The Data Protection Act

People often talk about the Data Protection Act, but in reality few people know very much about it. It is a very powerful piece of legislation aimed at protecting consumers against the unlawful handling of their personal information, and one which provides rights and remedies if you suffer damage or distress as a result.

The responsibilities of companies and organizations

The Data Protection Act requires that any organization which handles or processes personal data must comply with eight data protection principles – that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

In practice this means that if an organization causes you additional expense or long-term inconvenience as a result of incorrect personal information about you, that organization would be in breach of the Data Protection Act and liable to pay you compensation.

The rights of individuals

One of the principal purposes of the Data Protection Act is to give individuals the right to know and control what data is stored and how it is used. Therefore if you are in any way curious or suspicious as to what information organizations might hold on file about you, you have the right to make a Subject Access Request. This is a simple request in writing to the organization you believe to be holding or processing the data. Your request must include the relevant fee (maximum £10) and the reply must be received within 40 days. Many Subject Access Requests are made to credit reference agencies, so that people can find out about their various credit ratings. In this case, the fee is only £2 and a reply must be received within 7 days.

In addition to the right to know what information exists about you, you also have the right to request that inaccurate or inappropriate personal details be corrected or removed, or that personal information not be processed at all, if it leads to significant damage or distress on your part. But even in the absence of damage or distress, you can still stop all processing of your personal data for direct marketing purposes by writing to the company which is targeting you and requesting they take your details off their mailing lists.

Most common ways in which companies breach the Data Protection Act

  • If companies mix up your details with someone else’s and wrongly charge you – typically telecoms and utility companies
  • Where you have been refused credit as a result of the wrong information given by a credit reference agency
  • CCTV without warning signage
  • Recorded or monitored telephone calls without warning

Taking further action

If you feel an organization you’ve had dealings with is in breach of any of the 8 principles listed above, perhaps because you are being denied access to personal information they hold about you, or this information is inaccurate or being handled improperly, your first course of action must be to write to the data processor for the company itself (there must be a contact postal address on the website or correspondence). If you are unsure as to whether there has been a breach, or the organization is simply not responding to a request you have made, you should ask the Information Commissioner’s Office to undertake an Assessment Procedure. The outcome of the Assessment is usually enough to force the organization to comply; if it isn’t, the ICO can take enforcement action. Under the Act, if you can show the improper handling of personal data has caused damage or distress to you, you have the right to claim compensation through the courts.

The Data Protection Act is a very powerful piece of legislation as far as consumer rights are concerned – when it is mentioned, companies usually listen. However, it is also very much under-utilised and few people exercise their rights or invoke the assessment procedure which is offered by the ICO.

More info: http://www.ico.gov.uk/

Preventing junk mailing or cold calling as a whole

Under the Data Protection Act, most firms’ marketing departments have to comply with its principles in how they deal with personal data. Nobody likes to receive excessive amounts of junk mail, and it is your right not to receive any. The Direct Marketing Association (DMA) runs the Mailing Preference Service and the Telephone Preference Service. If you apply to have your details (and the details of anybody else living in your household) put on the list, most firms will refer to this list when sending out marketing material.

More info: http://www.dma.org.uk/

14 Responses to “The Data Protection Act”

  1. James says:

    Question about the DPA.

    I recently had contact via letter from a company called ‘Clarity’ who were acting on behalf of a payday loan company (pounds till payday), okay I owe them some money and am having real problems getting them to accept a payment plan.

    Anyway what really annoyed me was that this third party company (Clarity) were using my National Insurance Number as a reference number, obviously from their client.

    Would this breach DPA, sending information like that via the post?

    Looking at the Information Commissioner’s website, I can find an entry that says ‘Sensitive information like Passport numbers which could be used as identity theft should be handled very securely’. Now call me old fashioned but surely they should not be using my NI number as a reference number and I cannot see why PTP gave it to Clarity in the first place.

    Anyone have any suggestions, would be appreciated?

    James

  2. Catriona says:

    James – NI number is personally sensitive information as it can be used to access other info – such as Inland Revenue data. It is inappropriate to be using it as a reference number and may even be in breach of S7 of the DPA. My advice would be to report this to the ICO who will then be able to confirm whether this is correct and may even be able to take this up with Clarity on your behalf.

  3. Debbie says:

    We have been receiving letters marked “private & confidential” to our business address in the name of one of our employees. We have passed these on to him and they are from a pension company which he has had no dealings with. He has called them several times to ask for this information to stop being sent in his name to our workplace. We received another letter today which was accidentally opened with all our other post. We called the number on the letter and were told they cannot deal with the employee in question because he is not at the address they have on file, and they will not discuss it with us…as we are not the named person they have the account in the name of. We have explained we are concerned someone somewhere could have a fraudulent policy set up with our, and one of our employee’s, details but they just keep quoting “data protection act” and that they cannot speak to either of us.

    Any ideas?

  4. Julie Hunt says:

    How long can a company keep your debit or credit card details on file?

  5. Catriona says:

    Julie, I don’t think a time limit is mentioned in the act, but details can only be kept as long as they are relevant to the company concerned – i.e. that they are still using them to debit your account.

    • Julie Hunt says:

      Thank you Catriona for letting me know – much appreciated. The company are still holding my debit card details 3 weeks after transaction had taken place for the ski lift passes. There has been some dispute over the deposits for passes, as there was lack of communication from the reps working for the ski tour operator who did not inform us at the start of the company nor was it in writing in documentation we received prior to our departure that it was a different procedure to previous holidays with them, we, along with other groups staying at the same chalet, took the lift passes back to the lift pass office ourselves to retrieve our refundable deposits. The tour operator did not make it clear that they actually paid for the deposits and that we should have handed them back to the reps. This confusion has resulted in the tour operator informing me that they will charge my card to get the money back. What concerns me is the fact that they have been holding our card details for so long, and then decide to take money back whenever they wanted to. I would have quite happily handed over the passes on the last day, or indeed given them the 3 euro deposit per lift pass at the start of the holiday. But instead, it’s resulted in accusations from the owner of the tour operator informing me (and the other guests) that we have committed a deliberate and fraudulent act.

  6. Catriona says:

    Julie, You did nothing of the kind, if no written or verbal contract or Ts and Cs existed, how could you have acted fraudulently? I’m not too sure of the rules concerning what kind of card info they can hold, but I’m fairly sure you must give your approval for your card to be used at a later date – exactly as they do in hotels. If they are going to keep hold of your card details, there must be some mention of this in their Ts and Cs. If not, request your card details be removed on the basis that they are no longer relevant. You can always report them to the ICO who are always very helpful.

  7. Ewan says:

    A company who has been dealing with my contents insurance has spoken to me on three separate occasions on my mobile phone without confirming any details to establish if I am the correct person. Is this a breach of DPA 1998?

  8. Catriona says:

    Ewan, companies should establish you are who you say you are before they can discuss personal details, although from my experience this is more when you phone them rather than when they phone you. I wouldn’t have said it was a breach of DPA as it hasn’t been passed on or unlawfully processed. Go to the ICO’s website for more clarification.

  9. Dion Hughes says:

    My partner was contacted by a debt collection agency, they asked for Mrs Hughes she answered that she was Mrs Hughes, (although we’re not married, and she has a different surname – she does this sometimes). It transpires that the debt is in the previous occupant’s name, from about 5-6 years ago, the debt collection agency still has their details linked to my house. Suffice to say, they refused to believe me and quoted the data protection act by threatening my partner with court action for misleading them saying it was against the law to impersonate someone else!!! What I want to know is, have they acted accordingly and is my partner liable to get prosecuted? p.s. This is not the first time we’ve been harassed by debt collection agencies, therefore I believe all of them are holding out of date information.

  10. Catriona says:

    Dion, No, there is no possibility of your partner being prosecuted. It is the job of the DCA to ensure they are acting on the correct information – clearly they are failing in this duty and harassing you like this puts them in breach of the OFT’s guidelines. Please see our section on DCAs for more:
    http://whatconsumer.co.uk/debt-collection-agencies/

  11. Dion Hughes says:

    Thank you Catriona for your reply. It’s a weight off our minds. I have contacted the Citizens Advice Bureau and they say we might have a case against them for harassment. I have a meeting with them soon. The Debt Collection Agency even phoned me again today!!! I told them I was in contact with the CAB and couldn’t continue any dialogue with them. Ha! They put the phone down very quickly!!!

    Again thank you very much. All the best Dion.

  12. Catriona says:

    Dion, well done. As I say it is the DCA’s responsibility to get their facts right. You can also file a complaint against them with the OFT.

  13. naomi says:

    Hi there, I need help. Monday just gone I had a friend staying at my house; I had to go to work for a 12 hour shift. While my friend had been staying at my property, a bailiff knocked on my front door and asked my friend if I was in. Of course I was not, as I was at work. The bailiff handed my friend a notice, uncovered and unenveloped, and started talking to my friend about my business. I feel really embarrassed and humiliated. I really did not want my friend to find out my personal business. When I returned home I was horrified at what my friend had told me. Please can you help me, what can I do about this????


