In spite of its name, the Data Protection Act (DPA) was passed not to preserve data but to protect people. It regulates what information may be kept about identifiable individuals and dictates how such information may be used.
Everyone who uses information about identifiable individuals in their everyday work is subject to the DPA. You do not need to be in a data-related job for the law to apply, and how you store the information makes no difference. B2B marketers may be targeting businesses, but they are dealing with identifiable individuals within their marketplace. Any data about their contacts are therefore subject to the DPA.
Background
Since 1984 employees have been legally responsible for making sure that the personal information they handle as part of their job is processed accurately; UK legislation does not distinguish between data held electronically and data held on paper. The Data Protection Act 1998 was drawn up specifically to implement the European Data Protection Directive and to recognise that the possibilities, complexities and economies of data processing had changed radically over the 14 years since the previous legislation. The Act came into force on 1 March 2000 and for most records should have been implemented by 24 October 2001. Some manual records created before 1998 need not comply fully with the Act until 23 October 2007.
The privacy of individuals was further reinforced by the Privacy & Electronic Communications (EC Directive) Regulations (PEC Regulations) which came into force on 11 December 2003. The regulations add new rules for direct marketing by email, fax, automated calling system or SMS.
What must you do?
Any time you collect personal information about named individuals, you must inform those whose data you intend to store of:
- The name of the data controller(s) and his/her representative(s), if any.
- Why you are collecting the data and its intended use.
- Other relevant information, such as the intended recipients of the information.
If the information is to be used for direct marketing purposes, individuals must also be given the means to prevent this (i.e. an opt-out).
Marketers intending to contact individuals by electronic means (email, SMS, etc.) must not send unsolicited marketing messages unless they have the recipient’s prior consent to do so (often referred to as opt-in). If an individual has opted in, you must include your identity within any message you send, plus the means to opt out of receiving any future messages.
The Information Commissioner’s (IC’s) definitions of what constitutes opting in are quite broad. For example, an individual who has provided data in the course of a sale, or negotiations for a sale, would be counted as having opted in. Marketers may then contact them provided their messages relate to similar products and services.
Data collection
Collecting personal information from individuals via a website is also subject to the principles of the DPA (see box-out). Websites must tell visitors the name of the data controller, the reasons for the data collection and recipient(s) of the information before collecting any personal data.
The IC says it is not sufficient to provide the above information simply in the form ‘click here to view our privacy statement’. At least the basic messages and choices should be displayed in an intelligible and prominent form wherever personal data is collected.
Some websites can track the online movements of their visitors to build up individual profiles, which may then be used for targeted marketing. Such profile information is considered personal data by the IC and its processing is subject to the DPA. Visitors to the website must therefore also be informed if tracking technology is used.
Note the difference
The DPA does not distinguish between contacting individuals privately and contacting them as employees. The PEC (Privacy & Electronic Communications) Regulations do; the difference is important for many B2B marketers.
The DMA legal team advises that the PEC regulations apply to individual subscribers, i.e. the person who pays the bill. Employees are not individual subscribers and so the regulations do not apply to them.
On the other hand, a sole trader or partnership is regarded as an individual subscriber and so would come under the regulations. The type of business targeted can therefore make a difference to the way B2B marketers may contact them.
The rules governing different media are also inconsistent. Individuals and businesses may opt out of telephone marketing by registering with the Telephone Preference Service or the Corporate Telephone Preference Service. Electronic communications are subject to the opt-in and opt-out rules described above, while businesses may not register on the Mailing Preference Service.
Data controllers
The person within a business who decides what personal data is to be collected and the manner in which such information is to be processed is the data controller. As such they are responsible for complying with the DPA. The IC maintains a public register of data controllers and a brief description of what they do with the personal data under their charge.
If personal information is processed as part of the work of your business, your company should notify the IC’s office. The annual statutory notification fee is currently £35, on which no VAT is payable.
Guidance and advice about data collection is available on the IC website and also, free of charge to members of the DMA, on the DMA legal advice helpline. Other trade associations provide similar assistance for their members.
If businesses hold information about identifiable living individuals (sometimes called data subjects), those individuals have the right to ask for details about the data concerning them. If an individual requests such information, data controllers may charge up to £10 to cover administrative costs. On receipt of payment they have 40 days to send:
- A copy of the information
- Why it’s held
- Notification of anyone it may be seen by or passed to
- The logic involved in any automated decisions.
Data subjects have the right to ask for the information held about them to be corrected or deleted, or for the processing of it to be blocked. Data controllers do not have to comply with the request, but if they refuse they must have an extremely good reason for doing so. Individuals do, however, have the right to demand that businesses cease processing their data for direct marketing purposes.
Key offences
Any breach of the eight data protection principles (see box-out page 41) is an offence. The IC can take action against data controllers to make their data processing comply with the DPA principles. The main offences committed by businesses are:
1. Failure to notify individuals that their personal data is subject to processing.
2. Failure to notify the IC of changes to the processing of personal data.
3. Failure to comply with an enforcement notice.
4. Making a false statement about the data processing conducted.
5. Obtaining, selling or offering for sale personal data without the individual’s agreement.
6. Obstructing anyone executing a warrant to search premises for evidence of breach of the DPA.
The IC usually deals sympathetically with companies that accidentally mishandle personal data, and corrects the error by means of consultation or a tribunal. Deliberate breaches of the Act are subject to fines of up to £5000 at a magistrates’ court or an unlimited amount at a crown court. Imprisonment of the data controller and deletion of part or all of the business’s database are also possible.
Transmission of data abroad
Personal information legally held in the UK may be sent to any organisation or company within the European Economic Area (EEA), which is not synonymous with the EU. Switzerland, for example, is not part of the EEA, while Iceland is in the EEA but is not a member of the EU.
Personal information can also be passed to countries outside the EEA if there are sufficient controls in place in the laws of the country of destination to ensure adequate protection of the rights of the individuals to whom the data refer. The DPA states that it is the duty of the data controller to ensure that the recipient’s country has such controls in place before transferring information. From the point of view of marketing, pan-European promotions are legally subject to the laws of the country in which the processing takes place.
The philosophy behind the DPA is simple. If businesses hold information about identifiable individuals, then those individuals should know who has it, who can view it and what is done with it. As Rosemary Smith, managing director of specialist data protection advisor Opt 4, says: ‘Interpretation is important and businesses should be extremely careful how they write their permission statements. Extra time spent thinking through the various ramifications can save a huge amount of grief later.’