Data Protection
Training checklist for small and medium sized organisations
High-profile security breaches have increased public concern about the handling of personal information. As some 80% of security incidents involve staff, there is a clear need for all workers to have a basic understanding of the Data Protection Act 1998 (the Act).
We recognise that some organisations have limited resources to devote to staff training. This note outlines some of the practical implications of the Act and is intended as a basic training framework for general office staff in small and medium sized organisations. Under each heading is a non-exhaustive guide to the points that should be covered in any training. Staff with duties such as marketing, computer security and database management may need specialist training to make them aware of particular data protection requirements in their work area.
1. Keeping personal information secure
Do your staff know:
- to keep passwords secure – change regularly, no sharing?
- to lock / log off computers when away from their desks?
- to dispose of confidential paper waste securely by shredding?
- to prevent virus attacks by taking care when opening emails and attachments or visiting new websites?
- about working on a 'clear desk' basis – by securely storing hard copy personal information when it is not being used?
- that visitors should be signed in and out of the premises, or accompanied in areas normally restricted to staff?
- about positioning computer screens away from windows to prevent accidental disclosures of personal information?
- to encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen?
- to keep back-ups of information?
2. Meeting the reasonable expectations of customers and employees
Do your staff know:
- to collect only the personal information they need for a particular business purpose?
- to explain new or changed business purposes to customers and employees, and to obtain consent or provide an opt-out where appropriate?
- to update records promptly – for example, changes of address, marketing preferences?
- to delete personal information the business no longer requires?
- that they commit an offence if they release customer / employee records without your consent?
- about any workplace monitoring that may be in operation?
3. Disclosing customer personal information over the telephone
Do your staff know:
- to be aware that there are people who will try to trick them into giving out personal information?
- that to prevent these disclosures they should carry out identity checks before giving out personal information to someone making an incoming call?
- to perform similar checks when making outgoing calls?
- about limiting the amount of personal information given out over the telephone and to follow up with written confirmation if necessary?
4. Notifying under the Data Protection Act
Do your staff know:
- whether the company has a notification entry with the ICO or is relying on an exemption?
- that you need to monitor changes in business use of personal information, and notify the ICO if appropriate?
5. Handling requests from individuals for their personal information (subject access requests)
Do your staff know:
- that people have a right to have a copy of the personal information you hold?
- how to recognise a subject access request?
- who to pass it to if it is not their responsibility to answer?
- that the company has a maximum of 40 days to respond?
- that the maximum fee that can be charged is £10?
- that they may need to check the identity of the requester?
- what to do if other people’s information is contained in the proposed response?