The incorrect use of personal data could land you in court following recent changes to the Data Protection Act. Allianz Cornhill's Sharon Curd assesses the act's implications and explains how brokers can avoid being caught out.
Wise up, or risk an unlimited fine. That's the message to businesses harvesting personal data following important changes to the Data Protection Act (DPA) 1998 which came into force on March 1, 2000.
The new act places a number of additional responsibilities on businesses that collect, hold or process personal information on individuals, sole traders, partnerships, company directors or shareholders.
It shifts the balance firmly in favour of consumers, who have the right to check or withdraw their personal data and claim compensation where it is used wrongly.
The key principle of the act is that personal information belongs to the person it relates to. They have full rights over that information and can insist on seeing it at any time. They can also demand compensation if records are wrong or damaged – even if the data has not been used for activities such as marketing or credit referencing.
In the insurance world, data is gathered from customers at every opportunity: at proposal, at renewal and then when making a claim. Once collected, personal information is used in a variety of ways, including cross-selling over the telephone and direct mailing, the time-honoured method of generating new business for generations of brokers.
Case study
A broker has a customer base of large and small businesses, sole traders and personal lines clients. This brokerage will hold data, either manually or on computer, on:
All of this information falls under the requirements of the act. As a result of fundamental changes to the act, the freedom to use personal data for direct marketing activities is severely curtailed. Individuals now have the right to block the use of their personal details in this way. Businesses abusing this right risk enforcement action by the government-appointed Data Protection Commissioner and possible heavy fines.
Individuals must be made aware of the purposes for which the data will be processed:
The new act does provide certain exemptions from gaining consent on the use or processing of data for research purposes, providing that it is exclusively for that purpose, and that:
Another key area of concern for brokers is the introduction of the Telephone Preference Service (TPS) that prohibits unsolicited calls to consumers registered on its file. Despite claims that it had not been adequately publicised to businesses or consumers, more than one million UK phone numbers have been registered since it became compulsory last year. The Data Protection Commissioner has already identified companies that have failed to comply with the TPS and is deciding whether to take formal action against them. Second Telecom and Top 20 are two companies that have been sent enforcement notices for sending unsolicited marketing faxes in breach of the regulations.
At the heart of the act are two new roles brokers must incorporate into the day-to-day running of their businesses. These roles have been introduced to regulate the handling of personal data and involve the allocation of direct responsibility for upholding the requirements of the act. These roles are the Data Controller and the Data Processor.
The Data Controller is the person, company or organisation responsible for deciding the purposes for, and the way in which, any personal data is processed. These decisions cover:
All organisations keeping personal records must designate someone to be responsible for making decisions on the data records. Ignorance of this legal requirement is not an option. Where personal records are held, a Data Controller must be nominated. The Data Processor is, as the name suggests, the person who processes the data.
Under the act, the word "processing" has a wider meaning than in normal terms. It applies to obtaining, recording or storing information and the administration, alteration, recovery, accessing and disclosure of that data. It also covers erasure or destruction of personal information, whether it is stored in a manual or electronic system.
Areas of change
The act gives a number of new rights to the individual over the processing of data that brokers need to be aware of (see box).
There are some critical steps that companies need to undertake in order to comply with the regulations of the act:
New rights for the individual over the processing of data under the act
1. Right of access
Individuals can make a written request and pay a fee (maximum £10) to find out if they are included on a database, learn what information is held, why, and who can have access to the information. If a computer system is used to calculate an assessment or rating of an individual's status, such as a credit rating or limit, then the individual has the right to know how the automated decision was made.
2. Right to prevent processing likely to cause damage or distress
An individual can give written notice preventing Data Controllers from processing data that can cause substantial damage and distress. The Data Controller has 21 days to show that they have complied or give the reasons why they think the individual's request is groundless.
Examples of substantial damage or distress:
3. Right to prevent processing for direct marketing
Individuals can insist that Data Controllers do not use data for sending them advertising or direct marketing material.
4. Right in relation to automated decision-making
Using computer-held data automatically to produce in-house league tables or to assess individuals is a growing trend. Under the DPA, an individual has the right to give written notice stopping a Data Controller from making a decision using information based on criteria such as customers' payment performance, employees' timekeeping and drivers' vehicle accidents solely on scorecards or processing by other automatic methods.
5. Right to compensation
An individual who has suffered damage or distress following the wrongful use of data can claim compensation where the Data Controller is unable to prove that all reasonable care has been taken to comply with the terms of the act.
6. Correction, blocking, erasure and destruction
Individuals can obtain a court order forcing Data Controllers to correct, block, erase or destroy incorrect data or any assessment or opinion based on such inaccurate data.
7. Requests for assessment
Any person, a Data Controller as well as individuals, can ask the Data Protection Commissioner, who reports directly to Parliament, to assess whether data is being processed in compliance with the act.
Compliance with the DPA 1998 is essential if a business is to continue trading. The following step-by-step guide shows how to ensure that your brokerage meets the requirements of the act.