SMS Marketing – A Brief Guide to the Data Protection Act 1998

The Data Protection Act 1998 (DPA) is one of those laws that seems to be referenced regularly in the news and in conversation but many people are not clear on what it actually covers. Only this week has it appeared in the headlines again with London’s Royal Free Hospital breaching it by transferring 1.6 million patient records to Google’s DeepMind subsidiary without consent.

If your business collects, stores and uses other people’s personal data for purposes such as marketing and selling, then it is likely to apply to you. Having a basic understanding of the DPA legislation and its main requirements is useful to maintain best practice in direct marketing such as SMS marketing and also helps to uphold your hard won customer trust.

Why was the Act Passed?

The Data Protection Act 1998 (DPA) was passed by Parliament to control the storage and use of personal information by government, organisations and businesses and to provide legal rights to those whose details were being stored. It is enforced by the Information Commissioner’s Office (ICO).

The DPA was created in response to the rapidly growing use of computer technology in business in the latter half of the last century and the equally growing concerns about how information that could identify individuals was being handled. As it became routine for businesses to use computers to store databases of personal details about their staff, clients and customers, there were worries about the accessibility, accuracy and transfer of such databases.

What is Personal Data?

Personal data means any data or information relating to a living individual, who could be identified from it. This includes opinions about the individual. These individuals are also called ‘data subjects’ under the DPA. It covers all personal data being held for commercial purposes. Personal data held for domestic purposes such as an address book holding your friend’s contact details is not covered.

There are additional safeguards for ‘sensitive personal data’ which is information presumed by the Act to be private in nature and potentially could be used in a discriminatory way. This includes but is not limited to; race, sexual life, religious beliefs, political beliefs, health and potential criminal proceedings involving the individual. Any business processing sensitive data needs to meet exacting conditions to do so which are laid out by the ICO.

Data Controllers & Processors

All businesses in the UK that hold or store personal data on computer or any organised paper filing system are required to register with the ICO and define whether they are data controllers or data processors. A data controller is the person and/or legal entity (for example, a limited company) who decides how and why personal data should be collected. An organisation can nominate a single person to oversee compliance with the DPA.

A data processor is a person or organisation which processes data on behalf of another. For example, a call centre business handling customer services for another company. They would need to access the contracting company’s collected data but the call centre is not responsible for deciding how and why the data is collected, that remains with the contracting company who would be the data controller in that case.

However, data processors are often still data controllers in their own right when they hold and process records for their own business ends, such as employee records. If it is unclear, the ICO will usually look at it as to who has decided the business purpose for which the data will be or has been collected.

When registering with the ICO, data controllers must give certain information in advance which includes their name and address, what data they intend to collect and store, what they propose to do with the data, whether they plan to pass the data onto third parties, whether the data will be transferred outside the EU for any reason and what measures they have in place to keep all data secure.

The Data Protection Principles

The Act sets out eight clear Data Protection Principles that must be followed. These principles rule that information must be:

• used fairly and lawfully
• used for limited and specifically stated purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is absolutely necessary
• handled according to people’s data protection rights
• kept safe and secure
• not transferred outside the European Economic Area without adequate protection

Conditions for Processing Personal Data

There are several conditions for processing, or using, personal data set out in the Act, of which data controllers must meet at least one. They are:

• That the data subject has given permission for the collection, storage and use of their data.
• The processing is necessary in relation to a contract or that the data subject has asked for something prior to entering a contract.
• Required because of a legal obligation that applies to the data controller (excluding contractual obligations).
• A need to protect the individual’s ‘vital interests’ (a life and death matter such as a hospital dealing with an emergency).
• Necessary for carrying out judicial, statutory, governmental or other public functions.
• That the processing meets the ‘legitimate interests’ condition.

The ‘legitimate interests’ condition is there to cover data controllers who have a legitimate purpose for processing the data but may not fit under the other conditions. An example would be a debt collection agency hired to recover a debt on behalf of a finance company.

The ICO is clear that meeting the conditions does not necessarily mean that the processing is being carried out fairly and/or lawfully and that data controllers should check carefully.

Exemptions

There are special circumstances where personal data is not covered under the remit of the DPA. There are full exemptions such as any data being held for a National Security reason and partial exemptions like the police or HMRC who do not have to disclose their case files to individuals. There are also exemptions from having to register for some businesses if their activity is limited but further clarification should be sought as it can be complex.

Data Subject Rights

Individuals or data subjects are given several rights under the DPA

• A right of subject access, meaning they can ask the data controller to provide a copy of the information held on them. Unless an exemption prevents release, the data controller must do this within 40 days of the request and charge no more than £10 for doing so.
• A right to prevent distress. A data subject could block the use of information if it could cause them distress.
• A right to prevent direct marketing. A data subject can reasonably request in writing that their details are not used for direct marketing.
• A right to prevent automated decisions, such as those used on loan application websites.
• A right of correction. A data subject is entitled to request that any mistakes are corrected.
• A right to compensation or damages if their personal data is compromised.

How Does it Apply to Businesses Using SMS Marketing?

In order to effectively market through SMS text messages, or indeed any other method of direct marketing, you need to maintain a database of your customer’s details. In essence, the DPA requires that if you intend to collect and store such information, you must check if you need to register with the ICO and you are responsible for making sure that this information is securely protected and used appropriately, fairly and legally. You must have consent from individuals to hold this information and you must respond promptly to any request by individuals regarding their personal data.

Every member of staff within a business that handles and controls personal data has a responsibility under the Data Protection Act 1998. All employees should be well trained to recognise their responsibility, think carefully about how they handle customer personal data and understand security procedures.

Failure to comply with the DPA can lead to enforcement action by the ICO which could range from advisory notices, undertakings and audits through to fines or even criminal prosecution.

The DPA is scheduled to be replaced in May 2018 by new EU regulations called the General Data Protection Regulations, so expect to hear and read a lot more about data protection laws in the news over the coming months. Watch out for more information from FastSMS to help explain the new changes.

At Fastsms, we offer some of the UK’s most competitively priced business bulk SMS solutions, supported by an award winning customer service team who you can trust to be at the ready 24/7. T0 learn more about just what we can offer your business, give us a call today on 0800 954 5303.

Disclaimer – This article is intended only as general information. It is not intended to be comprehensive or constitute legal advice. If you need help on a specific issue please seek advice from a qualified legal representative.

Further Information and Reading: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf