The Walport data sharing review has now been published, but what does this mean for marketers and what’s all this nonsense about local authorities no longer selling electoral register data? Phil Lee reports.
Who: The Information Commissioner / Dr. Mark Walport
When: 11 July 2008
Law stated as at: 28 July 2008
On 11 July 2008, the Information Commissioner and Dr. Mark Walport published their much-anticipated public and private sector data sharing review, with the final report trumpeted by the press as the beginning of the end for spam and cold-calling.
The review, which was commissioned by Gordon Brown in October 2007, called for the Information Commissioner and Dr. Walport to consider a number of issues, specifically: (i) to recommend whether changes are needed to the operation of the Data Protection Act 1998; (ii) to recommend changes to the powers and sanctions available to the Information Commissioner and the courts governing data sharing and data protection; and (iii) to provide recommendations on data-sharing policy to ensure transparency, scrutiny and accountability.
In making their recommendations, the Information Commissioner and Dr. Walport have stated their belief that five key categories of change are required, these being:
- changes to transform the culture that influences how personal information is viewed and handled;
- changes to clarify and simplify the legal framework governing data sharing;
- changes to enhance the effectiveness of the regulatory body that polices data sharing;
- changes to assist important work in the field of research and statistical analysis; and
- changes to help safeguard and protect personal information held in publicly available sources.
The final report weighs in at a (rather hefty) 70+ pages but, to save our marketinglaw readers a job, we have ploughed through the report and set out some of its key recommendations below:
Key changes to data sharing culture
With a view to enhancing data processing transparency for data subjects, the Information Commissioner and Dr. Walport recommend that all organisations (both public and private sector) should have plain English privacy policies readily accessible in all online and offline (i.e. printed) literature. This seems to extend beyond the belief of many businesses that privacy policies are "purely a website thing".
In keeping with this desire for greater transparency, the Information Commissioner and Dr. Walport also recommend that organisations compile and publish a list of third parties with whom they share personal data. The aim here is to end the common practice of many businesses simply stating in their privacy policies that they may share data subjects' personal data with "carefully selected third parties", by requiring data controllers to identify who these "carefully selected third parties" actually are.
Key changes to the legal framework
The Information Commissioner and Dr. Walport acknowledge that the Data Protection Act 1998 is "often misunderstood" and encourage a review of the Act, together with active participation by the UK government in any review of data protection legislation at a European level.
Key changes to the regulatory body
Unsurprisingly, the Information Commissioner and Dr. Walport welcome the recent penalty regime introduced by the Criminal Justice and Immigration Act 2008 for deliberate and reckless data breaches. They further recommend, to ensure that this penalty regime serves as an effective "stick" for data controllers, that the penalties the Information Commissioner can impose should be akin to the FSA regime (where maximum penalties are linked to turnover).
As a matter of good practice, they also recommend that data controllers should notify them of "significant" data breaches. Whilst they do not recommend the introduction of a mandatory requirement to notify data breaches, the Information Commissioner recommends that it be allowed to take into account any failure to notify when deciding upon appropriate enforcement penalties.
In addition, the Information Commissioner recommends that it be granted powers to gain entry to (read: raid) the premises of businesses that breach data protection laws. If granted, any such power would put the Information Commissioner on an equal footing with other (feared) regulators, such as the FSA and the Competition Commission.
Key changes to safeguarding and protecting publicly-available information
Possibly the recommendation that has received the most press attention is that the Government should ban sales of the electoral register by local authorities (other than to political parties or credit reference agencies). In the view of the Information Commissioner and Dr. Walport, allowing sale of the electoral register to organisations such as direct marketing companies sends "a particularly poor message to the public that personal information collected for something as vital as participation in the democratic process can be sold to 'anyone for any purpose'".
Marketing companies typically pay local authorities about £20 for every 1,000 local register entries sold to them, so this prohibition (if it comes into force) will not only cut off valuable information to direct marketing companies but also seriously hurt the coffers of local authorities.
Why this matters:
The Walport data sharing review makes a number of recommendations which, if they come into force, may radically transform the data protection landscape. The report highlights how, to date, many companies avoid or ignore data protection compliance simply because they perceive there to be little risk attached to data protection breaches.
However, if the Information Commissioner gets its way (i.e. the ability to impose fines by reference to an organisation's turnover, the ability to take non-notification of breaches into account when setting fines, and the ability to raid non-compliant data controllers), it will at last become a regulator with real "teeth".
In addition, if the report's recommendation that the sale of electoral register details to direct marketing companies be banned comes into force, direct marketers will find themselves cut off from a significant, and highly valuable, source of information, for instance as to "gone aways."
The further recommendations of the report – that individuals be given clearer information about how their personal data will be used and clearer rights to opt out of that use – will inevitably serve to further put the squeeze on the collection, use and disclosure of data subjects' personal data for marketing purposes.