Data protection and your business

1. Overview

You must follow rules on data protection if your business stores or uses personal information.

This applies to information kept on staff, customers and account holders, for example when you:

  • recruit staff
  • manage staff records
  • market your products or services
  • use CCTV

This could include:

  • keeping customers’ addresses on file
  • recording staff working hours
  • giving delivery information to a delivery company

For information on direct marketing, see marketing and advertising: the law.

Data protection rules

You must make sure the information is kept secure, accurate and up to date.

When you collect someone’s personal data you must tell them who you are and how you’ll use their information, including if it’s being shared with other organisations.

You must also tell them that they have the right to:

  • see any information you hold about them and correct it if it’s wrong
  • request their data is deleted
  • request their data is not used for certain purposes

The main data protection rules are set out in the data protection principles.

What you have to do

You must:

You could be given a heavy fine or made to pay compensation if you misuse personal data.

2. Recruitment and managing staff records

You must keep any data you collect on staff secure - lock paper records in filing cabinets or set passwords for computer records, for example.

Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards - by shredding, for example.

Recruiting staff

You must give the name of your business and contact details (or those of the agency) on job adverts.

Only collect the personal information you need on application forms, and do not ask for irrelevant information, like banking details.

Example
You will usually only have to ask about motoring offences if driving is part of the job.

Only keep the information for recruitment - do not use it for a marketing mailing list, for example.

Keeping staff records

Make sure only appropriate staff, with the right training, can see staff records, and store sensitive information (such as health or criminal records) separately.

Example
Do not let managers access a worker’s sickness record if they only need to see a simple record of their absences.

If you’re asked to provide a reference, check the worker or ex-staff member is happy for you to do so.

Letting staff see their records

Your staff have the right to ask for a copy of the information you hold about them.

This includes information about grievance and disciplinary issues.

You must respond to their request within 30 days.

You may be able to withhold some information when responding to a request if the information concerns someone else - you need to protect someone who’s accused them of harassment, for example.

Staff can complain if they think their information is being misused, and you could be ordered to pay a fine or compensation.

3. Monitoring staff at work

You must be able to justify monitoring staff at work, which could include:

  • using CCTV
  • keeping records of phone calls
  • logging their email or internet use
  • searching staff or their work areas

Employees have rights at work and if you do not treat them fairly they could:

  • take you to an employment tribunal
  • complain to the Information Commissioner

You must make them aware that they’re being monitored, and why - for example by sending them an email.

Also explain your policies on things like using work computers or phones for personal use.

Monitoring staff without their knowledge

You can monitor staff without their knowledge if:

  • you suspect they’re breaking the law
  • letting them know about it would make it hard to detect the crime

Only do this as part of a specific investigation, and stop when the investigation is over.

4. Using CCTV

If your business uses CCTV, you must register your details with the Information Commissioner’s Office (ICO) and pay a data protection fee, unless you are exempt.

Check if you need to pay the data protection fee.

You must also:

  • tell people they may be recorded, usually by displaying signs, which must be clearly visible and readable
  • control who can see the recordings
  • make sure the system is only used for the purpose it was intended for - for example, if it was set up to detect crime, you must not use it to monitor how much work your staff do

The ICO has guidance with more details about CCTV.

How to pay the fee

You can register and pay the fee online.

Letting people see CCTV recordings

Anyone can ask to see images that you’ve recorded of them. You must usually provide the footage free of charge within 1 calendar month.

Find out more about CCTV and data protection rules.

Data protection rules do not apply if you install a camera on your own home for household purposes - for example, to protect it from burglary. Find out more about using CCTV in the home.

5. Get advice on data protection

For more information and advice: