Laws relating to the fair use of data have been around since the 1970s in Europe. The UK Data Protection Act 1984 enacted the OECD principles into UK law for the purposes of trading.
The Data Protection Act 1998 (DPA) is about the right to respect for private life in relation to processing of your data.
The Human Rights Act will affect Data Protection insofar as the Commissioner has to decide what is fair processing of your data in the context of that Act.
Use of the terms 'Opt-in', 'Opt-out' and, more recently, 'Permission Marketing' in relation to direct marketing is misleading.
Consent as a term has not been defined by EU legislators, and therefore these terms are open to a variety of interpretations.
For example, consent is required in Germany, but it is an implied consent concept, not an explicit one. In Italy explicit consent is required in relation to fax or email communications.
In the UK, consent is not necessary as long as you are clear with your data subjects about what it is you intend to do with their personal information.
Repeated mailings containing notification to the same people, with a view to building up their preferences over time, are good practice, but a response is not necessary.
Rather than Opt-in or Opt-out, think in terms of implied consent versus explicit consent.
Failing to notify is a strict liability offence (although prosecution is not automatic; it is at the Commissioner's discretion). An enforcement notice that is ignored will lead to court action. No one, contrary to rumour, will face prison!
Notification is the first key aspect of the DPA (used to be called 'informing' under the old Act). Without notification, the data controller is unequivocally not compliant.
Notification can be given at point of first use in cases where it is not feasible to notify the subject at point of collection, for example, where personal data of people in business is collected at the switchboard or from colleagues.
Fair processing:
Also key to the DPA, it is critical to provide an easy means for individuals to exercise their right to object to receiving communications from you.
In terms of evolving best practice, think of the right to object as the key element within the broader context of data subjects being able to tell you what their communication preferences are, since it will become increasingly common for the data controller to offer choices to the subject in this way. The right to object is what is commonly expressed as an Opt-out.
If collecting information on-line, the related rights to object or the mechanism to provide express consent (if that is the business's preference) must also be on-line.
In any on-line environment where personal information is collected, essential components of compliance should be:
- Primary statement (notification)
- Jurisdiction
- Rights
Subject Data Access:
A request by a subject for access to the information you hold on them must be dealt with within 40 days.
Suppression files:
The Telephone Preference Service (TPS), Fax Preference Service (FPS) and Mailing Preference Service (MPS) are easy for the Information Commissioner to enforce, and she will take action against all breaches without fail.
Consent is not required for direct marketing to individuals, the reason being that consent clauses are too vague to be enforceable.
However, you do need consent when there is a change of purpose.
Implied consent given by a customer to a business overrides the suppression services, as long as you have demonstrable proof that it has been given. When you then seek to update the record at a future date, at least the first new contact with that person is also likely to be allowable without first screening against a suppression file.
Direct Marketing is seen by the Information Commissioner (and was envisaged by the legislators) as a legitimate interest and therefore does not require consent. Notification, nonetheless, must be very clear, i.e. you must tell people clearly what you intend to do with their information.
There are no hard-and-fast rules for how long personal data may be kept. This will vary according to the product or service being offered. It should not be longer than is necessary, which I take to mean useful, and may vary according to the context of a particular market.
The key is to have a clearly defined policy that is documented.
The user of mailing lists should take reasonable steps to ensure that they have done everything reasonable to comply with the DPA and related laws.
In respect of all the issues that presuppose a thought-through approach to conforming to the DPA, it is essential to have policies clearly documented.
Demonstrably thought-through and planned solutions will serve the data controller well. In such cases the office of the Information Commissioner will work with an organisation that is subject to a complaint at a later date.