DATA PROTECTION ACT
This is intended to be a summary of the requirements and effect of the Data Protection Act 1998 (“DPA”). It is not intended to be a comprehensive summary and you should obtain advice in relation to your own business.Many of ICSM’s clients and indeed, the vast majority of the Printing Industry could be classified as Small Medium Enterprise’s (SME’s). Typically, as is the case in many other industries confusion and uncertainty prevails when it comes to understanding the cause and effect of the Data Protection Act 1998. You are not alone, this uncertainty is commonplace in all industry sectors and in this case, size really doesn’t make much difference.
At ICSM we have spent some time along with our lawyers unravelling the rules of the New Data Protection act 1998 (DPA) with a view to explaining its application and implications to companies within the Printing and allied industries, also to try and provide a straightforward guide (which can be found at the end of this document) for our subscribers and anyone else who is unsure of the implications to them or their business.
Nothing we say later applies to information relating to Limited companies. The DPA does not apply to this. The DPA does, however, apply to sole traders, partners and company directors in their personal capacity (for example, when giving personal guarantees). Therefore it has a bearing in relation both to your customers, who could be individual sole traders and in relation to the individuals about whom you obtain and hold information.
The Data Protection Principles
The principle of primary concern is one that says personal data must be obtained “fairly and lawfully”. This is where the problems start. The question of whether the data you hold has been obtained lawfully and fairly from the individuals in question revolves around the question of whether the individual gave his or her consent to the data being passed on for processing. This consent can be given expressly or by implication. It also means that the individual should not have been coerced or misled into giving the information.
Consent
Lenders / Credit providers (be they banks, building societies, printers or whoever) must obtain consent from the individuals who come to them for finance / credit facilities of some sort. On the credit application form there will be a box for them to tick or some wording which confirms that they give consent to their personal information being passed to credit reference agencies for the purpose of doing a credit check and also for the credit reference agencies to retain for use for other clients of the agencies. This wording must spell out the purposes for which the data will be used. If the data will be passed on for marketing purposes, these days the individual must actually tick a box. It appears that whether or not a borrower / customer actively ticks a box, the Information Commissioner takes the view that it can be a condition of the finance that checks can be done and the information be passed on. Passing the information on for marketing purposes or checks on other family members is a separate issue. If the lender / creditor wants to pass on to the credit reference agencies more detailed information (e.g., a blow by blow account of repayments, etc.), this would also have to be spelt out very clearly on the application forms. Consent of the individual on whom a credit check is done must have been obtained lawfully and fairly. You must have wording in your documents making clear the uses to which the personal data of customers who are individuals will be put. It should include the right for you to pass information on to credit checking agencies such as ICSM.
You should also draw the distinction between your customers giving consent to credit checks being done and the sharing of information in relation to their credit record. Again, the initial application or order must make clear that in the event that they default on payment, that information may be shared with others for the purpose of debt tracing and collection.
Summary of consent point
It is important that you obtain your customers (in the case of Individuals) consent to the disclosure of information by including it in your credit application / order form. As long as the information on individuals which you hold and process is obtained with the consent of your customer and as long as your DPA registration is up to date and covers all of your business activities, you will be able to process that information. If you do not ask for consent or make clear that checks will be done on the original application form or order form, you could be in breach of your registration by receiving, holding and processing that information.
Consequences
The good news is that it is not an offence to be in breach of your DPA registration. The Information Commissioner can, if she becomes aware of some unauthorised activity, issue a compliance notice requiring that the activity be altered or stopped. Failure to comply with that notice is an offence.
Other principles
The other principles under the DPA relate to security measures to keep personal data safe, disclosure of personal data to the individual in question, accuracy of the data, how long the data can be used and also the question of the use to which the data can be put. This last point means that the data can only be used for a purpose permitted by your customer. If you tried to sell your database or split it up for marketing purposes, there could be a problem.
In terms of how long you can hold data, if we again assume that you have obtained the proper consent allowing the information to be used and held for credit checking purposes, then it would be reasonable for you to hold the information for some time. We don’t know how long this is though, and the Information Commissioner would decide on a case-by-case basis. The Information Commissioner advocates having a monitoring system so that, your database could be checked periodically to see if there is any information that should be deleted.
This is a broad-brush analysis (honest) of the basics. Although the conclusion is positive, it does all come down to you. If you just do credit checks on individuals as a matter of course without any form of authorisation then the credit check you do is unauthorised.
Requirements of the Data Protection Act 1998
Some frequently asked questions
What is the DPA?
The DPA came into force on 1 March 2000. It sets out rules to be followed in relation to the collection, use and disclosure of personal data. The DPA replaced the 1994 Data Protection Act which still applies, subject to certain changes, to personal data collected before 1 March 2000.
What is "personal data"?
This is information about identifiable living individuals from which they can be identified. For example, an individual’s name, address and e-mail address are personal data. Opinions are also caught.
In addition, the DPA includes a list of “sensitive personal data”, such as a person’s race and membership of trade unions. This sort of data is to be treated with extra sensitivity.
What does this mean for my business?
Any person, whether in business or not, who holds and processes personal data must obtain a registration under the DPA. That person is known under the DPA as a “data user”.
How do we know if we are “processing” personal data?
This is broadly defined to cover any sort of operation involving the personal data. The most obvious example is your customer database, to the extent that it holds information about individuals.
Parts of our records are manual - do we still need a registration?
Yes. Full compliance with the DPA in relation to manual records is not necessary before October 2007. However, some requirements of the DPA are already in place in relation to manual records.
How do we obtain a registration?
You will need to complete a form notifying the Information Commissioner, in broad terms, of the purpose of the processing, the personal data involved, the recipients of the personal data processed and any places overseas to which the data are or may be transferred. Notification is possible on-line - go to www.dataprotection.gov.uk and click on “Notification”.
The information you supply is available on a public register and notifications are renewable annually.
We only hold information about businesses - does the DPA still apply to us?
It is extremely unlikely that the DPA will not apply in this case. Although the DPA concerns personal data relating to individuals, this means in practice that it can apply to a sole trader in business, the partners in a partnership, your employees and the directors of a company acting in a personal capacity.
What if we fail to obtain a registration or to keep it up to date?
The Information Commissioner has the right to issue “enforcement notices” requiring you to comply with the DPA. Failure to do so is a criminal offence.
In addition, there are other criminal offences, such as:
- failure to register
- processing of personal data outside the scope of a registration
- accessing personal data without proper authorisation
No. Registration is only part of the process. It means that you can collect, process and disclose the personal data you hold, but only within the scope of your registration. If your requirements change, so must your registration.
In addition, in processing that personal data, you must comply with the eight “data protection principles”. These are that the personal data must be:
- fairly and lawfully processed
- processed for limited purposes and not in any manner incompatible with those
- purposes
- adequate, relevant and not excessive
- accurate
- not kept for longer than is necessary
- processed in line with the data subject's rights
- secure
- not transferred to countries without adequate protection
The Information Commissioner has issued guidelines on what the best practice is in relation to complying with those principles. That information is available online at the URL given above. You should ensure, as part of the notification process, that you understand their effect.
One area of particular concern is the first principle, that personal data must be fairly and lawfully processed. This principle requires that the data must be obtained with the consent of the individual in question. Explicit consent is required in relation to sensitive data.
In relation to personal data that is not sensitive personal data it is still unclear whether the individuals in question must actively consent. This is the difference between them giving written consent or ticking/clicking a box to show that they agree to their data being processed as opposed to ticking/clicking a box if they do not consent. For certainty, it is always best to ensure that your customers give active consent, in writing or by ticking/clicking an appropriate box to give consent. If you use personal data other than for your basic business needs, you must obtain active consent. So, for example, if you intend to sell your mailing lists or if you intend to do credit checks on them.
What is clear from the guidelines is that any request for consent should be accompanied by a clear indication of who you are, who is responsible for data control within your organisation and the uses to which the data will be put.
Do we have to tell people what personal data we hold about them?
Individuals are entitled to find out what information is held about themselves on computer and some paper records. There is a maximum charge that can be made for disclosing that information, which is prescribed by law.
In addition, individuals have further rights. They can, for example:
- apply to Court to have incorrect data corrected
- ask for his or her personal data not to be used for direct marketing purposes
- claim compensation for damage and distress caused by any breach of the DPA
Your first stop should be the Information Commissioner’s Office web site which sets out all the current Codes of Practice and gives advice on all aspects of data protection.
For a DPA compliant credit application form, advice on commercial debt problems, or to find out more about ICSM’s services to the printing industry, you can contact us at:
tel: 0844 854 1850
email: icsm@icsmcredit.com