A completely different aspect of business transactions is the need for a business to keep records and information about persons. The law attempts to provide some protection for individuals:
to prevent businesses holding data about them, when there isn't a legitimate reason for doing so
to require businesses to make sure that the data they hold is accurate
to allow individuals the right to inspect any personal data about them that is retained by a business.
The data protection rules affect businesses. This is because businesses hold personal data records, for example about their customers and employees, mostly on their computer systems. Businesses find personal data useful for marketing and other purposes.
Personal data is data relating to a specific individual. It could include not just the name and address, but age and date of birth, education details, annual salary, family details, and so on. Personal data about a customer may include not just how much the customer owes, but how much was purchased in the past and details of those purchases. In other words, a personal data record could include the customer's entire purchasing history.
As an example of relevant legislation, businesses in the UK that hold files of personal data about individuals are required to comply with the Data Protection Act 2018, which introduced the General Data Protection Regulation (GDPR). Many other countries have similar legal requirements relating to obtaining, using, managing and retaining personal data.
First, they must register with the Data Protection Commissioner as a user of personal data. As a user of personal data, a business must comply with certain data protection principles. These include the following:
information in personal data files must be obtained and processed lawfully and fairly
personal data should be held only for specified lawful purposes
personal data should not be used or disclosed in any way except for those purposes
the amount of personal data held should be sufficient and relevant for its purpose, but should not be excessive
personal data should be accurate and, where necessary, should be kept up to date
personal data should not be held for longer than is necessary
an individual is entitled to know that a data user is holding personal data relating to them. The individual has the right to look at this data and, where appropriate, to insist that it should be corrected or deleted.
If the personal data about an individual is inaccurate, or if there has been an unauthorised use or disclosure of that information by the data user to someone else, the individual has a right of legal action against the data user.
Processing personal data is not permitted except under certain conditions, such as:
with the consent of the individual
as part of a contractual arrangement between the data user and the individual
for legal reasons.
Some personal data does not come within the scope of the Act, such as:
personal data about employees for payroll purposes
personal data about customers and suppliers for the purpose of maintaining accounting records.
Risks to data security and storage include the following issues:
accidental loss or corruption of data due to poor business practices and procedures
deliberate loss or destruction of data due to criminal or other inappropriate behaviour
unauthorised access to data leading to misuse of data for an improper purpose.
The risks to data security and storage may be managed in a number of ways, including:
recruitment of appropriate staff who act with honesty and integrity
training of staff so that they understand the risks associated with data security and storage and how to effectively manage those risks
good business practices regarding data management, processing and updating
effective segregation of duties between employees to minimise the risks of undetected errors and similar problems
physical controls regarding management of risk of damage to data from fire, smoke and other hazards.
ACTIVITY 6
You are employed in an accounts office and receive a telephone call from a person who says that they are the bank manager of North Bank in the local High Street. The bank has been approached by a customer of your employer for a loan to pay off the debt they still owe your employer. The bank manager would like to know how much the customer owes, and would also like to check the marital or relationship status of your customer.
What should you do in this situation? For a suggested answer, see the 'Answers' section at the end of the book.