Data protection countdown

The much-heralded Data Protection Act 1998 will become law on 1 March 2000.  It will impose greater burdens on those who process personal data for marketing purposes and will considerably strengthen the rights of individuals whose personal information is used in this way.

The Act gives a number of rights to data subjects.  These include the right to request a data controller to inform them whether their data is being processed, the purposes for which the data is being processed and to whom it may be disclosed.  Data controllers may also be required to disclose the source of the data unless this would involve identifying an individual.  Any request for information must be made in writing and be accompanied by payment of a fee up to a maximum of £10.

Data subjects can also require a data controller to cease or not to use their data for the purpose of direct marketing.  If such a request is made, the data controller must comply within a reasonable time and, if it fails to do so, the individual can make an application to the court.

Even if an individual does not exercise his or her rights under the Act, data controllers are still obliged to process personal data in accordance with the eight data protection principles set out in the Act.

The first principle requires the data controller to process data fairly and lawfully.  This will be the case where the data subject has given consent or where the processing is necessary to enter into or perform a contract with the data subject.

Processing which is “necessary for the purposes of the legitimate interests of the data controller”, provided it does not prejudice the rights, freedoms or legitimate interests of the data subject, is also included within the scope of fair processing, although it remains to be seen how this will be interpreted.

The term “consent” is not defined in the Act but in some cases it may be possible to imply the data subject’s consent to the processing even if it has not been given explicitly.  By contrast the Act requires “explicit consent” to be given before sensitive personal data can be processed.  Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health or sexual orientation.

Data controllers are required to ensure that data subjects have the means to identify the data controller.  This is particularly important where a company is using a trading name which is different from the company name.  The purposes for which their data will be processed should be made known to the data subject and they should not be misled as to how the data will be used.

Web site owners should consider including a privacy policy on their sites identifying the company controlling the data and explaining how the data will be used.  If personal data captured on the site is being passed to third parties, for example where the site user is invited to click for more information about a product or service, this should be made clear to the site user before they click.

The Act requires data controllers to ensure that data is kept secure and the degree of security required will depend on the nature of the data concerned.

The transfer of personal data to countries outside the European Economic Area will now be subject to the consent of the individual unless certain conditions are met, for example if the transfer is necessary for the performance of a contract between the individual and the data controller or is to a country which provides what the Act describes as an “adequate level of protection”.  The United States is among the many countries that do not provide such protection, although recent Federal Trade Commission reports, including one on Online Access and Security, could result in new US privacy legislation to protect personal data.

It is likely that most companies using personal data will already be registered with the Data Protection Registrar, and their registrations will remain valid for the period of registration or until 24 October 2001, whichever is the earlier.  The registration procedure will be replaced by a new system of notification with effect from 1 March 2000, and regulations governing the new notification system have recently been published.


Bulletins are for general guidance only. Legal advice should be sought before taking action in relation to specific matters. Where reference is made to Court decisions facts referred to are those reported as found by the Court. Please note that past bulletins included in the Archive have not been updated by any subsequent changes in statute or case law.