The Data Protection Acts 1988 and 2003 confer responsibilities on any organisation that processes or controls personal data. Personal data is data that relates to a living individual who may be identified from the data or in conjunction with other information in the possession of the data controller. You will be involved in the processing of data if you perform any operation on the data including obtaining, recording or keeping data, collecting, organising, storing or disclosing the data or making it available to others. On a day to day level, you need to ensure that the eight rules of data protection are followed:
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways that are compatible with the purposes for which it was given to you initially
- Keep the data safe and secure
- Keep the data accurate and up to date
- Ensure that the data is adequate, relevant and not excessive
- Retain the data for no longer than is necessary for the specified purpose or purposes for which you held it initially
- Give a copy of personal data to any individual who makes a request under the legislation
Issues of privacy and compliance with the data protection legislation can arise in businesses on a day to day level. In addition to general observance of data protection rules in your business, other issues can arise in relation to attempts at direct marketing and in relation to employees.
Direct marketing is a popular and effective way to reach a large audience with information about your business however it must be done properly. In the year 2012, the Office of the Data Protection Commissioner received 606 complaints in respect of direct marketing which made it the biggest single source of complaint to the Data Protection Office in that year. In order to ensure that your direct marketing complies with the Data Protection Acts, you need to ensure compliance with the eight rules of data protection as set out above. Under the Data Protection Acts, recipients of direct marketing can request their removal from a direct marketing database at any time and the data processor or controller must comply with this request within forty days.
In addition to your obligations under the Data Protection Acts, the Privacy and Electronic Communications Regulations (Statutory Instrument 336 of 2011) contain the main law relating to direct marketing by electronic communications. The Regulations provide that consent must be obtained for any unsolicited communication to an individual for the purposes of direct marketing therefore an individual must provide what is known as ‘opt-in’ consent. An exception to this is if you are sending an email to an email address that reasonably appears to be used in the context of the individual’s business activity and the email or communication relates to that business activity.
Communications that are sent to businesses requires the ‘opt-out’ regime. Unsolicited communications for the purpose of direct marketing between businesses is permitted unless the user has opted out of receiving same. If a business user opts out of receiving the direct marketing, then it must cease. Emails and texts must have a valid address to opt out.
Any breach of Regulation 13 is a separate offence. This could be expensive for a company that sends out hundreds or thousands of texts – each text is a separate offence.
Data Protection and Employees
There are many data protection issues involved in a typical employment relationship. Employees have privacy and data protection rights that are not lost just because they are an employee. In the workplace, the employer is the data controller because it controls the contents and use of personal data of its staff and it is bound by all of the provisions of the Data Protection Acts.
Section 7 of the Data Protection Act provides that an employer owes a data protection duty of care to employees in the workplace. In the area of employee monitoring, a balancing act is required as employers may not be able to rely on a uniform consent if what they are seeking to do goes further than is necessary for the purposes of protecting the employer’s legitimate interest. In order to protect the employer’s legitimate interests, the employer may be able to justify certain limitations to the privacy of employees in the workplace. As a broad guide, employees must be informed of the existence of any surveillance and the purposes of which personal data is processed. Any personal data that is processed in the course of monitoring of staff has to be adequate, relevant and not excessive and should not be retained for any longer than is necessary for its original purpose.
It is useful to follow a data protection checklist if your business is involved in the processing of personal data and many of these items will be relevant to your everyday business and to direct marketing or employees:
- Are the individuals whose data you collect aware of your identity?
- Have you told the data subject what use you make of his data?
- Are the disclosures you make legitimate disclosures?
- Do you have appropriate security measures in place regarding protection and access of data?
- Do you have appropriate procedures in places in relation to keeping data up to date?
- Do you have a defined policy on retention periods for all items of personal data?
- Do you have a data protection policy incorporating the eight rules of data protection to your particular business?
- Do you have a procedure to handle requests from data subjects?