PRIVATE, KEEP OUT - THINGS ARE LOCKING
The consumer may be king, but the companies they are buying from want to know everything about their personal lives. The revised Data Protection Act aims to give some degree of control back to individuals who want to keep their private details just that. Paul Bray discovers the implications.
One of life's delicious ironies is that although the UK enjoys theant to know everything about their personal lives. The revised Data Protection Act aims to give some degree of control back to individuals who want to keep their private details just that. Paul Bray discovers the implications. highest standard of living the western world has ever known, its citizens no longer seem to own their most intimate personal data. It seems impossible to buy anything, on or off-line, without being quizzed about addresses, phone numbers, age, family circumstances, sexual proclivities and lifestyle choices.
Samantha Brierley, compliance manager at the Data Protection Registrar (DPR), which enforces the law on data privacy, says: "Consumers' greatest concern is lack of control. If they want to live a remotely normal life, they can't help but give out their personal data to all and sundry. They feel as though they can't control how that data is used without losing out in some way."
In one sense, this is literally true, since many websites now require users to complete personal questionnaires before they are allowed access - although if everyone was called Elizabeth Windsor of Buckingham Palace, it would most probably go unnoticed.
Chris Rowsell, senior researcher at Which? magazine, says: "Information is becoming a currency - in some circumstances you are effectively paying for a service with your demographic information."
But the concerns expressed by Brierley reflect a fundamental dilemma.
On the one hand, the majority of people expect, quite rightly, that data held about them should remain private and be looked after properly. The public is especially concerned that data shouldn't be leaked or sold to third parties without their prior knowledge and consent. On the other hand, people expect to be treated as individuals, which means that companies with which they have dealings must know something about them. Individuals want a bank to know they already have a mortgage with one of its partners, so it won't pester them with mortgage offers, and they don't mind supermarkets knowing they're pregnant, if it means getting discounted rusks and rattles for a year.
This dichotomy is reflected in the way the issue of data protection is being officially tackled. Superficially, privacy seems to be winning.
The Data Protection Act (1984), the main attempt to control how personal data is stored and used in the UK, was improved last year. The most recent Act (1998) is due to come into force this autumn.
This will make it an offence to procure personal data fraudulently, and oblige organisations to implement measures to combat this. Transferring personal data overseas will be restricted where the receiving country does not have adequate data protection laws and the passing on of data obtained from third parties will be restricted. At present, if a company receives personal data from a third party, rather than the individuals themselves, it can pass the data on to other organisations. But under the revised Act, this will only be legal if the company can prove the individuals gave their consent.
Holding sensitive information such as peoples' ethnicity, religion, health, sex life, politics, trade union membership and criminal records, will only be allowed for good reasons. Any data can be held at present, providing it is accurate, was fairly obtained, and isn't held any longer than necessary.
Using data for a purpose different from that for which it was obtained will be restricted. People will have the right to appeal against automated decisions - for example, when a computer decides to turn down a credit application - and to know the logic behind such decisions.
And the scope of the recent Act has also been widened to include, for the first time, non-computerised records, such as paper and microfiche.
Exemptions will disappear for some amateur and non-profit making organisations, such as unincorporated members' clubs and organisations which don't process data much - these will have to register within three years.
The business community will get more protection as the Data Protection Act (1984) applies only to private individuals, partners, sole traders and the self-employed.
Recent telecoms regulations, which came into force on 1 May, restrict direct marketing by telephone. They make it illegal to cold call people who have registered with the Telephone Preference Service, and unsolicited faxes to individuals are outlawed completely, unless the individuals have signed up with the Fax Preference Service to say they are willing to accept them. The DPR has hinted it would like to see this rule applied to email as well, though the DTI is still considering this.
Consumer awareness is rising, too. Experian, one of the main credit reference agencies in the UK, has seen a big jump in the number of people who ask to see the information held about them, which stands at about 650,000 a year. Just under one in 100 ask for something to be altered, though the errors are usually cosmetic.
The Data Protection Act and Consumer Credit Act give everyone the right to see any personal data or credit reference files held about them. They must make the request in writing, and be prepared to pay a fee of up to £2 for a credit reference. In return, the data user must provide a copy of all the data it has on that individual, or confirm that it doesn't hold any.
But appearances can be deceptive, and few people realise quite how little protection the law gives. Most importantly, the Data Protection Act does not require organisations to obtain a licence to use personal data. It only requires that they should register the fact that they use such data, and obey basic rules on procurement, accuracy and disclosure (see box, page 39).
Although the DPR can prosecute organisations that break the rules, this is almost always for the administrative offence of failing to register, rather than because of what the organisation does with the data. While it is a criminal offence not to register, breaching the principles of data protection is not an offence in itself. It only becomes an offence if the DPR can't re-educate the offender, and has to issue an enforcement notice, and the data user then ignores the enforcement notice.
In the year to March, the DPR received 3,653 complaints from individuals, and considered 215 cases for prosecution - 59 were actually charged and 55 convicted. All were penalised, the most severe punishment being a £3,000 fine, plus costs, although the poor publicity might be more damaging for a business than the fine itself.
The DPR cannot refuse a registration in the first place. An organisation that collects personal data in the normal course of business - which now means virtually anyone - can reasonably analyse it and use it for marketing and segmentation purposes, as long as it declares this. It does not even have to provide an opt-out box on paper forms or websites, unless it wants to pass the data onto third parties.
Once in the international sector - say, the internet - even this limited protection may be denied. The Data Protection Act (1998) is based on a European directive and will therefore be replicated throughout the EU.
But the US has no federal laws on data protection. Some developing countries will doubtless readily offer virtual flags of convenience to less scrupulous traders.
David Smith, assistant data protection registrar, warns: "One of the big barriers to the development of consumer trading on the internet is that people are worried about the security of their personal information." This goes way beyond the security of credit card payments.
The sheer power of internet and customer relations management technologies makes individuals more vulnerable, as companies and supply chains build up a more complete picture of us. "Technology is no longer the limiting factor it once was," says Smith. "You could end up with one big pool of data about everybody."
These pictures are sometimes in long shot rather than close up, as inferred data becomes widely used. Inferred data is not provided by the individual, but deduced from other data - for example, a postcode gives an indication of the size of the house lived in, and therefore the potential value as a customer. Potentially, it could indicate how likely the occupant is to pay debts.
Inferred data is already widely used for calculating insurance premiums, and targeting the new style of direct mail which is not addressed to individuals, but is delivered to every house and flat in a likely area.
Insiders warn that its use could increase.
Richard Webber, managing director of micro-marketing at Experian, says: "If the industry is prohibited from using personal data, it'll use inferred data instead."
Given that inferred is a polite word for guessed, this should perhaps cause us some concern. The DPR's view is that inferred data is okay for direct marketing, but not for making decisions, such as whether to grant a loan application. It should also not be stored with personal data, but only calculated at run time when the data is being processed.
An example is the row over the electoral roll being used in direct marketing.
The electoral roll is in the public domain and isn't covered by the Data Protection Act. Registration officers are legally obliged to supply the roll, at least in paper format, to anyone who asks for it. Some credit reference agencies have already begun to sell it on disk, allowing it to be used widely.
Webber says: "We think the electoral roll is an extremely useful database. For example, it validates whether people actually live where they claim to live. Having said that, I believe anyone who holds that data should have to apply for a licence which specifies the uses to which it can be put."
The government, however, is concerned about low turnouts in elections, and is worried that use of the roll in this way will discourage people from registering to vote - as happened in the 1980s when the Poll Tax came about. The Home Office is looking into the issue.
The DPR is against the electoral roll being made available electronically, except in special cases such as police use. "It shouldn't be made available and the consumer should have a choice," explains Smith. "We would prefer to see an opt-in scheme, especially for the electoral roll, because people don't have a choice about whether they register, and it's one person who usually registers for the whole household."
In general, for the good guys, data protection should hardly be an issue at all. "Mostly, it should be no more than good business practice," says Smith. "It shouldn't be a big burden for a business to keep personal information secure and not go against its customers' wishes."
But against the bad guys, especially abroad, we have little defence except vigilance.
THE EIGHT PRINCIPLES OF DATA SECURITY
If organisations want to ensure that they are within the law on data privacy, they should register with the Data Protection Registrar (DPR) and follow the eight principles of data protection. Failure to do so can result in prosecution. At present, registration costs £75 and lasts for three years, although this may change. The principles in force, as stipulated by the Data Protection Act (1984), state that personal data must:
1. Be obtained and processed fairly and lawfully.
2. Be held only for lawful purposes which are described in the registration.
3. Be used or disclosed only for those or compatible purposes.
4. Be adequate, relevant and not excessive.
5. Be accurate and, where necessary, kept up to date.
6. Be held no longer than necessary.
7. Be able to allow individuals to access information held about them and, where appropriate, to correct or erase it.
8. Be safeguarded by proper security.
In the Data Protection Act (1998), due to come into force later this year, the principles are similar, except that point seven is replaced with a stipulation that personal data must not be transferred outside Europe unless the receiving country has adequate data protection laws.
Individuals will still have the right to access and correct personal information held about them, even though it will no longer be one of the eight principles.