Charity

Information rights

Good information handling provides a range of benefits as well as helping you to comply with the Data Protection and Freedom of Information Acts. We have produced guidance for senior managers about taking a positive approach to information rights.

Data protection – looking after the information you hold

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Good information handling makes good business sense, and provides a range of benefits. You’ll enhance your organisation’s reputation, increase customer and employee confidence, and, by ensuring that the information is accurate, save both time and money.

Find out about your data protection obligations.

Requests for personal information

Your employees and customers have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. Find out more information on this and what you need to do to reply to a subject access request.

Notification with the ICO

If you handle personal information, you may need to notify as a data controller with the Information Commissioner’s Office. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence. See our page Do I need to notify and how do I maintain my register entry? for more information.

If your establishment is not-for-profit, you may be exempt. We have produced guidance about the exemption from notification for ‘not-for-profit’ organisations, which aims to answer a number of questions regularly raised by charities and voluntary organisations.

Marketing activities

We have produced charities and marketing guidance explaining what charities and voluntary organisations need to do to comply with data protection law when they carry out marketing activities.

Employment

As an employer, you are obliged to protect your employees’ personal information. For more information, see our section on employment here; our Quick Guide to the Employment Practices Code gives practical advice on handling employees’ personal information, on monitoring at work and on employees’ rights. You will also find help on your obligations regarding the storing and release of any references you supply.

Training

A toolkit has been created specifically for organisations in the charity sector – reminding staff to ‘press the mental pause button’ when handling personal data. TH!NK PRIVACY offers a range of free downloadable materials including posters, bin stickers and postcards, making data privacy relevant to, and the responsibility of, everyone in your organisation. Find out more about TH!NK PRIVACY and download your free materials.

Outsourcing

If you outsource the processing of personal information, we have produced guidance on what you need to do to comply with the Data Protection Act. Typical examples would include outsourcing your payroll function or customer mailings. Outsourcing - a guide for small and medium sized businesses sets out which parts of the Act are important when outsourcing and provides some good practice recommendations.