People often talk about the Data Protection Act, but in reality few people know very much about it. It is a very powerful piece of legislation aimed at protecting consumers against the unlawful handling of their personal information, and one which provides rights and remedies if you suffer damage or distress as a result.

The responsibilities of companies and organizations

The Data Protection Act requires that any organization which handles or processes personal data must comply with eight data protection principles – that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

In practice this means that if an organization causes you additional expense or long term inconvenience as a result of incorrect personal information about you, that organization would be in breach of the Data protection Act and liable to pay you compensation.

The rights of individuals

One of the principle purposes of the Data Protection Act is to give individuals the right to know and control what data is stored and how it is used. Therefore if you are in any way curious or suspicious as to what information organizations might hold on file about you, you have the right to make a Subject Access Request. This is a simple request in writing to the organization you believe to be holding or processing the data. Your request must include the relevant fee (maximum £10) and the reply must be received within 40 days. Many Subject Access Requests are made to credit reference agencies, so that people can find out about their various credit ratings. In this case, the fee is only £2 and a reply must be received within 7 days.

In addition to the right to know what information exists about you, you also have the right to request that inaccurate or inappropriate personal details be corrected or removed, or that personal information not be processed at all, if it leads to significant damage or distress on your part. But even in the absence of damage or distress, you can still stop all processing of your personal data for direct marketing purposes by writing to the company which is targeting you and requesting they take your details off their mailing lists.

Most common ways in which companies breach the Data Protection Act

  • If companies mix up your details with someone else and wrongly charge you – typically telecoms and utility companies
  • Where you have been refused credit as a result of the wrong information given by a credit reference agency
  • CCTV without warning signage
  • Recorded or monitored telephone calls without warning

Taking further action

If you feel an organization you’ve had dealings with is in breach of any of the 8 principles listed above, perhaps because you are being denied access to personal information they hold about you, or this information is inaccurate or being handled improperly, your first course of action must be to write to the data processor for the company itself (there must be a contact postal address on the website or correspondence). If you are unsure as to whether there has been a breach, or the organization is simply not responding to a request you have made, you should ask the Information Commissioner’s Office to undertake an Assessment Procedure. The Outcome of the Assessment is usually enough to force the organization to comply, if it isn’t, the ICO can take enforcement action. Under the act, if you can show the improper handling of personal data has caused damage or distress to you, you have the right to claim compensation through the courts.

The Data Protection Act is a very powerful piece of legislation as far as consumer rights are concerned – when it is mentioned, companies usually listen. However, it is also very much under-utilised and few people exercise their rights or invoke the assessment procedure which is offered by the ICO.

More info:

Preventing junk mailing or cold calling as a whole

In accordance with the Data Protection Act, most firms’ marketing departments have to comply with the principles of the Data Protection Act in terms of how they deal with personal data. Nobody likes to receive excessive amounts of junk mail, and it is your right not to receive any. The Direct Marketing Association (DMA) runs the Mailing Preference Service and the Telephone Preference Service. If you apply to have your details (and the details of anybody else living in your household) put on the list, most firms will pay reference to this list when sending out marketing material.

More info: