IT managers are responsible for looking after vast amounts of data which is key to their company's success. They will, amongst other things, be involved in system design, development and testing, implementing security and access policies and storing data. IT managers may also keep contact details of business partners e.g. IT suppliers as well as data which relates to their staff. Most of this data will relate to living individuals and therefore be governed by the Data Protection Act 1998 ("DPA"). As a result, IT managers should be aware of the obligations imposed by the DPA.
The Data Protection Act
In short, the DPA applies to personal data which are processed by a data controller. Thus the Act will only apply to data held about living individuals (ie personal data). The definition of "processing" under the Act is so wide, including the collecting, storing, analysing, deleting or destroying of data, that it will cover virtually any activity carried out in relation to data. The Act applies to personal data held on computers or if they are contained in paper records which are within the filing system. A data controller is someone who determines the "purposes and manner" in which personal data are processed and this is likely to be the company itself rather than the individual IT manager.
As a data controller, the company (and therefore its employees) are obliged to comply with eight principles of good practice in relation to data-handling. These say that data must be:
Principle 1: Fairly and lawfully processed
Principle 2: Processed for limited purposes and not in any manner incompatible with those purposes
Principle 3: Adequate, relevant and not excessive
Principle 4: Accurate
Principle 5: Not keep for longer than necessary
Principle 6: Processed in line with the data subject's rights
Principle 7: Secure
Principle 8: Not transferred to countries outside the EEA without adequate protection
How the DPA might affect IT Managers
IT Managers may have contracts in place with third parties who provide off-site back-up facilities on behalf of the company. (These third parties are likely to be "data processors" under the DPA). The company must ensure that there is a written contract in place between the parties which must require the data processor to act only on the company's instructions and to comply with the security obligations which the DPA imposes on the company. The company must also select a data processor that can provide suitable guarantees of the security of the processing to be carried out. Finally, the company must take reasonable steps to ensure the data processor complies with its security obligations.
Companies may need to transfer personal data overseas and IT Managers may be responsible for facilitating such transfers. The DPA prohibits the transfer of personal data to a non- EEA country unless there is adequate protection. If a company breaches this principle then it could be the subject of an enforcement notice by the Commissioner (who enforces the DPA in the UK) and could be liable to compensate individuals whose data is transferred. "Adequacy" is determined by a number of factors, the most important of which are: the nature of the data, the country of origin; the country of final destination; the purposes of the processing; the laws and codes of conduct in force; and the security measures in place. There are some limited exceptions to this principle (e.g. the individual has given consent). In addition, the European Commission has recently approved some "Model Clauses" which if used by data controllers will be considered to provide "adequate" protection for the data.
Finally, IT managers should be aware that under the DPA, individuals have the right to request (and the company is obliged to provide) a copy of all personal data which a company holds about that individual. IT managers therefore need to ensure that procedures are put in place to deal with any such requests and that information can be easily retrieved. This will mean keeping a record of all the databases where such personal information may be kept. Although information may be withheld on certain grounds under the Act, there is generally no justification under the DPA for simply deleting information which a company thinks is inappropriate (e.g. rude or embarrassing comments made by the employees).