1. Start with a list

 

You’ll probably have personal information saved on your phone, tablet or computer to enable you to do your job – such as the names and contact details of customers, members or clients. You may also have details of upcoming bookings or appointments, or other notes. If you can identify someone personally from something you have stored, then it’s personal information and you need to account for it.

 

Start by making a list of the personal information you have, or plan to collect, even if you don’t have much at first. For this list, you should be generalizing types of information such as ‘phone numbers of customers’, rather than listing actual phone numbers.

 

Information privacy and protection laws don’t apply when you’re using personal data for purely personal or household activity, so don’t worry about things like your family photo album and personal holiday planning calendar.

 

2. The Power of ‘why’

 

Creating a balance between what you want to do with people’s personal information, the benefits that it will bring to them or to society as a whole, and any harm that might be caused as a result is a top goal.

 

If you’re holding or using people’s personal information, it must always be fair as well as lawful. This means you should only use their information in ways they’d reasonably expect so, if you’ve got their personal information through means that are deceitful or misleading, then everything you do after that (whether you think it’s lawful or not) is unlikely to be fair.

 

You also need a valid reason or condition for using the personal information. Be sure to choose the best condition for the purpose and keep a record of your decision.

 

3. Think holistically with security embedded.

 

Check your security measures line up with the sensitivity of the data you hold. Put stronger security measures in place if the data poses a higher risk or is sensitive.

 

The measures you choose are up to you but could include things like locking filing cabinets and putting strong passwords on your devices.

​

4. Transparency is key!

 

To build trust it’s essential to explain to people why you hold their personal information, what you'll do with it, and how long you'll keep it before getting rid of it.

 

You should record this information in a document, describing your approach to information privacy and protection. This is known as a privacy notice.

 

You have to have a privacy notice before you collect any information from anyone. Use our privacy notice template and make sure you include everything you need to.

 

5. Beware of information access requests

 

By law, people have the right to know what personal information you hold about them. There are other rights, too, but one of the most commonly asked questions is how to deal with a request for this personal information, which is known as a subject access request (SAR).

 

Keep an eye out for our guide on how to deal with a request for information or information access request.

 

6. Prepare for the worst

 

If you lose personal information – such as in a cyber-attack, flood, fire or theft – it could be a potential personal data breach. If it’s likely to result in a risk to the people affected, you'll need to report it to us. We’re here to help.

 

Soon, we will publish a guide on how to respond to a personal data breach so you know what steps to take in an emergency.

 

7. Set reminders

 

Data privacy and protection compliance is a journey. We update our website regularly to help you take simple steps towards improving your information privacy compliance. By setting regular reminders to check our news and advice pages, you will remain aware of current events and best practices.