Why you need a Data Protection Notice

Data protection notices (now commonly known as privacy policies) often go unread, and many companies handling personal data will not take the time to ensure their notices are drafted specifically with their business activities in mind. Many will seek to rely on a standard form notice, despite the potential repercussions stemming from an inadequate notice.

The Data Controller identified in the notice should use their legal name. In the case of a company, this would be its full company name, as registered at Companies House, together with any trading name, if this differs from the registered name. Where the Data Controller includes group companies, these should also be identified, either in the notice or by way of a link in the notice to a list of the relevant companies. Once the identity of the data controller is established, it is common for the data controller to refer to themselves as ‘we’ or ‘us’.

The Data Controller should also take steps to ensure they are clear about what information is being processed and the purpose for which it is being processed. Where a company is seeking to build up a customer profile in order to better understand consumer habits, for example, an appropriate reference should be included in the data protection notice.

It is important, however, to ensure that the stated purpose for which data is being processed is an accurate reflection of the organisation’s current or immediately foreseeable data processing activities. Data must be processed fairly and this means that data subjects must not be misled as to the purpose or the extent to which their data is being used by a company.

Third Parties

A notice should also mention if third parties are being used to process data on behalf of an organisation, although this does not necessarily entail disclosing the identity of each and every data processor. The data subject’s consent is also not required prior to sending the data to the third party for processing.

Consent from a data subject is required, however, where data is to be provided to a third party for a purpose other than processing that data. Under these circumstances the data controller should make the identity of the third parties clear, either by referring to them directly in the notice or by referring data subjects to a webpage, for example, which identifies the third parties. In any event the notice must make clear the purpose for which consent is being sought.

A third party will only be permitted to use the data provided by the data controller under the terms of the controller’s data protection policy. When processing the data, however, the third party will need to provide the individual with their own data protection notice and may, as a result, process that data in accordance with its own notice and not the original controller’s. This may, however, leave the third party liable to legal action by the original data controller if there was a legal agreement between them to prevent the use of personal data in such a manner.

A fee of up to £10.00 may be levied in order to grant a subject access to the data being held which relates to them. Individuals have a right to access their data and to have inaccurate information corrected. Whilst inclusion of this right is not a specific requirement under the Data Protection Act 1998, organisations should, as a matter of good practice, seek to include this in their notice.

Data Collection

Data collection may involve the collection of email addresses or telephone numbers. The Privacy and Electronic Communications (EC Directive) Regulations 2003 state that the consent of the data subject must be obtained before they can be contacted for marketing purposes via text message, facsimile or email or before automated calling systems can be used. Consent in this context requires the individual to take some form of positive action, as opposed to passively consenting. Positive action could include clicking a tick box in the submission of an online form, for instance.

Contact by telephone does not require consent, although the telephone number must be screened against both the Telephone Preference Service and the data controller’s internal list comprising persons who do not wish to be contacted. Contact by mail also does not require consent. In practice, many organisations will benefit from obtaining consent to all forms of communication at once rather than attempting to follow the minimum legal requirements. This is particularly important where industry-specific codes of conduct go further than statutory requirements.

Credit Checks

Specific wording exists for inclusion in a data protection notice if the data controller wishes to carry out credit checks or credit scoring activities on the basis of the information received. Credit checks and credit scoring are marked against an individual’s credit record and may adversely affect their ability to secure credit. It is therefore vital that this is drawn to an individual’s attention and to ensure their consent is obtained on the basis of full and factual information.

A similar approach should be adopted when carrying out a money laundering check. The Money Laundering Regulations 2003 require that in certain circumstances where the identity of an individual needs to be verified, the data protection notice should be drafted in a way which allows the data subject to understand how the information will be used.

Sensitive Personal Data

The Data Protection Act defines sensitive personal data as information which can be used to identify a living individual. A data protection notice does not automatically give rise to a right to process sensitive personal data. A positive opt-in action is required on the part of the data subject before such data may be processed; silence or an omission to act can never constitute consent.

Michael Coyle specialises in IT and data protection. He can be contacted at michael.coyle@lawdit.co.uk.

Lawdit Solicitors is a commercial law firm based in Southampton with associate offices in London, Malaga and Rome.
