Data Protection Procedure


Last updated September 2014

This document seeks to assist XX staff to understand the legislation regarding data protection, how data should be processed and how data can be kept secure.


The key piece of legislation covering Data Protection is the Data Protection Act 1998 (“the Act”). Data Protection is regulated by the Information Commissioner’s Office (ICO).

Key principles:

There are eight key principles of Data Protection:

  1. Personal data shall be processed fairly and lawfully.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under the Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What is personal data?:

Personal data is defined as data which relates to a living individual who can be identified either from those data, or from those data and other information which is in our possession. Personal data can include a recorded expression of an opinion about a person.


Personal data includes:

  • Information held in electronic form
  • Information held in a filing system
  • Information held in easily accessible records


Within this definition, sensitive personal data is defined as being information regarding any of the following

  • racial or ethnic origin

  • political opinions

  • religious beliefs or other beliefs of a similar nature

  • trade union membership

  • physical or mental health

  • sexual life

  • the commission or alleged commission of any offence

  • any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

Much greater care will need to be taken with this type of data. In normal circumstances, XX does not anticipate needing to collect data of this type.


Data processing:

The Act regulates the “processing” of personal data.

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

  • organisation, adaptation or alteration of the information or data,

  • retrieval, consultation or use of the information or data,

  • disclosure of the information or data by transmission, dissemination or otherwise making available

  • alignment, combination, blocking, erasure or destruction of the information or data.





In order for data to be legally processed, at least one of a number of conditions must apply. The most likely to apply to XX’s normal business are:


  • The individual who the personal data is about has consented to the processing, or
  • The processing is necessary:
    – in relation to a contract which the individual has entered into; or
    – because the individual has asked for something to be done so they can enter into a contract.

In the case of sensitive personal data (see above), the individual who is the subject of the data must give their explicit consent for it to be processed. In the unlikely event that any sensitive personal data comes into our possession, then as a member of staff of XX, you must ensure that this explicit consent is obtained.

In the course of its normal business activities, XX does not anticipate needing to pass information about its customers to other organisations, such as credit reference agencies. But if these circumstances do arise, customers must be informed of:

  • who their personal data has been passed to, and why
  • who is responsible for handling their personal information
  • what their personal information will be used for



Key definitions of people under the Act:

Data subject is an individual who is the subject of personal data.

This does not include an individual who has died or who cannot be identified or distinguished from others. But you should normally expect every customer we deal with, whether a buyer or a seller, to be a Data subject.

Data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In this context, XX is a Data controller as we hold personal data concerning our customers.

Data processor is a person who processes data on behalf of the data controller.

The Act must be complied with from the moment the data comes into our possession until the time when the data has been returned, deleted or destroyed.

How long should data be kept?


Data should be kept for five years following the end of a business relationship with the Data subject


Data controllers should notify the Information Commissioner of the fact that they process personal data, and will be required to pay an annual fee of £35 for this. XX has registered with the ICO under reference number XX, and our licence needs to be renewed before the expiry date of August 19 2015.


Principle 7 above outlines our obligations to take reasonable steps to ensure the data we hold is secure. Smaller companies are not expected to devote the same resources to ensuring security of data as larger companies, but we still need to take reasonable steps to reduce the chances of data loss

In respect of IT security, we will: 

  • Install a firewall and virus checking on our computers. 

  • Protect our computers by downloading the latest patches or security updates when available

  • Only allow staff access to the information they need to do their job and don’t let them share passwords  

  • Encrypt any personal information held electronically if it will cause  damage or distress if it is lost or stolen 

  • Take regular back-ups of the information on our computer system and keep them in a separate place

  • Not dispose of old computers until all the personal information on them has been securely removed (by using technology or destroying the hard disk) 

  • Consider installing anti-spyware. This protects against software that can be secretly installed on our computers. Spyware can monitor, use, look for private information or even give someone else control of a computer.

In respect of other security matters we will: 

  • Shred all our confidential paper waste.

  • Check the physical security of our premises regularly

  • Carry out appropriate checks on any staff who will have significant access to personal data.

  • Train staff:

    • so they know what is expected of them

    • to be wary of people who may try and trick them into giving out personal details

    • that they can be prosecuted if they deliberately give out personal details without permission

    • to use a strong password – these are long (at least 7 characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols

    • not to send offensive emails about other people, their private lives or anything else that could bring XX into disrepute

    • not to believe emails that appear to come from a bank that ask for account, credit card details or passwords (a bank would never ask for this information in this way)

    • not to open spam email – not even to ask for no more mailings.

 Security measures regarding our internal data currently include:

  • the use of login ids which gives access only to parts of the system that are relevant to the user
  • locked office
  • locked filing cabinets
  • backup of important files to preserve integrity of data.

No client data is held in paper form at the XX office

Loss of data:

These provisions cover loss due to accidental loss, theft, attacks on computer systems, unauthorised actions of staff and equipment failure.

In the event that a data loss does occur, there are four key elements to our response:

1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.

2. Assessing the risks – XX will assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, XX will assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.

3. Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. XX will, for example, consider notifying: the individuals concerned, the ICO, regulatory bodies, the police.

(The ICO recommends that it should be notified when the data loss has a significant potential for harm to be caused to individuals, when the amount of data lost is significant or when the data lost is of a particularly sensitive nature.)

4. Evaluation and response – it is important that XX investigates the causes of the breach and also evaluates the effectiveness of our response to it. If necessary, XX will then update these policies and procedures accordingly.

Subject Access Requests:

Individuals have the right to see the personal data held on them. Such requests are known as Subject Access Requests. These must be complied with within 40 days of receipt, although XX is entitled to ask for any information it reasonably requires to find the information and check the identity of the enquirer. XX may charge a fee of up to £10 for responding to a request. Failure to comply with a Subject Access Request could result in a fine of up to £5000.

We need not treat a request from a customer for a specific piece of information as a Subject Access Request. So for example a request to remind a client of the investments he/she holds need not be treated as a Subject Access Request.

In the event that the personal data held on an individual also contains personal data from another individual, that data must not be disclosed as part of the response unless the other individual gives their consent.


Should we wish to send promotional literature to customers in order to promote our firm and the products and services we offer, we must tell these individuals at the outset and give them the opportunity to object. If an individual does object, either when we collect the personal information or later, we will not send that individual direct marketing information again unless the individual specifically asks for it.

Information on the Data Protection requirements for organisations, self-employed sole traders and partnerships can be found at

The FCA’s specific guidance on data security can be found at