Checklist: Privacy Policies and Data Protection Online
It’s happened to all of us at some point: we buy something online or sign up for more information from a company or organisation and end up getting bombarded with offers, advertisements and spam. So how do companies get away with doing this? It’s usually because you haven’t ticked a box somewhere on the page which prevents this from happening, or you’ve entered a competition and the organizers then sell on their lists of leads to third parties.
The Law
By law, companies and organisations are required to comply with the Data Protection Act 1998. This piece of legislation provides ways in which personal data can be stored, processed and used by organisations and sets out ways in which data should not be used. Failure to comply with the Act can have serious consequences for those in breach, and there can be very hefty fines for the most serious offenders.
What the Law Means
There are several key principles for the way in which personal data must be used by data processors. They include:
- only using the data for the specific purposes for which it was collected
- not disclosing data to third parties without first obtaining the consent of the person the data is about, unless there is a legitimate reason to do so, for example in the prevention of crime
- allowing people to know details of the information that is stored about them
- ensuring that the data is only kept for as long as necessary and that it is kept up to date
- ensuring that data is not sent outside the European Economic Area without consent of the individual or without there being adequate protection in place for the transmission of the data
- registration of data processors with the Information Commissioner’s Office
- keeping proper security measures in place to make sure that the data cannot fall into the wrong hands, including computer security and staff training
- allowing people to have their data corrected if appropriate.
How to Find Out What Information is Being Held About You
If you do know who is holding your data, you can make a ‘subject access request’ in writing under the Data Protection Act for a fee of £10. The organisation must respond to you within 40 days. If the organisation doesn’t respond, you may be able to get incorrect information destroyed or corrected by court order. In some circumstances people have been awarded compensation. This process will allow you to correct anything that is wrong, ensure that your data is not used in a way that causes you ‘damage or distress’, and you can also require that your data is not used for direct marketing purposes.
Beware Competitions
Although some ‘free’ competitions are just that, very often the competition organizers will sell on the details of the entrants and you will be bombarded with sales calls and emails afterwards. Online surveys, with a chance to win in a prize draw, often produce the same effect and once you’ve filled out a few of these it can be difficult to track down and prevent whichever organisation is using your data in this way. If there is an ability to ‘opt out’ of communications from others, whether third parties or ‘partner organisations’, make sure you tick the box!
We strongly suggest that if you want to avoid receiving spam emails, getting telephone calls telling you that you’ve won a prize, asking you to switch mobile phone providers, buy mobile phone insurance, or to have your credit card debts ‘wiped off’, you should avoid entering competitions online. If you do, take a note of the organiser’s contact details to ensure that you can make an approach to them later on if it transpires that your information is being used in a way otherwise than in accordance with your wishes.