Data Protection Act
The problem
Every hotel, pub, restaurant and other catering establishment operator holds information about its customers, employees and other individuals. Under the Data Protection Act, any information through which a person can be identified is known as "personal data" and there are restrictions on how this can be used. There are additional constraints in respect of "sensitive personal data".
The Data Protection Act grants rights to individuals when their data is being processed and it also imposes obligations on those who process the data. "Processing" means doing just about anything with the data, including recording it, storing it or transferring it.
Organisations controlling personal data must notify the Office of the Information Commissioner before processing any data. The Information Commissioner is the UK's independent supervisory authority and is responsible for maintaining the public register of data controllers. There is a statutory annual fee of £35 for notification and failing to do so is a criminal offence.
Once registered, data must be processed in accordance with the Data Protection Principles. Ideally, the data subject's consent should be obtained for any processing. If not obtained, then the processing must be necessary for one of the purposes specified in the act.
So if, for example, an establishment runs a competition for its customers and thereby obtains individual contact details, it will need to obtain specific consent to use this information for further promotions.
The data controller is responsible for the security of the data and must ensure it is adequate, relevant and not excessive in relation to its purpose. Any individual can submit a request to an organisation to gain access to personal data relating to them. This must be answered within 40 days and the maximum fee that can be charged is limited to £10.
CHECK LIST
If you are the person to determine the purposes for which, and the manner in which, personal data about individuals is to be processed, you are a data controller. This means you have to:
Notify the Office of the Information Commissioner before you process any data. Once registered, you must process data in accordance with the Data Protection Principles.
Obtain consent from data subjects before processing data. If it's not obtained, the processing must be necessary for one of the purposes specified in the act. For example, if a company runs a competition as part of product promotion and obtains individuals' names and contact details, the consent of the participants to the processing of their personal data by the company is implied, but only to the extent necessary for the competition to be run.
Customers may be recorded on CCTV as part of the security arrangements of an outlet and these images constitute personal data as an individual can be identified from them. The Information Commissioner has issued a detailed code of practice relating to the use of CCTV, which recommends establishing and documenting procedures to assess the appropriateness of a CCTV scheme.
Ensure security of the data. This means appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. For example, if a brewer or pub company wishes to pass personal data to a marketing organisation for the purpose of running a trade promotion, it must ensure that there's a written contract with the person or company who will process that data.
Make reasonable efforts to ensure the accuracy of data, keep it (where necessary) up to date and not keep it longer than you have to.
BEWARE!
There are additional restrictions on "sensitive data". Examples of sensitive data are an individual's racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sex life, drinking habits, and criminal record.
To process sensitive data, explicit consent must be given or one of the other specified purposes in the Data Protection Act must be met. These purposes include the exercising of a right imposed by law on the data controller in connection with employment or using the data for the purposes of legal proceedings.
CONTACTS
Dino Wilkinson, IT and intellectual property lawyer at Kimbells LLP, Tel: 01908 668555, E-mail: ino.wilkinson@kimbells.co.uk
Data protection and freedom of information: Office of the Information Commissioner, www.dataprotection.gov.uk; www.oic.gov.ie