The UK regulator, the ICO, has ‘huge concerns’ over Uber breach – http://www.bbc.co.uk/news/technology-42079937
The short answer is no longer than necessary.
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information; and
- the ease or difficulty of making sure it remains accurate and up to date.
There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
The CIPD have a great resource regarding HR records which can be found here.
The UK’s third generation of data protection law has entered Parliament.
The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.
The Information Commissioner’s (ICO) website has been updated to include a new section about the Data Protection Bill.
This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.
When the General Data Protection Regulations (GDPR) come into effect next year there will no longer be a requirement to notify the Information Commissioner’s Office (ICO) as there is now.
There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.
The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing. The final fees will be approved by Parliament before being put into place.
For the purposes of the Data Protection Act the quick definition is data which identifies a living individual.
The Information Commissioners Office has put together a quick reference guide to help. Please click here to access the guide which will open in a new window.
Why not join us for networking with a purpose
33 Emsworth Road,
Hampshire, PO9 2SN
Reputation Matters session
We have a great insight from an industry insider.
Why does Health & Safety just seems to get in the way of getting anything done these days?
After years of bearing the brunt of this question, workplace safety advisor and Reputation Advocate John Simmons of Sim Compliance will give his views.
Book Your Place
£14 (cash only) on the door includes a light lunch
Reputation Advocates just £10 contribution to refreshments
Cultivating the ability to create in the moment, the agility to respond with wisdom, and the awareness to spot opportunities as they arise.
Find out more
There are plenty of databases out there but whether they can be used to send marketing material will depend on the basis on which the personal information concerned was collected. The general rule is that unsolicited marketing can be sent to individuals where they have agreed to this or where it is likely to be within their reasonable expectations. For example, if an individual goes on holiday with a particular travel company then it is reasonable for that company to send a brochure advertising similar holidays the next year, unless the individual has made it clear that they do not wish to receive such marketing.
Therefore, the buyer of a list needs to check the basis on which the information was collected and whether any of the individuals have objected. The buyer should also establish whether the individuals would only expect to receive marketing via a particular medium, for example by mail. When using the telephone or email the special rules governing electronic marketing should also be complied with.
Unsolicited marketing emails should only be sent to individuals who have consented (and consent cannot be assumed if an individual does not respond).
If it is established that the list buyer can use the personal information for marketing they should only market products and services which are similar to those that the information has been used to market previously. Further guidance on electronic mail marketing can be found here
The Data Protection Act requires that any personal information held should be adequate, relevant and not excessive, and that it should not be kept for longer than is necessary. The new owner of a database should decide how much of the information they need to keep. Any unnecessary personal information should be deleted. Personal information should not be held simply on the basis that it might become useful one day.
Identity theft at epidemic levels, warns Cifas – Read more on the BBC website
Are you sleepwalking into trouble?
Read more on the BBC…