Data Shred Ltd - Secure Data Protection Systems for Business Datashred Ltd Get a Quote
you are here >> Home > Data Protection > Data Protection FAQs

Data Protection FAQs

1.  What is personal data?

Personal data can be defined as information about living, identifiable individuals. The data does not need to be particularly sensitive information - it could just be a person's name and address.  Sensitive information covers areas such as a person's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership or non-membership, physical or mental health or condition, sexual life, any actual or suspected criminal offence and any proceedings being brought in connection with this.  The Information described here can only be processed in certain restricted circumstances such as the individual involved has freely given explicit written consent to its use for clearly stated purposes, the data is required for legal reasons or the information is needed for ethnic or anti-discriminatory monitoring.

2. How do I know whether the Data Protection Act 1998 applies to my business/organisation?

Those that are exempt from compliance with the Data Protection Act 1998 include:

  • An individual holding information for only personal reasons (e.g. an address book or Christmas card list)
  • An organisation holding personal information only for:
    -  staff administration (including payroll)
    -  advertising, marketing and public relations for your own business
    -  accounts and records (some not-for-profit organisations)

You will probably be required to comply with the Data Protection Act 1998, and to 'notify' the Information Commissioner (this office regulates and enforces the Act) that you are processing personal data. Visit to determine whether the Act applies to your business, and confirm whether you need to notify the ICO.   Alternatively, you can contact the Commissioner's Notification Helpline - 01625 545740.

Click here to go to the Compliance checklist to see whether your business needs to notify the Information Commissioner.

3. What legal responsibilities do I have under the Data Protection Act 1998?

If your business is subject to the Data Protection Act 1998, you have a number of legal responsibilities:

  • The Information Commissioner must be notified about your processing and holding of personal data, plus what type of information your business processes, together with the purposes for which you use it. This information will be placed on a public register.
  • Any personal data held by your company must be processed according to the 8 Data Protection Act principles.  If you are processing sensitive personal data (such as an individual's health records, ethnic origin, trade union membership or political opinions) further requirements and restrictions apply see
  • The terms of the legislation stipulate that any company holding personal data on an individual is duty bound to answer an individual's access request. (A charge of up to £10 may be levied against individuals requesting such information.)  Any requests must be handled within 40 days of receiving the request or 40 days from receiving monies to answer the request.

4.  What can I do to make sure data is held securely?

Any rooms and IT systems used to store data must be secure and data which is no longer in use must be destroyed (click here for more information on the secure shredding of confidential data).  All staff responsible for handling data should be trained to ensure they comply with the terms of the Data Protection Act 1998 and as part of that training they should be reminded that it is a criminal offence to pass on personal data, either recklessly or for money.

5.  When should data be destroyed?

Under the fifth principle of the Data Protection Act, data should only be kept for as long as is necessary to carry out and fulfil the objective of your business.  The type of data being stored will determine the length of time the data needs to be held.  In any case, businesses should put in place procedures for the secure shredding of confidential data when it becomes obsolete.

6.  What is deemed to be a secure method of destroying data?

Datashred Limited adhere to the standards as outlined by the BSIA.  For the secure shredding of paper based data, we will ensure that:

  • The collection of confidential data is by Datashred's box bodied vehicles with lockable doors;
  • The said vehicles are live tracked;
  • Containers can be supplied either by the client or Datashred;
  • Shred size will be according to BSIA standards and will be confirmed with each client;
  • All material is destroyed within 24 hours at our secure site;
  • A Certificate of Destruction is issued (compliance with Principle 7 of the Data Protection Act).

If you think we can help, complete our Request Quote form or for more information go to: