We often hear stories in the news about people’s personal data being leaked or hacked. This section guides you through the fundamentals of Data Protection that you need to be aware of.
What does the Data Protection Act mean by Data?
Data refers to any information held about any person, whether an employee, a job candidate, a freelancer or customer. This could include but is not limited to:
- name and address
- telephone numbers
- bank account details
- information about ethnic origins
- religious beliefs
- health
- criminal records.
What are the key rules of data protection?
The Data Protection Act has eight key principles that must be adhered to. Personal data must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection.
Every business must have a Data Controller. A Data Controller is a nominated person in a company who applies to the Information Commissioner’s Office for permission to store and use personal data. The Data Controller must keep to the eight key principles.
You will need to nominate a Data Controller and register your Data Controller with the Information Commissioner’s Office. More information can be found in Next Steps at the end of this article.
When do I need to think about the Data Protection Act?
As a small business owner you will be storing and processing information about your customers, suppliers and staff on a regular basis. Under the Data Protection Act you are legally obliged to protect all this information securely. The situations below show where the Act applies.
Recruitment and selection
When placing a job advert, your company name should be clearly identified. Applicants should be made aware of what information is being collected about them and what it will be used for. All CVs and application forms, as well as notes made about candidates, must be kept securely, and you should only keep CVs and application forms for as long as there is a commercial business need for that information. Consent must be obtained to keep candidate details on file. You must not use their information for anything other than recruitment for the job they have applied for, and you should not ask for information you don’t need – that is, information you would only want once you have offered the role to someone (e.g. bank details).
Employment Records
Employment records may include the employee file, with the original recruitment application, the contract of employment, next of kin forms, medical records, disciplinary records, appraisals and bank details. In short, it is all the information you hold on your employees. Investigation notes, the results of hearings and any copies of written warnings related to disciplinaries and grievances should all be kept securely. It is important that the employee file is kept up to date and that information is removed from the file and destroyed once the warning period has expired. Everyone who needs access to employee records for the purpose of running the business must understand the principles of data protection.
Payroll
If you are passing information to an outsourced payroll provider you need to make sure that the information is sent securely and to the correct place. Where you are legally required to provide information, such as to the Inland Revenue, the Data Protection Act does not prevent you from doing so. You may provide salary details in a reference if requested by the future employer. Payroll records are all bound by the rules of secure and confidential storage under the Data Protection Act.
Monitoring
If you record phone calls, use video cameras or monitor emails, you need to ensure that your employees are made aware of how and when monitoring takes place and what its purpose is. Any information gained through monitoring is bound by the eight principles of Data Protection. This includes only using the data for the purpose intended.
Staff references
Employee references are covered by other legislation, such as the Equality Act 2010, but under the Data Protection Act an employee may seek compensation where they feel a reference has resulted in the withdrawal of a job offer.
Quiz: What rights does an employee have to see their personnel records?
An employee has the right to see the data you keep on them. If they ask to look at their record you must let them see a copy. This right is referred to as ‘subject access’. You may charge an administrative or handling fee for this request. How many days do you have to comply with a subject access request?
You have 40 days to provide the information requested. If you charge a fee you are entitled to wait until the fee has been paid before releasing the information.
What is the most common amount charged for a subject access request (SAR)?
The correct answer is £10. You cannot make the amount you charge disproportionate to the request or the time it takes to administer it. There may be different rules around fees for organisations that hold credit, health or education details.
Brought to you by:
Revolut Business