INTRODUCTION

Information technology has grown at an exponential rate over the last three decades, with systems becoming increasingly powerful and more and more data being stored and processed. Database marketers, more than most, are businesses for which data is an essential resource, since the accumulation, buying and selling of customer data and marketing contacts are key aspects of their everyday business. They should be aware of the UK's central piece of legislation governing the protection of data, the Data Protection Act 1998, and will no doubt be familiar with dealing with the UK's regulatory body, the Information Commissioner's Office (ICO). Recent actions taken by the ICO would, however, indicate that not all those who process personal information are as familiar with the Act as perhaps they should be. In March 2007, several banks were found to be in breach of their data protection responsibilities following customer complaints about sensitive information found in rubbish bins outside their premises.1 More recently, action has been taken against Littlewoods in relation to unsolicited marketing mailings. This paper describes some of the ICO's recent enforcement actions and considers how the ICO is seeking to achieve compliance with the UK's data protection requirements. In doing so, it provides an overview of the requirements, concentrating on those most likely to be relevant to database marketers.

THE DATA PROTECTION ACT 1998 — AN OVERVIEW

With growing amounts of data came the need for legislation to regulate how the data were handled, and this gave rise to the Data Protection Act 1984 and, more recently, the 1998 Act (the Act), which implemented EU-wide legislation on the protection of data. The Act gives individuals rights such as the right to ascertain what information is held about them. The Act also imposes obligations on those who hold data to ensure it is dealt with properly. Importantly, the Act only applies to ‘personal data’,2 defined as any data relating to a living individual who can be identified from the data, or from the data together with other information in, or likely to come into, the possession of the data controller. ‘Data controllers’ are those who determine the purposes for which, and the manner in which, any personal data are processed.

In order to promote openness and transparency in the use of personal information, the Act requires3 every data controller who processes personal data to notify the ICO unless they are covered by an exemption,4 and not doing so is a criminal offence. The exemptions are too numerous to cover in detail, but the ICO provides a useful self-assessment guide.5

To ensure information is handled correctly, the Act sets out eight data protection principles with which data controllers must comply. The principles, which are also referred to as the principles of ‘good information handling’, require that data controllers ensure that information is:6

  1. fairly and lawfully processed;

  2. processed for limited purposes;

  3. adequate, relevant and not excessive;

  4. accurate and up to date;

  5. not kept for longer than is necessary;

  6. processed in line with an individual's rights;

  7. secure; and

  8. not transferred to other countries without adequate protection.

The Act sets out what each of these principles requires, and the ICO publishes guidelines to help data controllers to comply with the principles.7 These data protection rules, coupled with the rules relating to unsolicited marketing communications set out in the UK's Privacy and Electronic Communications Regulations, which have been summarised in previous articles in the Journal,8 are the principal rules with which the ICO will expect database marketers to comply.

The guidelines published by the ICO to assist data controllers to comply include helpful good practice notes and compliance checklists. Of particular interest to database marketers are the ICO's good practice notes on the buying and selling of customer databases,9 electronic mail marketing10 and the Telephone Preference Service.11

ENFORCEMENT BY THE ICO

The ICO has various powers to ensure the Act is complied with. It can assess and request information from organisations, and if they are found in breach, it may serve enforcement and ‘stop now’ notices requiring organisations to take specific steps to ensure compliance. It can even prosecute those found guilty of a criminal offence under the Act. Presently, the sanctions that can be imposed on those found guilty of such offences are limited to fines. This is set to change and although this is unlikely to affect reputable businesses, it is worth mentioning that the government has announced its intent to crack down on those who trade illegally in personal data and concrete proposals for custodial sentences for certain offences involving the misuse of personal data have been put before parliament.12

One notable absence from the ICO's armoury is a right of audit — the ICO does not have the statutory right to inspect the processing of data at a business' premises — and perhaps for that reason the ICO has been reluctant to serve enforcement notices, preferring instead to take a more conciliatory approach. For instance, in March 2007, several UK banks were found in breach of the seventh data protection principle, which aims to ensure that data are held securely. The principle requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. The institutions had used bins located outside their premises to discard material such as customer application forms and bank cards that contained personal data.

Although the actions of the banks could have resulted in serious consequences such as identity theft and defrauding of their customers, the ICO chose not to serve enforcement notices in the first instance. Instead, it obtained undertakings13 from each of the banks to ensure they would comply with the seventh data protection principle in the future, and the undertakings were subsequently published on the ICO's website as a deterrent to others. While the undertakings did not impose any punitive measures as such and sought instead to ensure that the Act would be complied with in the future, they provide the ICO with a right to audit the banks' data protection procedures in the future, which the ICO would not otherwise have had. So, as well as receiving an embarrassingly public slap on the wrist, the banks know that their activities will be subject to the scrutiny of the ICO and that in the event of further transgressions, additional sanctions may follow. In this way, the ICO seems to be taking practical steps that are likely to ensure a higher degree of compliance than might have been achieved through serving an enforcement notice in the first instance.

More recently, in June this year, similar action was taken against Littlewoods Shop Direct Home Shopping Limited after a customer had complained to the ICO about receiving unsolicited mailings. The customer had continued to receive mailings despite assurances that her details had been removed from Littlewoods' mailing lists, and the ICO required undertakings to maintain the sixth data protection principle, which requires that data be processed in accordance with an individual's rights. In particular, the undertakings required that:

  1. the personal data of the customer in question be suppressed from all company databases, thereby ensuring that she would not receive any future marketing material from Littlewoods; and

  2. Littlewoods would review the procedures currently in place to ensure that customers' rights under Section 11 of the Act (which gives individuals the right, by written notice, to require a data controller to cease or not to begin to process their personal data for the purpose of direct marketing) are upheld.

CONCLUSIONS

The recent actions of the ICO against a range of businesses demonstrate that it is seeking to ensure data protection compliance, and they underline the need for data controllers such as database marketers to be acquainted with, and adhere to, the data protection rules in addition to the requirements that apply to electronic marketing communications. The ICO has tended to require undertakings as to future compliance from businesses it has found to be in breach of the data protection rules, including breaches in relation to the sending of unsolicited marketing communications. While such undertakings, unlike sanctions imposed for data protection violations by other bodies such as the Financial Services Authority,14 do not in themselves impose any punitive measures, they allow the ICO to scrutinise these businesses' future activities in a way it would not otherwise be able to under its statutory powers under the Data Protection Act. As punitive sanctions may follow in the event of further breaches by these businesses, this course of action by the ICO may be viewed as a practical approach to ensuring compliance.

© Bristows