Don’t drop me a line

The provisions of the 1998 Data Protection Act came into full effect recently, putting new responsibilities onto any company that collects and processes customer data.

What did the date of October 24, 2001 mean to you? Was it important to your business? Those readers in the direct marketing (DM) industry will have recognised this as the day that the 1998 Data Protection Act came fully into effect.

But it’s pretty certain that not all those companies using DM will have fully understood and implemented the changes that this new legislation requires of any organisation using name-linked data in the conduct of its business.

In the words of George Howarth – the Home Office minister then responsible for data protection – as he introduced the new legislation: “We should avoid any temptation to over-emphasise the new at the expense of the familiar. We should recognise that the 1984 Act takes us a long way down the road to the new law. So UK data users can approach the new law with a degree of confidence. They already have practical experience of implementing similar data protection legislation. But there are also significant new elements to the new law.”

Under the new regime we say goodbye to Elizabeth France, the “data protection commissioner”, and hello to France as “the information commissioner” who, in addition to her data protection duties, now has responsibilities in other sectors, such as freedom of information.

Earlier this year, Direct Marketing Association (DMA) members were warned about the changes they would have to embrace in the DMA book “Guide to the Data Protection Act 1998 – for direct marketers”. The commissioner endorsed this industry advice. In chapter three of her Annual Report she says: “Where industry bodies or other umbrella organisations are willing to produce guidance on how the Act applies in their area, this can be very helpful. For instance, the Direct Marketing Association launched a guide on the Data Protection Act in March”. This suggests that the DMA’s guide is a reliable source of advice about the changes that we should all have made.

Notification statements

One key area where a review of practice is necessary is the notification statement. Since the 1984 Act came into effect, direct marketers have had to collect data fa

irly and inform people about who holds their data and the uses to which it will be put. For most direct marketers this takes the form of a statement made by the direct marketing company – officially called a “data user” – at the point of data gathering (for instance a coupon in a newspaper ad or an application form).

This has been the most visible manifestation of data protection law in practice. Most data users gave an “opt-out” box at the end of this statement, enabling responding consumers (known as “data subjects” in data protection-speak) the chance to prevent their details being passed to third parties.

So if a company was collecting data from people, it did not have to notify them so long as it was the sole user of that data and had no intention of letting other companies use it. It was assumed that if someone gave their details to a company, they would expect that company to use the data in future communication.

The name has been changed

Under the 1998 Act life is different. “Data users” have become “data controllers” with more responsibilities, one of which is to provide more information to data subjects. We will have to do a bit more, as the provision of an opt-out box is now a requirement of law.

For one thing, the 1998 Act gives consumers an important new right to prevent processing for the purposes of direct marketing. For another, the commissioner says that data controllers must not make the process of opting out more onerous than the normal way of doing business. This will mean that we will have to be explicit about the right of a data subject to opt out from direct marketing, not only from third parties but also from the data controller itself.

Companies should therefore always offer an opt-out and must extend this to include the data controlling “legal person” – in other words a formally constituted legal entity, such as a limited company or partnership – XYZ Ltd in the example in Panel 2 opposite.

A direct marketing company might take the view that if most of its own customers were willing to be contacted by it, mixing these up with third party “permissions” would needlessly erode its customer mailing list. Customers might be happy for a specific company to talk to them, but if, for instance, 20 per cent did not want their details passed on to other companies, this 20 per cent would be lost from the customer list.

Pick a box

One way of separating the two preferences is to give two opt-out boxes in the notification. One box would allow an opt-out from the data controlling company gathering the data and the other would give an opt-out from third party contact. So all direct marketers now need to offer an opt-out box and many will probably want to offer two separate boxes, opting out from the data controller’s use and from third party processing and contact.

But that’s not all. In this multimedia world, we may be considering contacting our databases using telecommunications media – phone or e-mail – as well as direct mail, so we must also take the 1999 telecommunications regulations in to account. Under this law, we can only make telecommunications contact if it is solicited. This requirement can be met in two ways.

Firstly, we can notify data subjects that we will be calling or secondly, we can clean our lists using in-house suppression files and the Telephone Preference Service (TPS). So far so good.

But as we are still subject to the 1998 data protection law, which makes the use of the TPS mandatory, we also need to give notice of our intention to use the telecommunications medium. This can be done in notification statements.

So what does a “model” notification statement look like?

The one advocated by Mason’s eminent data protection lawyer Shelagh Gaskill is reproduced in Panel 2 as an example. Such a statement could be used where there is little space for an expanded explanation, such as in a coupon to a newspaper ad, or in an application form.

Where there is more space, there is the opportunity to use more words and give a longer explanation. However, there are two other matters to examine first.

The first concerns data processors – companies which hold and process the data and which carry out the direct marketer’s instructions. Such a data processor might be a service company that takes over the administration, management and running of a marketing database. We therefore need to inform data users that we might be passing their details to an agent who will hold and process them.

The second concerns our need (to conform to the “fair processing” requirements of the 1998 Act) to mention any use of transactional data we hold.

With all these points in mind, it is necessary to compose a statement that economically meets the requirements described. An example is given in Panel 2 below. Such a statement is significantly different from those used under the 1984 Act, but many companies will not have appreciated this and the other changes they will have to make to conform to the requirements of the new 1998 Data Protection Act.

And now is the time to act.

For a copy of the DMA’s book: Guide to the Data Protection Act 1998 – For Direct Marketers, call 020 7321 2525 or access www.dma.org.uk. Tony Coad is chairman of profits-from-data consultancy CCB

Panel 1 – Key points

“Data users” become “data controllers” with added responsibilities.

Consumers have the right to prevent information they supply being used for direct marketing uses.

Companies now have to offer an opt-out box, and may wish to offer two – one to prevent contact with them, the other with third parties.

The consumer must solicit telecommunications contact.

Panel 2 – Example of a notification statement

This statement, by data protection lawyer Shelagh Gaskill, is designed to convey the maximum amount of information in everyday language, in space-constrained situations.

Proposal: “XYZ Ltd (or via agents) may mail, e-mail, or phone offers reflecting your preferences. Tick if you don’t want offers from us [box] or from third parties [box].”

The statement firstly shows the identity of the data controller (XYZ Ltd).

It then mentions that the agents of XYZ Ltd may be acting on behalf of DM companies or under their instructions (in other words, as “data processors”). It explains that the offers may be sent through the mail, or via e-mail or by telephone (thereby meeting the requirements of the telecommunications regulations).

The statement then describes how a person’s preferences (the decisions they have made in the past) will be used in deciding on the communications that they will receive in the future.

Finally, the two tick boxes allow the data user to express three choices. These are to receive contact from all parties; from the data controller (XYZ and the data processors under the control of XYZ); or from neither XYZ nor third parties.

Recommended

Schools football body starts hunt for sponsor

Marketing Week

The English Schools Football Association (esfa), the governing body of school football in England, is to sell its commercial rights to a single sponsor. The esfa, of which 14,000 schools are members, runs 14 competitions, including the schools FA Cup, and is responsible for the under-18s international team whose matches often appear on TV. A […]