PART 1: DATA PROTECTION POLICY RESPONSIBILITY AND TRAINING
Does your organisation have an appropriate data protection policy?
A policy will help you to address data protection in a consistent manner. The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy should be approved by management, published and communicated to all staff. The policy should also be reviewed and updated at planned intervals or when required to ensure it remains relevant.
Does your organisation have a nominated data protection lead?
It is good practice to identify a person in your business with day-to-day responsibility for developing, implementing and monitoring the data protection policy. Allocating these responsibilities to a data protection lead will help you effectively manage and co-ordinate data protection, and make your business more accountable. The lead should be appropriately skilled and have the necessary authority and resources to fulfil their duties.
Does your organisation provide data protection awareness training for all staff?
Many data security breaches are accidental and result from insider actions. You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required. Specialist training for staff with specific duties, such as marketing, information security and database management, should also be considered. The regular communication of key messages is equally important to help reinforce training and maintain awareness.
PART 2: REGISTRATION, FAIR PROCESSING AND SUBJECT ACCESS
Has your organisation registered with the Information Commissioner’s Office?
If you process personal data you may need to record the types of data you hold and why on the public register of data controllers. This is called ‘registration’, which should be renewed and updated annually.
Has your organisation made privacy notices readily available to individuals?
The DPA requires that you process personal data fairly and lawfully. To ensure the processing is fair you must be transparent about how you intend to use the data. It is good practice to include privacy notices on your website and any forms that you use to collect data. These should clearly explain the reasons for using the data, including any disclosures.
The DPA requires that you do not process personal data in any manner that is ‘incompatible’ with your specified purposes. If you want to use personal data for a new or different reason that was not anticipated at the time of collection, you need to consider whether this would be fair. In practice, you often need to get prior consent to use or disclose personal data for a purpose that is additional to, or different from, the purpose you originally obtained it for.
Has your organisation established a process to recognise and respond to individuals’ requests to access their personal data?
The DPA requires that personal data is processed in accordance with individual rights under the DPA. In practice, this means you must be able to recognise and respond to any individual requests or notices in line with your legal obligations. A written data protection policy together with appropriate awareness training can help you to meet these obligations.
The most significant of these is the right of access, which gives anyone you hold personal data about the right to request to see, and to obtain a copy of, that information. You should therefore have a process in place to recognise and respond to requests within statutory timescales.
PART 3: DATA QUALITY, ACCURACY AND RETENTION
Has your organisation established processes to ensure personal details are of sufficient quality to make decisions about individuals?
The DPA requires that personal data is adequate, relevant and not excessive for your purposes. In practice this means you should avoid collecting data without a legitimate business reason and collect only the minimum required to meet the purposes you need it for and which are specified in your privacy notice.
The DPA requires that personal data is accurate and, where necessary, kept up-to-date. Personal data is inaccurate if it is factually incorrect or misleading. Where you identify any inaccurate data, make sure you update the records accordingly. You should regularly review information to identify when you need to do things like correct inaccurate records, remove irrelevant ones and update out-of-date ones. Records management policies, with rules for creating and keeping records (including emails), can help.
Has your organisation established a process to routinely dispose of personal data that is no longer required in line with agreed timescales?
The DPA requires that personal data should not be kept for longer than necessary. In practice, you should identify what types of records or data sets you hold and discard, delete or anonymise personal data as soon as it becomes surplus to requirements. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.
PART 4: SECURITY
Has your organisation established an information security policy supported by appropriate security measures?
The DPA requires that personal data is protected by appropriate security measures. Before you can decide what level of security is right for your business you will need to assess the risks to the personal data you hold and choose the security measures that are appropriate to your needs.
Does your organisation ensure an adequate level of protection for any personal data processed by others on your behalf?
If you outsource the processing of personal data you will still remain responsible for the data under the DPA.
The DPA requires that you choose an organisation that provides sufficient guarantees about how it will protect the data, and ensure written and enforceable contracts are in place setting out information security conditions.
Does your organisation ensure an adequate level of protection for any personal data transferred outside the European Economic Area?
The DPA requires that you ensure there is an adequate level of protection for personal data transferred to a country or territory outside the European Economic Area. You should consider whether outsourcing involves the transfer of data overseas and whether the recipient will provide adequate protection. You are likely to make such transfers if you use hosted services (including cloud computing solutions) that are based overseas.
PART 5: PRIVACY IMPACT ASSESSMENTS
Has your organisation established processes to ensure new projects or initiatives are privacy-proofed at the planning stage?
Build in privacy considerations at the start of projects or initiatives that involve the processing of personal data. Thinking about privacy early on will reduce risks and avoid costly changes at a later date. It is good practice to conduct privacy impact assessments (PIA) during the development, testing and delivery stages of any project.
If your answer to any of the above questions is ‘no’ or ‘don’t know’ then your organisation may be breaching data protection law or at risk of a data security breach.