The new Data Protection Act will affect almost all businesses because most use personal data (that is, name-linked information) to create and keep customers.
Certainly the Daily Telegraph’s databases are important because they power our Enterprises business and underpin a subscriptions programme that accounts for 30 per cent of copy sales.
This is why the requirements of data protection law, particularly those of the 1998 Data Protection Act which came into force on March 1, are a matter for some concern.
What should we be doing in response to this new law? Here are ten issues that top the Telegraph’s list.
We used the Data Protection Advice & Troubleshooting Partnership to help us review the Telegraph’s existing procedures and to identify any changes which the new legislation requires. Its report provided the framework for our strategy.
Changing our registrations
Registration is one of the fundamental provisions of the UK data protection legislation. It requires data users to notify the data protection commissioner of all the name-linked data they hold. Even if you hold your name-linked data in a filing cabinet or a palm-top computer, you will still need to complete a registration annually and send it to the commissioner.
Although the Telegraph’s registrations were declared comprehensive and relatively complete, we had not recently compared our activities with our register entries, so we needed to do some checking.
For example, had we fully covered our business-to-business databases (of sales prospects, for example) or the personal data we hold in our internal directories (such as phone lists and e-mail directories)?
And had we reflected the scope of the new businesses we were developing? We identified 56 registration sub-categories for further assessment.
When to change registrations
Although the provisions of the Act came into force on March 1 2000, those companies processing data before October 24 1998, as we have been, have until October 23 2001 to comply fully.
But our 1984 register entries expire before October 23 2001, and at different dates.
Because the 1998 Act demands that data controllers make only one register entry, we will submit our new entry when the first of our old entries approaches expiry. Otherwise, we would find our 1984 Act entries had lapsed before the new 1998 Act registration could replace them.
Manual files are now included
A new feature of the 1998 Act is the inclusion of non-computerised files. The test is whether the individual files in a filing system (like a card index) conform with a common structure which allows specific information about individuals to be readily accessible.
But how should we enable individuals who want to know what information is held about them to access these files?
Some filing systems may not meet the “manual” definition, so one option is to give access to all manual files on written request, and to agree to correct any inaccuracies. This should avoid disputes with both the public and the data protection commissioner.
Contracts with data processors
A lot of personal data processing is outsourced to computer bureaux, data capture companies, list managers, call centres, laser bureaux, mailing houses and carriers such as the Royal Mail. We are surveying our supplier relationships to ensure we have contracts with each, affirming that they act only on our instructions and comply with the security requirements of the new Act.
No personal data can leave the European Economic Area unless the country or territory which receives it (for example the US or Australia) “ensures an adequate level of protection for…data subjects”. Our contracts with non-EEA data recipients now make them clearly responsible and accountable to us for any breaches of the new Act.
Policies for data protection
We need to demonstrate that the Telegraph has revised its IT data security policy document, and that the revision is available to the relevant managers and supervisors.
In addition, our staff employment contracts must specifically include a confidentiality agreement for the information we hold on individuals.
A written policy document which describes our rules for retaining personal data, such as lapsed subscribers and prospect lists, is now required. So is a written procedure covering subject access – the right of people to be supplied with a copy of the data held about them, within 40 days of request, including explanations of unintelligible codes, details of the data held, purposes of processing, sources of data and details of those to whom data is disclosed.
The Act demands that organisations nominate a person to whom such requests are addressed.
The 1998 Act now gives people a new right – to prevent their details being used for direct marketing. Because of this, lists must be screened, using the mailing, telephone, fax and the embryonic e-mail preference services, for those who don’t want to receive direct marketing.
Most companies are confused about how they should go about securing the consent of people whose data they seek. Should there be a negative option or a positive option tick-box? How must they inform people so they can hold their data legally?
The answer lies in the quality of information given to data subjects and not the type of box used. Even under the 1998 Act an opt-out box is not absolutely necessary, but if one is provided it can give people the opportunity to indicate their wish to object to their details being used for direct marketing by third parties – a new provision of the 1998 Act.
The new and old Acts both seek transparency for those giving their details, so we must tell people who is going to process their details (including those other companies for whom we are gathering data) and how their data will be used.
Data users must also ensure that any opt-outs are clear, and that it is certain what the respondent is opting out of. In our case, are they opting out of contact from the Telegraph or contact from other companies offering Telegraph-branded products, or simply from having their data passed to third parties? Is the opt-out from contact by e-mail, fax, telephone or mail?
Given that individuals have this new right to prevent direct marketing, notifications and opt-outs need to be precise, clear and consistent. The newspaper business faces the difficulty of conveying this information clearly but in a small space, for example a coupon at the bottom of an ad, and in a type size that is easily readable.
Since 1994, we have launched Electronic Telegraph and 17 electronic magazines on the Net. Most businesses now have a website, so what are the implications of using name-linked data on the Internet?
The global nature of “cyberspace” makes it very complicated when considering whose data protection legislation we are talking about and how we avoid the unwitting transmission of personal data to unprotected countries.
How, for example, do we deal with “cookies” (the information a website stores on a visitor’s computer, which is accessible to the website during the visit and any return visits) which are designed to help individuals gather information for e-shopping and access restricted sites?
Cookies are benign, but the data could be used as a profiling tool by the website owners and with other profiling information, such as data collected from a competition or subscription form. If cookies are to be used in this way, the website will need to notify the individuals involved and tell them how to deactivate the cookie.
Gatherers and users of personal data through the Internet will need to review their activities carefully.
Data protection in other legislation
There are data protection matters contained elsewhere in law.
We need to consider the implications of the Telecommunications (Data Protection and Privacy) Regulations 1999, which superseded the Telecommunications (Data Protection and Privacy) (Direct Marketing) Regulations 1998, on March 1. These regulations deal with marketing faxes and telephone calls to individuals and unsolicited faxes to businesses.
The data protection commissioner, who enforces these regulations, believes this may be extended to include unsolicited e-mail communications for marketing purposes.
Those of us who use direct media will have to examine the way we notify individuals who are contacted by telephone or e-mail, and review how we intend to use the data and give individuals control over how it will be used.
We must also avoid appearing to suggest that consent to processing is a condition of trading with us, in a way that could give rise to a challenge under the Unfair Terms in Consumer Contracts Regulations 1999. These are enforceable by a number of bodies, including the data protection commissioner.
A point of reference
Complying with data protection law is not a trivial matter. As the use of direct media (for example, the Internet) grows, so will consumers’ demand for control over how their personal details are used. They will expect a culture which respects the rights of participants in this one-to-one commerce.
One way to encourage this is to appoint an individual responsible for overseeing data protection compliance and for building expertise in related areas, such as telecommunications, advertising and the financial services regulations which impinge on marketing.
Most companies, I am sure, will want to invest in the development of a customer-centred culture in the direct market of the future.
Tony Coad is development director at The Telegraph Group