The 8 principles of data protection
It goes without saying that data protection should be a critical concern for all businesses, especially those who operate in the online world. In addition to having correct policies in place and making sure these are understood by personnel, it is essential that all businesses have an ISO27001 compliant information security management system in place.
To ensure you are protected, working with an already accredited ISO 27001 company will be beneficial when confirming you have the appropriate measures in place to prevent data loss from happening. Click here for more information from the NCC Group on how to achieve this.
One way to help safeguard information is by understanding the eight key principles of data protection. The nominated data controller in the company should know these by heart, but ensuring company-wide knowledge of this certainly isn’t a bad thing.
But what are the eight principles? Here’s your essential list:
1) Firstly, all data collected, whether this is company information or personnel files, must be fairly used inside the law. It should be understood by the individual why the data is being collected and for what purpose or purposes it will be used. An individual should also grant permission for this information to be collected.
2) The information commissioner, or data controller, is only allowed to use or hold this information under the guidance set out by the individual. If they use this information for any other purpose than what is set out when the data is initially collected, they will be breaking the law.
3) The information collected about an individual should be adequate, relevant and not excessive for the purposes it is required for. For example, a business could collect emergency contact details for an employee, but it would be inappropriate and unnecessary to ask for the name of the person’s grandparents. This type of data should not be collected or stored in any instance. All information collected should be pertinent to the job in hand.
4) The data collected must be accurate and must be kept up to date as regularly as possible. Ensuring facts are correct is essential to effective data handling.
5) Any personal data that is obtained must not be used for longer than is originally set out. As soon as the data has served its purpose, it must be securely disposed of. This in itself could cause a problem for businesses who do not observe the correct practices for permanently deleting sensitive material.
6) The data taken must be kept and used in accordance with the rights held by the person who provides it. The individual also has the right to check the information in most circumstances and is allowed to change the details if it is incorrect.
7) Perhaps the most crucial element of the eight principles for businesses to adhere to, is the requirement to effectively protect against unauthorised access. This means top quality online security is absolutely vital for businesses. The information must also be safeguarded against accidental loss.
8) Any information used must not be transferred to any country outside of the European Union unless the country in question has the same kind of data protection rights and laws.
Any leaks of this sensitive information will constitute a breach of the data protection act and will leave your company in hot water with the law, so make sure you’ve taken all the precautions you possibly can to protect yourself and your customers.