for regulation of privacy and data protection not through binding frameworks but rather through self- or co-regulation mechanisms that offer them greater flexibility. However, despite several attempts, we have yet to see examples of non-binding regimes that are positive for users’ rights (or, indeed, for business as a whole).