Category Archives: Data Compliance
CCTV Data Protection Guidelines from ICO
Clearly surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest and to keep detailed records of people’s activities, both for social reasons (eg schooling, benefits eligibility) and political ones (eg counter-terrorism).
There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.
The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.
There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:
- Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
- Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative ways of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
- Privacy by design – for example, the ability to turn the recording device (video and / or audio) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; and the use of devices with their field of view restricted to what is needed to achieve the purpose
The new technology specifically covered in the guide includes:
Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);
Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);
Unmanned Aerial Systems (drones) are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are: privacy intrusion where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; and the whole system of data collection, storage, accessibility, retention periods and disposal, all of which must comply.
Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.
If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.
If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742. Or email victoria@datacompliant.co.uk

Surveillance Camera Code of Practice – 12 Principles
Do you use a surveillance camera system within your organisation? If so, it’s worth noting that such a system must not only comply with the Data Protection Act and its 8 Principles, but that the Surveillance Camera Code of Practice also sets out its own 12 guiding principles:
- Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need
- Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
- Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
- Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
- Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
- Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
- Access: Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes
- Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards
- Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
- Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
- Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742. Or email victoria@datacompliant.co.uk

Data Privacy and the Internet of Things
Earlier this month (August 2014) Ofcom announced that UK adults spend an average of eight hours and 41 minutes a day on media devices – which compares with an average night’s sleep of eight hours and 21 minutes …
I have to admit to being something of a science fiction fan and it seems to me that our own world has some interesting parallels with that created by E M Forster in his short novel, The Machine Stops.
The setting is a world where humans live in isolation in underground cells, and where everything is provided by the global “Machine” – music, art, literature, conversation, education, knowledge, interaction with other humans, food, religion, medicine – truly everything that humankind allegedly requires. In Forster’s world, travel is available, but unpopular and treated with suspicion. The physically strong are culled at birth. The weak survive. When the Machine breaks down, the humans – its subjects – perish, leaving the only hope for the human race with those who had previously escaped the underground world and made their way to the surface to live outside the Machine’s jurisdiction.
In our own world, we have the internet, social media, online music, art, and the ability to educate, work and communicate, both personally and in business, from a distance.
And, of course, we have the Internet of Things, which is currently generating a great deal of interest and discussion, and which brings us ever closer to Forster’s world.
What is the Internet of Things?
The answer lies in the name, though it’s worth mentioning that “Things” include people.
In a nutshell, we are living in a world where broadband is a ubiquitous fact of life, technology is moving faster and faster – and becoming increasingly less expensive – and more and more devices are being created with wifi capability and sensors: from smartphones to fridges, remote household heating systems to tumble-dryers, razors to kettles, and TVs to wearable devices.
According to Gartner (a Connecticut-based IT research and advisory company) by 2020 there will be over 26 billion connected devices. With an assumed 8 billion people on the planet in the same year, that’s an average of over 3 ¼ ‘smart’ devices per man, woman and child!
For example, LG has developed a fridge that has a camera which allows owners to see what food is inside. It scans items as they’re added, tracks expiry dates and recommends recipes based on the food available. The owner can also programme Body Mass Index (BMI) and weight loss targets. Using smart TV and voice recognition technology, the fridge can see who is opening the door, recommend a recipe … and even in future turn on the oven to the right temperature if you choose that recipe!
It’s intended that this fridge will link with online food shopping services so that it can restock itself when supplies run low. The fridge’s data will all be accessible to the owner via smartphone, tablet or PC so the owner can stay in control. (If you like the idea, the fridge is scheduled to be on sale in the UK later this year for around £2,000.)
RFID Tags and Security Issues
There is no doubt that the opportunity for automated household management may be appealing and is possibly unavoidable in the future. And there are many other potential uses too, including tracking wildlife, chipping pets (and even humans), providing access to a person’s medical records, and monitoring our medical conditions to notify us of drugs and dosages to be taken. We already have RFID technology in our passports, our travel passes, even our clothes (though primarily for stock control reasons rather than intended tracking).
But privacy is a real concern. Given the sensitivity of some of the data to be collected, it is alarming to read that the default security settings on these devices are often very weak, making it straightforward for hackers to break into devices. This has been amply demonstrated already:
‘Smart’ Devices Send out Spam emails …
Between December 23rd 2013 and January 6th 2014, about 750,000 spam messages were sent out by smart gadgets. The malware involved was able to install itself on a range of kitchen appliances, home media systems and web-connected televisions. It was able to do so because the gadgets had not been set up securely, still used default passwords, and the owners were unaware of the potential for security issues – if they even knew the devices were connected to the internet at all.
Privacy and Security
Businesses must be mindful of the consumer’s privacy and security when they develop products that can gather and share data about what they, their owners, and other, linked “smart” products do. This new technology will be collecting private, and sometimes deeply personal and sensitive data about the owners who may be wearing the technology or installing it in their homes.
Currently it seems that companies are storing data from these smart devices in the cloud, without necessarily informing the consumer or giving them a choice. Even with the antiquated Data Protection legislation currently in place, if such data would allow the individuals associated with it to be personally identified, then storing it without informing them is likely to breach the DPA’s fair processing requirements.
There’s no doubt that becoming compliant and secure in the RFID environment will be much simpler for businesses if they start the process at the very beginning of the technological developments. They would also be well advised to make their compliance and security solutions scalable to avoid significant problems in the future.
The EU Directive on the Protection of Personal Data states that a person must freely give specific consent and be informed before their personal information is processed. EU Member States are required to ensure confidentiality of communications by prohibiting unlawful interception and surveillance of personal information unless consent has been provided.
This suggests that using RFID chips carries serious privacy implications. To remain compliant with EU data protection legislation, organisations should make it absolutely clear:
- That the merchandise includes RFID tags
- Whether the user’s data will be collected and stored by the organisation
- What data will be collected
- How the data will be used
EU RFID Technical Standards
At the end of July, the European Commission put out a series of recommendations to protect consumers from privacy risks associated with RFID chips. Viviane Reding, former EU Commissioner, said: “While smart chips working with RFID technology can make businesses more efficient and better organised, I am convinced they will only be welcomed in Europe if they are used by the consumers and not on the consumers. No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice of removing or switching it off at any time. The ‘Internet of Things’ will only work if it is accepted by the people.”
Privacy Impact Assessments
While the sentiment is admirable, it has, until now, been difficult to see quite how it is enforceable. A good starting point, however, is that an RFID Privacy Impact Assessment framework has been agreed, which should help ensure data protection within current EU privacy regulations.
RFID Logo
In the meantime, the European Commission’s new RFID logo has been developed for items that include RFID tags so that individuals will know that they are carrying items that can be tracked – eg Oyster cards, fashion items, wearable technology and so on. Unfortunately the scheme is voluntary, which means that businesses are not obliged to use the logos.
The Future
RFID items are increasingly widespread and popular – the technology is cheap and efficient, retailers find it enormously helpful from a stock control perspective, consumers find it useful. It will be fascinating to see how the development of RFID products impacts on our lives, our privacy and our security. Perhaps we’re not so very far away from the world envisioned by EM Forster back in 1909 – long before the internet and all its trimmings were in place.
As Shakespeare so tellingly put it: “O brave new world that has such people in’t”
Big Data and the Data Protection Act
Big data is a big issue for organisations across the world. Businesses, governments, health organisations, analysts and scientists are all looking at the opportunities to be gained from using big data.
Another big issue is the matter of individuals’ privacy and data protection. The EU data protection principles are already established throughout the member states, and in the UK we have the Data Protection Act, which is regulated and enforced by the ICO.
So what is big data?
I first wrote about big data in 2012. Analyst Doug Laney described it as being three-dimensional – a combination of volume, velocity and variety.
It probably began when customers started shopping over the internet. Businesses started to save and analyse data from clicks, searches, registrations, purchases and so on. Then came social networks where individuals post personal and business information about themselves, hold conversations with their friends, family and colleagues, post updates and opinions, store their photographs and music and films and videos in the cloud…
This technology is continuing to develop at speed, while big data analysis and algorithms are becoming ever more sophisticated. As a result, big data’s relationship with data protection and privacy regulations is becoming a serious and significant issue.
Big Data and the Data Protection Act
Of course, not all big data actually uses personal information. For example, researchers analysing data from particle physics experiments at CERN’s Large Hadron Collider sift through approximately 16 million gigabytes of data every year. This is hardly a serious threat to individuals’ privacy.
On the other hand, businesses using data from social media, in combination with sales transactions and loyalty cards does indeed use personal data, and in this case the Data Protection Act (DPA) comes into force to protect the individual.
Regardless of whether or not we think the DPA is adequate to protect individuals against organisations working with data, it is the only legislation we have. And the ICO has just produced a report suggesting a number of areas where organisations must be mindful of their big data regulatory responsibilities:
- Fair processing: Where big data is used to make decisions affecting individuals, a key requirement is that such processing – including the initial collection of that individual’s data – is fair and transparent. A clear explanation of why the data is being collected (the Purpose) and, where necessary, consent of the individual to that purpose is a key element in the compliant use of such data.
- Consent: any consent must be ‘freely given, specific and informed’. People must be able to understand how their data is to be used, and there must be a clear indication that they have consented to such use. If an organisation is relying on consent as a condition for processing big data, it is important that the data subjects have a clear choice and are able to withdraw their consent if they wish. Otherwise, the consent does not meet the requirements of the DPA.
- Repurposing: where data has been collected for one reason, and is now being used for a completely different purpose, then the organisation needs to make its users or customers aware of this – most particularly if the data is being used for a purpose that the individual could not reasonably have expected at the time the data was initially collected. Where consent is the basis for the processing, fresh consent for the new purpose is required.
- Adequate, relevant and not excessive data: using all the available data for analysis might be expected to contravene Principle 3 of the Data Protection Act, which states that data must be adequate, relevant and not excessive. An organisation must be clear from the outset what it expects to learn or do by processing all the data. It must also be in a position, if necessary, to demonstrate how it has satisfied itself that the data it is using from perhaps a multiplicity of sources is relevant and not excessive.
- Security: organisations using personal data should always be mindful of security and the potential for data security breaches. The use of big data is no different in this respect – but the number of new datasets that may be acquired in combination with the existing data used may make the security issues a little more widespread, and will require robust risk assessment and risk management policies and procedures.
- Anonymisation: if data is correctly anonymised it will no longer be considered personal data and will therefore not be subject to the DPA. However, when using the multiple data sources associated with big data analytics, genuine anonymisation can be difficult to achieve, because a record with no name attached can still be matched to a named individual in another dataset. The ICO advises organisations to carry out a robust assessment of the risk of re-identification, and to provide solutions proportionate to that risk.
- Privacy Impact Assessment (PIA): a PIA is an important part of being compliant as it helps gain an understanding of how the processing will affect the individuals concerned. For example, there is a difference between using personal data to identify general trends, and using it to make decisions that affect those individuals.
- Long-term use: using big data for analytics does not waive the requirement that data should be kept only for the period required for the stated business purposes. If a business wants to hold the data for long-term use, the reasons must be articulated and justified.
- Subject access: don’t forget that people can request to see the data you are processing about them. When using big data, systems can become complex and unwieldy making such requests difficult, time-consuming or expensive to fulfil. Keeping the system simple will obviously benefit the organisation.
- Third parties: if data has been purchased from a third party in order to run its big data analytics, the purchaser becomes the data controller for the purchased data. It is now responsible for ensuring it has met the DPA’s conditions for further use of that data, and, if it is relying on the original consent obtained by the supplier, then the purchaser must ensure that this is adequate to cover its further processing requirements.
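The anonymisation point above is the one that most often goes wrong in practice, so here is a worked illustration of the re-identification risk assessment the ICO recommends. This is an added example and is not code from the original post or from the ICO; every dataset in it is constructed, and the column names, the k-anonymity threshold and the generalisation rules (postcode to outward code, birth year to decade) are assumptions chosen for illustration. The technique it applies, k-anonymity with generalisation and suppression, is not named on this page; it is a standard way of measuring whether a “de-identified” release can still single people out. The script shows a release with names removed being linked back to named individuals by joining on the remaining quasi-identifiers against a second, constructed dataset, and then shows the release being coarsened until that linkage no longer succeeds.

```python
"""Re-identification risk check for a 'de-identified' dataset.

Added example, not from the original post or the ICO. All rows below are
constructed; column names, threshold and generalisation rules are assumptions.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: not names, but in combination they can single someone out
# once the release is joined against another dataset that does carry names.
QUASI_IDS = ("postcode", "birth_year", "sex")

# Constructed "anonymised" release: direct identifiers removed, diagnosis kept.
RELEASE = [
    {"postcode": "CO10 7AB", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "CO10 7AB", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M", "diagnosis": "none"},
]

# Constructed second source an organisation might acquire (eg a purchased marketing list).
PUBLIC = [
    {"name": "A. Smith", "postcode": "CO10 7AB", "birth_year": 1971, "sex": "F"},
    {"name": "B. Jones", "postcode": "CO10 7AB", "birth_year": 1985, "sex": "M"},
    {"name": "C. Patel", "postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M"},
    {"name": "D. Evans", "postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M"},
    {"name": "E. Brown", "postcode": "CO10 9ZZ", "birth_year": 1985, "sex": "M"},
]


def key(row, quasi=QUASI_IDS):
    """The quasi-identifier tuple used for grouping and joining."""
    return tuple(row[q] for q in quasi)


def link(release, public, quasi=QUASI_IDS):
    """Join the release to the named dataset on the quasi-identifiers.

    Returns {name: diagnosis} for everyone whose quasi-identifier combination is
    unique in BOTH datasets, i.e. everyone the join re-identifies."""
    rel_groups = defaultdict(list)
    for r in release:
        rel_groups[key(r, quasi)].append(r["diagnosis"])
    pub_groups = defaultdict(list)
    for p in public:
        pub_groups[key(p, quasi)].append(p["name"])
    hits = {}
    for k, names in pub_groups.items():
        if len(names) == 1 and len(rel_groups.get(k, [])) == 1:
            hits[names[0]] = rel_groups[k][0]
    return hits


def k_anonymity(rows, quasi=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values (0 if empty)."""
    counts = Counter(key(r, quasi) for r in rows)
    return min(counts.values()) if counts else 0


def generalise(rows):
    """Coarsen quasi-identifiers: full postcode -> outward code, birth year -> decade."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def suppress(rows, k_required, quasi=QUASI_IDS):
    """Drop rows whose group is still smaller than k_required after generalisation."""
    counts = Counter(key(r, quasi) for r in rows)
    return [r for r in rows if counts[key(r, quasi)] >= k_required]


def anonymise(release, public, k_required=3):
    """Generalise, then suppress, and report whether the result still links to names.

    The same generalisation is applied to the public dataset, because an attacker
    can coarsen their own copy to match whatever the release publishes."""
    coarse = suppress(generalise(release), k_required)
    report = {
        "k": k_anonymity(coarse),
        "re_identified": link(coarse, generalise(public)),
        "rows_dropped": len(release) - len(coarse),
    }
    return coarse, report


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RELEASE), "re-identified:", link(RELEASE, PUBLIC))
    safe, report = anonymise(RELEASE, PUBLIC)
    print("after generalisation and suppression:", report)
```

On the constructed data the raw release has k = 1 and the join names two people together with their diagnoses, even though no name was ever published; after one generalisation step and suppression of the remaining singleton, nothing links and k = 4. Two caveats a practitioner should keep in mind: the threshold is a judgement that should be recorded in the risk assessment, not a magic number; and k-anonymity says nothing about attribute disclosure, so if every member of a group shares the same diagnosis, being unable to tell them apart does not protect any of them.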
In summary
When using big data, always make sure you comply with the DPA.
Don’t be secretive, deceptive or misleading. Make sure you obtain appropriate consents as required. Explain clearly what you’re doing with big data to your users, your customers and those from whom you’re collecting data. And make sure the information is utterly transparent. It’s also worth being creative about how you tell them what you’re doing, by finding, describing and providing visible benefits that they will appreciate.
If you have any compliance or security questions on your own use of big data, please contact victoria@datacompliant.co.uk or call 01787 277742. Data Compliant offers the following services:
Data Compliance and Cloud Computing
It’s clear that the innovative and accessible technical services provided by cloud computing are increasingly being selected and used by businesses. And there are good reasons for doing so – not least accessibility, cost, reliability, resilience, and innovative products. However, there are also risks to data protection which data controllers need to consider, to be sure that their cloud processing activity complies with the Data Protection Act.
What is cloud computing?
Cloud computing covers a broad range of services and technology, but the Information Commissioner’s Office (ICO) defines it as:
“access to computing resources, on demand, via a network”
To explain:
Resources include storage, processing, software
On Demand simply means that the resources are available to the customer or user on a scalable, elastic basis, typically through virtualised resources
Via a Network refers to the transit of data to and from the cloud provider, which may be over a local or private network, or across the internet.
The Data Protection Act (DPA) and Cloud Computing
All operations involving personal data that take place in the cloud – including storage – must comply with the DPA, and it is the data controller who has ultimate responsibility for that compliance.
However, if layered cloud services are being used (eg different cloud providers of software, platforms or infrastructure) then it’s quite possible that there will be a number of data controllers and data processors working together to deliver services which include processing personal data.
The cloud customer is most likely to be the data controller, and will therefore have overall responsibility for complying with the DPA. However, depending on precisely the role of the cloud provider, the customer must assess whether the cloud provider is simply a contracted data processor or is, indeed, a data controller in its own right – which may be the case if a cloud provider in any way determines the purpose(s) for which the personal data are to be processed. In this case the cloud provider will be responsible for its own data protection compliance.
12 Cloud-specific DPA Considerations
There are some specific considerations for data controllers who have moved or are considering moving personal data to the cloud. Below are twelve:
- What personal data is to be processed (and how) in the cloud, and what are the inherent data protection risks
- What steps can be taken to mitigate those risks (eg authorisation protocols)
- Who is the data controller
- What additional personal data may be collected in the cloud (eg usage stats, transaction histories of users and other such ‘metadata’)
- Does the cloud customer’s privacy policy provide adequate information about processing data in the cloud
- Does the cloud customer need to run a privacy impact assessment to identify any privacy concerns and address them from the beginning of the process
- Does customisation of an existing cloud service cause any additional privacy risks
- What monitoring, review and assessment requirements between cloud customer and cloud provider should be put in place to ensure the cloud service runs as expected and to contract
- What commitment does the cloud provider have to keep the cloud customer informed in the event of changes in the chain of sub-processors taking place during the provision of the cloud service
- A written contract is required by the DPA between the data controller and the data processor – beware of a cloud provider which offers terms and conditions with no opportunity for negotiation. The risk that those terms and conditions may subsequently change needs to be taken into consideration.
- The data controller is responsible for the security of its data processor – assessment of the security of the cloud provider is mandatory
- Data outside the UK / EEA – the data controller must check the countries where data is likely to be processed and satisfy itself that the relevant security arrangements are in place
8 Essential Policies and Processes
Any business will benefit from formal, documented policies and procedures. Having made a decision to use cloud services, there are some specific requirements that are particularly important from a personal data compliance perspective:
- Access control – the data is, by the nature of cloud computing, accessible from any location – home, the office or on a range of devices. Sufficient measures need to be put in place to prevent unauthorised access to the data
- Authentication processes – to verify that a cloud user is authorised to access the data
- A system is required to create, update, suspend and delete user accounts
- Leaver protocols need to be put in place
- Data retention and deletion policies are required – consider your cloud provider’s deletion issues across multiple locations and back-ups
- Cloud provider access policies need to be in place for occasions when the cloud provider needs access in order to provide services
- Staff training on cloud processes and controls is required to maintain the security of the cloud service
- Regular audits of procedures and policies in place will help ensure ongoing compliance
The cloud is here to stay. If you’d like any information or have any concerns about your own cloud provider contracts, policies or compliance issues, please don’t hesitate to contact us:
victoria@datacompliant.co.uk
01787 277742
Safe Harbor – how does it work?

The Data Protection Act 1998 prohibits the transfer of personal data to countries outside the European Economic Area (EEA) unless those countries meet the EU “adequacy” standard for privacy protection. Although both the US and EU profess similar goals of protecting individuals’ privacy, their actual approaches are quite different.
As a result, the US Department of Commerce consulted with the European Commission, and developed the “Safe Harbor” framework – a cross-border data transfer mechanism that complies with European data protection laws and allows businesses to move personal data from the EU to the United States. There is a similar but separate framework between the US and Switzerland.
To join the Safe Harbor framework, a company self-certifies to the Department of Commerce that it complies with seven data privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and that it meets the EU adequacy standard. This self-certification needs to be renewed annually. If a company fails to complete the annual re-certification process in time, the organisation’s certification is changed to “not current”.
The Federal Trade Commission addresses any violations – indeed on 21st January 2014, the FTC identified twelve companies who claimed in their marketing material that they currently complied with the US – EU Safe Harbor Framework, but who had allowed their certification to expire. The twelve companies range from technology, consumer products and accounting – as well as National Football League teams.
To “set an example” and to help ensure the ongoing integrity of the Safe Harbor framework, the twelve companies have been prohibited from misrepresenting the extent to which they participate in any privacy or security programme sponsored by the government or any other self-regulatory or standard-setting organisation (including the Safe Harbor Framework).
It is worth noting that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking, in that an organisation must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbor Frameworks for as long as the organisation stores, uses or discloses the data, even if the organisation has left the Safe Harbor.
There is a Safe Harbor list, which anybody can check to verify an organisation’s status: https://safeharbor.export.gov/list.aspx
If you are planning to transfer data between the EU and the US, and would like us to help you, just call Michelle or Victoria on 01787 277742 or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk
Data Protection Compliance – who cares?
More than half the UK population cares enough to bother to start using tick boxes and opt-outs. And then, of course, there is the Information Commissioner’s Office … they certainly care. There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.
What is the Data Protection Act anyway?
That’s why we have The Data Protection Act 1998. It establishes a framework designed to keep your and my personal data safe. And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information. There are very few exemptions. To date, over 370,000 organisations are registered.
The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details. This balancing act is complex and can be hard to understand.
In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic Communications (EC Directive) Regulations were introduced in 2003. And on top of all that, the proposed new EU data protection regulation is still under discussion – this will require further data protection steps to be put into place.
Do I have to comply?
The answer is YES. Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant. Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data. And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.
The consequences of non-compliance
It is progressively unlikely that companies can “get away with” non-compliance. UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly, The ICO can impose fines of up to £ 500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.
- Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned. Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines. For example, Tetrus Telecoms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches, including leaving personal data on a train, losing a laptop containing sensitive personal data, and so on. At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
- Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints. In this case, all publicity is absolutely not good publicity.
- Subject access requests – non-compliance can result in both fines and compensation claims
- Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
- Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used. In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases. In either event this can be costly – both in terms of original collection costs and lost revenue
To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.
The Eight Principles of Data Compliance
The Information Commissioner’s Office summarises the principles of data compliance very clearly:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For point 1 above, Schedule 2 examples include:
- The individual whose personal data is being processed has consented to the processing
- The processing is necessary in relation to a contract into which the individual has entered or is about to enter
- The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
- The processing is necessary for administering justice or for exercising statutory, governmental or other public functions
The term “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.
How do I comply?
There are a number of considerations in relation to data compliance; the main areas include:
- Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
- Principles – follow the data protection principles when handling personal information
- Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
- Security – this is a vital area, and covers computers, systems and staff. In summary, it is vital to:
  - keep personal data secure whether in storage, in use, or legitimately being shared
  - make sure that data access is restricted only to those who need access to it
  - be certain that any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed
- Policies – data governance is an essential part of data compliance. Policies and procedures for handling personal data need to be clear, practical, monitored and enforced.
- Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them. You must provide the information requested within 40 days, and may charge a fee of up to £10. Schools and health authorities operate on a sliding scale up to a maximum of £50. It is helpful to log and monitor such subject access requests
- Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly
- Training – it is essential that employees and those with access to personal information are fully trained in data compliance. Employee negligence is a significant factor in terms of data and IT security breaches. Effective training mitigates the risk of unwitting breaches.
- Transfer abroad – sending data to an organisation in the EEA involves the same security and compliance principles as in the UK, but exporting data to the US requires Safe Harbor or a contract to ensure adequate protection for the data subjects.
Keeping your Marketing Compliant
Between them the Data Protection Act 1998 and the Privacy and Electronic (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.
It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business. But it can be a tricky area to navigate.
In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B. With over 30 years’ experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals. We provide clear, tailored, practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.
If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.