Introduction
[Company name] needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
This data protection policy ensures [company name]:
Complies with data protection law and follows good practice
Protects the rights of staff, customers and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 1998 describes how organisations — including [company name] — must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
Be processed fairly and lawfully
Be obtained only for specific, lawful purposes
Be adequate, relevant and not excessive
Be accurate and kept up to date
Not be held for any longer than necessary
Be processed in accordance with the rights of data subjects
Be protected in appropriate ways
Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
People, risks and responsibilities
Policy scope
This policy applies to:
The head office of [company name]
All branches of [company name]
All staff and volunteers of [company name]
All contractors, suppliers and other people working on behalf of [company name]
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
Names of individuals
Postal addresses
Email addresses
Telephone numbers
…plus any other information relating to individuals
Data protection risks
This policy helps to protect [company name] from some very real data security risks, including:
Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who works for or with [company name] has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, [company name] will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Providing information
[Company name] aims to ensure that individuals are aware that their data is being processed, and that they understand:
How the data is being used
How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
[This is available on request. A version of this statement is also available on the company’s website.]