Data Protection: too big, too scary, too complicated?

People are not normally deliberately obstructive when it comes to data protection. But a lack of knowledge of what it’s really all about can make people wary to the point where they’d rather do nothing than do something that might breach the Data Protection Act 1998 (DPA). Over a series of blogs, I'm going to share share some helpful advice on what data protection is all about and how it relates to your organisation, from the point of view of the Information Commissioner’s Office that regulates the DPA.

It’s all about Personal Information

What kind of information does your organisation use? To be covered by the DPA, it has to be personal information that relates to a living individual (hint No. 1 – they must be alive) who can be identified from that information (hint No. 2 – it will include their mugshot), or from that information and any other information you might have (hint No. 3 – it might just be statistics but if you’ve got that and the ‘key’ to unlock them). Personal information also includes opinions and intentions, so if you record what you think of the person or what you are going to do in relation to that person, it’s covered by the DPA. As well as this description of what personal information actually means, the DPA also separates out seven specific types of personal information that need special consideration. These are information about:

1. physical or mental health
2. religious or philosophical beliefs
3. criminal (or alleged) convictions
4. ethnicity or racial origin
5. sexual life
6. political opinions
7. trades union membership

If your organisation is using information that is covered by the DPA does that mean you shouldn’t be using it? No, of course not. However, it does means that you need to use it thoughtfully and within the framework set out in the DPA.

What it’s not about

Too often we see newspaper stories that seem to defy logic, common sense or that basic gut feeling about what’s right and wrong. The following examples are actual cases reported in the press. The vet’s assistant who wouldn’t tell a chap who’s looking after his neighbour’s cat whether there were any health issues he should know about - because of data protection. Well, it doesn’t apply to cats! It doesn’t apply to your rodent, rabbit or Rottweiler. It applies to living individuals. The telephone helpline assistant who won’t speak to a mum, calling for information about how to return a faulty pair of pyjamas bought for her six-year-old son, without his permission – because of data protection. Well, a parent/guardian/carer can act on behalf of their child (12 years and over) and doesn’t need their consent to do so. Moreover, we are talking about a pair of pyjamas – not personal information! Even if it was personal information and it was an adult, anyone can act on behalf of anyone else so long as they have a mandate to do so – written, verbal or formal Power of Attorney.

not understanding what you can and cannot do with the personal information you are responsible for will have consequences

The utility company that turned off power to a pensioner couple’s home in the middle of winter because of non-payment but didn’t tell the local authority social work service – because of data protection. Here we see the direst of consequences of a lack of proper understanding of data protection because the tragedy of this case is that the couple succumbed to hypothermia and sadly died as a result. We can forget that personal information is about people and not understanding what you can and cannot do with the personal information you are responsible for will have consequences. Hopefully, it will never be as dire or as tragic but a cavalier attitude in handling personal information can cause detriment or harm to people. The DPA sets out a framework for the safe and secure use of personal information in the form of eight Data Protection Principles and in the next blog, we’ll begin to explore how these Principles will help you to understand your obligations under the DPA and show you how a good understanding of data protection can translate into good practice for your organisation. Maureen H Falconer is Regional Manager for Scotland with the Information Commissioner’s Office.