Legal advice: Keeping your customers' data secure
NOT A day goes by without us reading some lurid story in the press about data protection lapses, often by government agencies, but also by many high-profile private sector businesses.
The HM Revenue & Customs (HMRC) debacle probably had the widest press coverage, where a junior official, in breach of procedure, sent out CDs containing details of 25million people in connection with child benefit. The CDs were lost in transit, had not been encrypted and contained names, addresses, NI numbers and, in some cases, bank details. The information needed for criminal gangs to steal people's identities was there for all to see.
This sort of press coverage results in greater awareness by individuals about the importance of safeguarding their personal information and the dangers that exist if proper precautions fail to be taken.
The licensed trade is no exception - wherever you have any dealings with personal details belonging to your customers, staff or suppliers, you should take care with those details. Security is only one aspect of data protection legislation, and in this article we will look at a couple of other aspects of the legislation which will apply just as much to pubs, as they do to other areas of business.
Security of data
Care should be taken to ensure that only those who have a reasonable expectation of seeing a particular individual's personal details will actually see them. If a junior member of staff has no business looking at the details, they should be shielded from them. Computer records should be password-protected and you should try to restrict the ability of casual passers-by from being able to read information on screens or documents. Particular care should be taken with computers that are situated in public places - make sure the screen is facing away from customers and those passing through.
Passwords should also be changed regularly, and you should take other obvious precautions, such as ensuring that there is protection in place against corruption by viruses or other forms of intrusion.
Any offices where personal data is stored should ideally have access controls. Paper files should be kept in locked cupboards when not in use.
Precautions should also be taken against burglary, fire or natural disasters. When disposing of confidential information, make sure you use a shredder.
Only last month there was an article in a newspaper about the disregard shown by a particular accountancy firm for their customers' personal information. Members of the public had called the local paper, and that firm's name was published, alongside a photograph showing bags of confidential papers spilling out onto the street. Bank details were easily viewable by passers-by. Simple precautions can avoid such embarrassing situations.
One of the key things you can do is to alert staff to their responsibilities - make sure that anyone who might find themselves dealing with the rubbish knows full well about the dangers of simply putting confidential information out with the rest of the trash. It should be made a disciplinary offence for somebody to put others' personal information at risk without having taken due care first.
Obtaining personal information
The Data Protection Act 1998 contains eight data protection principles which are central to the way in which personal details should be handled. One of those principles requires you to ensure that you process personal details fairly and lawfully.
This is particularly relevant when you first obtain someone's personal details. Before putting that person's details onto your computer or in a particular type of structured manual file, known as a 'relevant filing system', you should make sure that the person knows what you plan to do with their details.
If it is obvious why you need their details (they are a supplier and you need their details to continue to do business with them, for example) there is no need to make a special effort to point out the obvious. If, however, you plan to do something with the personal information that they would not reasonably expect, you should make it expressly clear what you plan to do and, in most cases, you will need to obtain their consent.
An example would be if you are collecting customers' details to enter them into a prize draw. If you also want to use their details to market special offers to them, this should be made clear and you should keep a record of their agreement. Normally this would be made clear in the entry form for the prize draw.
The situation is made slightly more complicated if you are handling what is known as 'sensitive personal data'. This is information which is particularly sensitive (such as that relating to the person's health, race, criminal convictions), and therefore an additional hurdle is put in your way to make sure that particular care is taken with the information.
Typically, you would need to have the explicit consent of the individual before you can lawfully use this category of information - you cannot simply assume an implied consent, as you might be able to do with less sensitive categories of information.
Rights of individuals
With increased public awareness of data protection issues comes increased awareness of individuals' data protection rights. Anybody whose personal details you process will (in most cases) have the right to know whether you are processing their personal details and, if so, they are entitled to a description of the details you process, the purposes for which they are being processed and the types of recipients to whom the details may be disclosed.
If someone wants to see the information you have on them, they can make what is known as a 'data subject access request'.
You are allowed to charge up to £10 before complying with that request, and should satisfy yourself that the person making the request is either (a) the person about whom the data is held, or (b) acting on behalf of that person and with that person's authority.
It is not unheard of for private investigators or others with no right to discover information about another individual to pose as that individual and make a subject access request on their behalf.
To disclose personal information erroneously to such a person would put you in breach of the security provisions of the Data Protection Act if you had not taken proper care to check that person's identity first. If this causes an individual loss and distress, you could be liable in damages.
If we get it wrong…?
It is possible for a disgruntled employee, customer or supplier to take action against you for breaching their data protection rights.
Usually, in the first instance, they will make a complaint to the regulator, the Information Commissioner, who is under a duty to investigate an alleged breach.
While any problems can usually be rectified through dialogue between the Information Commissioner's Office (ICO) and the alleged transgressor, it is open to the ICO to issue an enforcement notice if it believes that a breach is continuing or is not being dealt with properly. Failure to deal with an enforcement notice is a criminal offence, which could result in fines of up to £5,000 per offence.
But it's also bad for business. Nobody is forced to do business with you or work for you. They can just as easily go somewhere where their personal details are properly handled.
When it lost the CDs containing millions of people's personal details, the HMRC spent £3m sending letters of reassurance to all those affected.
While it is unlikely that any breach committed by you could result in such costly remedies, this case serves as an important reminder that if we all take some basic precautions, we can save ourselves a lot of grief in the long run.
---
Darren Clayton is partner of Doyle Clayton Solicitors based in London and Reading. Doyle Clayton specialises in employment law and act
