IT contractor guide to data protection – part 1

• Worried about how your personal details and CV are used and shared by your recruitment agent?  
• Unsure if it’s necessary or sensible to provide a copy of your passport to your client?
• Uncertain about your responsibilities in handling your client’s data?

These are all common concerns for most IT contractors, writes Olivia Whitcroft, solicitor and principal at information law specialist OBEP. Before we can address each of them specifically, it is first necessary to consider data protection laws, which impose obligations on those handling personal data, and give rights to the individuals to whom the data relates.  

As a handler, here are some of your key data protection responsibilities: 

• protect personal data against misuse, loss or damage;
• only use personal data to the extent it is needed for a fair and lawful purpose;
• ensure individuals are aware of how their data is being used;
• keep data accurate and up-to-date, and delete it when it is no longer needed;
• respect the rights of the individuals to whom the data relates; and
• restrict transfers of personal data out of Europe.

This two-part guide will firstly explore your data protection obligations as a contract, freelance or temporary IT professional in a UK workplace, thereby answering the third common concern, above. Then, in part two, I will consider your rights in relation to the use of your data by other parties such as a client, agent or an umbrella company, where I will address the remaining concerns, also outlined at the start.

When do an IT contractor’s data protection obligations arise? 

You should consider data protection obligations whenever you use any personal data, meaning data relating to an identifiable living individual.  

You are responsible for personal data which you hold and use for your own business purposes, for example in emails and other communications, or in databases of business contacts. 

You may also handle personal data while providing services to a client - for example, if you are working on software which holds your client’s HR or customer details.  In these circumstances, the client will need to ensure you handle such data appropriately, and may require you (in your contract or otherwise) to meet certain standards.  In addition, if you deliberately misuse or re-use any such data, you may become directly liable. 

It is therefore important that you understand what data protection means in practice whenever you handle any personal data.

What happens if IT contractors don’t comply?

Individuals who have misused personal data have been prosecuted and faced hefty criminal fines.  Separate regulatory investigations and penalties may also be imposed.  You also risk breaching your contract with your client, or agent, or both, and risk not getting paid for your work!  As well as the financial impact of these, the results can be very damaging to your reputation.  

Data protection – what does it mean in practice? 

Seven practical steps IT contractors might consider to address data protection requirements, thereby helping to protect themselves from liability, are as follows:

1. Only use your client’s data for the purpose of services you are providing to them and don’t retain copies after you have finished the job.  Use such data on the client’s equipment rather than your own personal computer, unless otherwise agreed with your client.
2. Think about whether you actually need to hold any personal data to do your work.  For example, do you need content containing a list of identifiable individuals to test some software or could names and identifying details be removed?
3. Familiarise yourself with any data protection policies and procedures of your client, and any contractual responsibilities which you have relating to data. The client may specify particular restrictions on data use, security steps you should take, and/or whom you should contact if you have any concerns or if something accidently goes wrong.
4. As well as the protection of personal data, you should ensure you are aware of any separate obligations of confidentiality and security (to clients or otherwise) which cover a wider scope of business data and documents.
5. Be aware of any personal data which you hold or collect for your own purposes, such as within emails you send or receive, and within any contacts database which you maintain (in hard or soft copy). Use this data only for purposes relevant to your business and don’t share it with other parties. Consider whether the relevant individuals are aware that you hold their data and how you may use it.
6. As well as technological security measures, take sensible practical steps to prevent loss or misuse of data.  For example, don’t make lots of copies or share information with other people; try not to travel around with documents or equipment to minimise the risk of leaving them on the train or in the pub; lock away or hide files and equipment when not in use.   
7. Be aware who else may have access to the data you hold and where they are (e.g. any third party who hosts your IT equipment).  Take some time to investigate the reliability and security of such third parties.

Editor’s Note: This is the first article in a 2-part CUK guide for contractors, which provides a general overview of data protection issues. The guidance from OBEP in this article, and in part two, should not be relied upon as legal advice, particularly as it is provided without the context of any specific circumstances.