Data protection for CA Students

Picture of a padlocked data server
By Alex Burden, Student Blog

27 July 2017

If you’ve ever handled data pertaining to a person, then you have been working within the boundaries of the Data Protection Act. But what is the Act, and how does it affect what we do?

Most of you will already be familiar with the Data Protection Act and how it affects the way we use information in everyday business. There are even more stringent measures in place when the data concerns sensitive information, such as political or religious beliefs, ethnicity, health and criminal records.

Think about the data that might be held on you – how would you want that data handled and protected. It is important to treat information in the way you would want your own details to be accurately recorded and not used for any other purpose than that which was intended.

The UK Government states that data must be:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the European Economic Area without adequate protection

You also have the right to find out what data is held on you; the Act makes provision so that you can write to any organisation (eg the company secretary) that holds your data and ask for a copy of the record.

There are some situations in which data cannot be shared, and the organisation does not have to state why. 

Reasons why data might be withheld are:

- the prevention, detection or investigation of a crime

- national security or the armed forces

- the assessment or collection of tax

- judicial or ministerial appointments 

On top of this, the UK and European countries are subject to EU Data Protection rules – and Brexit is unlikely to affect that, according to a new report by Computer Weekly. Why won’t it affect anything? Because any organisation that deals with a company situated in the EU will have to behave according to EU legislation, which, as you may already know, is even more strict. 

The rules won’t come into force until 2018 however, so there’s plenty of time to brush up on General Data Protection Regulation (GDPR); ‘right to be forgotten’ is now creeping into general usage and that means secure destruction of data on request.

This will also mean that businesses cannot ask for data to provide services – it must be voluntarily given by the individual! It will be interesting to keep an eye on how this develops and what it means for competition; it will make it easier for customers to transfer to other organisations by gaining access to the data you hold on them.

Computer Weekly points out that IT architecture will be put under pressure and departments will start looking to CFOs and finance departments for extended budgets to fulfil requests. In the meantime, strict adherence to the UK rules is always recommended; check out this guide to protecting your business data by Information Security Consultant, David Reynolds.


  • CA Student blog

Previous Page