Data protection

November 01, 2004

As more and more of our personal details and habits end up stored on large consumer databases, Briefing takes a look at what guidance the law gives to ensure such information is used responsibly.

What does the law say?

The Data Protection Act 1998 is the legal basis regulating how companies collect and use personal information about living individuals. Companies increasingly hold large amounts of such data in order to know their customers well and tailor products to what they prefer. The Act exists to make sure companies only use this information in a way that respects personal privacy, and to protect people from harms such as fraud and identity theft.

What’s a ‘data subject’ exactly?

Anyone who has data held on them is defined as a ‘data subject’ by the 1998 Act, which aims to ensure that the individual rights of such subjects are upheld. Organisations which decide how and why such information is held and processed, meanwhile, are known as ‘data controllers’.

What does it mean in practice?

While the details of compliance can be complex, the basic requirement is that companies follow the Act’s eight data protection principles. These include obtaining data only for specified, lawful purposes and not processing it further in a way that is incompatible with those purposes. For example, if someone gives their name and address for a home delivery, this can’t then be used for an unrelated purpose such as sending out junk mail. Other elements of the principles include:

  • personal data must be processed fairly and lawfully, and only where at least one of the conditions set out in the Act is met (the most common being the subject’s consent)
  • data must be adequate, relevant and not excessive for its purpose, and must be accurate and kept up to date
  • data must not be kept longer than the purpose requires
  • data must be safeguarded by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • data must not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection.

What about ‘sensitive’ information?

The Act makes special provision for ‘sensitive personal data’: information on racial or ethnic origin, religious beliefs, trade union membership and other subjects which can be used to discriminate unfairly. This should only be processed where one of the stricter conditions the Act sets for such data applies, and it should be kept secure. For instance, where ethnicity data is gathered as part of an equal opportunities policy in recruitment, it must only be used for overall staff diversity monitoring and should be kept separate from the main assessment process.

Does the Act have teeth?

It has an active enforcement agency in the form of the Information Commissioner’s Office. If the Commissioner believes that a company has breached any of the Act’s principles, he can serve an enforcement notice requiring it to stop or change the offending processing; failure to comply with such a notice is a criminal offence.

The Act also obliges companies to make any personal data held about a member of the public available to them on request. Anyone can write to a company, asking it to disclose the data it holds on them, the purposes for which it is held, who it may be passed to, and the logic behind any automated decisions taken about them on the basis of that data. Companies have 40 days to comply, counted from when they receive the request together with any fee (at most £10) and any information reasonably needed to confirm the requester’s identity.

What about data on employees?

The Act requires that employees know what information is being kept about them and why. Employers cannot keep their staff under surveillance in intrusive ways: monitoring such as CCTV or the checking of emails must be justified, proportionate to the purpose and, except in narrow circumstances, made known to staff. Once again, it’s about having procedures in place that respect privacy and the wishes of the individual.

http://www.hmso.gov.uk/acts/acts1998/19980029.htm

http://www.ncc.org.uk/dataprotection/index.htm

Corporate Citizenship Briefing, issue no: 78 – November, 2004