The effect of the Data Protection Act on e-marketing
This guide is based on UK law. It was last updated in
March 2008.
The law relating to data protection is designed to regulate
organisations known as data controllers who collect and process
information relating to living and identifiable individuals and to
provide those individuals with rights in relation to such data. In
the UK the position is currently governed by the Data Protection
Act 1998 ("the Act"), which is designed to comply with a European
Union Directive on Data Protection to harmonise the different data
protection laws within different Member States.
Personal data are information about a living individual who can
be identified from that information, or from that information
together with other information which is in, or is likely to come
into, the data controller's possession. Such data can be as minimal
as a name, address, e-mail address or even a phone
number. Certain data (e.g. political opinions, religious beliefs,
ethnic origin, health information, sexual life, criminal
convictions or membership of a trade union) are classified as
sensitive personal data. To process this type of data a data
controller must have special reasons for doing so.
The Act applies whenever personal data are processed. Processing
covers anything done to personal data, for example when it is used,
disclosed, stored, collected, amended or deleted. Once personal
data have been irretrievably deleted they can no longer be
processed and the Act ceases to apply.
The Act applies to data processed automatically by computers and
also to data processed manually, where the data are stored in a
structured set organised by reference to an individual so that
specific information about that individual is readily accessible.
The Data Protection Principles
For personal data to be lawfully processed in the UK, a data
controller has to ensure that all processing activities with
respect to personal data comply with the eight Data Protection
Principles. The Principles comprise a broad code of good processing
practice which balances the legitimate need for organisations to
process personal data in order to deliver goods and services
against the privacy of the individuals to whom such data relate.
Schedule 1 of the Act sets out eight Data Protection Principles
which require personal data to be:
- processed fairly and lawfully, and to be processed only under
certain specified conditions;
- processed only for specified lawful purposes and not processed
in any way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purpose
(or purposes) for which personal data are processed;
- accurate and where necessary kept up-to-date;
- processed no longer than is necessary for the purpose or
purposes;
- processed in accordance with the rights of the data subject,
e.g. so that a copy can be made available to the individual
concerned;
- protected by appropriate technical and organisational measures;
and
- not transferred to any country outside the European Economic
Area unless that country ensures, in relation to the processing of
personal data, an "adequate level of protection" for the rights and
freedoms of data subjects that is acceptable to the EU.
Security and Data Processors
The seventh principle requires that all data controllers put in
place appropriate technical and organisational measures to
safeguard personal data against unauthorised or unlawful processing
or accidental loss, destruction or damage. The interpretation
section to this principle takes this requirement one step further
by imposing upon all data controllers who use data processors
certain additional obligations.
Data processors are defined in the Act as any person (other than
an employee of the data controller) who processes personal data on
behalf of the data controller. This is a very broad definition made
more so by the wide meaning of "processing" which covers every
processing operation imaginable from collection to destruction. A
data processor is, therefore, anyone who does anything with or to
personal data. For example, IT consultants, statutory auditors,
pension administrators, external payroll providers, mailing houses
and even other companies within a group, are all potentially data
processors.
The Act requires that a contract in writing must be put in place
between the data controller and each of its data processors. The
contract must:
- require the data processor to comply with obligations
equivalent to those of the seventh principle. In fact, a data
controller must not use a data processor who is unable to provide
sufficient guarantees in respect of the technical and
organisational security measures it will take in respect of the
processing;
- grant to the data controller the right to audit the data
processor at any time (this will enable the data controller to
ascertain whether the data processor is complying with its
contractual obligations); and
- specify that the data processor is to act only on instructions
from the data controller.
It also makes sound commercial sense to ensure the contract
specifies that under no circumstances will the data processor gain
any rights in the personal data. The contract should also describe
what is to happen upon termination (e.g. the return or
irretrievable destruction of the personal data, or its continued
retention by the data processor subject to continuing obligations
of confidentiality).
Many organisations have for many years transacted business with
their data processors in such a way that the initial contract (if
there ever was one) has long expired, and the parties conduct their
business on the basis of a course of dealings. There is no doubt
that this is a contract. However, the Act requires that contract to
be in writing or at least evidenced in writing. Companies with
group structures will also be affected and will have to put in place
inter-group processor contracts, for example where one company
deals with payroll for all the others and another handles the
company car scheme for the group's employees. According to the
European Commission, inter-group transfers may now also take place
on the basis of "binding corporate rules", subject to strict
conditions.
Marketing
Nothing in the Privacy and Electronic Communications (EC
Directive) Regulations 2003 ("the Regulations") replaces or changes
the responsibilities of organisations under the Act. Organisations
will therefore have to comply with both the Act and the
Regulations.
Contact details held on individuals in a private capacity, or on
individuals in a business capacity, are likely to be personal data
under the Act. Organisations will therefore have to comply with the
eight data protection principles. The first principle requires data
to be processed fairly and lawfully, and a key requirement of this
is that individuals are aware of who the data controller is, what
their information is being used for, and anything else necessary in
the circumstances to make the processing fair. This information is
provided in the data protection notice.
In a marketing context this means that communications should be
clear as to who they are from, and that when contact details are
collected individuals should be told that they will be used for
marketing purposes and generally how this will be done, for example
by telephone, email, SMS or fax.
Where a data controller uses a marketing company to carry out
mailings on its behalf then the processor requirements of principle
seven must be met.
In addition, the Act contains an absolute right for individuals
to object to marketing at any time by notifying the data controller
in writing.