The Data Protection Act 1998 (DPA) applies to the “processing” of “personal data”. Pursuant to section 1(1) of the DPA “processing” includes obtaining, recording, holding, using, disclosing or erasing data and “personal data” is data relating to living individuals who can be identified from such data for example; names, addresses, telephone numbers, job titles and dates of birth. It therefore follows that practically any business operating in the United Kingdom which holds information about individuals in the course of its business activities will be affected by and must therefore comply with the provisions of the DPA.
The Information Commissioner’s Office (ICO) has warned employees in particular about the potential consequences of illegally sharing personal data after a recruitment manager was prosecuted and fined for illegally disclosing the personal information of job applicants to another employment agency. The recruitment manager was employed by HomeServe Membership Ltd and was found to have sent copies of 26 CVs containing the personal data of applicants seeking employment with HomeServe to another recruitment firm during his employment, without a business need to do so. The court held the recruitment manager to be guilty of an offence under section 55 of the DPA and imposed a fine in the sum of £573.00 together with an order for costs in the sum of £421.00, totalling £994.00 which was to be paid within seven days of the order.
The ICO is responsible for enforcing the regime under the DPA and where it finds a breach of the DPA, the ICO may elect to serve data controllers with information notices requiring the data controller to provide information about their processing operations and policies, enforcement notices requiring the data controller to comply with the data protection principles and may impose a fine up to a maximum of £500,000 for serious contraventions of the DPA. Before the ICO elects to impose a fine, it must first be satisfied that the contravention was serious and was of a kind likely to cause substantial damage or distress and that the data controller either deliberately contravened the DPA or knew or ought to have known that there was a risk that the contravention would arise and still failed to take reasonable steps to prevent the same from happening.
Since breaches of the DPA can result in both criminal and civil liability, it is vital that any business holding information about individuals is aware of the obligations set out in the DPA. If you should have any queries in respect of the Data Protection Act or your responsibilities in respect of the same, please do not hesitate to contact me on 01908 660966 or alternatively at firstname.lastname@example.org.