Data security - Data Protection Act

The key compliance issues surrounding data protection and the Data Protection Act. If your business is in the Chesterfield area we, at Page Ivy, can provide you with assistance or any additional information required.

Many businesses are totally reliant on the data stored on their PCs, laptops, networks, mobile devices and in the cloud. Some of this data is likely to contain either personal information and/or confidential company information.

Here we look at some of the key compliance issues surrounding data protection and the Data Protection Act 1998 (the Act). The Data Protection Act will be superseded by the General Data Protection Regulation (GDPR) in May 2018. Please see factsheets - 'Data Security - General Data Protection Regulation' and 'Data Security - General Data Protection Regulation - Preparation' for more information on GDPR.

Whilst compliance with the Data Protection Act is a good step towards compliance with the GDPR, there are a number of new compliance issues which need to be addressed before May 2018, so we recommend you read these related factsheets as well as this one.

Most businesses process personal data to a greater or lesser degree. If this is the case, compliance with the Act is required unless one of the exemptions applies (see below).

Complying with the Act includes a notification process, handling data according to the principles of data protection and dealing with subject access requests.

In the UK, the Information Commissioner (ICO) is responsible for the public Data Protection Register and for enforcing the Data Protection Act.

Summary of the principles of the Data Protection Act

  1. Personal data must be fairly and lawfully processed;
  2. Personal data must be processed for limited purposes;
  3. Personal data must be adequate and not excessive;
  4. Personal data must be accurate and up to date;
  5. Personal data must be kept no longer than necessary;
  6. Personal data must be processed in line with the data subjects' rights;
  7. Personal data must be secure;
  8. Personal data must not be transferred to countries outside the European Economic Area (EEA) without adequate protection.

Exemptions

There are 5 main categories of exemption -

  • organisations that process personal data only for:
    • staff administration (including payroll)
    • advertising, marketing and public relations (in connection with their own business activity) and
    • accounts and records
  • some not-for-profit organisations
  • organisations that process personal data only for maintaining a public register
  • organisations that do not process personal information on computer and
  • individuals who process personal data only for domestic purposes.

There are a number of more specific exemptions. However, most companies find the exemptions are too narrow, and opt to notify (see below).

Notification

Notification is the method by which a company's usage of personal data is added to the public Data Protection Register maintained by the ICO. The process starts by completing the notification documentation (available from www.ico.org.uk) and sending this back with the annual notification fee (currently £35 for small businesses and charities, for example).

Notification needs to be performed annually (even if there are no changes).

Be aware that there are shadow organisations who say they represent the ICO and who charge more than the standard £35 fee.

Subject Access Request (SAR)

Individuals have rights under the Act to find out whether you are processing personal data relating to them. Further, the individual may make a subject access request (SAR) which means they must be provided with a copy of the data which is stored about them.

Most SARs must be responded to within 40 days.

An individual has the right to ask you to:

  • correct or delete information about them which is inaccurate;
  • stop processing their personal data for direct marketing purposes;
  • stop processing their data completely or in a particular way (depending upon the circumstances).

A fee can be levied for dealing with an SAR - but only up to £10 (except for health or education records where the fee may be higher or lower than £10).

If a fee is levied, the access request does not have to be complied with until the fee has been received.

The Act makes it clear that the SAR must contain enough information to validate that the person making the request is the individual to whom the personal data relates. So it may be necessary and is legitimate to ask for further identification from the originator of the SAR.

Data security

The Act says there should be security that is appropriate to:

  • the nature of the information in question;
  • the harm that might result from its improper use, or from its accidental loss or destruction.

The Act does not define 'appropriate' - but it does say that 'an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved'.

So, there are a number of key areas to concentrate on which are considered below.

Management and organisational measures

Someone in the organisation should be given overall responsibility for data security.

Staff

Staff need to understand the importance of protecting personal data, be familiar with the organisation's security policy, and follow security policies and procedures. There should be on-going training and refresher sessions to reinforce the need for good security.

Physical security

Technical security measures to protect computerised information are of obvious importance. However, many security incidents relate to the theft or loss of equipment, the disposal of old equipment not being wiped sufficiently and manual records not being shredded or otherwise disposed of securely.

Compliance with other Acts and regulations

As well as the necessity to comply with the Data Protection Act, there are various other Acts and regulations which have a bearing on data security. These include:

  • Privacy and Electronic Communications Regulations (PECR) 2003 - which cover 'spam' and mass-marketing mail shots. Regulations under the PECR are also issued from time to time. For example, regulations govern the use of cookies on websites and, since 2016, require anyone making a marketing call to display their number.
  • Copyright, Designs and Patents Act - amended in 2002 to cover software theft.
  • There may be other IT standards and regulations applicable to your business sector. For example, companies processing credit card transactions need to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

Sources and links

There is a wealth of information, checklists and other material on the Information Commissioner's (ICO) website regarding both the Data Protection Act and GDPR.

How we can help

If your business is in the Chesterfield area we can provide help in the following areas:

  • performing a security/information audit
  • training staff in security principles and procedures
  • notification
  • advising on appropriate procedures to ensure compliance with regulations applicable to the organisation.

Please do not hesitate to contact us at Page Ivy if we can be of further assistance.
