Q: I am about to set up a consultancy business and will be handling sensitive client information, what do I need to consider legally around Data Protection?
A: The Data Protection Act controls how our personal information is used by organisations, businesses or the government. It is a legal requirement that anyone responsible for using data has to follow strict rules called ‘data protection principles’, summarised as follows:
- Use fairly, lawfully and only for limited and specifically stated purposes in a way that is adequate, relevant and not excessive to the work you are carrying out
- Keep the data accurate, and do not keep it for longer than is absolutely necessary.
- Keep the data safe and secure, and do not transfer outside the European Economic Area without adequate protection.
You do need to gain permission to use and handle any client data, and this should be agreed within your contract or terms of business. It is not recommended to use any data whose origin you cannot trace, or for which you have not got explicit permission. Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998.
It is important to ensure you have adequate security measures on your computer systems to ensure the safety of any data in your care, and to consider data encryption options. It is worth noting that using open Wi-Fi connections in public spaces, e.g. cafes, could leave your mobile device vulnerable to third-party interception, and you could be personally liable for the theft of any data that was in your possession.