You’ve identified a need to collect information about your customers, suppliers and employees, but did you know you have a legal obligation to tell individuals what you will be doing with the information you collect from them?
Here comes the technical bit: Principle 1 of the Data Protection Act sets out that personal data shall be processed fairly and lawfully, and that the processing must meet a specified Condition in Schedule 2 and, if sensitive personal data is processed, a Condition in Schedule 3 as well. I am only going to focus on the fairness aspect in this blog.
Ultimately, fairness demands transparency. This means you must be open and honest with individuals about why you are collecting their information and what you will do with it. In particular, you have a legal obligation to provide an individual with the following information:
Your identity, or the identity of your nominated UK representative if you are based outside the UK;
The purpose or purposes of what you intend to do with the data; and
Any other information necessary to make the processing fair.
Although the last of these requirements is rather vague, you need to think about what the individual would expect to know about the processing of their personal data in order for that processing to be fair. This is especially important when the individual has a choice about providing you with their information. For an individual to consent to the processing, that consent must be freely given (consent is invalid if the individual has had no option but to say yes) and they must have been given enough information to make an informed decision. So, hopefully it is now starting to make more sense why it is important to provide further information to an individual to make the processing fair.
The big question now is, what other information should you provide? This really does depend on the type of information you are collecting and what you are going to do with it, but what you need to consider is (and this isn’t exhaustive):
Who you will be sharing the information with, for example your sister company or any other third parties.
How long you intend to keep the information for (remember personal data is not to be kept for longer than is necessary).
How the information will be kept up to date if it needs to be, for example by asking the individual to update it every year.
How the individual can access their information if they need to and how they can amend or correct any inaccuracies.
How you will store the information, especially if it is of a sensitive nature (remember the security arrangements need to be proportionate to the type of information).
Who in your business will have access to the information.
You also need to make sure that the individual you are collecting information from understands what you are telling them, so don’t be vague or too technical.
The information that you have to give an individual when collecting their information is called a “privacy notice” or “fair processing notice”. More often than not, however, businesses now call these “how we will use your information”, which is a bit more user friendly. All privacy notices should be reviewed on a regular basis to ensure they are up to date.
For further guidance on writing privacy notices, the Information Commissioner’s Office has published a Privacy Notices Code of Practice, which is a very useful document to read.
Dunwell Data Protection are very experienced in writing and reviewing privacy notices, so if you need help writing a privacy notice or would like your privacy notices reviewed, contact Samantha on 07534 258800.