The Data Protection Act (DPA) was introduced by parliament in an effort to ensure that organisations understand what is expected from them when having access to personal and sensitive information about for example their employees.
The DPA is a very complex piece of legislation and as such professional help may be required to ensure that organisations are adhering to the Acts requirements.
In a recent communication from the Information Commissioners Office (ICO) they have stated that there are a number of basic issues that keep recurring that organisations need to implement, in order to help protect them from any potential financial penalties.
These areas for improvement include the following:-
Tell individuals what companies are doing with their data- whilst this may seem a basic working practice, many organisations do not tell people what they are doing with the information and who it will be shared with. This is a legal requirement so it is important that data controllers are open and honest about how their data will be used.
Make sure staff are trained to the required level All employees including new staff must receive data protection training to explain how they should store and handle personal information. It would also be prudent to instigate refresher training to ensure staff keep focusing on their duties and responsibilities.
Passwords need to be strong and robust There is no point in protecting data with a weak and easily guessed password. It would be advisable if passwords contained upper and lower case letters, a number and ideally a symbol. This will help in the protection of data from would-be thieves, giving the suitable backup for business.
Make sure all mobile devices are encrypted With advancement of technology many mobile devices such as laptops, mobile phones and tablets can be used for commercial use for such things as sending and receiving emails. It is imperative that any such device that holds any personal or sensitive information is encrypted. This will ensure that the data is kept safe in the event of the device being lost or stolen. Only keep personal and sensitive information for as long as necessary Make sure your organisation has a policy for retention of data, and a process is set up to ensure that after the retention period the data is deleted safely and securely.
These improvements are not a comprehensive list of requirements to comply with the DPA but it would be a good working practice to ensure that these improvements are initiated within any organisation.