Are you in breach of the Data Protection Act?

Written by David Tebbutt, MacUser 11/91 item 06 - scanned

A few years ago, I was a director of a software publishing company. One of its products was a database called Cardbox. We liked the program so much that we used it ourselves to keep track of customers, enquirers and press contacts. One day, a journalist came to see it and was treated to the standard demonstration. The journalist asked to see it running a genuine file.

The salesman thought the press file would be most appropriate under the circumstances. He searched for the visiting journalist's record, only to find the comment: 'Tebbo says this guy's a twit.'

Of course, this all happened before the Data Protection Act was introduced. Since then I have pondered the legal standing of such a database. My comment was probably slanderous and its existence in the database probably libellous.

The Data Protection Act has made many of us think more carefully about what information we store about other people and what uses it is put to. Did you know that it is illegal not to register your business contact databases with the Data Protection Registrar? If you haven't, then you can be prosecuted. The registrar's legal department told me that this could apply whether the data was held on a mainframe or one of those little handheld electronic notebooks.

Imagine that - get a free electronic notebook with your subscription to a business magazine and then, the minute you actually use it, you become a criminal. You have to register yourself as a data user unless you belong to one of a small number of exempt categories. If you only used the data for your personal, family, household or recreational affairs, you might get away with it. If you only use the information as part of your accounting procedures, you'll probably be okay. But if you use it as a basis for mailing or telephoning people, then it's likely that you should be registered. To find out, get the registrar (in Wilmslow, Cheshire) to send you Guideline 6: The Exemptions.

I have called a number of friends and colleagues and, with one exception, none has registered. The main reaction was one of incredulity. Most assumed that, providing there was nothing personal attached to the raw name, address and telephone details, they were in the clear. Apparently not. You have to register, not least so they can find you to check you aren't holding more data than you said you were. (Although it strikes me that, if you were honest enough to register, then you're unlikely to spoil things by lying on the application form.)

So, what do you get for your three-yearly registration fee of £75? Apart from avoiding prosecution, nothing. It's simply a legal requirement. If, having coughed up, you get caught using your data in an inappropriate way, you will at least be warned and given a chance to put things right, rather than being prosecuted. I should mention at this point that the Data Protection Registrar concluded 20 prosecutions in the year to May 1991. Not a huge number when you consider how many people there are with unregistered business contact databases in their portable and handheld machines.

Inappropriate use of database information includes using it for a purpose different to that for which it was registered. If you kept records for a doctor and decided to sell the database to an insurance company, you'd be for the high jump. If you stored personal opinions in a way that they might be interpreted as facts, then the person described would have a legitimate complaint. If you stored information which was superfluous to the purpose of the database, you would also be in breach of the act.

You can register up to 99 uses of the data you are collecting. This limit is imposed by the design of the registrar's computer system. And, since you're about to ask, yes, the registry is registered with itself. Individuals have the right to ask whether your database holds personal information on them and, for a fee not exceeding £10, request a printout of their record. If you don't supply a printout, or if the subject contests the accuracy of the data, then the registrar can force you to comply with the subject's demands. To give an idea of the scale of the operation, the registrar processed 2,500 complaints last year.

The registry makes regular assaults on different sections of the community. In May it flooded Cambridge with publicity and random visits to companies. Right now, it is doing the same in Stockport. It's also looking at advertisements in magazines to assess whether the advertisers are likely to be building mailing lists.

I can't say that I agree with the registrar's methods, but I think it only fair to warn you that you could be breaking the law.