How can I trust that the companies I give my personal data to will keep it safe?
You know what it’s like… You start a new job and they ask you for a copy of your passport. You go to a hotel and they ask whether they can take a copy of your credit card. Everyone seems to need some of our personal information these days for everything, either to protect their business by double-checking our identities or because they are legally required to do so. But with identity fraud being a real threat, how do we know that these companies will protect our personal information?
It’s not unreasonable to ask a company how they will guard your personal data. And making information security part of the conversation means that businesses are more likely to take this issue seriously.
First of all, it’s worth knowing that in the UK, your personal data is protected by the Data Protection Act (DPA), which all organisations processing personal information must adhere to. The DPA comprises eight principles which outline the rules that companies which use - or 'process' - your personal data must follow. All companies must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
Companies that fail to follow the DPA can receive fines of up to £500,000 from the ICO and may also face legal action. It is therefore in every company's interest to do its utmost to guard your confidential data.
If you want to understand what an organisation is going to do with your information then the first thing to do is to ask to see a copy of their Information Security or Data Protection policy. This should list the security measures that the business has in place. For example, if they wish to print a copy of your documents then you may want to make sure that the company’s physical security measures include storing the copies in a secure place, such as a locked filing cabinet. Don't forget to check the company's policy for details of how documents are securely destroyed when they are no longer needed.
If you are worried about how long a company will keep your personal data, the DPA states that organisations should only keep it for as long as is necessary for the purpose it was collected for in the first place. Asking the business to show you their data retention policy for the information they hold should give you peace of mind.
Obviously, the best case scenario is that your personal data is taken care of in a responsible manner and remains protected. However, you do have protection in the eyes of the law if you think information has been used unfairly. As a first step, you should approach the business and ask them to explain how they have used your data and to demonstrate that they have complied with the principles of the DPA. Organisations are obliged to explain how your information has been processed, if you make a formal request.
The ICO is a great place to start if you want to find out more about companies' obligations when it comes to your personal data. Have any more questions about information security? Shred-it has a range of resources for you to investigate, or you can join the conversation on information security with us on Twitter @Shredit_UK.