Data Protection Act

Welsh Books Council

The Data Protection Act 1998 (with additions in 2001) covers the use of information about individuals held on computer or manual information systems. Users of such information (‘data controllers’) must observe eight ‘Data Protection Principles’, viz.:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) the data subject has given his/her consent to the processing of the personal data;
and
(b) in the case of sensitive personal data (e.g. in connection with information about criminal offences or political affiliations) the data subject must have given his/her explicit consent to the processing of the personal data.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Personal data shall be kept securely. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
 
Under the Data Protection Act, and the additional provisions of the Freedom of Information Act 2000, individuals have the right to receive a copy of any information held about them and be informed of the purpose for which it is to be used. They may prohibit its use in, for example, direct marketing campaigns.

The Act’s main implications for publishers are:

1. the need to obtain consent before compiling and using customer mailing lists, distributing promotional materials, etc. Consent must be fully informed, and there is an onus on the publisher to ensure that this is the case. There are numerous examples of consent request templates on the internet, including:
www.witneyandwoodstock.org.uk/NewFiles/dpa_consent.html

2. the need to protect the privacy and security of such information. It must not be shared with others without the subject’s authorisation;

3. the need to notify the Office of the Information Commissioner www.informationcommissioner.gov.uk annually about the data which is being processed. There is a fee of £35 to do so. But see exemptions, below.

Exemptions

  • The Act contains an exemption concerning the use of information for the purposes of ‘journalism, literature and art’. For this exemption to apply, it must be reasonably believed that, having regard to the public interest in freedom of expression, publication would be in the public interest, and that compliance with the Act would be incompatible with ‘the special purposes of Journalism, Literature, and Art’. As such deliberations involve a balance of contrary interests, there is no simple set of guidelines governing such cases and publishers need to exercise caution.
  • Information gathered before 1978 is generally excluded from the provisions of the Act.
  • Where the data subject has granted his/her consent, data controllers can be exempted from Principle 8 of the Act, which refers to transfer of information outside the European Economic Area and has particular implications for Web publication. The individual must be informed that, as a result of such transfer, their information will be available in countries where their rights as data subjects are not protected by law.
  • Data controllers may be exempt from the requirement to notify the Office of the Information Commissioner where data is processed solely for the purpose of advertising or marketing their own business, its activity, goods, or services, and promoting public relations in connection with these things. Use of personal data from a third party for these purposes will not lose the exemption. However, this exemption does not cover marketing for others (e.g. through leaflet exchanges).

The full text of the Data Protection Act is to be found at www.hmso.gov.uk/acts/acts1998. Advice is available at www.informationcommissioner.gov.uk, which offers specific guidelines and a checklist for small businesses. For publishers, a full consideration of the implications of the Act is given by Hugh James and Christopher Benson in Publishing Law, 2nd Edition (Routledge 2002). More detailed examinations of the Act include:

Peter Carey, Data Protection – A Practical Guide to UK and EU Law (OUP 2004)
Rosemary Jay & Angus Hamilton, Data Protection Law and Practice (Sweet and Maxwell 1999)
Richard Morgan & Ruth Boardman, Data Protection Strategy (Sweet and Maxwell 2003)
James Mullock, Piers Leigh-Pollitt, The Data Protection Act Explained (Stationery Office 2001)
Heather Rowe, Data Protection Act 1998: a Practical Guide (Tolley Publishing 1999)
Peter Carey & Eduardo Ustaran, E-privacy and Online Data Protection (Butterworths 2002)
John Wadham, Jonathan Griffiths, Bethan Rigby, Blackstone's Guide to the Freedom of Information Act 2000 (Blackstone 2001)
 
An on-line ‘Ultimate Guide’, consisting of articles from the Privacy & Data Protection Journal, is to be found at http://privacydataprotection.co.uk/guide/

Training in data protection management is provided by the Publishing Training Centre. For details of courses, go to: www.train4publishing.co.uk

Date last updated: 16 Oct 2007