The 23 October deadline for compliance with the Data Protection Act 1998 sailed past many HR managers unnoticed. Here we look at some of the main business implications of the Act and offer advice on how to get systems up and running – fast.

All UK businesses should now be complying with the provisions of the Data Protection Act 1998. On 23 October the first transitional period of the DPA expired. However, most employers remain ignorant of the new rules and are running the risk of prosecution.

A survey last month by Tarlo Lyons and the Opus Group showed nearly two-thirds of firms were not aware of the deadline. Of 137 responses from managers responsible for data protection, 61 per cent were not aware of the impending date for compliance. And a poll in Personnel Today found 40 per cent of HR practitioners unprepared for the new duties.

“Businesses must take urgent steps to tackle these issues so that they are fully compliant with the Act,” said Andrew Rigby, head of e-business and banking technology law at Tarlo Lyons. “Bringing in new procedures and systems to cope in such a short time frame will challenge most businesses, but the issue cannot be ignored.”

One of the most important issues likely to impact on businesses with a global presence, Rigby said, is the prohibition on exporting personal data outside the European Economic Area.

“Under the DPA, a business cannot generally transfer data outside the EEA unless the country of the receiver provides a similar level of protection to personal data,” he said. “To date, few countries outside the EEA have been recognised as providing adequate protection. The US and some countries in the Far East provide no such protection, yet they are significant in terms of export business, trade and financial relationships with the UK.”

Only in limited circumstances will a business be able to transfer personal data lawfully to such countries, and businesses will need to enter into contracts with third parties or even with overseas members of their organisations to provide adequate protection.

Potentially all businesses which use the Internet could be caught out by the DPA, Rigby warns. A UK business which sends an e-mail containing the name and address of an employee, job applicant or customer to the US office of the same company will be in breach of the Act. Ultimately, the authorities may order the business to stop exporting any personal data, which could bring many international companies to a standstill, he adds.

Other aspects of the DPA could have a fundamental impact on the way UK companies do business via the Internet. For example, any business using a third-party to process data will need to ensure via the contract that the third party will take “appropriate technical and organisational measures” to protect personal data.

“This will have a significant impact on businesses that use a third-party to run, operate and process data received on its website,” Rigby warned.

Ten steps to compliance

1. Go through all manual and personnel data and check for any personal or sensitive data, such as opinions on an employee, race, medical information.
2. Ensure all filing systems are covered, including those held by departmental managers.
3. Remove any unnecessary or unhelpful data.
4. Devise a data protection policy (see box).
5. Devise consent forms for processing personal data as well as processing sensitive personal data.
6. Devise plans for regularly updating information, such as the regular circulation of new addresses and so on.
7. Put in place procedures for obtaining information on new employees correctly.
8. Work out how you will answer requests within time limits.
9. Decide whether you will make an administration charge for complying with requests.
10. Plan to review your policy as soon as the Data Protection Code of Practice comes into force.

Devising a policy

– What do you need to hold and why?
– Who should have access to the information?
– Who should hold the information?
– Make time limits clear – 40 days for access to records and 21 days for access to information.
– Make exemptions clear, such as the administration of justice exemption.
– How will disputes be dealt with? Follow the internal procedures first.
– Revise your disciplinary and grievance procedures to cover abuses of data.

A data remember… that most forgot
On 1 Nov 2001 in Personnel Today