Information Awareness Training
Questions that need to be answered
The Data Protection Act offers protection to the employee and sets out the rules which employers have to follow while collecting private information about the employee. Every organization should have a regulatory compliance program which trains employees on all the provisions of the Data Protection Act. It should be noted that the Data Protection Act lays down rules in general terms. Every organization should frame its own compliance requirements based on its own environment. There are many questions which have to be answered so that employees as well as employers have a clear idea of their rights and responsibilities.
Are there any restrictions put forth by the DPA in connection with data collection?
It is stipulated that the organization or individual who processes personal data must scrupulously follow these three principles:
Data collection should be done in a fair manner and must comply with all legal provisions.
The purpose for which the data collection has to be done should be clearly specified.
Only the data that is relevant to the issue on hand should be collected.
Is it compulsory to inform the people whose data is being collected?
Yes, the employer is obliged to inform people that their data is being collected. They should also know why it is being collected. In fact, the Act stipulates that a notice should be given before the data is collected. The individuals should know exactly what the company will do with the data so collected. The notice should be in a language that the employee understands.
Can the information so collected be divulged to others?
No, the DPA prohibits divulging the information to other parties. There are certain legal exemptions under which disclosure is allowed. The law is very clear that the individual has to be specifically informed before the data is shared with third parties, including the police as well as the social security system. The law is explicit that specific authorization from senior management is required before data is disclosed to law enforcement authorities as well as new employers. One more important aspect is that the disclosure should be relevant to the requirements of the organization asking for it. Disclosure procedures may differ from organization to organization.
How should one ensure the security of the personal data so collected?
There should be a well-framed policy document which lists the procedures to be followed for protecting the collected data. The security measures should comply with international standards set out by the law of the land. Data is often collected for marketing purposes through e-commerce websites. Such data should also be subject to security measures. Every type of data collection comes under the purview of the DPA.
What should be the status of data collection?
It is the prime responsibility of the employer to ensure that the data collected is kept as up to date as possible. For example, employees might have changed their addresses. Data should be updated as often as possible.
Is there any time frame for retention of personal data?
The law states very clearly that personal data should be stored only for as long as is necessary. Those who collect data are therefore expected to have a clear-cut data retention policy. It should also be ensured that the data is permanently wiped out after the expiry of the requisite period.
Who should know and to what extent?
Data collection should be purpose specific. For example, a bank or a financial institution engaged in the business of processing loans would require certain extra personal data which a marketing company would not. Thus the requirements of a loan processing company would be different from those of a loan marketing company. Excessive sharing of information is prohibited under the law. This is especially so if the information is sought for ethnic reasons. Political and religious issues are delicate and hence should be handled carefully. Similarly, issues relating to health or sexual preferences have to be dealt with in a different way altogether so as not to hurt any sentiments.
How should it be ensured that data stored in computers or other portable devices is secure and tamperproof?
The best way to secure data stored electronically is to encrypt it. In this way it becomes tamperproof and cannot easily be pilfered. The collecting company should also take care that such security mechanisms are constantly updated, as technology is growing at a tremendous pace. Such data can also be stored on a cloud server so that retrieval is easy in case the device gets stolen or damaged.
In case of staff, is it appropriate to monitor their movements using CCTV or email scanners?
Staff activity can be monitored, but it should be noted that the provisions of the DPA will be applicable and the employer should not infringe upon the privacy rights of the employee. Yes, CCTV as well as email scanners can be used, provided their use complies with the rules and regulations that have been laid down by the DPA. It goes without saying that staff should be made aware of such monitoring measures. It is only when the integrity of the staff seems suspect that the employer may resort to covert monitoring. Specific rules have been laid down for the purpose and they should be followed in all respects.
It is advisable to obtain legal advice before resorting to covert monitoring.
What is the procedure to be followed in case of data breaches in spite of following all procedures?
Ensuring the security of the personal data collected is the prime responsibility of the data controllers. As far as reporting of breaches is concerned, there is no hard and fast rule as to whom a data breach is to be reported. It is always better if the breach is brought to the notice of the ICO.
These were some questions which required immediate clarification in connection with issues of personal data collection.