
Managing Data on Customers & the Data Protection Act 1998

Businesses need to hold a range of information on customers, staff and the business itself. It is essential to ensure that this information is protected and as secure as possible. Any business holding information must also be sure that they are meeting the terms laid out in the Data Protection Act 1998.

When managing customer data you need to consider the following areas:

  1. Make sure you have an understanding of the Data Protection Act 1998
  2. Check whether you need to register
  3. Principles of data protection
  4. Identify the type of information you need to store and why
  5. Look at the format you will use to store information
  6. Develop confidentiality procedures to maintain data security
  7. Establish a retrieval system to access stored information
  8. Back up or copy essential data
  9. Ensure that staff understand and are trained in managing data
  10. Best Practice

Managing Customer Data & the Data Protection Act 1998

1. Make sure you have an understanding of the Data Protection Act 1998

Make sure you and your staff are aware of the Data Protection Act 1998. The Act governs how personal information is collected and stored and guards against its misuse.

2. Check whether you need to register

A self-assessment guide explaining whether or not you need to register is on the Information Commissioner's website. If you are still uncertain, check with the Information Commissioner, who enforces the Data Protection Act.

3. Principles of data protection

There are eight principles of data protection and anyone processing personal data must comply with them. These state that data must be:

  • fairly and lawfully processed
  • used for limited purposes
  • adequate, relevant, not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the rights of the data subject (eg the customer)
  • secure
  • not transferred to countries without adequate protection

A more comprehensive definition of these principles is on the website of the Information Commissioner's Office.

4. Identify the type of information you need to store and why

You must be clear as to the type of information you wish to store on customers or potential customers and why, eg name, address and any personal details. This includes information collected electronically, eg from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.

5. Look at the format you will use to store information

You need to ensure that any customer information is stored securely. Manual (paper) data is vulnerable to accidents such as fire or flood and, if stored in a basement, can be damaged by rodents, damp or vandals. Electronic information stored on floppy discs, CD-ROMs etc is easily stolen, damaged by fire or corrupted. Practical security should also be considered: for example, it is pointless storing sensitive documents in a safe if the keys are left lying around or anyone has access to the information stored.

6. Develop confidentiality procedures to maintain data security

A risk evaluation should be carried out to ensure that security systems are in place to protect data. For example, the business may decide not to give out client details over the phone; part of the security system is then ensuring that all staff are aware of this policy.

7. Establish a retrieval system to access stored information

Storing or archiving all of the business correspondence and documentation can be time consuming and make retrieval difficult, so you must have systems in place to manage data storage and retrieval. Make sure there is minimum duplication of customer information between, for example, the accounts system and a customer database. This helps you manage the customer data and comply with data protection law.

8. Back up or copy essential data

Businesses should always back up or copy essential data, as damage to files can mean the loss of essential information, including data on sales and market predictions or the business's financial records.

9. Ensure that staff understand and are trained in managing data

Staff should receive training in the business's data protection policies and understand the reasons behind its confidentiality procedures.

10. Best Practice

  • Contact the Information Commissioner's Office if you have any questions regarding registration requirements under the Data Protection Act.
  • Security of information should be treated with the same level of seriousness as that of premises or cash.
  • The storage and retrieval system should be monitored to ensure it continues to meet the needs of the business whilst complying with legislation.
  • Business Link advisers will be able to help you identify the information you need to retain and how to establish data management systems.

This Data Protection information is reproduced in accordance with Crown Copyright © 2013
