Mike Buckworth dropped into Club Workspace’s Clerkenwell venue on Monday night to give us our monthly legal healthcheck. Data Protection was the subject of the night. Mike explained the law regarding Data Protection and how it affects startups and small businesses.
To kick off his presentation, Michael explained why data protection is more important today than, perhaps, ever before. With so many online services that users have to sign in to or sign up for, we disclose personal data every time we lift the screen of our laptop.
What you don’t want, Michael continues, is for the people who handle your information to sell or share your data. You don’t want them to provide your email address to a third party who will spam you, for example.
The legislation and precedent
The data protection law that we are bound by in the UK comes from Europe. Michael explained that there are two main pieces of European legislation that impact on the UK’s "Data Protection Act". These are the "Privacy & Electronic Communications Directive" and the "Data Protection Directive".
This means that the legalities of data protection are 'ostensibly' uniform throughout Europe. However, even though the mechanics of each nation’s legislation are similar, the way in which the law is applied differs from country to country. Michael gave this example: data protection infringements in Spain are punishable with a prison sentence; in the UK they trigger a fine that 'not everyone' receives.
Those who commit an offence under the UK’s Data Protection Act can receive a fine of up to £5k in the lower courts or an unlimited fine in the upper/appellate courts.
If your business handles other people’s data
Mike explained that the Data Protection Act is relevant to Tech Startups more than most. If a tech startup is building a website or an app that requires user-data to function, then they need to comply with data law.
There is a 'cast-list' in data law terminology. There is the Data Controller, the Data Processor and the Data Subject. The Data Controller is the person who collects the data. The Data Processor is anyone who uses the data. The Data Subject is the person whose email address, name, phone-number, address, etc. is being handled.
In law, the Data Controller is responsible for the actions of the Data Processor. Mike explained that this can be more complicated than a 'boss' presiding over someone in the same office. If you’re a holiday-comparison website and you legally pass the personal information of your Data Subject to a hotelier in France (who becomes the Data Processor) and they commit an offence, you could be liable.
The eight principles of the Data Protection Act and you
The Data Protection Act includes eight principles with which you have to comply if you are to avoid legal reprimand.
The data in question needs to be 'fairly and lawfully' processed. It also can only be 'processed for limited purposes'. Limited purposes means that you cannot merely harvest data because 'it might be useful in the future'. You have to provide a specific reason for collecting the data, otherwise you have no right to do so. The data has to be used adequately and not excessively. This is to rule out the unfair bombarding of Data Subjects with spam, for example.
The data that you collect has to be accurate and up-to-date. Mike explained that this is something that businesses fall foul of quite often. If you keep information on your records that is drastically out-of-date, you are in breach of the Data Protection Act. The wording of the Act states that data cannot be kept for 'longer than necessary'.
The Act also specifies what is meant by secure. For example, if you collect 'sensitive' personal data - the sexuality, religious views or politics of a Data Subject, for example - these details must be kept in a separate spreadsheet from the 'personal data' - name, email address, DOB etc. Also, certain information has to be encrypted. Consult the act for further details.
The final point is that the data cannot be transferred to a country that doesn’t have an equivalent to the Data Protection Act. If you wish to share data with a third-party who is bound by the law of a nation whose legislature does not make adequate enough provisions for data law, then you will be in breach of the Data Protection Act.
The difference between personal information & sensitive personal information
If your business collects information that is defined as 'Personal Information' in law then you will need a 'Data Licence'.
Personal Information in law is any information from which a 'living person' can be identified. There is a complex definitional praxis which determines what details are classified as 'Personal Information', but Michael blitzed through this, offering this rule of thumb: if you’re collecting a person’s name, then the data is classified as 'personal information'.
'Sensitive Personal Information' - and the reasons why this can be collected - is a slightly different issue in law.
Sensitive Personal Information is information that pertains to a person’s racial or ethnic origin, political opinions, religious opinions, membership of Trade Unions, physical or mental fitness, sexuality or their criminal history.
This information can only be collected by a company if you have explicit personal consent or if the collection of this data has become necessary in the context of employment.
Michael cleared something up here straight away. The term 'context of employment' covers cases where the Data Controller has ascertained a person’s 'sensitive personal information' during their term of employment, such as when the Data Subject works with children and is therefore obliged to undergo a CRB check. What the term 'context of employment' does not mean is that prospective employers are allowed to ask candidates questions about their 'sensitive' personal information at interview. That is not allowed in UK law.
What if you are a startup who wants personal privacy?
When you register a business your name and address become public knowledge. For most business owners, this is not a problem. However, if you’re starting a business and want to keep your personal details secret, there are a few simple steps that you can take.
You can use a 'Nominee Structure'. You will need to talk to a lawyer to put this in place, but doing so means that your name is protected.
Your personal address can be obscured from prying eyes by simply purchasing a registered address. Doing so allows you to use an established business address in lieu of your home address.
As ever, a mammoth blog has followed Mike’s advice night! Thank you to the man himself for sharing such beneficial information and thank you to everyone who came along. I hope that you all enjoyed your Club Workspace experience! A massive thank you, of course, to Paul and Marina of Dreamstake, who co-hosted the event with Buckworth Solicitors.