You must follow rules on data protection if your business stores or uses personal information.
This applies to information kept on staff, customers and account holders, eg when you:
- Recruit staff
- Manage staff records
- Market your products or services
- Use CCTV
This could include:
- Keeping customers’ addresses on file
- Recording staff working hours
- Giving delivery information to a delivery company
For information on direct marketing, see marketing and advertising: the law.
Data protection rules
You must make sure the information is kept secure, accurate and up to date. When you collect someone’s personal data you must also tell them:
- Who you are
- How you’ll use their personal information
- They have the right to see the information and correct it, if it’s wrong
Also say if the information will be used in other ways – eg if it may be passed to other organisations.
The main data protection rules are set out in the data protection principles.
What you have to do
- Tell the Information Commissioner’s Office (ICO) how your business uses personal information
- Respond to a data protection request, if someone asks to see what information you have about them
If you misuse personal data, you could be given a heavy fine, or made to pay compensation.
Recruitment and managing staff records
You must keep any data you collect on staff secure – eg lock paper records in filing cabinets or set passwords for computer records.
Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards (eg by shredding).
You must give the name of your business and contact details (or those of the agency) on job adverts. Only collect the personal information you need on application forms, and don’t ask for irrelevant information, like banking details.
Example: You will usually only have to ask about motoring offences if driving is part of the job.
Only keep the information for recruitment – eg don’t use it for a marketing mailing list.
Keeping staff records
Make sure only appropriate staff, with the right training, can see staff records, and store sensitive information (eg about health or criminal records) separately.
Example: Don’t let managers access a worker’s sickness record if they only need to see a simple record of their absences.
If you’re asked to provide a reference, check the worker or ex-staff member is happy for you to do so.
Letting staff see their records
Your staff have the right to ask for a copy of the information you hold about them. This includes information about grievance and disciplinary issues. You must respond to their request within 40 days.
You can turn down their request if the information concerns someone else – eg you need to protect someone who’s accused them of harassment.
Staff can complain if they think their information is being misused, and you could be ordered to pay a fine or compensation.
Monitoring staff at work
You must be able to justify monitoring staff at work, which could include:
- Using CCTV
- Keeping records of phone calls
- Logging their email or internet use
- Searching staff or their work areas
Employees have rights at work and if you don’t treat them fairly they could:
- Take you to an employment tribunal
- Complain to the Information Commissioner
You must make them aware that they’re being monitored, and why – eg by sending them an email.
Also explain your policies on things like using work computers or phones for personal use.
Monitoring staff without their knowledge
You can monitor staff without their knowledge if:
- You suspect they’re breaking the law
- Letting them know about it would make it hard to detect the crime
Only do this as part of a specific investigation, and stop when the investigation is over.
Using CCTV
If your business uses CCTV, you must tell people they may be recorded. This is usually done by displaying signs, which must be clearly visible and readable. You must also notify the Information Commissioner’s Office (ICO) why you’re using the CCTV. You should control who can see the recordings, and make sure the system is only used for the purpose it was intended for.
If the system was set up to detect crime, you should not use it to monitor the amount of work done by your staff.
Letting people see CCTV recordings
Anyone can ask to see images that you’ve recorded of them. You must provide these within 40 days, and can charge up to £10. Find out more about using CCTV on the ICO website.
Data protection rules don’t apply if you install a camera on your own home to protect it from burglary.
Get advice on data protection
For more information and advice:
- Read the Information Commissioner’s Office (ICO) guidance for organisations
- Contact the ICO
ICO Head Office – England
0303 123 1113
029 2067 8400
0131 301 5071
ICO Northern Ireland
028 9026 9380