Basic techniques such as establishing robust policies, training all new staff, developing a working process to ensure safe employee access to data, remaining transparent, ensuring the protection of electronic data and removing staff access when needed are good practice and likely to meet minimum legal requirements.
But what exactly is personal data? “There is no one definition,” comments Stephen McCartney, Head of Private Sector Data Protection Promotion at the Information Commissioner's Office – the UK's independent authority set up to promote access to official information and to protect personal information. “To some extent, what constitutes personal data depends on who is holding the data. Most of us are data controllers – we make decisions regarding data, and this means we have responsibilities and an obligation to process lawfully and transparently.” He suggests that we mitigate risks by only collecting what is necessary, keeping it accurate, updated, secure, and only as long as necessary – and by being exceptionally careful to safeguard sensitive and exported data.
The idea is to walk the fine line between allowing the access we need to do business and restricting access where it is likely to be invasive or misused. It’s a constantly moving target that requires us all to stay informed.
As managers we need to be aware and vigilant – taking full advantage of the resources offered by the expert public and private agencies offering guidance on a complex topic.