The Information Commissioner’s Office has fined a nationwide lender £180,000 for failing to keep customers’ personal information secure.

Our legal experts, Baines Wilson, have highlighted the importance of keeping this information in order.

Sponsored content 

The fine illustrates the importance of businesses being aware of their obligations under the Data Protection Act 1998. 

If personal data is not handled properly, there may be serious financial, commercial and reputational implications, including possible criminal penalties and fines. 

Key things a business should remember:

Personal data is any information about an individual held electronically or in filing systems that could identify the individual, either on its own or together with other information held by a business or a third party. 

Personal data needs to be protected and kept secure. 

  • This data may include: name; e-mail address; telephone numbers; date of birth; and notes written about someone (such as an annual performance review). 
  • Particular care must be taken with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data. 
  • The individual could be a potential or actual employee, customer or supplier. 
  • A business can only collect personal data if it has a legitimate reason for doing so (for example, because a new employee is coming to work for the business). 
  • When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data. If the purposes for which the business wants to use someone’s data change, the individual must be informed once again. 
  • Businesses should only collect information they require at that particular time. For example, a job applicant should not be asked for their bank details. This type of data should only be collected once the applicant has started to work for the business. 
  • If a business wants to use someone’s data for marketing purposes (such as text or e-mail marketing), the individual must be informed and his or her explicit consent should be obtained. It is good practice to do this at the time the data is collected. 
  • Data should only be used for the reason that it was collected. 
  • Provided a business has an individual’s consent, a business is generally allowed to use someone’s personal data. Personal data can also be used in other circumstances, for example, if the business needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them). 
  • If a business wants a third party to manage data (such as carrying out payroll services) it should take legal advice. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party. 
  • Businesses should take legal advice if they are considering transferring any data outside the countries in the European Economic Area. 
  • If the data is being used in marketing material, businesses should ensure that the recipient is aware that their data may be used for this reason and confirm they do not object. A business will generally need the individual’s explicit consent (opt-in) for e-mail, fax and text marketing. If the individual is an existing customer, the business may be able to market similar products to them by these means without prior explicit consent. Businesses should take legal advice in these circumstances. 
  • If a business is considering using sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), it should take legal advice. 
  • All data must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted securely. 
  • Personal data must be disposed of securely – use confidential waste bags (do not put confidential papers in the recycling) and securely delete electronic files.
  • Data should only be held for as long as it is required and for the reason it was collected. 
  • Personal data must be kept secure at all times – computers and files should be password protected. Limit the amount of personal data on laptops and other portable devices. Manual filing cabinets containing personal data should be locked and only accessible to authorised personnel. Confidential documents should not be left unattended on desks and electronic documents should be password protected. 
  • Only send personal data in a secure way (for example, confidential information should not be sent in the internal mail). 
  • When working away from the office or in public areas: ensure personal data stored on portable devices is encrypted and kept secure at all times; avoid leaving papers or electronic devices lying around; make sure members of the public cannot see confidential documents or computer screens; and avoid talking about confidential matters when members of the public may be able to hear. Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately.
  • The above is a summary only and businesses should always take professional legal advice in relation to any data protection queries they may have. For help and advice in relation to data protection or any other corporate commercial topics please contact John Wilson, Andrew Hill or Kate Parker on 01228 552600 or 01524 548494.