This is an introduction to the law. If ever there was a time to follow the suggestion of checking first with a lawyer, then if you are involved in direct marketing by email, this is it: and probably a specialist lawyer. The law can change by way of stated case at the stroke of a judge’s pen.
The Data Protection Act
The intent of The Data Protection Act 1998 (The DPA) is to strike a balance between the conflicting interests of individuals and those who wish, for valid and lawful reasons, to store and use personal information. It does this by giving rights to the individual with regards to information held about them and places obligations on those who retain and process such information.
The DPA and email marketing
From the point of view of those engaged in direct email marketing, it is most appropriate to start with the obligations, a breach of which could well result in prosecution and penalty.
Whilst the wording of The DPA is fairly straightforward, definitions are often general and can be subject to interpretation. However, one requirement is very clear: if your business includes the processing of personal information then you must conform to the requirements of The DPA. These are reasonable and do not limit good business practice to any great extent.
Those who store a considerable quantity of personal data are advised to seek specialised legal advice on their arrangements for systems and support. For those with smaller horizons at present, this document should be treated as an introduction only and not relied on as a comprehensive explanation of the law.
The first definition one must crack is that of personal information. This is data about living, identified or identifiable individuals and includes facts and opinions.
The definition of personal data is expected to be refined by courts over time but it is clear that an email address, such as Albert.Smith@Abig company.com comes comfortably within the definition even if his secretary is likely to open it. Be careful with titles such as sales.manager@Acompany.com. Whilst in most companies this position would change from time to time, if it was a sole trader it could well be considered personal. Time will tell.
Both customers and employees are covered under The DPA.
If your business processes personal information then you must, unless exempt, notify:
The Information Commissioner’s Office (ICO), www.ico.gov.uk. Notification at January 2009 cost £35 per annum.
Exemptions are few and can include information for accounting or auditing, pensions and insurance administration.