Whether you use a paper-based or computer-based record system, and regardless of your local Data Protection laws, you have a moral duty to ensure that clients' personal information is kept safe and secure. The following key principles of personal information handling apply both to data stored electronically and to paper-based systems.
- Data may only be used for the specific purposes for which it was collected.
- Data must not be disclosed to other parties without the consent of the individual it is about. It is an offence for other parties to obtain this personal data without authorisation.
- Individuals have a right of access to the information held about them.
- Personal information may be kept for no longer than is necessary and must be kept up to date.
- Adequate security measures must be in place. These include technical measures (such as firewalls) and organisational measures (such as staff training). If you use a paper-based system, keep records in a locked cabinet with controlled access.
- Subjects have the right to have factually incorrect information corrected.
- The person whose data is processed has the right to require that it is not used in any way that may cause damage or distress, and may request that it is not used for direct marketing.
- Only authorised personnel should have access to data. Security measures such as password protection and database encryption need to be in place. Keep patient care/medical data and business accounts separate if necessary.
If you record personal data, you may be required by law to register. This is generally inexpensive and easy to do; for example, in the UK it costs £35 for two years and you can register online. Registration also gives your clients an added level of confidence in you, in the same way that being registered with a professional association reassures clients of your integrity. After all, they may be sharing some very personal information with you.
Warning: some agencies may contact you and use scare tactics to fraudulently demand payment in order to "complete" your Data Protection registration. Avoid these services altogether. Instead, contact your local Trading Standards Office immediately and inform them of the situation.