When the Data Protection Act 1998 came into force in March 2000, it soon became clear that many companies were confused about the actions they needed to take to comply with the new law. To provide guidance, the government's Information Commission started work on a code of best practices. The code has gone through numerous drafts, and its release date has slipped since it was first suggested by David Smith, the then deputy information commissioner.
Initially it was planned for the guidelines to be issued in a single short document, but they are now being released in four parts covering: recruitment and selection, records keeping, employee monitoring, and medical information storing. These documents will offer guidelines for companies to manage the information they hold about staff, customers, interviewees and others. They will explain how firms should manage any records, such as emails, that can identify individuals. The guidelines will also explain the conditions under which companies may monitor staff communications, such as phone calls and emails, and under what conditions medical information may be held and divulged. Although much delayed, the final two instalments of the guidelines, covering monitoring and medical records, are expected to be released by November.
For activities such as data collection and monitoring, companies will have to set up appropriate systems. This may require the use of archiving tools for email and other documents, which may create a need for extra storage. Firms may also need tools and systems to analyse and monitor use of the Internet, email and phones.
Staff monitoring
Some aspects of the act are straightforward - for example, the stipulation that employee data should be treated in the same way as any other personal data, and should be easily accessible - but other aspects of the law are less clear-cut, such as the conditions under which companies may monitor their staff. The Information Commission's code of practice provides advice for compliance. However, for more information firms may need to turn to lawyers or other resources.
Security is an important consideration, as companies may be liable for information that is lost or stolen, including data lost to hackers or viruses.
A virus such as Bugbear could take sensitive information such as passwords, or data that could be used to identify individuals. To protect themselves, many companies should therefore set up and properly manage security tools available from vendors such as Sophos or MessageLabs.
For firms that need to monitor or filter the way their staff use the Web and online systems, IT vendors such as Websense, Secure Computing, Advanced Productivity Software and SurfControl offer a range of tools. Such products will be necessary for any companies that monitor staff Internet use in the workplace, and want to control the content of emails that employees send and receive.
The Websense Reporter suite, which works alongside Websense Enterprise, is an example of an easy-to-use reporting tool. Another option is HyperScape's UC.LAN, which is designed to manage and monitor Internet use, enhance productivity and reduce the potential for litigation.
Have your say: contact IT Week
Resources
- Information Commission guides on best practices for compliance
www.dataprotection.gov.uk
- Details of the Data Protection Act are available on the government's Stationery Office Web site
www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm
- Law firm Sprecher Grier Halberstam's Weblaw group offers legal guidance on data protection
www.weblaw.co.uk/dataprotection.htm
- The British Standards Institution has produced a series of guides giving advice on how to ensure compliance with the Data Protection Act
www.bsi-global.com/DISC/Working+Withyou/DataProtection+Guides.xalter
- The British Chambers of Commerce has on its Web site various pieces of advice covering the Act, many by legal professionals
www.chamberonline.co.uk
- Research company Experian has a Data Protection Advice Centre on its Web site that explains how compliance should be achieved and gives examples of how the Act applies in everyday business situations
www.uk.experian.com/nbd/dpac.html





