Data protection

22nd December 2011

One of the most fundamental factors that a company needs to consider is its treatment of data, and the relevant regulations that control this. It is important that companies consider data handling and protection from two different perspectives: internally and externally. Internally, the considerations are document retention and destruction. Externally, the attention needs to be on the data protection of client information.

A data controller is a party, in this case a company, that has control over some personal information and details of individuals. This can be information that is held about members of the company such as directors or shareholders, or it may be information about customers. The treatment of data is covered in the Data Protection Act (1998), and it refers to a wide range of personal details that a company may hold as a result of its association with individuals. It is important that all data controllers register with the Information Commissioner's Office (ICO) where appropriate to ensure that regulation takes place.

When a data controller registers with the ICO, it must follow the eight principles of data protection, regardless of whether it uses the information it holds or not. The eight principles are as follows:

  1. To use personal data in a fair and lawful manner
  2. To only gain data for a purpose that is lawful, and process it in an appropriate manner
  3. To limit the amount of information gained to what is required
  4. To ensure data kept is accurate
  5. Not to keep any information for longer than is necessary
  6. To process data within the rights of the subject
  7. To keep data securely
  8. To ensure data is kept within the European Economic Area

There are, however, certain circumstances where the data can be used and processed without the consent of the individual. For example, the data could be used to fulfil a contractual obligation of the individual. Alternatively, the data can be used without permission if it is to meet a legal requirement, or is in the best interests of the individual.

Internally, it is important that companies have a specific policy with regard to the handling and maintenance of documents beyond their initial usage. The policy will not only help to meet legal requirements in specific areas, but will also help in the general administration of the company. It is important that time lengths and potential storage options are considered in the policy, for example what format documents should be kept in. Furthermore, it is vital to consider the disposal and destruction of documents, so that they are kept for the minimum relevant periods. This is important as the validity of certain contracts, and therefore the necessity to keep them, may vary.

The data protection policy of a company is not only important to meet basic legal requirements and protect the rights of consumers, but is also important in efficient administration. Consideration of the varying areas of data is important to meet statutory requirements, and minimise excess costs relating to storage of unnecessary information. If you have any queries on data protection, please contact us on 020 8952 0140 (note that we can only provide basic guidance).

 

Please contact us on 020 8952 0140 for more information.
email: info@wisteria.co.uk / web: http://www.wisteria.co.uk