Assess your own Data Protection Policy

Having learned about the legal responsibilities you have as a data controller under the Data Protection Act, it should be evident that these responsibilities will not be met unless the issues involved are examined specifically and in a structured manner, and the results of that examination are converted into a clear policy position on data protection.

Remember: you should be able to answer YES to all of the questions below. If you can, your business is in good shape from a data protection viewpoint. If you don't have a clean sheet, the checklist can help you identify the areas where you need to improve.

Fair obtaining:
  • At the time when we collect information about individuals, are they made aware of the uses for that information?
  • Are people made aware of any disclosures of their data to third parties?
  • Have we obtained people's consent for any secondary uses of their personal data which might not be obvious to them?
  • Can we describe our data-collection practices as open, transparent and up-front?

Purpose specification:
  • Are we clear about the purpose (or purposes) for which we keep personal information?
  • Are the individuals in our database also clear about this purpose?
  • If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose?
  • Has responsibility been assigned for maintaining a list of all datasets and the purpose associated with each?

Use and disclosure of information:
  • Are there defined rules about the use and disclosure of information?
  • Are all staff aware of these rules?
  • Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
  • If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data?

Security:
  • Is there a list of security provisions in place for each data set?
  • Is someone responsible for the development and review of these provisions?
  • Are these provisions appropriate to the sensitivity of the personal data we keep?
  • Are our computers and our databases password-protected, and encrypted if appropriate?
  • Are our computers, servers, and files securely locked away from unauthorized people?

Adequate, relevant and not excessive:
  • Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
  • Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
  • If an individual asked us to justify every piece of information we hold about him or her, could we do so?
  • Does a policy exist in this regard?

Accurate and up-to-date:
  • Do we check our data for accuracy?
  • Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
  • Do we take steps to ensure our databases are kept up-to-date?

Retention time:
  • Is there a clear statement on how long items of information are to be retained?
  • Are we clear about any legal requirements on us to retain data for a certain period?
  • Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
  • Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?

The Right of Access:
  • Is a named individual responsible for handling access requests?
  • Are there clear procedures in place for dealing with such requests?
  • Do these procedures guarantee compliance with the Act's requirements?
