Faced with a prison sentence for making a mistake at work, most people would be forgiven for being fastidious in their attention to detail and conscientious in ensuring that correct procedures are followed. Given several years' notice of the requirements which carry a prison sentence if not properly met, it would be reasonable to expect people in this position to ensure correct procedures are in place and that plans to comply are made well ahead of time. But, according to Stuart Riccalton, chairman of the United Kingdom Security Shredding Association (UKSSA), many companies could fall foul of the Data Protection Act (DPA) 1998 because they have failed to audit their data handling systems correctly.

Riccalton states, "The Data Protection Act has implications for every type of business across the country and, whilst its implementation date is still uncertain, those responsible for all types of data processing should be taking stock of their procedures now. Our experience suggests that many companies do not appear to be taking measures in preparation for the Act and this could have dire consequences for individuals responsible for handling of data."

The DPA stipulates eight basic principles and imposes a duty of care on individuals responsible for data processing. Conviction of an offence contrary to the Act can lead to a prison sentence and a fine of several thousand pounds.

The Act is expected to be fully ratified on 1st March 2000. Recent surveys suggest that between 75% and 85% of businesses have not made plans for the Act's introduction. This apparent inertia could well be due to the delay in the Act's implementation and the fact that there will be a transitional relief period to allow companies to make the necessary changes until October 2001 and a further six years to assist those holding manual records.

Nevertheless, organisations such as UKSSA are advising companies to undertake thorough audits of their data processing systems to define areas of responsibility and the procedures necessary to comply with the Act.

Among the Act's eight principles, those which could have particularly serious ramifications for companies stipulate that personal data should be relevant, accurate, kept up to date where necessary and that such data should not be kept for longer than the purpose it was intended for. In addition, the Act states that data should be held for a specific (lawful) purpose and shall not be processed in any manner incompatible with that purpose.

The Act is, therefore, extremely wide ranging and it is difficult to see any data held in manual or computerised recording systems that will be exempt from scrutiny. It can include personnel records, client files, supplier information and a myriad of other types of data.

To reduce the risk of prosecution under the DPA, companies will need to thoroughly review their existing filing systems, bring historic information up to date and dispose of records which can be considered as contravening the Act. It is here, according to UKSSA, that companies should be taking the greatest care.

"Strange as it may sound to many businesses, sorting out your filing systems and data processing procedures is probably less risky and, therefore, less onerous than disposing of obsolete files. A company can be confident in its own operations; the data disposal would invariably involve an external service provider at some stage or other and companies should make every effort to ensure they select a reputable supplier," says Riccalton.

UKSSA argues that disposal of confidential data, such as company records, should be treated as a separate issue to general office waste and handled by trusted specialist companies which abide by strictly controlled performance standards. Failure to do so would not only risk embarrassment for the subjects of the data, but could also lead to a prosecution.