The purpose of this short article is to help businesses that use or sell data for marketing purposes to stay abreast of the law.
None of us is ever under an obligation to tell anyone we have complied with any law. (“I promise I never parked on a double yellow / murdered my grandmother today”). We just have to comply. Since compliance with the DPA does involve provision of information, it is best practice to make a virtue out of an obligation by using compliance as an opportunity to sell your image. The Net Lawman privacy policy is designed to do just that.
Now here is the essence of the law in a form you can read in under two minutes!
- Scope of DPA
Data protection laws come into play whenever a data controller (you or someone you manage) processes personal data. The DPA defines processing as 'obtaining, recording or holding the data or carrying out any operation or set of operations on the data'. It includes organising, adapting, amending, retrieving, consulting and using the data, and disclosing, erasing or destroying it. Personal data are defined as data relating to a living individual (the 'data subject') who can be identified from data which are in the possession of, or are likely to come into the possession of, the data controller. These definitions are very wide, so if in doubt, assume your information is included. Stricter rules apply to the processing of sensitive personal data. The following categories of information constitute sensitive personal data:
- Racial or ethnic origin of the data subject
- Political opinions
- Religious beliefs or other beliefs of similar nature
- Membership of a trade union
- Physical or mental health and condition
- Sex life
- The commission or alleged commission by the data subject of any offence
- Notification under DPA
One of the key requirements under the DPA is to notify the Information Commissioner of the processing activities carried out by the organisation and to provide certain details about that processing. The notification must be renewed every 12 months, with a fee payable each time. Notification is required of organisations that process personal data automatically. No doubt you already pay your annual £35 fee. If not, we assure you that this is the easy bit.
- How to ensure compliance with DPA
The DPA requires that personal data be processed in accordance with eight data protection principles. Each principle, and how to comply with it, is explained below.
- Data are obtained and processed fairly and lawfully
The data subject must be told the identity of the data controller, the purpose for which the data are to be processed, the type of data to be processed and any particular aspects of the processing. The data subject's consent to the processing should be obtained. It is enough to provide the identity of the data controller when asked. Consent can be specified in your terms and conditions (it is specifically included in all terms and conditions produced by Net Lawman). Type and purpose can be set out in your privacy policy.
- Data is processed for specified purposes
Data controllers should try to identify the minimum amount of information needed to properly fulfil the stated purposes. It is also good business practice to avoid upsetting customers by asking for unnecessary information. But it is more important to comply than to worry about obtaining information you do not use. There can be no objection to asking every customer for a piece of information, even if you use it only in connection with 2% of transactions, provided it is relevant to the purpose you have stated.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
If you are asking people to complete web forms, you should clearly mark the mandatory and optional fields.
- Ensure that the personal data are accurate and kept up-to-date
Data that are out-of-date or inaccurate are likely to be regarded as excessive and irrelevant for their declared purpose.
- Ensure that the personal data are kept for no longer than is necessary for the purposes for which it is processed
However, where another law requires the data to be retained, retention for that period is necessary and this principle is not breached.
- Process personal data in accordance with rights of individuals
Those rights are:
- The right of access to their personal information
- The right to object to automated decision making
- The right to object to direct marketing
- The right to object to certain processing causing substantial damage or distress
- The right to compensation
- The right to rectify, block, erase or destroy
You do need to be careful here. Make sure your system can retrieve and provide an individual's information when asked. Where large volumes of data are processed, an automated system is obviously essential.
- Process data in a secure environment
If you use a third-party data processor to process some or all of your data, you remain liable under the DPA to ensure that the processing is carried out in accordance with the Act. The data controller is obliged to:
- Ensure that he has a written contract with the data processor.
- Ensure that the data processor acts only on his instructions.
- Ensure that the contract requires the data processor to take security measures equivalent to those the controller must take himself.
Compliance here would be sufficient if you clicked to accept the terms and conditions of an Internet service provider such as Pure, provided you had read them and accepted any limitations they contain.
- Do not transfer personal data to a country that does not offer an adequate level of protection for the individual
There are two areas to watch here: first, be careful about using agents or service providers who are situated outside the European Economic Area, or who may process data outside it even if they are located here. Second, posting personal data on a publicly accessible website without the specific consent of the data subject would be a breach of the DPA, because the data could be accessed from countries with less rigorous data protection regimes.
- Consequences of non-compliance
Finally, remember that offences under the DPA are criminal in nature and can be prosecuted by the Information Commissioner, the Director of Public Prosecutions or, in Scotland, the Procurator Fiscal. An unlimited fine can be imposed on conviction. We are not aware of any unfair application of this law, but you could be the first!
- How to avoid problems
A good start is to use a model privacy policy as a template for providing information about your data processing procedures. This can be combined, as we have said, with user-friendly reassurance as to what you will not do with the data.