On 6 May 2015, a 92-year-old charity worker from Bristol committed suicide. As part of the evidence given at her inquest it was revealed that she was receiving up to 180 requests a month for donations to other charities. 99 charities had her personal contact details (including the fact that she was already donating to other charities), and those 99 charities had obtained her contact details from some 22 ‘professional data-brokers’ or from other charities.
Whilst the inquest decided that the charity requests were not a cause of her death, it highlighted the ‘trade’ in personal information that happens between organisations.
Whilst it is not illegal to share or trade personal data, the UK Data Protection Act 1998 states that people who give their personal data to organisations must also consent to that data being shared or sold.
‘Personal data’ under the UK Data Protection Act 1998 (DPA) relates to personally identifiable information, such as a name, date of birth, physical address, email address, telephone, National Insurance or NHS number, or even an IP address.
The DPA applies to all records systems, whether manual (such as a written journal or card index) or computerised (such as a Customer Relationship Management (CRM) system linked to the till at the checkout, where the customer is asked for their details for a guarantee, etc.).
Under the DPA, personal data remain the property of the person who gave them to you (and your organisation), and at any time that person can ask for them to be deleted from the records system, unless there are legal, health or national security reasons for retaining them.
Personal data is a very valuable commodity that can be (and is) bought and sold by organisations (and even governments), because when freely given by the person concerned it is likely to be highly accurate and current. This therefore offers the opportunity for very highly targeted (and therefore effective) marketing – why do you think Google, Facebook and Twitter are so big?
In summary, there are eight principles in the UK DPA:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
As part of their training, all employees handling personal data should be advised of all of these principles, their responsibilities, and their duties regarding that data. The position is like that of a cashier in a bank handling money on behalf of a customer: the money is not the property of the cashier; they are simply trusted with it, on the customer’s behalf, to make the best use of it for the customer.
Breaches of the DPA in the UK to date have resulted in a range of fines (some of which have put the relevant companies out of business), but the Information Commissioner’s Office (ICO) is starting to ‘up its game’ and is naming and shaming the directors of those companies. It is only a matter of time before liability for breach of the DPA moves down to the individual employee.
The UK is leading the way in data protection
Data protection legislation was not brought in because the UK parliament didn’t have enough to do, or because it was obliged to do so by the EU. The UK has been the leading ‘driver’ of data protection across the world, principally because it has recognised that abuses of personal information have led not only to the ‘relatively mild’ act of requesting money, but also to identity theft and fraud, and have even helped in acts of terrorism.
It is important. An absence of Data Protection legislation, and more importantly adherence to it, affects everyone.
Let’s paraphrase the title: “Why, as an employee, do you need to understand Data Protection?” Because your next conversation with a salesperson, whether face to face or online, means you are giving them, and their organisation(s) further down the line, access to all of your personal details forever.
You can brush up on your data protection knowledge with our comprehensive online data protection course.