The UK Government will soon be implementing new data protection and privacy laws that will have a major impact on all businesses, particularly the marketing industry.
The Data Protection Act 1998 and the Telecommunications (Data Protection & Privacy) Regulations 1998 have been created from two European Commission directives, and are wider in scope than previous data protection legislation.
Once they come into force, the new laws will give individuals increased rights of access to information held on them, rights to stop certain uses of such information – including telesales calls and faxes – as well as rights to compensation for misuse.
Together, they more clearly and systematically spell out the rules for fairly obtaining and using personal information.
Under the 1984 Data Protection Act, individuals can demand to see copies of their personal files. With the new act, people can also demand to know the processing purposes and actual or intended recipients of the information.
Individuals can also find out the logic behind any automated decision-taking – for example, for assessing credit-worthiness – that forms the sole basis for decisions that materially affect them. People now have the right to demand that the processing be stopped if it involves this form of decision-taking – a new right that can cause difficulties if any credit scoring or point scoring system forms the sole basis for determining the eligibility of an individual to join a scheme.
People can also demand that any processing done for direct marketing be stopped. And individuals can also stop any processing if it would cause them – or other persons – damage or distress.
Compensation rights have been broadened to cover any form of processing that causes damage or distress where a provision of the new act has been breached.
The Department of Trade & Industry has issued the first draft of the Telecoms (Data Protection & Privacy) Regulations. They are aimed at granting consumers – both individuals and businesses – protection against unwanted direct marketing faxes and calls. The DTI says that the draft regulations do not at present treat e-mails as “calls”.
The draft regulations provide for individuals to selectively omit details from phone and fax directories. Individuals can also indicate that their personal information is not to be used for direct marketing purposes. In the long term, this could affect the usefulness of such directories in relation to marketing initiatives based on geography.
There has been furious debate about whether an opt-in or opt-out scheme will be implemented in respect of individuals and direct marketing faxes and phone calls. The draft regulations state that direct marketers who use faxes and automated calling systems may not use them to contact individuals unless the individual has expressly consented. The onus will be on the direct marketing company to build up a register of persons who have consented to such faxes and automated calling system calls.
Direct marketing faxes sent to corporate subscribers will be dealt with through an opt-out scheme using a statutory register similar to the Fax Preference Service.
In relation to direct marketing telephone calls, intense lobbying from the direct marketing industry seems to have so far won the battle. The Government has provided for an opt-out scheme for individual subscribers despite consumer bodies’ misgivings.
Labour favours an opt-out scheme for individuals but reserves the right to change its mind if this method proves ineffective.
The new Data Protection Act 1998 states that there must be no misleading information, or deception of the individual, when personal data is being collected. Organisations must also provide certain information to the individual at the time of collection.
Companies can ensure compliance with the new act when directly collecting information by following two sensible steps:
First, they should properly notify the individual of what they intend to process the data for and then give any other details that it would be reasonably fair to give.
Second, they should obtain the requisite level of consent from the individual. A useful test is whether the individual would be surprised to hear that a particular activity had been carried out in relation to their personal information. If they would be surprised, and would arguably try to stop the activity, then it is likely the information was obtained unfairly and that the activity represents unfair processing. It would be unfair, for example, to obtain details of a person’s partner’s age, gender and smoking habits if that person were applying to join a book club.
Direct marketing companies which obtain lists from third parties are not usually in control of the data collection procedures of such parties. This raises the question of whether improper data collection methods cause problems for those who rent or buy such lists. In the past, the Data Protection Registrar has indicated that you will not be treated as having unfairly obtained personal data merely because the collector did not obtain proper consent. But it may be unfair to use such personal data if you have not run it against your in-house suppression file and the relevant Mailing, Telephone or Fax Preference Service suppression files.
This position is the same under the 1998 act. The statutory opt-out schemes will bring about statutory suppression files that will be of greater significance than the industry-regulated files already in existence. The use of suppression files is more important now because of the extended rights individuals have, first, to get their names removed and, secondly, to obtain compensation from organisations for damage or distress.
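The screening step described above, as an added example that is not part of the original article: a rented list is run against the in-house suppression file and the preference-service files for each channel before any record is used, and faxes to individuals are held back unless consent has been recorded, matching the opt-in rule the draft regulations set out for individuals and the opt-out rule for corporate subscribers. The prospects and the suppression entries are constructed; the real Telephone, Fax and Mailing Preference Service files are distributed in their own formats, which are not assumed here, and the postal key (surname plus postcode) is a deliberate simplification of address matching.

```python
"""Screen a rented marketing list against suppression files before use.

Added example, not from the original article. The prospects and the
suppression entries are constructed; the real Telephone, Fax and Mailing
Preference Service files come in their own formats, which are not assumed here.
"""
import re
from dataclasses import dataclass, field


def normalise_phone(number: str) -> str:
    """Canonical UK number: digits only, national format with a leading 0.
    '+44 (0)20 7946 0000', '020 7946 0000' and '0044 20 7946 0000' all map
    to '02079460000', so one suppression entry catches every spelling."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44"):
        digits = digits[2:]
    return "0" + digits.lstrip("0")


def normalise_postal(name: str, postcode: str) -> str:
    """Key for postal suppression: surname plus postcode, with case and
    whitespace folded (a simplification of full address matching)."""
    surname = name.strip().split()[-1].lower()
    pc = re.sub(r"\s+", "", postcode).upper()
    return f"{surname}@{pc}"


@dataclass
class Prospect:
    name: str
    postcode: str
    phone: str = ""
    fax: str = ""
    corporate: bool = False      # corporate subscriber: fax is opt-out via FPS
    fax_consent: bool = False    # individual's recorded consent to fax (opt-in)


@dataclass
class SuppressionFiles:
    tps: set = field(default_factory=set)   # Telephone Preference Service
    fps: set = field(default_factory=set)   # Fax Preference Service
    mps: set = field(default_factory=set)   # Mailing Preference Service
    # our own opt-out register, keyed the same way, one set per channel
    in_house: dict = field(default_factory=lambda: {"phone": set(), "fax": set(), "mail": set()})


PREFERENCE = {"phone": "tps", "fax": "fps", "mail": "mps"}


def contact_key(p: Prospect, channel: str):
    """Normalised key for the channel, or None if the record has no detail for it."""
    if channel == "phone":
        return normalise_phone(p.phone) if p.phone else None
    if channel == "fax":
        return normalise_phone(p.fax) if p.fax else None
    if channel == "mail":
        return normalise_postal(p.name, p.postcode) if p.postcode else None
    raise ValueError(channel)


def screen(prospects, files: SuppressionFiles, channel: str):
    """Split a list into (cleared, suppressed) for one channel.
    suppressed holds (prospect, reason) pairs so each decision can be audited."""
    cleared, suppressed = [], []
    for p in prospects:
        key = contact_key(p, channel)
        if key is None:
            suppressed.append((p, f"no {channel} detail"))
        elif channel == "fax" and not p.corporate and not p.fax_consent:
            # faxes to individuals are opt-in under the draft regulations
            suppressed.append((p, "individual without recorded fax consent"))
        elif key in getattr(files, PREFERENCE[channel]):
            suppressed.append((p, f"listed in {PREFERENCE[channel].upper()}"))
        elif key in files.in_house[channel]:
            suppressed.append((p, "in-house opt-out"))
        else:
            cleared.append(p)
    return cleared, suppressed


# Constructed sample input: a rented list and the suppression entries.
RENTED_LIST = [
    Prospect("Jane Doe", "SW1A 1AA", phone="+44 (0)20 7946 0000"),
    Prospect("Joe Bloggs", "M1 1AE", phone="0161 496 0000", fax="0161 496 0001"),
    Prospect("Acme Ltd", "EC1A 1BB", fax="020 7946 0999", corporate=True),
    Prospect("Sam Roe", "B1 1AA", phone="0121 496 0000", fax="0121 496 0001", fax_consent=True),
]
FILES = SuppressionFiles(
    tps={normalise_phone("020 7946 0000")},
    fps={normalise_phone("0044 20 7946 0999")},
    mps={normalise_postal("J Bloggs", "M11AE")},
    in_house={"phone": {normalise_phone("0121 496 0000")}, "fax": set(), "mail": set()},
)

if __name__ == "__main__":
    for channel in ("phone", "fax", "mail"):
        cleared, suppressed = screen(RENTED_LIST, FILES, channel)
        print(channel, "cleared:", [p.name for p in cleared])
        for p, reason in suppressed:
            print("  suppressed", p.name, "-", reason)
```

The normalisation step is the part that matters in practice: a suppression entry only protects the individual if every spelling of their number or address in the rented list maps to the same key, and the recorded reason for each suppression is what you will need if a complaint or a claim for compensation is later made.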
It may also be worth getting contractual warranties from the list seller/lessor outlining that it has obtained the personal data by following the requirements of the new act. Some companies are asking for refunds of part of the purchase price depending on how many entries are found to be – or become – useless due to complaints and deletions.
Businesses that rent or “buy” lists and then merge them with their own databases without the list owner’s consent need to be aware of the new criminal offence of unlawfully obtaining, disclosing, procuring or selling personal data obtained without a data controller’s consent. Sleeper addresses that are used to prove copyright or database right infringement could also prove the committing of a criminal offence. Therefore, the terms of list rental and so-called “purchases” should be checked to see whether the buyer has the right to absorb the lists into databases.
Apart from the sanctions already in place, the risk most companies will be concerned with is bad publicity if it is found that their organisation has unfairly obtained and processed personal information. Elizabeth France, the Data Protection Registrar (DPR) – to be known as the Data Protection Commissioner under the new act – has every intention of using this as a key weapon in her armoury.
Alongside these sanctions are the contractual warranties that may be demanded from organisations in relation to how they have compiled and processed personal data. Such contractual terms will indirectly force compliance.
Under the new act, any data transfer from the UK to a location outside the European Economic Area (EEA) is prohibited unless the receiving country or territory ensures an “adequate level of protection” for individuals’ rights and freedoms in relation to personal data processing.
The DPR has indicated two ways to deal with the issue of “adequate protection”. First, she will provide a publicly available list of non-EEA countries and territories that have sufficient data protection legislation to meet the EU’s basic requirements. Second, she is encouraging respected bodies – such as the CBI – to produce “model contract clauses” to specify protections for individuals’ rights and interests. To date, neither of these measures has been finalised.
The key concern is that the vast majority of countries provide weaker data protection laws than EEA states. Important trading nations such as the US and Japan fall outside the list of “acceptable” countries. Various director-generals of the European Commission have voiced concern over the lack of progress by the US in producing data protection legislation. The current US approach is to favour industry self-regulation – which the European Union is moving away from.
The new act and regulations are expected to be implemented by October 24. However, the Government has announced that implementation will be delayed until next year – hence, organisations have some leeway.
Nonetheless, they need to take active steps right now, despite the DPR’s view that “80 per cent of compliance with the act flows from complying with the 1984 act”. Few companies are likely to have comprehensively followed the 1984 act, because of the Registrar’s weak enforcement powers.
There were no practical means to properly check up on all organisations. The Registrar’s annual report suggests that compliance with registration was not strictly adhered to by a large percentage of businesses. Alarmingly, many organisations have wrongly assumed that registration under the 1984 act was the main requirement. These companies will therefore view the 1998 act as a “retrospective” application of burdens and obligations that they did not heed before.
There is a three-year transitional exemption period for “processing under way” immediately before October 24. However, organisations should not blindly rely on it, as this ambiguous expression is still being debated by parliamentarians and legal practitioners. Essentially, existing databases – which remain unchanged after October 24 – that were being processed in accordance with the 1984 act need not fulfil most of the requirements under the 1998 act until October 24 2001. Nonetheless, unless there are straightforward and accurate ways to divide data that was first collected and processed before October 24 from data obtained and/or processed after October 24, the transitional exemption may not be usable in practice. Where the transitional exemption cannot be relied upon, companies will have to comply with the provisions of the new act as soon as possible – in relation to both “old” and “new” personal data – in readiness for next year’s implementation date.
The new UK data protection laws force more transparency in the ways in which organisations obtain, process and use personal information. But provided sensible precautionary measures are taken in collecting, maintaining and using personal information, companies need not be alarmed. What is crucial to note, however, is that every organisation will be required to have a greater understanding of data protection issues in order to manage its use of personal information. Those which forget or ignore the issue will face greater risks in relation to enforcement, bad publicity and irate clientele. The time to take avoidance measures is now.