Virtually every business stores and uses some personal information about employees or clients, and none more so than accountancy practices. With this comes a responsibility to keep the data secure, accurate and up to date.
If you don't comply with all the principles of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) has the power to take action against you. You could face hefty fines of up to £500,000 for serious breaches, or a compensation pay out if an individual has suffered damage. This is a very real threat, too: the ICO has successfully prosecuted accountants in the past, demonstrating that they are prepared to use their powers against those that break the law.
Under the DPA, all organisations and individuals that process personal information also need to register with the ICO – unless they are exempt. A handy online tool helps you determine whether or not you need to register, but if you are an accountancy practice you will need to do so. The process is very straightforward: you fill in an online form, which takes about 15 minutes, and most businesses need to pay £35 (at the time of writing).
What is "personal data"?
There are many types of data that fall into the broad category of "personal data", including the information you store about your employees; contacts on marketing databases; and information stored on customer relationship management databases.
Some data may demand a higher level of care than others. You can draw a distinction between personal data and sensitive personal data, for example, because a leak of the latter could be far more serious and potentially damaging to an individual.
Data that is regarded as sensitive includes information relating to a person's race, sexuality, health, criminal record, and political (or other) affiliations. Even within that category, some pieces of information may be more sensitive than others; data about mental health problems, for example, may be deemed more sensitive than data about a physical health issue such as a broken arm.
Working with partners and cloud providers
Not all organisations involved in the processing of personal data have the same degree of responsibility. For example, if you "own" data about your employees, but you pass this on to another company so that they can take care of the payroll, who is responsible if a data breach occurs?
To determine your responsibility, you need to understand the distinction between a "data controller" and a "data processor":
The data controller is the person who (alone or with others) controls the "why" and the "how" of a data processing activity – i.e. the purposes for which and the ways in which personal data are processed.
The data processor is the person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In the example of your organisation using a payroll company to process employee data, you are the data controller, while the payroll company is the data processor. This means you retain overall responsibility for the processing, despite much of that process being out of your hands. You therefore need to feel very confident that the payroll company you use is going to process the data within the law. If there is a data breach, the ICO would determine where responsibility lies – and prosecute accordingly.
Similarly, if you are using cloud computing services it is likely that you will still be the data controller in relation to the personal data you store in the cloud, with ultimate responsibility for DPA compliance.
You will need to assess the cloud provider and the services you plan to use to make sure it complies with the DPA. The cloud can offer a huge range of benefits such as increased security, reliability and resilience, as well as potential cost-savings, but it is crucial that data controllers take some time to properly understand any data protection risks that could arise. Use of cloud computing potentially introduces some compliance requirements which you may not have encountered before, although the specific issues will depend on the type of cloud service you use.
Firstly, you will need to work out which personal data should be put into the cloud. Then you need to consider what the data protection risks are of placing that data onto the cloud service, and whether those risks can be mitigated.
The ICO has produced a very useful guide to cloud computing, outlining all the key considerations you need to make.
Keeping your business in the clear
Your accountancy practice will need to follow eight data protection principles in order to avoid breaching the Act:
Principle 1: Fair and lawful
The first principle says that you need to process personal data "fairly and lawfully". You need to have solid grounds for collecting the data in the first place, be clear about how you will use it, and handle the data only in ways the individuals would reasonably expect. It goes without saying that you also must not do anything unlawful with the data.
The DPA says you should not process personal data unless at least one of the conditions in Schedule 2 of the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Principle 2: Purposes
This principle aims to make sure your organisation is transparent about the reasons for obtaining personal data – and that what you then go on to do with the information is in line with the expectations of the individuals involved.
This means you not only need to have a legitimate reason for processing the personal data, and to make sure that the processing is fair and lawful – but also that you must state the purposes for which you are obtaining the personal data – and stick to them.
Some scenarios will be more straightforward than others. You will obviously need to hold a certain amount of personal data about your employees, for example, in order to properly look after their health and welfare, and accurately organise their salary payments. If, on the other hand, you also kept a customer database for your own marketing purposes, but then passed on the details of these customers and their interests to other companies for marketing purposes, this is likely to be deemed unfair – unless those customers have previously agreed to this use.
Principle 3: Adequacy
Principles 3, 4 and 5 all cover different aspects of "information standards". First off, principle 3 looks at data adequacy and data minimisation.
Basically, all the personal data you hold needs to be adequate (sufficient for its purpose), relevant, and not excessive. So you should work out the minimum amount of personal data you need to fulfil your stated purpose, then hold just that amount of information – and no more.
Principle 4: Accuracy
Personal data also needs to be accurate and, where necessary, kept up to date.
In practice, this means you will need to take reasonable steps to make sure the personal data you get ho,d of is accurate, and that the source is clear. Is it important to update the information, and if so, how often?
Principle 5: Retention
This principle says you must not hold personal data for longer than is necessary for the purpose for which you obtained it. This means you need to look at the length of time you keep hold of personal data, and securely delete it when you no longer legitimately need it.
The reasoning behind this principle is that the longer you hold data the bigger the risk that the information will go out of date, and that outdated information will be used in error – to the detriment of everyone concerned. It also becomes increasingly difficult as time passes to check that information is accurate.
Principle 6: Rights
You have to process personal data in accordance with the rights of individuals ("data subjects"). These include:
- the right of access to a copy of the information comprised in their personal data;
- the right to object to processing that is likely to cause or is causing damage or distress;
- the right to prevent processing for direct marketing;
- the right to object to decisions being taken by automated means;
- the right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- the right to claim compensation for damages caused by a breach of the Act.
To fully understand your practice's duties in relation to each of these areas take a look at the full ICO guide, which elaborates on each area and offers useful examples.
Principle 7: Security
However you store personal data – whether it is on paper, on your computer, or in the cloud – you need to be satisfied that it is being held securely.
If you employ staff, make sure they are well-trained in their data protection responsibilities, and that they are consistently putting them into practice.
This is a complex area, however, and the measures that are appropriate for each individual business will vary dramatically depending on specific circumstances. You will need to take a risk-based approach to deciding what level of security you require to properly protect the personal data you hold.
Think about how you can protect personal data against accidental loss or damage. This demands both physical and technical security measures, backed up by well thought-out policies and procedures and well-trained, compliant employees. You also need to be ready to respond to any security breach quickly and effectively to minimise potential damage.
Take a look at our previous blog for further tips about security.
Principle 8: International
This final principle is aimed at organisations that intend to send personal data outside the European Economic Area (EEA). Under the DPA "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
If you are sending data overseas you also need to comply with the other 7 data protection principles.
This is a serious consideration, and one that has recently fallen under the media spotlight thanks to a lengthy and high profile legal case. In October 2015, the European Court of Justice (ECJ) ruled that the "Safe Harbour" data protection agreement with the US – which had been in force since 2000 – was in fact "invalid". This followed significant controversy and a complaint from Austrian citizen Maximillian Schrems regarding Facebook's processing of his personal data from its Irish subsidiary to servers in the US. Schrems argued that "...the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities." The ECJ held the Safe Harbour Principles to be invalid because they did not require all organisations entitled to work with EU privacy-related data to comply with it – so the agreement was not providing sufficient guarantees.
If you are thinking about sending personal data outside the EEA, there is a useful ICO checklist to help you work out whether or not this eighth principle applies and, if it does, how to comply.
This feature aims to offers a digestible summary of the eight principles of the Data Protection Act. If you are responsible for data protection on a day-to-day basis, the ICO's guide to data protection will provide comprehensive details and useful examples for each of the principles.