Debunking six myths of the Data Protection Act
There are probably two stock phrases guaranteed to make me see red: one is Health & Safety, the other Data Protection Act.
As I’ve noted previously (with Health & Safety) the problem is not with either of these subjects themselves, but with those incompetent Jobsworths who are actually useless at their own jobs, and use these expressions to either force those who are less well informed to do something they would otherwise not do (claiming the reason to be due to, or because of, Health & Safety requirements), or to get out of doing something they have been asked to, in which case they will claim they cannot comply because of the Data Protection Act.
They rely on misinformation, and on the fear of those they abuse with these excuses, implying that some dire legal consequence will arise if their greater wisdom is ignored or challenged.
I thoroughly enjoy challenging and ignoring these little people and their inflated view of the power they think they have, especially if the confrontation leads to an even bigger confrontation with their superiors, who will also be taken down a peg if the challenge proves successful.
The following article is a little gem that should be memorised if you are amongst those who find their reasonable requests blocked by some little snot who uses the DPA as a means of avoiding compliance with such requests, and getting themselves time for an extra teabreak…
Myth 1: The DPA says you can’t market to people without their consent
No it doesn’t. All it says is that you have to tell people when you collect their information that it will be used for marketing. But individuals can object to marketing whenever they want under a DPA right, and electronic marketing (including phone and email) normally requires consent under the Privacy and Electronic Communications Regulations.
Myth 2: You can’t process my details without my consent
There is nothing in the DPA that stipulates that consent must be obtained for any specific processing operation. The Act offers six ways in which you can comply; you only need one, and only one of them is consent of the individual. Some people think that they can dictate to banks and other organisations as to how their information is used, but although there are limited rights to object to certain processing which causes distress, if processing is necessary for a contract, for example, then no consent is needed.
Myth 3: We will never share your details with anyone else
Not exactly true. Someone making this promise might not give customer data to a spammer but they may be forced to give it to the police. Alternatively, the company might be bought, in which case the customer data may pass to a new owner.
Myth 4: We can’t investigate the theft/loss/fraud because of the DPA
The DPA allows organisations to disclose information to the police and other law enforcement agencies if they believe that not to do so would be prejudicial to the prevention and detection of crime. It also allows disclosure where the organisation has a court order or is exercising a statutory power to require disclosure. The corollary is that disclosure can be refused if the requesting party has no court order or other authority.
The provisions in the DPA that allow you to do this accord with human rights legislation and strike a balance between the interests of a crime-free society and the individual’s right to privacy.
Myth 5: We’re not allowed to tell you what went wrong because of the DPA
You shouldn’t be hiding behind the Act if you have made a mistake. People exercising subject access rights will generally have the right to be told what went wrong. There are other provisions that allow disclosures where they are in the public interest.
Myth 6: We can’t talk to you about your grandmother’s electricity bill
Wrong. If Gran authorises you by phone or letter to discuss her bill and the company accepts that, there is no problem.