The UK Data Protection Act 1998 controls how people’s personal data is used by government, businesses and other organizations in the UK. The Act sets out eight data protection principles, and it obliges individuals and companies that hold personal information to keep it secure and to use it only in the ways the Act permits.
The definition of “personal data” in the Act covers data that can be used for people’s identification. People can be identified in various ways including their name, address, email address or telephone number. The Act applies to data intended to be held, or held, on computers, or kept in a ‘relevant filing system’ such as a salesperson’s diary.
The Act creates rights for people whose data is held, and duties for those who keep, process or transmit that data. The rights of people whose data is processed include:
- The right to see the data an organization holds about them, by making a subject access request. A nominal fee may be charged: as of 2014, the fee for a request to a credit reference agency is £2, and up to £50 for educational and health records.
- The right to have incorrect information corrected. If the organization ignores the request, the aggrieved person can apply to a court for an order that the data be corrected or destroyed, and in some cases compensation can be awarded.
- The right to require that data not be used in ways that cause damage or distress.
- The right to require that data not be used for direct marketing.
Every individual or organization that keeps, processes or transmits personal data has to follow strict rules known as the ‘data protection principles’. These principles require that data is:
- Used fairly and lawfully
- Used only for limited, specifically stated purposes
- Adequate, relevant and not excessive for those purposes
- Accurate and kept up to date
- Stored for no longer than is necessary
- Handled in accordance with the data subject’s rights
- Kept secure against unauthorized or unlawful processing and against accidental loss or damage
- Not transferred outside the European Economic Area without adequate protection
An individual or organization that wants to collect personal data for a given purpose should seek the consent of the person whose data is collected. Consent is an informed and specific indication by which an individual agrees that their data may be kept and processed. Silence or failure to respond must not be taken as consent, and the way consent is obtained should be appropriate to the age and capacity of the individual.
The Act subjects the processing of sensitive personal data to stricter conditions; in particular, consent must be explicit. Sensitive personal data includes criminal records, sexual life and sexual health, physical or mental health, religious beliefs, political opinions, racial or ethnic origin, and trade union membership.
Fintech businesses handle the personal information of their customers, suppliers and employees, so their activities are very likely to be caught by the provisions of the Act. Non-compliance can lead to an enforcement notice that stops your fintech company from processing data, as well as to fines. In addition, the company’s officers, its directors and managers, can be held personally criminally liable for non-compliance.
To keep your fintech business out of trouble, establish a data protection policy that ensures these legal obligations are met. The policy should cover what personal data the company actually needs, and how that data is collected, stored, processed and disposed of.