PL&B UK E-news, Issue 87

1. Data sharing provision for private sector may be dropped

Clause 152 in the Coroners and Justice Bill, which gives ministers the power to launch data sharing activities between the private and public sectors, could be dropped as a result of a public outcry and parliamentary criticism. Justice Secretary, Jack Straw, has asked cabinet colleagues to withdraw the clause from the bill. However, there is to be further consultation and it is not certain whether the Cabinet will agree with Mr Straw’s recommendation.

The Bill was debated in Parliament at Second Reading on 26 January 2009, and a Public Bill Committee finished scrutinising it clause by clause on 10 March.

Read more about the Bill’s data protection provisions and its progress in the April issue of PL&B UK.

2. ICO stops the selling of employees’ confidential data

The Information Commissioner’s Office (ICO) has put a stop to Consulting Association collecting sensitive personal information without consent, and selling it on. Employee details included employment history, personal relationships and trade union activity. Companies that bought the data for an annual fee of £3,000 include Balfour Beatty, Skanska and Taylor Woodrow. Individual records from the database, consisting of 3,213 construction workers, were charged £2.20 per record.

The ICO discovered the database during a raid and has now stopped the company operating. The database was used by 40 construction companies for employment vetting purposes. This is the first case where the ICO has issued an Enforcement Notice with a seven day compliance condition. Consulting Association, which appears to have run the database for over fifteen years, now faces prosecution by the ICO. The Economic League ran a similar service until its services were made illegal by the Data Protection Act 1998.

The ICO raided the company on 23 February and announced the outcome on 6 March.

3. DMA launches new data security standard

The Direct Marketing Association has launched a data security standard to help its supplier and client members improve information security when handling consumer data.
The ‘DataSeal’ security standard has been developed in conjunction with the BSI Management System. Where applicable, DMA members are encouraged to become certified to the ISO: 27001 standard (International Standard for an Information Security Management System).

Read more about DataSeal and the Information Commissioner’s current views on direct marketing and data protection in the April issue of PL&B UK.

4. ASA ruling on explicit consent

A recent ASA case that has DP implications involved an advertisement in the national press by Direct Home Shopping Brands Ltd t/a Kaleidoscope Ltd By for a mail-order ‘marquise ring’. The data protection notice that was challenged by a reader said: “By ordering from us, you are consenting to us sharing your information with other organisations and to us or them contacting you for marketing purposes by mail, telephone, email or otherwise. If you do not wish to be contacted by us by telephone for marketing purposes please tick this box. If you do not wish to be contacted by other organisations for marketing purposes, please tick this box".

The data protection information appeared in small print at the end of the advert. Kaleidoscope said their data protection statement was drafted by solicitors and they believed it complied with the Data Protection Act 1998.

The ASA looked at whether the notice complied with the CAP Code. The ASA reminded Kaleidoscope that the explicit consent of consumers was required before disclosing their personal details to third parties for direct marketing purposes. Because the small print stated that, by responding to the ring promotion, consumers were consenting to Kaleidoscope sharing their information with other organisations who might contact them for direct marketing purposes, ASA concluded that the ad breached the Code.

It looks like Kaleidoscope was trying to rely on customer ‘soft opt- in, where organisation acquires personal data during negotiations for a sale. However, Kaleidoscope failed to provide individuals with the option to opt-out in the future from receiving email marketing. This aspect is not included in the ASA ruling.

ASA ruled that the ad must not appear again in its current form. Kaleidoscope needs to contact the CAP Copy Advice team before running future, similar promotions.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2009