Paul Owens explains what the Data Protection Act requires from insurers using electronic communications to find clients

Electronic communications provide a quick and cost-effective way of reaching your clients and potential clients. They are also extremely flexible as they enable you to tailor your message to different groups, without significantly increasing the cost.

In the insurance industry, where many companies simply don't have the budget for expensive marketing campaigns, while others have clients spread across the globe, marketing through emails or electronic newsletters is a communications method that works for all. But how do you get details about those you want to communicate with?

Most insurance companies build up a database of contacts over the years. The regulations about how you manage this kind of information are covered by the Data Protection Act [1988].

The Act aims to protect the individual, by ensuring that organisations are open about the way they use information and enabling individuals to find out exactly what is being held about them.

Many companies don't fully understand how this legislation affects them. Some are also unaware that the Act was revised just over a year ago to widen its remit and remove some grey areas. This lack of knowledge could open your organisation up to prosecution.

The Data Protection Act [1988] and The Data Protection (Amendment) Act [2003] are quite complex.

Data controllers
A key area of your responsibilities should be obtaining and processing information. Companies and staff that hold personal information are known as "data controllers". As such, they must register with the Data Protection Commissioner, as they are accountable under the Act and have specific obligations in relation to obtaining and processing that information.

If your company collects personal data for marketing purposes - even if it is just basic information, such as name, company and contact details - don't think it is purely the marketer's responsibility to ensure that you are complying with any regulations.

The Data Protection (Amendment) Act 2003 puts the onus for compliance squarely on the shoulders of the data controller.

Therefore, the regulations apply to your company, even if you use a third party, such as a web agency, to process your data on your behalf.

Ultimately the buck stops with your organisation, so do your research or at the very least work with reliable people who fully understand the legislation.

The Data Protection Act [1988] strives for transparency, so that the individual is fully aware of what is going on. The 2003 amendment extended this to electronic communications, such as email and the internet.

You may gather information on visitors to your website by asking them to register. If you intend to use that information in any way, for example, to send a newsletter, you must make this clear and ask people to actually "opt in".

That information can then be used only for the purpose that you stated and that the visitor agreed to. Once it has been used for that purpose, it must be destroyed.

You will need further consent if you want to pass information to another company. Similarly, if you have a mailing list from a third party - for example, when buying lists for email campaigns - you must advise the people on it that you have it and where you obtained it.

Despite the number of junk emails that you may receive, companies are actually no longer allowed to send unsolicited emails and text messages to potential customers without first obtaining their consent.

Even existing customers must be clearly given the option to "opt out". There are some exceptions, so it is important to investigate this if you are sending newsletters and promotions by web page format or text emails.

Every precaution
The Act takes security extremely seriously and stresses the particular care that must be taken by any company that stores an individual's financial information, such as insurance, tax and accounts details.

You must take every precaution to protect not only the information held about your clients but also that held about your employees - such as their payroll files.

These security measures extend to a practical level, meaning that any computer equipment that holds confidential information must be protected from misuse.

For example, if you or one of your employees leaves a laptop in the pub and the laptop contains data - in particular financial information - your company could be prosecuted.

Introduce clear policies on computer access, security and control - including firewalls, passwords and backing up restrictions - and communicate them to your staff.

If used correctly, personal data can be an invaluable marketing tool. Make sure you don't abuse it without realising.

Paul Owens is creative director at Box

Q&A
Q: We are a small traditional insurance company and we recently had a website built. We have since discovered that the site contains 'cookies'. What does that mean and should we be worried?

A: A cookie is a harmless tracking device, which is triggered when a new user visits your site and which automatically downloads itself on to the visitor's computer.

It enables you to monitor their movement around the internet - including recording and remembering their preferences on your own site, for return visits - as well as record other sites they visit so you can build a profile of their interests and target them more effectively.

Under The Data Protection (Amendment) Act [2003] it is acceptable to use cookies. But you must make it clear to the visitor that you are doing this and then you must not only get their consent, but also give them the opportunity to "opt-out".

Principles of the Data Protection Act
The Data Protection Act [1988] has eight core principles. Personal data must:

1. Be processed fairly and lawfully

2. Be processed only for one or more specified and lawful purposes

3. Be adequate, relevant and not excessive for those purposes

4. Be accurate and kept up to date - data subjects have the right to have inaccurate personal data destroyed if it's wrong

5. Not be kept for longer than necessary and only for the purpose stated

6. Be processed in line with the rights of the individual - including the right to be informed of all information held about them, to prevent processing of personal information for marketing purposes and to be compensated if they can prove they've been damaged through non-compliance with the Act

7. Be secured against accidental loss, destruction or damage and against unauthorised and unlawful processing

8. Not be transferred to countries outside of the European Economic Area (which is the EU, plus Norway and Liechtenstein) that do not have adequate data protection.