With data scams still in the news, Phil Mellows asks what the law really means.
Nobody is quite sure how many licensees have been caught out by Data Protection Act (DPA) scams that are sweeping the country, but the £95 they have typically been persuaded to cough up must have added up to a thick lining for the pockets of many a racketeer.
The money's gone now, of course. But a serious question remains. What is really required of licensees under the 1998 Data Protection Act?
The answer is not as straightforward as it might be. Like all laws the DPA, which came into force almost four years ago, is open to a degree of interpretation - most evident in the recent furore following the Soham murder trial. And an extra level of confusion has been created by the need for some businesses - but not all - to register with the body set up to enforce the law, the Information Commissioner's Office (ICO).
The ICO's website (www.informationcommissioner.gov.uk) includes a handy form to help you check whether you need to register. But even if you don't have to register, it doesn't mean you don't have to comply with the DPA.
The DPA is designed to protect individuals against organisations abusing the information kept on them. The phenomenal growth of IT, computers and other technologies, which have made it much easier for this data to be recorded, organised and disseminated, is the main factor that prompted the act.
Generally speaking, the act makes it illegal for data recorded for one purpose to be used for another. For instance, if you give your contact details to a company you have bought products or services from, it isn't allowed to pass that information on - unless you've ticked a box giving authorisation.
Perhaps more seriously, if you're caught by one of the thousands of security cameras that have sprouted in towns and cities around Britain, there are very strict rules about how that image is recorded and used.
As well as being protected by the DPA, however, it is likely that, as a publican, you have obligations under the act.
If you record personal data on employees, customers or suppliers - and this certainly includes CCTV images - you are a "data controller" and must conform to the principles of the act by ensuring that the information is accurate, is only used for the purposes intended and is not kept for an unnecessary length of time.
Also, people you have data on have the right, under the Freedom of Information Act, to see what you've got on them.
You may not have to register with the ICO if:
- your records are manual and kept only on paper
- they are only used for staff administration, such as the payroll
- they are only used for marketing the business, for instance direct mailing customers with news of promotions.
But it still means you are subject to the act and it might well be a good idea to register voluntarily anyway. After all, it only costs £35.
The dodgy outfits that have been mailing pubs and other small businesses demanding £95 to register them, even if they do what they say they will do, are making a clear £60 for the price of a couple of stamps.
To complicate matters further, there are some reputable firms, such as Insight Data Protection, which offer a full service to larger organisations and can save companies money thanks to their in-depth knowledge of what even the ICO admitted last week is "a cumbersome and inelegant piece of legislation".
CCTV and the law
Increasing numbers of pubs are installing CCTV equipment for security purposes in and around the premises. In some cases it is a requirement of the local authority and the police.
It you have CCTV you must register with the ICO and since October 2001 the DPA has introduced a number of conditions, covering warning signs, tape recording and video editing procedures, documented system policies, system maintenance agreements, tape erasure and data destruction.
"It can be somewhat expensive to comply in this area," said data protection expert Owen Sayers. "A one-off cost of up to £750, with £250 to £350 per annum thereafter is about the average. In an analogue system you need to change the tapes every year - and they should be erased between each recording. Each recorder will require a log-book system to record tape use.
"Digital systems require a special log book and, wherever possible, should be backed up like a business PC. All CCTV systems need signs that identify who is recording, their contact details and must state why the CCTV is operated."
A full code of practice for CCTV is available from the ICO.
Q&As
Security adviser Owen Sayers answers some common questions on data protection
- I have received an official-looking "final demand" notice to register for the DPA - what's that for?
- These letters have been doing the rounds for the past 18 months or so and are not in any way official. The ICO does not send out these notices. Many people who have made a £95 payment have subsequently found that they have not been registered at all, or have been registered incorrectly.
Surely charging £95 is illegal?
There have been cases where the ICO has taken action against those who are passing themselves off as official enforcement agencies. However, it is not illegal to charge a fee to make a notification on your behalf and because the notification process can be complicated there are some companies which are performing this service quite legitimately and ethically. If in doubt, though, steer clear of this type of service.
But am I affected by the law?
The act relates to personal data - effectively anything to do with any living individual which can be used to identify them. This can include employee information, bank details, credit card details, telephone numbers, photographs and video images. If you have employees, club members, suppliers or customers you almost certainly need to comply with the act.
Is there anything else I need to be aware of?
Firstly, any person on whom you hold data has a legal right to obtain a copy from you on request. The person making the request has to tell you what they are looking for and you may charge them up to £10 for supplying the data. You can refuse the request under certain circumstances, as when legal action may be involved, but you should seek professional guidance before refusing a request.
What happens if I don't comply with the DPA?
Because the ICO is understaffed, in the short term you are not likely to run into any official problems. However, if it receives a complaint from someone who feels you have broken the act it can and does take action and you could be fined up to £5,000 in the magistrates court.
If your CCTV system does not comply it is possible that individuals who suffer damage from your non-compliance have a statutory right to compensation. Insurers have also started to look at this area, and you may experience some difficulties if they decide you have not met all your obligations.
So what do I need to do?
The ICO will be happy to advise you - it would rather help businesses to comply than prosecute them. There are also compliance specialists throughout the country - but it is important that you deal with a bona-fide adviser who understands your industry and your particular requirements. It is always a good idea to check with your trade association or to ask for references - good advisers will not have a problem with this.
Contact
If you are in doubt about your responsibilities under the Data Protection Act phone the Information Commissioner's Office helpline on 01625 545400 or go to www.informationcommissioner.gov.uk.
If you need professional help wi