What is it? Data protection law in the UK is designed to protect individuals from misuse of their data.
Key legislation: The key piece of legislation in this area is the Data Protection Act 1998 (DPA) which sets out eight principles. Any organisation which collects information about individuals will have to comply with the eight principles. There are several other pieces of legislation which also apply.
Top ten legal points:
- At the point at which information is collected, individuals must be given three things:
- the name and contact details of the organisation that will hold their data (the Data Controller);
- general details about how the data will be used; and
- the types of organisations that it will be shared with.
- If any sensitive data is being collected (such as information about mental or physical health or about religious or political beliefs) then extra steps have to be taken.
- Data held by an organisation must be relevant to the activities which have been described to the individual. It’s important to make sure that the data is kept up to date and accurate. If you can’t to this - then the data should be archived or destroyed.
- You must ask for consent if you are going to use the data to send marketing (including fundraising) information to the individual by email or text. Note that, provided the use of the information has been described to the individual and they then supply their details, they have given consent. This is because they have made the choice, knowing how their details will be used, to supply those details. It is good practice but not essential to give individuals an opportunity to tick a box to opt out of such use (or even to untick a box, which is regarded as slightly less good practice). It is best practice to give people an opportunity to tick a box to opt in to such use.
- It is unlawful to telephone an individual for marketing purposes if they have registered with the Telephone Preference Service.
- Security measures need to be put in place to minimise the risk of loss or damage to personal data. This should be proportionate, so does not always require the latest expensive technology, but any data leaving an organisation’s premises in portable electronic storage such as laptop or tablet, memory stick, or mobile phone memory must be encrypted (not just password protected).
- If you employ sub-contractors who may use the data then the organisation must have a written contract with that sub-contractor which is compliant with the requirements of the DPA. Sub-contractors could include consultants, cloud services providers, payroll agents, fulfilment houses, or even fundraisers.
- If the individual has not consented, then specific steps must be taken before data can be transferred to most countries outside of the European Economic Area. There are a few exceptions including Australia, US companies which have signed up to the “safe harbor” protocol, some Canadian states and a handful of other countries. This applies to data which is given to call centres and cloud services providers with servers outside of the EEA.
- Individuals have a right to be given, within 40 days of request, a copy of any data held about them by the Data Controller, subject to payment of a maximum fee of £10.
- The Information Commissioner has the power to impose fines of up to £500,000 for breaches of the DPA.
This is a broad summary only of some of the key obligations imposed on Data Controllers under the DPA. If you have questions regarding more specific circumstances, please contact Lawrence Simanowitz (firstname.lastname@example.org).