Data protection act

26 January 2004

The problem

Every hotel, pub, restaurant and other catering establishment operator holds information about its customers, employees and other individuals. Under the Data Protection Act, any information through which a person can be identified is known as "personal data" and there are restrictions on how this can be used. There are additional constraints in respect of "sensitive personal data".

The Data Protection Act grants rights to individuals when their data is being processed and it also imposes obligations on those who process the data. "Processing" means doing just about anything with the data, including recording it, storing it or transferring it.

Organisations controlling personal data must notify the Office of the Information Commissioner before processing any data. The Information Commissioner is the UK's independent supervisory authority and is responsible for maintaining the public register of data controllers. There is a statutory annual fee of £35 for notification and failing to do so is a criminal offence.

Once registered, data must be processed in accordance with the Data Protection Principles. Ideally, the data subject's consent should be obtained for any processing. If not obtained, then the processing must be necessary for one of the purposes specified in the act.

So if, for example, an establishment runs a competition for its customers and thereby obtains individual contact details, it will need to obtain specific consent to use this information for further promotions.

The data controller is responsible for the security of the data and must ensure it is adequate, relevant and not excessive in relation to its purpose. Any individual can submit a request to an organisation to gain access to personal data relating to them. This must be answered within 40 days and the maximum fee that can be charged is limited to £10.

CHECK LIST

If you are the person who determines the purposes for which, and the manner in which, personal data about individuals is to be processed, you are a data controller. This means you have to:

  • Notify the Office of the Information Commissioner before you process any data. Once registered, you must process data in accordance with the Data Protection Principles.

  • Obtain consent from data subjects before processing data. If it's not obtained, the processing must be necessary for one of the purposes specified in the act. For example, if a company runs a competition as part of product promotion and obtains individuals' names and contact details, the consent of the participants to the processing of their personal data by the company is implied, but only to the extent necessary for the competition to be run.

Customers may be recorded on CCTV as part of the security arrangements of an outlet and these images constitute personal data as an individual can be identified from them. The Information Commissioner has issued a detailed code of practice relating to the use of CCTV, which recommends establishing and documenting procedures to assess the appropriateness of a CCTV scheme.

  • Ensure security of the data. This means appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. For example, if a brewer or pub company wishes to pass personal data to a marketing organisation for the purpose of running a trade promotion, it must ensure that there's a written contract with the person or company who will process that data.

  • Make reasonable efforts to ensure the accuracy of data, keep it (where necessary) up to date and not keep it longer than you have to.

BEWARE!

Additional restrictions apply to "sensitive data". Examples of sensitive data are an individual's racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical/mental health, sex life, drinking habits, and criminal record.

To process sensitive data, explicit consent must be given or one of the other specified purposes in the Data Protection Act must be met. These purposes include the exercising of a right imposed by law on the data controller in connection with employment or using the data for the purposes of legal proceedings.

CONTACTS

Dino Wilkinson, IT and intellectual property lawyer at Kimbells LLP, Tel: 01908 668555,
E-mail: ino.wilkinson@kimbells.co.uk

Data protection and freedom of information; Office of the Information Commissioner, www.dataprotection.gov.uk, www.oic.gov.ie
