The Business is required to comply in a number of ways with the Data Protection Act 1998 (DPA 1998). The first of these is registration under the DPA 1998. It is the responsibility of the Compliance Director (CD), Martin Langan, to ensure that:
- the Business is registered with the Information Commissioner for all necessary activities under the Act;
- there is a process of continual review to determine whether any changes in the Business' registration are required as a result of changes in the nature of the business;
- the details of the Business as registered are kept up to date.
The second aspect of compliance is the observance of the principles that underlie the DPA 1998, namely that all data covered by the Act (which includes not only computer data but also personal data held within a filing system) is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- not transferred to countries without adequate protection.
It is the responsibility of the CD to ensure that all Directors and staff are aware of their obligations under data protection law and are provided with any updates on how they are required to support the practice in ensuring compliance.
The Business has a policy for the overall management of all electronic data. The responsibility for its management is with the CD.
The Business will inevitably hold various categories of data, including financial, marketing, client details, third party information and so on.
The practice provides training to all staff as follows: at induction, and periodic training as organised from time to time.
The practice will ensure the management and safe storage of electronic documents, in particular by restricting access permissions to them. The information is also backed up across the drive and is backed up to tape.
Management of the practice's electronic document technology will be the responsibility of the CD in conjunction with the IT Manager.
The practice will invest in and has put in place the following procedures and technologies for safeguarding the integrity of electronic documents:
- Firewalls and anti-virus software, together with approved user licences for the operation of the Business' case management system.
- All files are to be closed by the fee earner. They will be archived by Finance both physically and on the case management system. Access to archived documents will only be possible via network passwords and case management passwords. The network drives are available to IT Support, and each fee earner has their own secure area on a nominated Drive (the C Drive) to which no one else may have access.
Subject access requests
Any individual whose data is held by the Business may make what is called a 'subject access request', i.e. a request to see what data is actually held about them. All such requests should be addressed in writing to the CD and he will arrange for the Business to comply promptly with the request.