The new edition of the Information Commission’s guide to data protection law is a stiff read at 100pages, but handsomely rewards a look, and it’s free!
Topic: Data privacy
Who: Information Commission (“IC”)
When: Autumn 2001
Where: Wilmslow, Cheshire
The IC published a new edition of its “Legal Guidance”, a 100 page opus explaining the Data Protection Act 1998 (“DPA”) in practical, lay language and offering the IC’s interpretation of its practical effect. Available free on the IC website, it’s a “must read” for all businesses making any use of data about individuals (which is just about all businesses) and contains some helpful guidance for marketers. For instance, the IC has clear views on the process of “anonymising” personal data by stripping data of personal identifiers. To the extent that the process starts with the non anonymised data, it will still involve “processing” personal data, the IC says, and must therefore be done in compliance with the DPA.
Separately, the IC talks about the “consent” requirement regarding processing personal data. The IC underlines that there are alternatives to the “consent” requirement. It also expresses the view that these alternatives should be actively considered since “consent” “is not particularly easy to achieve.” For instance, as consent has to be “signified” by the data subject, data controllers cannot in the IC’s view regard mere failure to respond to a mailing as consent. A further mind-concentrating comment is that even if consent is very clearly signified, for example by explicit opt-in, it will be completely invalid if the advertising material the individual is responding to is misleading.
Still on consent, the IC blows the accepted rationale for the “opt-in” route out of the water. It opines that even if an opportunity to opt-out of use being made of data is given, failure to tick the box is unlikely to qualify as “consent” for the purposes of the DPA. It then offers hope from what may for some be an unexpected quarter. It expresses the view that legal processing may still be achieved (all other things being equal of course) by using an alternative gateway to legality in the DPA. This is the “necessary for the purposes of legitimate interests pursued by the data controller” gateway. Even more encouragingly, the Guidance goes on to say that the IC “takes a wide view” of the “legitimate interests” condition. But what exactly does "legitimate interests mean? The good news is that the legislation empowers the Secretary of State to introduce guidance by statutory instrument as to when the “legitimate interests”condition may be satisfied. The bad news is that no such instrument has yet appeared!
There are other pointers to how this gateway can be used, however, and marketinglaw’s view is that reasonable use for disclosed marketing purposes is a perfectly legitimate interest and that provided the data collected is proportionate and not excessive bearing in mind the disclosed purpose and all other requirements are complied with, this should be a viable gateway in the place of the problematic “consent” condition.
Why this matters:
There are many more nuggets in the Guidance, and we will cover these in future Updates here on marketinglaw. It has to be borne in mind of course that much of the content is only the IC’s interpretation of the law and the only binding view of the precise practical effect of the legislation is that of the Court. But for marketers anxious for clarity when facing a much misunderstood and far from simple compliance challenge, this document is a real breath of fresh air.