Lawful, fair & transparent
Lawful is predominantly covered by the nature of consent, which we’ll look at below. While fair and transparent seem the most obvious principles, they present some of the biggest challenges. Organisations are going to have to wrestle with what constitutes fair whilst also trying to achieve their goals, and this is only right. You should constantly question whether your use of personal data is fair and make sure you record the choices you make.
Recording these kinds of decisions is a key part of regulatory compliance and helps you to be transparent. Get into the habit of logging as much as possible in relation to your data processes; chances are you’ll not need it, but when you do you’ll be thankful it’s there.
Legitimate and necessary
What are you doing with the data, and what data do you really need?
We love data just as much as the next analytics geeks, but you can’t gather data just for the sake of it, or just in case you can find a use for it later. So know what you’re doing with the data and make it clear to the subject.
Accurate and up to date
The point on accuracy is interesting: you are expected to ensure that the data you hold is accurate, and where it is not you are required to delete or rectify it. This seems confusing until you start to think about the kind of situations that incorrect data can lead to, and the annoyance or even pain it could cause.
Obviously data needs to be up to date in order to be accurate, but this raises another key consideration for the data you are storing: for what period is consent valid? Simply put, how long should you hold data?
This isn’t an easy question and it largely relies on context; you need to consider questions like: are you in regular contact with this person? Do you have an ongoing contract?
Clarifying how long you will hold a person’s data should be included at the point they give you consent. The ICO offer an average guideline of 2 years for holding a person’s data outside of any specific requirements, so if you’re not sure I’d stick with this.
This month Gloucester City Council were fined £100,000 by the ICO after a cyber attack in 2014, using the ‘Heartbleed’ vulnerability, accessed council employees’ personal data. Please do remember that personal data covers any personal data you hold about anyone, including your employees.
‘Heartbleed’ went public on April 7th; Gloucester council’s IT team had identified an issue with their own system by the 17th. A patch was available but nothing was done, as at that point they were outsourcing updates of this type to a 3rd party and it was overlooked.
Appropriate attention and importance need to be placed on your data security and on maintaining your software; updates are essential. And if you’re dealing with 3rd parties, have appropriate processes in place to ensure the right work is getting done when it most needs to be done. This is helpful anyway, for both parties, to better manage their time working together.
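The lesson from the Gloucester case is that outsourcing updates does not outsource the responsibility to confirm they happened. The script below is an added example, not part of the original post or of any council or ICO tooling: it takes a version inventory of the kind a patching contractor might report back, compares each host’s installed library against a minimum fixed version, and flags anything still unpatched longer than an agreed SLA after the fix was published. The host names, dates, SLA of 7 days and versions are constructed for the example; ‘1.0.1g’ is assumed here as the first OpenSSL release without Heartbleed, so treat the threshold as a parameter you take from the vendor advisory rather than from this code.

```python
import re
from datetime import date
from typing import List, NamedTuple, Tuple


class HostRecord(NamedTuple):
    """One row of a (constructed) patch-status report from a third party."""
    host: str
    library: str
    version: str
    last_patched: date


class Finding(NamedTuple):
    """A host still running a version below the minimum fixed release."""
    host: str
    installed: str
    days_since_fix_available: int
    outside_sla: bool


VERSION_PART = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '1.0.1f' into ((1, ''), (0, ''), (1, 'f')).

    Numeric parts then compare as numbers (so '1.0.10' > '1.0.9', which a plain
    string comparison gets wrong) and OpenSSL-style letter suffixes sort after
    the bare release: '1.0.1' < '1.0.1a' < '1.0.1g' < '1.0.2'.
    """
    parts = []
    for piece in version.split("."):
        match = VERSION_PART.match(piece)
        if not match:
            raise ValueError(f"unrecognised version component {piece!r} in {version!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the minimum fixed version."""
    return parse_version(installed) >= parse_version(minimum)


def audit_patch_status(inventory: List[HostRecord], library: str, minimum_version: str,
                       fix_published: date, today: date, sla_days: int = 7) -> List[Finding]:
    """Return a Finding for every host whose copy of `library` is below `minimum_version`.

    `outside_sla` is set once the fix has been available longer than `sla_days`,
    which is the point at which a third party's "we handle updates" needs chasing.
    """
    findings = []
    age = (today - fix_published).days
    for record in inventory:
        if record.library != library or is_patched(record.version, minimum_version):
            continue
        findings.append(Finding(record.host, record.version, age, age > sla_days))
    return findings


# Constructed inventory: host names, versions and dates are invented for the example.
INVENTORY = [
    HostRecord("web-01", "openssl", "1.0.1g", date(2014, 4, 10)),
    HostRecord("web-02", "openssl", "1.0.1f", date(2014, 3, 2)),
    HostRecord("mail-01", "openssl", "1.0.1e", date(2014, 1, 15)),
    HostRecord("db-01", "openssl", "1.0.2", date(2014, 4, 20)),
    HostRecord("app-01", "libxml2", "2.9.1", date(2014, 4, 1)),
]


def run_example() -> List[Finding]:
    """Audit the constructed inventory ten days after a fix published on 7 April 2014."""
    return audit_patch_status(INVENTORY, "openssl", "1.0.1g",
                              fix_published=date(2014, 4, 7), today=date(2014, 4, 17))


if __name__ == "__main__":
    for finding in run_example():
        status = "OUTSIDE SLA" if finding.outside_sla else "within SLA"
        print(f"{finding.host}: openssl {finding.installed} unpatched for "
              f"{finding.days_since_fix_available} days ({status})")
```

Two caveats that matter in practice: a bare version string only works within one release line, and distribution packages often backport a fix without changing the upstream version number, so the real check is against the vendor’s advisory for the package you actually run. The value of a script like this is less the comparison itself than the habit it enforces of asking the third party for evidence and recording the answer, which is exactly the kind of log the earlier section recommends keeping.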