why is data protection important?
private sector
Although, for the most part, private sector organisations will not be affected by the Freedom of Information Act, the Data Protection Act still holds large ramifications for them in their data processing activities.
Private sector organisations still need to bear in mind that they may receive subject access requests from their data subjects (clients, customers and various other external parties).
Under the Act, data subjects are entitled:
- to know if a Data Controller processes information about them; and
- to have the personal data itself communicated to them in an intelligible form.
If the information held about the person making the subject access request can be defined as personal data, then they may be entitled to receive it, so long as none of the exemptions under the Act apply.
It is also important for private sector organisations to consider the following factors.
- Is fair processing notification given when data is collected, and if it is subsequently processed for different / additional purposes?
- Is the data subject aware of what their data is being used for?
- Do employees know how to recognise and deal with subject access requests, and are they aware of the time limits involved?
- Have employees been given appropriate training on data protection issues?
- Are there policies and procedures in place to protect personal data?
- Do you have sufficient technical and organisational measures in place to protect data?
- Where data is processed on your behalf by external data processors, sub-contractors or agency staff, are there agreements in place to make sure that they are safeguarding the data? (Note that the data controller retains overall responsibility for the actions of its staff as well as any external parties employed to process data.)
- Is there a data retention policy in place to ensure that data is not kept for longer than necessary?
- Where data is transferred outside of the European Economic Area, are there safeguards in place to protect it?
- Is the HR or Personnel team appropriately qualified to handle personal data (including some that is sensitive personal data), and is it processing that data in accordance with the business's data protection policy?
- Are sales and marketing agreements that involve the processing of data by the business or a third party adequately taking into account the eight principles of the Data Protection Act?
