Debunking six myths of the Data Protection Act

Recent security scandals have raised the profile of the Data Protection Act (DPA).

But 10 years after it was passed, many organisations still misunderstand it.

Sue Cullen of Pinsent Masons' information law team debunks some of the common myths.

Myth 1: The DPA says you can't market to people without their consent

No it doesn't. All it says is that you have to tell people when you collect their information that it will be used for marketing. But individuals can object to marketing whenever they want under a DPA right, and electronic marketing (including phone and email) normally requires consent under the Privacy and Electronic Communications Regulations.

Myth 2: You can't process my details without my consent

There is nothing in the DPA that stipulates that consent must be obtained for any specific processing operation. The Act offers six ways in which you can comply, you only need one, and only one of them is consent of the individual.

Some people think that they can dictate to banks and other organisations as to how their information is used, but although there are limited rights to object to certain processing which causes distress, if processing is necessary for a contract, for example, then no consent is needed.

Myth 3: We will never share your details with anyone else

Not exactly true. Someone making this promise might not give customer data to a spammer but they may be forced to give it to the police. Alternatively, the company might be bought, in which case the customer data may pass to a new owner.

Myth 4: We can't investigate the theft/loss/fraud because of the DPA

The DPA allows organisations to disclose information to the police and other law enforcement agencies if they believe that not to do so would be prejudicial to the prevention and detection of crime.

It also allows disclosure where the organisation has a court order or is exercising a statutory power to require disclosure.

The corollary is that disclosure can be refused if the requesting party has no court order or other authority.

The provisions in the DPA that allow you to do this accord with human rights legislation and strike a balance between the interests of a crime-free society and the individual's right to privacy.

Myth 5: We're not allowed to tell you what went wrong because of the DPA

You shouldn't be hiding behind the Act if you have made a mistake. People exercising subject access rights will generally have the right to be told what went wrong. T

here are other provisions that allow disclosures where they are in the public interest.

Myth 6: We can't talk to you about your grandmother's electricity bill

Wrong. If Gran authorises you by phone or letter to discuss her bill and the company accepts that, there is no problem.