When asking customers for their details, it is common to allow them to opt out of having these used in certain ways, typically various forms of direct marketing. These decisions must be recorded and the subject’s wishes must be respected at all times.
If there is the possibility that people’s records could be transferred to third parties (other than parties that have a legal right to ask for access, such as the police) then this must be specifically documented.
- drug and alcohol testing
- storing medical information
- searching employees or their possessions
Retention
It is useful to create clear guidelines for staff about the length of time for which personal files should be kept. The more specific the advice, the better. In this way, everyone involved in the collection, storage, modification and maintenance of personal data will understand what their obligations are.
The Data Protection Act states that records should be kept for no longer than is necessary to achieve the purpose for which they were collected. A clear and coherent written strategy will help a business to comply with this aspect of the Act.
The EU General Data Protection Regulation (GDPR) became applicable on 25 May 2018; in the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998 on the same date. The Regulation expands the rights of individuals to control how their personal data is collected and processed, and it places a range of new obligations on organisations to be more accountable for data protection.
Organisations are obliged to have technical and procedural measures in place to safeguard the personal information they hold.