ICO clampdown on freelance journalists processing personal data throws the spotlight on freelancers in the marketing industry. Surely they don’t need to be “notified” with the ICO or contracted as “data processors”? Lloyd Davey lights the fuse.
Topic: Data protection
Who: Marketing agencies and freelancers
When: Ongoing
Where: United Kingdom
Law stated as at: 24 September 2008
What happened:
The Information Commissioner's Office ("ICO") is reportedly targeting freelance journalists who process personal data but have not registered with the Information Commissioner's Office as data controllers.
At least one freelance photographer has been fined £1,000 after failing to reply to two letters from ICO calling on him to register. The ICO has stated that a freelance journalist would be required to register under the Data Protection Act ("DPA") where they hold, electronically, personal information about other people, such as contact details, names and photographic images.
Relevance to the marketing services industry?
Another industry that makes heavy use of freelancers is marketing services. If, for example, agencies use freelancers who are accessing and manipulating clients' customers' personal data, then both agency and freelancer would do well to stop and think about compliance with the DPA.
For example, if a freelancer is acting 100% on behalf of an email service provider when arranging to send an email marketing campaign to a list of email addresses supplied by the agency's client, then the freelancer will be processing data on behalf of the agency.
This means that the freelancer will be a mere "data processor" (as opposed to a "data controller") and as such will not be obliged to register with ICO. However, this is not necessarily the end of the story.
The agency, assuming that it will also be a data processor, will need to consider taking steps to ensure that the use of a freelancer will not put its client in danger of breaching its obligations under the DPA. Also, depending on the terms of the agency/client contract, the agency may also be in breach of contract.
For instance, just as the DPA requires that a written contract is in place between the client and the agency (as respectively "data controller" and "data processor") covering prescribed aspects such as data security, the client will also be in breach of its DPA obligations if there is no written contract in place between the agency as data processor and the freelance as "sub processor" which covers the prescribe areas.
Marketing services freelancer might be a "data controller"
Alternatively the freelancer may be contracted by the agency to take his own decisions as a particular specialist about the manner in which data relating to clients' customers is processed. For instance the freelancer might be deciding unilaterally to profile the customers in a particular way and making targeting decisions off the back of this which are passed back to the agency. In this scenario it is possible that the freelancer is a "data controller" ("a person who either alone or jointly with others determines the purposes for which and the manner in which personal data are, or are to be, processed") and, if so, he or she will need to register with the ICO. Proper regard will also need to be had to including suitable data protection terms in the contract between the agency and the freelancer.
Why this matters:
The fine for failing to register as a data controller with ICO can be as high as £5,000. Given that the fee for registration is only £35 per year and the registration process can be completed easily online, freelancers working with personal data in the marketing industry might be well advised to minimise risks in this area and get themselves registered without delay.
Also, agencies who use freelancers might want to check whether the individuals are involved in any way with accessing or manipulating personal data in their day to day work. If they are, then depending on exactly what they are doing with this data, there may be implications, both from the point of view of the contractual arrangements between agency and client and agency and freelancer and from the point of view of the freelancer's potential personal obligations to register under the DPA.