The incorrect use of personal data could land you in court following recent changes to the Data Protection Act. Allianz Cornhill's Sharon Curd assesses the act's implications and explains how brokers can avoid being caught out.

Wise up, or risk an unlimited fine. That's the message to businesses harvesting personal data following important changes to the Data Protection Act (DPA) 1998 which came into force on March 1, 2000.

The new act places a number of additional responsibilities on businesses that collect, hold or process personal information on individuals, sole traders, partnerships, company directors or shareholders.

It shifts the balance firmly in favour of consumers, who have the right to check or withdraw their personal data and claim compensation where it is used wrongly.

The key principle of the act is that personal information belongs to the person it relates to. They have full rights over that information and can insist on seeing it at any time. They can also demand compensation if records are wrong or damaged – even if the data has not been used for activities such as marketing or credit referencing.

In the insurance world, data is gathered from customers at every opportunity: at proposal, at renewal and then when making a claim. Once collected, personal information is used in a variety of ways, including cross-selling over the telephone and direct mailing, the time-honoured method of generating new business for generations of brokers.

Case study

A broker has a customer base of large and small businesses, sole traders and personal lines clients. This brokerage will hold data, either manually or on computer, on:

  • sales records
  • survey reports
  • credit payments/records
  • loss adjuster's reports
  • mailing/prospect list
  • proposal forms
  • policies
  • cover instructions
  • file notes
  • intentions, such as reissue at renewal
  • claims records
  • employees and job applicants.

    All of this information falls under the requirements of the act. As a result of fundamental changes to the act, the freedom to use personal data for direct marketing activities is severely curtailed. Individuals now have the right to block the use of their personal details in this way. Businesses abusing this right risk enforcement action by the government-appointed Data Protection Commissioner and possible heavy fines.

    Individuals must be made aware of the purposes for which the data will be processed:

  • to market other products and services
  • to use for telemarketing.

    The new act does provide certain exemptions from gaining consent on the use or processing of data for research purposes, providing that it is exclusively for that purpose and that:

  • the analysis does not identify individuals
  • the analysis is not in support of measures or decisions relating to particular individuals
  • substantial damage or distress is not, or is unlikely to be, caused to any individual.

    Another key area of concern for brokers is the introduction of the Telephone Preference Service (TPS) that prohibits unsolicited calls to consumers registered on its file. Despite claims that it had not been adequately publicised to businesses or consumers, more than one million UK phone numbers have been registered since it became compulsory last year. The Data Protection Commissioner has already identified companies that have failed to comply with the TPS and is deciding whether to take formal action against them. Second Telecom and Top 20 are two companies that have been sent enforcement notices for sending unsolicited marketing faxes in breach of the regulations.

    At the heart of the act are two new roles brokers must incorporate into the day-to-day running of their businesses. These roles have been introduced to regulate the handling of personal data and involve the allocation of direct responsibility for upholding the requirements of the act. These roles are the Data Controller and the Data Processor.

    The Data Controller is the person, company or organisation responsible for deciding the purposes for, and the way in which, any personal data is processed. These decisions cover:

  • what data is held
  • how it is held
  • why it is held
  • who has access to it.

    All organisations keeping personal records must designate someone to be responsible for making decisions on the data records. Ignorance of this legal requirement is not an option. Where personal records are held, a Data Controller must be nominated. The Data Processor is, as the name suggests, the person who processes the data.

    Under the act, the word "processing" has a wider meaning than in normal terms. It applies to obtaining, recording or storing information and the administration, alteration, recovery, accessing and disclosure of that data. It also covers erasure or destruction of personal information, whether it is stored in a manual or electronic system.

    Areas of change
    The act gives a number of new rights to the individual over the processing of data that brokers need to be aware of (see box).

    There are some critical steps that companies need to undertake in order to comply with the regulations of the act:

  • First, check the records that are used by your business, whether held manually or on computer. Look at files held at head office, branch office or even outside the business, such as at the homes of salesmen or on the premises of a computer bureau. Decide the extent to which they are made up of personal data and come within the scope of the act.
  • Assuming the records can be defined as personal data, appoint a Data Controller.
  • Notify the Data Protection Commissioner of the data being stored and the person or persons responsible for their control. The simplest way to register your details is by calling 01625 545 740.
  • Set up the systems by which consent is obtained from data subjects to hold and use information about them.
  • Install effective systems enabling individuals to inspect the data you hold on them.
  • Brief all relevant staff about the terms of the act relating to how they collect, hold and access personal data.

    New rights for the individual over the processing of data under the act
    1. Right of access
    Individuals can make a written request and pay a fee (maximum £10) to find out if they are included on a database, learn what information is held, why, and who can have access to the information. If a computer system is used to calculate an assessment or rating of an individual's status, such as a credit rating or limit, then the individual has the right to know how the automated decision was made.

    2. Right to prevent processing likely to cause damage or distress
    An individual can give written notice preventing Data Controllers from processing data that can cause substantial damage and distress. The Data Controller has 21 days to show that they have complied or give the reasons why they think the individual's request is groundless.

    Examples of substantial damage or distress:

  • Sending letters to dead people or to their family, relating to the deceased
  • Passing adverse data relating to business premises rather than the occupants to debt collectors
  • Revealing payment details to a third party without consent

    3. Right to prevent processing for direct marketing
    Individuals can insist that Data Controllers do not use data for sending them advertising or direct marketing material.

    4. Right in relation to automated decision-making
    Using computer-held data automatically to produce in-house league tables or to assess individuals is a growing trend. Under the DPA, an individual has the right to give written notice stopping a Data Controller from making a decision based solely on scorecards or processing by other automatic methods, using information on criteria such as customers' payment performance, employees' timekeeping and drivers' vehicle accidents.

    5. Right to compensation
    An individual who has suffered damage or distress following the wrongful use of data can claim compensation where the Data Controller is unable to prove that all reasonable care has been taken to comply with the terms of the act.

    6. Correction, blocking, erasure and destruction
    Individuals can obtain a court order forcing Data Controllers to correct, block, erase or destroy incorrect data or any assessment or opinion based on such inaccurate data.

    7. Requests for assessment
    Any person, a Data Controller as well as individuals, can ask the Data Protection Commissioner, who reports directly to Parliament, to assess whether data is being processed in compliance with the act.

    Compliance with the DPA 1998 is essential if a business is to continue trading. The following step-by-step guide shows how to ensure that your brokerage meets the requirements of the act.