Data Protection
Lasa Computanews Guide

The 1998 Data Protection Act affects almost all voluntary organisations. However, many struggle to understand it, and worry that they might get into trouble by not complying. Or they take an over-cautious approach and allow their work to be hampered by unnecessarily tight restrictions. This guide aims to demystify the Act and give you a framework for deciding what your organisation needs to do about it.

The Data Protection Act need not be a major problem. Its aims fit very closely with the concerns and culture of most voluntary organisations. In fact, seeking to apply good Data Protection practice means asking questions which can actually help to improve services or procedures. Understanding the Act can also help you to put up a challenge when your work, or your clients’ lives, are frustrated by other organisations – perhaps refusing to supply information on the erroneous grounds that Data Protection prevents it, or insisting that things be done in a particular, awkward way.

What is Data Protection all about?

You must comply with the Data Protection Act, because it is the law. However, you normally have a choice about how to comply. It is easier to make your decisions about this if you understand what the Act is trying to achieve and what your priorities should be.

Data Protection is not about protecting data for its own sake; it is about protecting individuals from the consequences of data being misused or handled badly. This has to be your top priority.

The Data Protection Act sits alongside other legislation that tells us to look after the people we come into contact with – in areas such as health and safety, child protection, discrimination, consumer protection and so on. The Data Protection Act is generally written so that it should never need to be used as a reason for doing something harmful. This does not mean that the right course of action is always clear, however, especially when it’s a matter of balancing several different people’s interests.

If preventing harm is the top priority, demonstrating respect for the individual comes a close second. In our information-rich society, organisations (and even individuals) can behave in intrusive, unpleasant or annoying ways if they use data without the knowledge, or against the wishes, of the individual. People are increasingly aware of this and feel strongly about it. No voluntary organisation can afford to alienate people by behaving in ways they find unacceptable.

These two themes: preventing harm and respecting the individual, run through the Act in many areas, in particular in the Data Protection Principles (see the centre pages of this guide). Before going on to discuss how to satisfy the Principles, however, we need to look at exactly what information we are talking about.

Although care has been taken in the preparation of this guide, it should be read for general information only. It is not necessarily a full or accurate statement of the law in every respect.

Personal data

The Data Protection Act only applies to “personal data”. You probably hold other information which is not personal data but which nevertheless needs to be looked after carefully because it is confidential or important. That’s fine. There is nothing to stop you having a policy which goes further than Data Protection would require – and in any case the dividing line is not always clear, so you will want to be on the safe side.

In some cases, however, you do need to know more accurately whether information is “personal data” or not – for example when responding to a formal “subject access request”, which we will say more about later. You must also make sure that you do not assume certain information is outside the Act when in fact it is covered.

In order to be “personal”, information must relate to an identifiable, living individual. The Court of Appeal in December 2003 decided¹ that it must also be about them in some way. So it’s not enough just to mention someone; there has to be some additional information about them. The individual is “identifiable” if you can work out who they are in any way (for example by matching one set of data against another).

The definition of “data” is more complicated. It covers, firstly, information held on “equipment operating automatically in response to instructions given for that purpose” – in other words computers or any other computerised or programmable system.

Manual information is data if it is held in a “relevant filing system”. That is a “set of information … structured [so that] specific information relating to a particular individual is readily accessible”. The Court of Appeal also considered the definition of “relevant filing system” and decided that the structure and indexing was key. It must be possible for someone with very little prior knowledge of the system to look someone up quickly and go straight to a specific piece of information about them, without having to wade through the file document by document.

Data Protection does not only apply to text. It can cover photographs, biometrics, video, CCTV or audio material; the key question is always: “is it personal and is it data?”

Records intended to go onto the computer or into a filing system are also counted as data. So the forms on which you collect information, or notes you take during an interview, would be covered as soon as you have them in your possession if the information will eventually end up on the database or in your client records, for example.

Finally, from 1 January 2005 public authorities will have to make a lot of their information available under the Freedom of Information Act 2000. Where the information relates to individuals, it will be treated as personal data, with access provided through the Data Protection Act. Health, education and social work records are already subject to slightly different rules. This Guide does not cover these specific issues.

There can be uncertainty about whether specific information is personal data or not, but it is likely that much of the information you hold about people, whether on computer or on paper, will be personal data.

With borderline material it is probably wise to take a cautious view, and treat information as personal data even if you think it may not be. There is nothing to stop you going beyond the minimum requirements of the Act, especially if the consequences of poor practice would be harmful to the individual. The key thing is to avoid assuming that things are not covered when they are. That could lead to serious mistakes.

To give a sense of how the definition of personal affects the information found in many voluntary organisations, the table below shows examples of how the two elements of “personal data” might interact. The word “probably” shows how difficult it can sometimes be to decide. Only the top left-hand box is covered by Data Protection requirements.

| | Personal (probably) | Not personal (probably) |
|---|---|---|
| Data (probably) | • Your membership database. • A card index of your management committee members. • Most of your personnel files. • Order forms from individuals. | • An email discussing the timetable for a project. • A spreadsheet containing statistics on the types of client who used your services last year. • A database of voluntary organisations in the area, used for printing a directory.* |
| Not data (probably) | • A file of letters of complaint, in date order, with no index. • A set of training course files, organised course by course, where individual participants’ booking forms and other details are kept. | • The plaque explaining why your centre is named after someone long dead. • The printed minutes of a meeting where they refer to someone agreeing to do something. |

* But the contact details for individuals within the organisations may well be personal data.

1 Durant v Financial Services Authority EWCA Civ 1746, Court of Appeal (Civil Division)

2 Data Protection • Lasa Computanews Guide

The Data Protection Principles

Whenever you “process” personal data you must comply with all eight Data Protection Principles. By doing so you will achieve the aims of protecting individuals from harm and demonstrating respect. (“Process” means doing anything at all with information, including collecting it, storing it, using it, changing it, disclosing it or destroying it.)

The Principles are given in full on the centre pages of this Guide, with an indication of how specific Principles relate to the overall aims. In summary:

• Data ‘processing’ must be ‘fair’ and legal.
• You must obtain data only for specified purpose(s) and use it only in ways that are compatible with the purposes.
• Data must be adequate, relevant & not excessive.
• Data must be accurate & up to date.
• Data must not be held longer than necessary.
• Data Subjects’ rights must be respected.
• You must have appropriate security.
• Special rules apply to transfers abroad.

Preventing harm

Your first priority must be to prevent harm to individuals through inappropriate or irresponsible use of data. The most likely sources of harm fall into three categories:

• If data you hold about someone is inaccurate or inadequate, the result could be that you provide them with an inappropriate service or make the wrong decision.
• If you have poor security, or an inadequate confidentiality policy you could allow data to fall into the wrong hands.
• There are cases where you should disclose information in order to prevent harm to the individual or to someone else. You must not let misunderstandings about the Data Protection Act prevent you from doing the right thing.

The worst type of harm would be physical damage. For example, if you take clients out on a trip and record the wrong information about the dosage of someone’s medicine the consequences could be severe. Or you may know someone’s address or contact details; in most cases that’s fairly innocuous data, but if the person is in danger of harassment or physical assault then you would have to be very careful to protect the information from being given out inappropriately.

Financial harm could result, for example, if you pay people the wrong amount because your data is inaccurate, if you give them the wrong benefits advice because you make a mistake in their case file, or if your inadequate security allows a fraudster to collect enough information about someone to perpetrate an identity theft.

Harm could be less tangible, but nevertheless serious, including embarrassment or breach of privacy. There is no reason for someone’s colleagues to know why they are off work, unless they choose to say; it might be the kind of hospital visit they would rather not talk about. Service users may not want their case written up in enough detail in your newsletter for their friends to guess who the “anonymous” person was.

Harm from a failure to disclose could result in vulnerable people being put at risk because someone who could help them was unaware of the problem, or because someone behaving inappropriately was not reported in time.

Finally, the Act recognises that other countries may not offer the same protection as those in the European Union. Where data cannot be protected when you transfer it abroad, you normally need the consent of the Data Subject.

Accuracy and adequacy

The third and fourth Data Protection Principles say that data must be “adequate”, “accurate” and “up to date”. The test of harm gives you a way of deciding how far you need to go. A mailing list for your newsletter probably need be checked no more than once a year; if you are supporting a client in a benefits case your information must be right up to date at all times. If you want to get a rough idea of your clients’ ages, tick boxes for age bands (35–45, and so on) are probably fine; pension records must have the exact date of birth.

One of the decisions you need to make, therefore – in respect of each set of data you hold – is how accurate and up to date you need to be, and how you are going to ensure that your data meets your requirements. You need to be particularly careful where information is not provided by the individual themselves. If your clients are referred from another agency, do you take the information they provide on trust, or do you check it immediately with the client? If your staff and volunteers put their own comments into a file, how do you make sure that they only record statements and information that can be substantiated?

Security

The seventh Data Protection Principle says that you must have “appropriate” security to prevent two kinds of problem:

• unauthorised access
• accidental loss or damage

The use of the word “appropriate” here relates directly to the aim of preventing harm. You need to carry out a risk assessment to see how much harm, and to how many people, would result from a breach of security, then put your main effort into preventing the most serious harm.

Before looking at security you must spell out what access is authorised. Any other access is therefore “unauthorised”. Some material could be in the public domain, with no restriction on access; for this, obviously, no security might be needed. For more confidential material it is important to be clear where the boundaries of confidentiality lie: will the information a client gives you stay just with the case worker? with the case worker and their supervisor or their team? within the organisation? And despite all that, under what circumstances would you breach confidentiality in order to protect other people? Everyone benefits from this clarity: your staff and volunteers, your clients, your funders and other external agencies that you come into contact with.

Having decided who is allowed to see the information, and in what circumstances, you then must ensure that you prevent other people from seeing it. The measures you take must be “technical and organisational”. Technical measures would include physical security – locks and barriers to access – and things like passwords, anti-virus software and back-up systems. Organisational measures are usually more important: training (and policies to base training on), induction, supervision and a general culture of security.

You should also think about the always thorny issue of how to encourage people to spot and own up to security breaches. Inevitably things will go wrong; the best organisations learn from their mistakes, and offer redress without being forced into it. But security breaches are usually embarrassing so the natural tendency is to hope that no one will notice.

There is a British Standard on Information Security Management (BS7799, also known as ISO 17799). While this has some useful pointers, it is more appropriate for very large organisations which need more formal systems and can afford the cost of being assessed for compliance regularly.

Although the primary responsibility for a security breach is the organisation’s, an individual is committing a criminal offence, punishable by a fine, if they knowingly or recklessly access data without authorisation, knowingly or recklessly allow another person unauthorised access, or sell data accessed without authorisation.

Transfers abroad

When personal data is transferred outside the UK you must try to maintain protection if possible. There are two main ways to do this: by law, or by contract. All the countries in the European Economic Area (the 25 states of the European Union plus Norway, Iceland and Liechtenstein) are deemed to have (and generally do have) acceptable laws, as are some others, including Guernsey, the Isle of Man and Switzerland.

Alternatively you can protect the data by having an “approved” contract with the recipient organisation or, in a special provision for the USA, where the recipient has signed up to the voluntary “safe harbors” agreement.

Otherwise, you should normally get informed consent from the Data Subject for the transfer. Many people would say that this means you also need consent if you are going to publish any personal data on your web site, unless you can control where it goes or who sees it.

Breaking confidentiality

Most of the time your staff and volunteers need to have a cautious approach. If you give information out inappropriately there is no way of getting it back, whereas if you hold off giving it out while you check, you can then give the information if it turns out to be the right thing. Provided you minimise any delay, this is the safest course of action.

However, it is important to realise that the Data Protection Act does not impose a blanket ban on disclosure, even where you do it without the knowledge or consent of the Data Subject. Where harm to anyone – whether your Data Subject or not – would result from keeping data to yourself, you should consider whether the potential harm is serious enough to make disclosure the right thing.

The Act says specifically that in effect Data Protection is not breached:

• if another law requires you to provide information, or
• if you choose to disclose information because not doing so would prejudice crime prevention, catching criminals or collecting taxes or duties.

In either case the disclosure can be on your own initiative – because you spot a problem and decide to report child protection concerns, a breach of care standards or a suspected fraud, for example – or at the request of an official agency.

Where you are approached for information, it is reasonable for you to expect the request to meet certain conditions:

• It should normally be in writing.
• It should identify the basis for the request: are you being asked for help, or is there a law requiring it? If the latter, the requesting agency should be able to spell out where their power originates.
• The individual making the request should be authorised to do so: either by seniority, by the department they work in, or by name.

Whenever you contemplate a breach of confidentiality you should have a procedure for discussing it internally and
approving it, in writing, at the appropriate senior level.

The question of when you need consent for disclosures is discussed below.

If things go wrong

If, despite your best efforts, things go wrong and you end up causing harm, the Data Subject affected has several avenues for redress. These include:

• requiring you to stop causing them harm
• Subject Access
• “Assessment” by the Information Commissioner
• correction, deletion or clarification
• compensation
• those who have received wrong information being told.

If an individual believes that they are being harmed by your use of data about them, they can require you, in writing, to stop. You then have 21 days to stop, or give them a reason why not (which is not necessarily the end of the story). This provision is restricted to certain situations, so if you receive a demand to stop harming someone you should, of course, take it seriously, but also take advice so that you know the full legal position.

A more commonly-exercised – but still quite rare – right is that of Subject Access. This gives the Data Subject the right to see the information you hold about them, so that they can check that it is adequate, accurate and so on. Again there are restrictions, discussed below. Although this right has up to now not been exercised very often, especially in voluntary organisations, that does not mean it cannot happen. And it is an important protection for the Data Subject when things go wrong.

Having made a Subject Access request (if appropriate), a Data Subject who believes that they are being harmed by a breach of Data Protection can ask the Information Commissioner to make an “Assessment” of whether Data Protection is in fact being breached. The Commissioner must then, by law, make an “Assessment”, and has various powers to assist in enquiring into the situation. More information on the procedures and policies of the Commissioner is available on their web site, www.informationcommissioner.gov.uk.

The Commissioner can only say that a breach of Data Protection has occurred. If the Data Subject wants tangible redress – assuming you don’t offer it voluntarily – they have to take you to court. The court can order:

• correction, deletion or clarification of the offending information;
• compensation for actual harm suffered, and for “associated distress”, but not normally for distress on its own;
• that anyone to whom wrong information has been disclosed must be informed, so that they can take corrective action, too.

Subject Access

The basic provision under Subject Access is that you must provide a permanent copy of all the personal data that you held about that person at the time their application was made. This could include printing out information held on computer and copying information held on paper.

You can make a charge for Subject Access, but it must not be more than £10, regardless of any photocopying costs you incur.

If you have to deal with a Subject Access request, it is important to take it seriously, but not to be panicked into acting too hastily. You have to reply as soon as possible, but the statutory time limit is 40 calendar days. Unless you are absolutely sure that there is nothing controversial in the data, and no uncertainty about which information you should release, you should take qualified legal advice.

You should not release information in response to a Subject Access request unless it is personal data, but on the other hand you have to make your best effort to find all the personal data your organisation holds about that individual. You then have to check whether you are entitled, or expected, to hold back any of the data on other grounds. These could include not disclosing information about your intentions in relation to any current negotiations (such as restructuring plans for the organisation) and, in particular, not disclosing information that would breach someone else’s confidentiality (the “third party” exemption).

In relation to Subject Access a third party is anyone who is mentioned in the information – another member of the Data Subject’s family, for example – or anyone outside your organisation who is the source of the information – such as a referee for a job, or someone making a complaint. Where possible third party information should be released, if it is

The Data Protection Principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Preventing harm

• Data Protection is unlikely to prevent you from passing on information in order to prevent serious harm. See the Conditions in Schedules 2 & 3 that might allow you to disclose data without consent.
• People must know enough about what you are doing with their data, so that they can alert you to any possible harm, for example if you pass it on in ways that they would not want you to.
• When you are making decisions about people or providing a service, you must have enough data to ensure that you are not missing a crucial piece of information.
• When you are making decisions about people or providing a service, your data must be accurate and up to date enough not to harm them.
• People have the right to check the data you hold about them.
• If your data handling causes harm to people you have to put things right and may have to pay compensation.
• You must make sure that people are not harmed by their information falling into the hands of inappropriate people through your poor security.
• You must make sure that people are not harmed by you losing crucial data.
• If you transfer information abroad, you must be clear about whether it will stay protected and, if not, get consent from the Data Subject.

Showing respect

• People must know enough about what you are doing with their data that they get no unpleasant surprises. You must not go behind their backs or keep them deliberately in the dark.
• You must consider whether you need consent for what you want to do. If not, you must be sure that you meet one of the other conditions. This is particularly important if you are collecting or using “sensitive” data.
• You should give people the chance to opt out of their data being shared with other organisations.
• You must be clear about why you are collecting information and must not collect information for one purpose then use it for something completely different.
• You must not ask for intrusive types or amounts of data.
• You must not hold on to information once you no longer have a use for it, provided you meet statutory retention periods.
• You must offer people the chance to opt out of receiving any kind of marketing material.
• If someone tells you to stop sending them marketing material you must comply.
• You should normally get consent before you put people’s details on your web site.

reasonable to do so (for example if it is information the Data Subject already knows), or if the third party has given their consent. But if the third party has refused consent then in most cases the information that identifies them must be withheld.

This is only a brief summary of the Subject Access provisions. The key points are:

• Take it seriously but don’t panic.
• Take advice.
• Don’t record information unless you are confident that you could justify it being in the file should someone make a Subject Access request.
• Decide in advance your policy on whether to charge or not.

Acting for others

Everyone has their own individual Data Protection rights. (Even a married couple do not automatically have the right to see information about each other.) However, people can act on behalf of someone else. For example, someone might ask a solicitor to make a Subject Access request on their behalf, or a parent might act on behalf of a young child.

Anyone acting on behalf of another must be authorised and must be acting in their interests. Where the person is not acting on their own behalf because of incapacity (due to age, illness or mental condition, for example) it can be difficult to establish the appropriate authority, and you should seek qualified advice if you are in any doubt.

The situation with children is slightly clearer in Scotland, where children are expected to be able to exercise their own Data Protection rights from the age of 12. In England and Wales there is no specific provision; it depends on the particular child’s capacity to understand, but one would need to consider the possibility of a child exercising their rights independently of their parents once they get to around 12.

Showing respect for the individual

The main elements which demonstrate respect for the individual are:

• fairness
• information
• choice
• not being intrusive
• not keeping information unnecessarily.

The first three of these come from the first two Data Protection Principles, which say that all “processing” (see above) of personal data must be fair, and only for specified purposes.

People understandably do not like feeling tricked into providing information that they would not have given if they had realised how it would be used. In particular they do not like information being passed on to other people or organisations where they were not aware that this would happen, or information being used to send junk mail or make annoying sales telephone calls.

So the key to getting people on your side is “transparency” – making sure that they have enough information about what is going on, and don’t feel that you are keeping them in the dark or going behind their backs. If they know the score, they are much more likely to trust you, and much less likely to complain.

Where possible, you should give them a choice over whether to provide you with information in the first place (especially if you can manage without it) or whether to allow you to use it in particular ways.

This does not mean that everything depends on the consent of the Data Subject. There are many things you can legitimately do without consent, provided you take the interests of the Data Subject into account.

One area where you have no option about allowing people a choice is marketing. Data Subjects have the right, under the Data Protection Act, to insist that you do not use their data for marketing or appealing for funds.

As well as making the provision of information optional if possible, you must not ask intrusive or unnecessary questions. All your data must be “relevant and not excessive”. And you should not hang on to information once you no longer need it (but make sure to comply with statutory retention periods).

Transparency

Transparency lies at the heart of the 1998 Act. Under the previous (1984) Act, the legitimacy of processing was assured by registering the purpose with
the Data Protection Registrar (now the Information Commissioner). Under the current Act, legitimacy is assured by being transparent with the Data Subject – guaranteeing that they get no unpleasant surprises from your use of their data.

Specifically, they must know who is collecting their data and why, who else it might be passed on to, and how to raise any concerns or exercise their specific rights. The reason for this is clear: if the Data Subject has no knowledge, or insufficient knowledge, of what is happening, they have no basis for raising any concerns they might have and the organisation might take actions that cause harm unwittingly.

You do not, however, have to tell people things they already know, or are reasonably likely to know. The information must be available if they ask, but you only have to go out of your way to tell them things that are not obvious. Examples would be where you intend to keep their information for a different purpose (such as marketing) after they might expect you to have finished with it, or where you are likely to pass the information on to other organisations.

How you tell people, again, is up to you. A notice in your waiting room or a short paragraph in your newsletter might do the trick. Or you could put a standard paragraph on your membership form or in your welcome letter. The important thing is that people end up knowing enough about what you are doing. In particular, you must allow them to judge whether any of your activities might pose a threat to them – for example if you propose to publish information that would identify them and put them in danger. Unless they know what you are up to, they will not be able to alert you to the problem and enable you to avoid the risk of causing them harm.

This new emphasis on transparency means that many voluntary organisations need to look carefully at what they do. Although you may have client or member involvement on your agenda, you may want to think about whether it goes as far as it should.

There is a common-sense provision which says that you need not meet the transparency requirement if you got the data from a third party and it would involve you in disproportionate effort. This means, for example, that you can usually use information that is in the public domain without telling the person concerned.

Consent

In addition to transparency there is a second plank to fairness: meeting one of the Act’s Schedule 2 (or ‘Fair processing’) Conditions. This is where consent comes in. However, consent is only one of the six Conditions, and all processing must meet at least one, not all of them.

In summary the Fair Processing Conditions say that you can only process data:

• with the consent of the Data Subject, or
• if the processing is necessary for a contract involving the Data Subject, or
• to meet a legal obligation, or
• to protect the Data Subject’s “vital interests”, or
• for a range of government and official functions, or
• if it is in your “legitimate interests” (or the interests of whoever you disclose information to) provided the Data Subject’s rights, freedoms and interests are not infringed.

Very few organisations will find difficulty in meeting at least one of these conditions for their normal activities. You need to bear two things in mind, though. Firstly, if you are relying on consent, it must be a genuine choice. You must not appear to offer the choice, but then when someone says “no” turn round and say “we don’t need your consent because we meet one of the other conditions”. That would not be fair. Secondly, if someone has specifically asked you not to do something with their data you would have to be that much more certain that you really do meet one of the conditions, since you obviously don’t have consent. (For example, if they say “take me off your database”, you might be able to justify keeping them there – as part of your client records or financial records, for example – but guarantee not to use the information for any further activity.)

If you do decide to get consent, it must be specific, informed and freely given. One implication is that you cannot get genuine consent unless you have met the transparency requirements.

Consent need not be in writing, but you may feel that written consent is worth getting in case you need evidence subsequently. Normally consent can be implied, provided the Data Subject has taken some clear action, such as filling in a form, in the full knowledge of how the information would be used.

Disclosure and data sharing

It is not unknown for organisations to allow their activities to be hampered by a mistaken belief that they need consent in situations where it is certainly an option but not mandatory. If you feel that a disclosure would prevent serious harm to the Data Subject, for example,
you are unlikely to need consent (although you should try to inform the Data Subject about the disclosure).

In many other cases you may feel that a disclosure is appropriate because the Data Subject knows it might happen and will not be harmed. You should check that the disclosure is “compatible” with the purposes that you hold the data for, however. Some organisations have felt uncomfortable disclosing information about clients to funders, for example, where this was not made clear at the outset and declared as a purpose. You should also check that a person asking you for information is who they say they are, if necessary by phoning back on a public number, or by getting the request on headed paper.

If you share data with other organisations routinely, you should make sure to tell the Data Subjects that this is what happens. Unless it is essential for the service you should ideally give them the chance to opt out of their data being shared. Otherwise they may choose not to give you information at all, which could leave them worse off.

You should also consider setting up a data sharing protocol with any organisations that you regularly share data with. You don’t want to end up getting into trouble for a mistake that they make, and it is easy for two organisations to see the same situation in different ways without realising it. See also the discussion of who might be a Data Controller in these circumstances in the section Who is responsible for what.

Marketing

Direct marketing is defined in the Data Protection Act, but not in a way that is particularly helpful to voluntary organisations. It is clear that obvious marketing – such as promoting goods, publications, training or other services – is included, as is fundraising and related activities. Provision of information about a topic, rather than promoting your organisation, is probably not marketing, but the boundary is unclear. Also, the marketing must be directed to individuals, which presumably means that marketing your services to organisations is not covered.

Where you think you are collecting information that you will use for direct marketing you must, of course, specify marketing as a purpose. You must also offer the appropriate opt ins and opt outs. Although this is not the only way to do it, the simplest strategy for many organisations is to:

• Offer an opt out from:
  - mailings
  - sharing the data with other organisations
• Ask people to opt in to:
  - phone or fax marketing (where there are mandatory preference services)
  - email or text message marketing

Marketing by any electronic means is controlled by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003 No. 2426), which came into effect on 11 December 2003. These tidy up the pre-existing restrictions on marketing by phone and fax (including the Telephone and Fax Preference Services), as well as extending restrictions to some email and text message marketing.

Under the Regulations, the Telephone Preference Service continues to operate (but from 25 June 2004 open to organisations as well as individuals), as does the Fax Preference Service. It is illegal to make a marketing phone call or send a marketing fax to anyone whose number is on the relevant preference service Register. To avoid having to check your numbers against the Register every time (which costs money), it is often easier to call or fax only those people and organisations who have given you permission. This overrides any entry in the Register. See www.dma.org.uk/Shared/Consumer.asp for more on all the preference services, including the voluntary Mailing Preference Service.

The Information Commissioner has adopted a fairly relaxed approach to the use of email details that were collected before the Regulations came into force. For a limited period it appears that you can use these to send advertising or marketing material, in the absence of a positive opt-in, provided every message includes clear instructions on how to opt out.

Whether you have offered opt outs or opt ins, the Data Subject has the right to “require” you in writing to stop using their details for any kind of marketing. Whether you offer a flexible range of options or not, your system must at the very least be able to cope with those occasions when the Data Subject insists on not receiving any further marketing.

‘Sensitive’ data

The Data Protection Act recognises a special class of data which it terms “sensitive”. The list of “sensitive data” covers the Data Subject’s:

• racial or ethnic origin;
• political opinions;
• religious or similar beliefs;
• Trade Union membership;
• physical or mental health or condition;
• sexual life;
• offences, alleged offences and court proceedings.
People may be sensitive about other information, but there is no special provision for anything except the list above.

If you want to use sensitive data you are more likely to need consent from the Data Subject. However, this is not always needed, provided you meet one of the Conditions in Schedule 3 of the Act, supplemented by additional Conditions in Statutory Instrument 2000 No. 417. The list is long, but each Condition is quite specific. Since there is insufficient space to cover these in detail here, you may need to get further information if you want to use sensitive data without consent. Some of the possible Conditions you might meet are, in brief:

• legal requirements in connection with employment;
• to protect the vital interests of the Data Subject or another person;
• Church, Union & political party membership, subject to certain safeguards;
• where the information has been deliberately publicised by the Data Subject;
• where you are providing legal advice;
• various government and official functions;
• where you are providing medical care and owe a duty of confidentiality;
• where you are carrying out equalities monitoring based on race or ethnicity, disability or religion;
• where you need the information in order to provide a confidential service, including but not restricted to counselling, advice or support, and it is not possible to get consent, or it is reasonable not to have consent, or seeking consent would prejudice the provision of the service.

The last Condition (which can be found in the Statutory Instrument) is worth considering where the Data Subject’s interests are protected by confidentiality and you want to focus on providing an immediate service to someone who is in distress or incapacitated, rather than going through the motions of getting consent.

Who is responsible for what

Legal responsibility for Data Protection lies with the “Data Controller”. In nearly every case this will be your organisation, not an individual worker or volunteer. However, you cannot choose to be a Data Controller on behalf of another organisation (for example a trading company that is separate from your charity).

You may well want to delegate Data Protection activities within your organisation to a specific Data Protection Officer. However, the responsibility still lies with the organisation and, ultimately, the Board of Trustees or Management Committee.

Where you operate within an information-sharing consortium you may need to take advice on who is the Data Controller, because any one of three situations is possible:

• Each organisation is an independent Data Controller and they just pass data between them.
• Each organisation is a separate Data Controller but they are jointly responsible for the data, and could get into trouble for other organisations’ mistakes.
• The consortium itself is a Data Controller, independent of its constituent bodies.

Your organisation keeps its Data Protection responsibilities even if it outsources work. An organisation that processes personal data on behalf of another is a “Data Processor”. This could include, for example, a payroll bureau, a mailing house, a telephone marketing company, or a company which develops or supports your membership database or your web site.

Under the Data Protection Act you must have a written contract with the Data Processor, spelling out what they are to do for you. They must have appropriate security, to your satisfaction, so that you can be confident that their treatment of your Data Subjects will be just as responsible and reliable as if you were doing it yourself. For instance, if your staff have to have Criminal Records Bureau checks, should theirs?

Notification

Many voluntary organisations have received letters telling them that they risk immediate prosecution for not Registering under the Data Protection Act, and must pay a fee of £95 or more to an official-sounding agency with a name such as the “Data Protection Registration Service”. This is a scam, although like many scams it does have a kernel of truth.

Some Data Controllers do have to “Notify” the Information Commissioner about their information-processing activities, at a cost of £35 a year. However, many systems and activities are exempt from Notification. This means that they are still subject to all the requirements set out in the rest of this Guide; the only thing they are exempt from is Notification itself. The main exemptions from Notification are:

• all manual systems;
• computerised personnel systems, including payroll & volunteer administration;
• computerised accounts and customer or supplier records;
• your own computer-based marketing, promotion & PR activities;
• computerised membership records of a non-profit organisation, or records relating to activities provided for people who are “regularly in contact” with your organisation “in connection with” your purposes. In some cases this might include service users or clients.

Since you are permitted to Notify voluntarily, even if you are exempt, many organisations take the view that £35 a year is a relatively cheap option when you consider that failing to Notify if you should is a criminal offence. The Information Commissioner publishes a free Notification Handbook and runs a Notification helpline (01625 545740) as well as having information on the web site.

More information

The Information Commissioner provides free information, on the web, by telephone and through a series of publications. This is always worth consulting, although it does not necessarily directly address the concerns of voluntary organisations.
www.informationcommissioner.gov.uk
01625 545700

Political responsibility for Data Protection issues lies with the Department for Constitutional Affairs:
www.dca.gov.uk

• Data Protection in Voluntary Organisations, Paul Ticher, Directory of Social Change (020 7209 5151), 2nd edition, £14.95, ISBN 1 903991 19 6

Action checklist

Much of the action you need to take will have been obvious from the preceding discussion. It may be useful to summarise some of the key issues:

Priority 1: Preventing harm

• How do we make sure all our data is accurate enough to prevent harm?
• Have we got an appropriate confidentiality policy, making clear who is allowed to see or be given which information?
• Have we got an appropriate security policy?
• How do we ensure that our policies are followed?
• How will we ensure that we learn from security breaches?
• Do we get consent for transfers abroad, where necessary?
• Are we clear about the basis on which we can disclose information when this is necessary to prevent harm?

Priority 2:

• Are we giving our Data Subjects enough information about the use we make of their data?
• Are we giving them choices in the way we use their data, whenever appropriate?
• Are we ensuring that the data we hold is relevant and not intrusive?
• Do we have clear retention policies for our main sets of data?
• Are we being particularly thoughtful in our use of ‘sensitive’ data?
• Have we thought through any data sharing arrangements?

Priority 3:

• Are we offering the appropriate opt-outs from direct marketing and opt-ins for electronic marketing?
• Do we know how to respond to a Subject Access request?
• Have we checked whether we need to “Notify” the Information Commissioner about the scope of our use of personal data?
• Have we identified any Data Processors we use and checked our contracts with them?

Lasa Computanews Guides

Lasa’s Information Systems Team publish a series of Computanews Guides. These clearly written booklets cover many aspects of computer use and answer common queries.

Guides currently available (at £5 each)

• Buying IT
• The Internet
• Managing IT
• Networks
• Project Management (available as a free PDF download – see www.lasa.org.uk/computanews/guides.shtml)
• Security (available as a free PDF download – see www.lasa.org.uk/computanews/guides.shtml)

For further details contact:
Lasa Publications
Universal House
88–94 Wentworth Street
London E1 7SA
TELEPHONE: 020 7377 2748
FAX: 020 7247 4725
EMAIL: firstname.lastname@example.org
WEBSITE: www.lasa.org.uk

The Lasa Computanews Guide to Data Protection
Written by Paul Ticher (July 2004)

Paul Ticher is a self-employed consultant, who has been concerned with Data Protection in voluntary organisations since 1986. He can be contacted by email at email@example.com.

Cartoons by Phil Evans
Funded by London’s local councils
Layout by Third Column. Printed by Russell Press.