The Data Protection Act

The Data Protection Act- Introduction

The Data Protection Act is mandatory. ALL organisations that hold or process personal data MUST comply. This website is intended to assist. It identifies services and tools to help ensure successful compliance, audit and management. Whether you are entirely new to the Data Protection legislation, or whether you have an established strategy, this directory should hopefully prove to be of significant value

Data Protection Act 1998

The 1998 Data Protection Act came into force early in 1999 and covers how information about living identifiable persons is used. It is much broader in scope than the earlier 1984 act, but does contain some provision for a transitional period for compliance with the new requirements. The act covers eight 'Data Protection Principles', which are detailed in this section So where do you start with this complex piece of legislation? How do ensure you meet the requirements? How do you measure your compliance? What tasks are required? The Data Protection Act governs the use of personal information by businesses and other organisations. You will need to comply with the act if you use personal information as part of your business, for example, because you hold customer details or details of employees. Personal information is information about a living individual who is identified or who is identifiable. It includes information such as a name and address, bank details, and opinions expressed about an individual. If you are processing personal information covered by the Act you must comply with the data protection principles. These require that personal information is:

processed fairly and lawfully

processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose

adequate, relevant and not excessive

accurate and, where necessary, kept up to date

kept for no longer than is necessary for the purpose for which it is being used

processed in line with an individual's rights

kept secure with appropriate technical and organisational measures taken to protect the information

not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred

The Data Protection Act

The Data Protection Act contains 8 Principles. These state that all data must be:

Processed fairly and lawfully

Obtained & used only for specified and lawful purposes

Adequate, relevant and not excessive

Accurate, and where necessary, kept up to date

Kept for no longer than necessary

Processed in accordance with the individuals rights (as defined)

Kept secure

Transferred only to countries that offer adequate data protection

The legislation underpinning these principles is complex and not really suitable for direct devolution to all the staff that may have responsibility for personal data. Nor does it provide a measure of compliance. Hence the need for supporting products and information

Data protection and Marketing

Direct marketing is any marketing or advertising material that is directed at particular individuals. It includes messages trying to sell goods or services and those promoting an organisation or its values or beliefs, such as material from charities or political parties asking for support. Direct marketing could be an email advertising car insurance or a phone call from a charity asking for a donation. It does not include calls that are purely for market research. This guide explains what you need to do to comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 when carrying out direct marketing activities The Data Protection Act applies to the use of personal information for marketing purposes. To comply with the first data protection principle of the Act you have to tell individuals:

who you are

what you will use their information for

anything else necessary to make sure you are using their information fairly, including whether you plan to pass your marketing lists to other organisations and how you will be contacting people, such as by post, phone or email

If you share your marketing lists with other organisations, you'll need to tell individuals about who you will pass their information to and give them an opportunity to object. By telling them about a specific organisation, or providing a more general statement such as "we will pass your details to other organisations with similar aims and objectives", you are being open about how you will use their information. If it is impractical to name these organisations, you should make this information freely available on request. When you collect information from people you are in direct contact with, such as in a phone call or on a website, you should give them an immediate opportunity to object to future contact. You could also find out how they would like to be contacted in future.

An individual's right to object

You need to be aware that section 11 of the Act gives all individuals the right to stop their personal information being used for direct marketing. A request must be made in writing - if you receive one you must act on the request in a reasonable period of time. Normally this should not be longer than 28 days. You are using personal information for marketing purposes if you use an individual's details to send them mail advertising your products or services. Some email addresses will be personal information, eg an email address in the format firstname.surname@company.com. An email address that does not name or identify an individual will not be personal information. Under the Data Protection Act individuals have the right to see the information you hold about them. Individuals also have the right to have any personal information you hold about them corrected if it is wrong or misleading. For further information on the data protection rights of individuals, see our guide on how to comply with data protection legislation.

Providing personal information to Third Parties

Under the Data Protection Act 1998, you may provide personal information about individuals to a third party if: they are authorised to obtain that personal information on behalf of the individual

your business outsources the processing of personal information - for example, payroll processing

the police need it as part of an investigation

The Privacy and Electronic Communications Regulations

The Privacy and Electronic Communications (EC Directive) Regulations 2003 are the rules that govern how you conduct your marketing by electronic means, such as by email or by telephone. The regulations will affect you if you use cookies on your website or if you operate telephone or similar directories. One of the key elements of the regulations is that you must have the customer's consent to be able to send them electronic marketing. If an individual has opted out of receiving marketing information, you are not allowed to send it. To comply with the regulations you must: Ensure that you have the customer's consent to electronically market to them by phone, fax or email.

Identify yourself when you carry out marketing.

Provide appropriate contact details when sending marketing material or messages so that the individual or organisation receiving the marketing can contact you. This should be a postal address, email address or Freephone number.

For telephone marketing, you must identify yourself. You must also give your address or Freephone number if the person you are calling asks for it.

The regulations cover various methods of electronic marketing including:

Email - you may only carry out unsolicited marketing by email if the individual you are sending the message to has given you permission. There is an exception to this rule, known as the 'soft opt-in', where messages are marketing similar products or services to those which the customer has already bought from you. Individuals can opt out of receiving marketing at any time and you must comply with any opt-out requests promptly.

Email marketing to organisations - if you are sending marketing to organisations, you don't have to have their consent but you must include the name of your business in the email and provide a valid address where opt-out requests can be sent.

Telephone marketing - you can't make unsolicited telephone calls to an individual or organisation who has told you they do not want your calls, or has registered with the Telephone Preference Service. Businesses can register with the Corporate Telephone Preference Service.

Automated calls - you cannot make automated calls (pre-recorded phone messages) without getting the individual or organisation's permission first.

Fax - organisations cannot send unsolicited marketing faxes to individuals unless they have agreed to receive them. You can't send faxes to individuals or organisations who have registered their number on the Fax Preference Service.

The Information Commissioner's Office

The Information Commissioner's Office (ICO) is the UK's independent public body set up to promote access to official information and to protect personal information. It enforces the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and the Environmental Information Regulations.

The ICO promotes good practice by:

publishing guidance to simplify compliance with the law

running a helpline

encouraging the development of codes of practice

taking enforcement action where necessary

seeking to influence national and international bodies on privacy and access matters

maintaining a register of organisations and businesses that process personal information

The ICO handles complaints from individuals about electronic marketing practices and the use of their personal information. If the ICO receives a complaint about your business, you will usually be contacted with regards to it. If the ICO believe that you may have broken the law, they may recommend you take certain action to make sure that your future electronic marketing practices or use of personal information complies with the law. Individuals can also ask the ICO to assess whether the use of their personal information is likely to have complied with the Data Protection Act.

The Data Protection Act - Security

The Data Protection Act places clear demands upon those holding personal data in terms of the security that must be applied to protect it. It is necessary to apply a wide range of security measures to meet these, perhaps utilising various solutions. The start point for security is often to implement an information security policy? If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including: