This guide does not replace in any way the requirements of the Data Protection Act. Copies of the DPA and further information can be obtained from the Information Commissioner's website at www.informationcommissioner.gov/uk


You have every right to ask anyone who holds confidential or sensitive information about you how they intend to dispose of and destroy that information.

Next time you're in a situation where someone is likely to have something with your confidential information (name, address, etc.) on it, maybe a shop or hotel checkout, watch what happens to the piece of paper when it's discarded: watch to see if it gets shredded or goes straight in the bin.
And remember - you always have the right to ask what will happen to it or take it away to deal with yourself.

 
  
GUIDE TO THE DATA PROTECTION ACT
FOR USERS OF INFORMATION DESTRUCTION SERVICES
This guide is an aid to understanding the Data Protection Act (the 'Act'). To ensure that you
comply with the Act, it is important you understand that certain obligations are placed on you.
1. INTRODUCTION
 The Data Protection Act 1998 was brought into force on 1st March 2000 and replaces the DPA 1984. The Act gives legal rights to individuals in respect of the protection of confidentiality of their personal data. This guide will concentrate on the seventh principle, which gives guidance to organisations on security measures.
2. AIM
 The Act aims to balance the rights of the individual and the companies who are legitimately holding and using the information.
3. MATERIAL COVERED
 The Act covers all personal data, including paper and computer records, CDs and disks, from which a living person can be identified.
4. RESPONSIBILITY
 The company will be the 'data controller'. The data controller determines the purpose for which and the manner in which personal data is processed. Although the company may appoint a representative for the purpose of data protection, the data controller will remain the legal entity.
 When disposing of personal data, a company must ensure it complies with certain obligations under the seventh principle of the DPA, which states that when appointing a person or company as the Data Processor, the Data Controller must seek guarantees regarding their technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
5. VETTING
 There are various industry Codes of Practice, but it is advisable to ensure that when appointing a company to remove information covered by the DPA you check the company's certification and that all employees are regularly vetted. A Waste Transfer Note and a Certificate of Destruction are also important documents and should be received from any appointed company.
6. SECURITY METHODS TO BE CONSIDERED
 Security
 - Company Directors have a duty to prepare a policy that sets out their commitment to information security.
 - Has a Data Controller been appointed?

 Staff Training
 - Are staff fully aware of their responsibilities regarding the security of information?
 - Are staff aware that data should not be accessed for other purposes except in the course of their business dealings?

 Information Access
 - Is data maintained and stored correctly?
 - Have responsibilities for security been clearly defined between the Data Controller and Data Processor? (The Data Controller will retain ultimate responsibility.)
 - Are all documents destroyed securely, for example by shredding, or is any information simply discarded?
7. PENALTIES
 In the event of non-compliance with the Data Protection Act 1998, a criminal prosecution could result in a fine of up to £5,000, although the damage caused to the business could be many times this amount.

 

 