The Data Protection Act (DPA) is designed to protect the privacy of personal data stored on computers or in an organised paper filing system. But with a number of high-profile data protection breaches hitting the press recently, Keystone’s Oliver Smith and Maureen Kelly examine the current legislation and share tips for ensuring that you’re protected.
In recent months, we have witnessed a plethora of well-publicised cases in which organisations’ handling of personal data has been questioned. In August, the Labour Party was threatened with legal action over its use of door-step canvassing data about people’s political opinions to vet applications to vote in the Labour leadership election. A number of well-known charities were caught up in the story of elderly widower Mr Rae, whose details were passed on over 200 times, including to conmen. Most recently, a London HIV clinic accidentally disclosed the names of its patients when circulating an e-newsletter. But what exactly does the current law state, and how can you avoid finding yourself in a similar situation?
Data Protection specialist Oliver Smith says, “The use of contact details for marketing purposes usually requires the consent of the individual. There is a distinction in law between this type of data and “sensitive” personal data such as information about political opinions and health. Use of sensitive data requires “explicit” consent which means positive consent where you have to do something specific to indicate your consent, e.g. tick a box, in other words opt-in. Use of other data only requires “consent” which is not defined although it should be specific and unambiguous.”
“Many organisations rely on opt-out consent for this and assume that if you don’t tick the “No” box then you have agreed to the use,” Oliver continues. “Whether this is lawful will depend on the particular circumstances, such as how clear and prominent the opt-out notice is, and this is a grey area of law which can be abused.”
It is believed that Mr Rae was the victim of a hidden opt-out consent box, whilst the HIV patients had actively opted in to an electronic communication service, but it is not clear whether this was to include marketing-type materials such as newsletters or just medical communications.
“Clearly the patients did not consent to their data being disclosed to other patients, but had they known it was to be used to send newsletters, they might have declined. In the case of the Labour Party, it is unlikely they had explicit consent to use the data for vetting, but they may have taken advantage of an exception for non-profit organisations using data in-house, i.e. not shared with third parties.”
Maureen Kelly, an Intellectual Property and IT Consultant Solicitor at the firm, adds, “As the volume of digital data and the means for sharing it increase, so too do the risks of a data security breach. Last month the big story was the hacking of Ashley Madison’s customer data. This month it is the release, by email error, of patient data by 56 Dean Street. The stories will just keep coming. Today no organisation and no person is immune from this risk. All organisations need to ensure that they are clear what their legal obligations are in relation to data security, identify and implement the practical measures required to fulfil those obligations and provide regular staff training to maximise staff compliance with the measures.”
How can I protect myself?
The EU is currently negotiating a new Data Protection Directive which may require explicit opt-in consent for the use of all personal data, not just sensitive data. Data users are currently required to keep data up to date and not to hold it longer than necessary for the purpose for which it was obtained. It is therefore advisable that they check regularly with the individuals concerned that they are still happy for their data to be used. Consent can be withdrawn at any time, so individuals experiencing problems with marketing calls and mail should advise the company that they are withdrawing their consent and that any further use of their data will be reported to the Information Commissioner. There can, however, be problems where the company is difficult to identify or is based overseas. Companies that are particularly concerned about their reputations but want to share data should ensure that they keep control of it by using a reputable third-party marketing or emailing company and retaining ownership of the data.
To see Oliver Smith’s recent comments on the case of Mr Rae, click here: http://www.bbc.co.uk/news/magazine-34114583
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.