Anyone with a fetish for figures will find The Data Protection Act 1998 (The DPA) a joy. It has eight principles, seven rights and six conditions. The intent of the legislation is to strike a balance between the conflicting interests of individuals and those who wish, for valid and lawful reasons, to store and use personal information. It does this by giving rights to the individual with regards to information held about them and places obligations on those who retain that information and process it.
From the point of view of email marketing, it is best to start with the obligations, a breach of which could well result in prosecution.
Whilst the wording of The DPA is, unusually, fairly straightforward, definitions are often general and can be subject to interpretation. However, one requirement is very clear: if your business includes the processing of personal information then you are required to conform to the requirements of The DPA. But there is no need to be daunted as the obligations are reasonable and do not limit good business practice to any great extent.
It is good advice to seek advice from those trained in The DPA and this document should be treated as an introduction only and not relied on as definitive.
The first definition one must crack is that for personal information. This is data about living, identified or identifiable individuals and includes facts and opinions. Both customers and employees are covered under The DPA.
Exemptions are few and can include information for accounting or auditing, pensions and insurance administration.
If you process personal information the eight principles of good practice requires the data to be:
• fairly and lawfully processed,
• processed for limited purposes,
• adequate, relevant and not excessive,
• accurate and up to date,
• not kept longer than necessary,
• processed in accordance with the individual’s rights,
• not transferred to a country outside the EEC unless it has adequate protection for the individual.
For the information to be fairly processed one of the following conditions must apply:
• there has been explicit consent from the individual to the processing
• it is required by law to process the information for employment purposes or some other legal requirement
• processing is required to protect the vital interests of the individual
• processing is required to carry out public functions
• processing is required in order to pursue the legitimate interests of the data controller or third parties although this does not apply if it could unjustifiably prejudice the interests of the individual
Special provisions apply to sensitive data, including racial or ethnic origin, political opinions, religious or other beliefs, trades union membership, physical or mental health conditions, sex life, criminal proceedings or convictions.
At first glance the obligations of The DPA can seem daunting but the provisions are more or less what good practice would dictate when sending out your email marketing. It is difficult to argue against words such as fair, limited, accurate, secure and necessary.