DP News: State of Play in Wilmslow…

June 30, 1999

Rosemary Jay is Legal Adviser to the Data Protection Registrar.This is the first in an occasional series of updating columns.


It has to be said that the victories of local football teams have figuredlarge in discussions in the Registrar’s office over the last few weeks anddays but some time has been spared to consider other matters…


Data Protection Act 1998


Still no date has been announced for implementation of the 1998 Act, althoughthere is limited movement in that direction as some of the secondary legislationhas reached the stage of publication. Six draft SIs were published on the HomeOffice web site at www.homeoffice.gov.ukon 10 May. These are the orders modifying the subject access rights in relationto education, social work, Crown appointments and miscellaneous cases; settingthe fees for certified copy register entries; and designating the Commissioneras the supervisory body for co-operation with other States which are parties tothe Council of Europe Convention. The ones everyone is waiting for, on sensitivedata, notification and disproportionate effort, are still gestating.


Midland Electricity Case


On 10 May the Data Protection Tribunal delivered its judgment on the casebrought by the Registrar against Midlands Electricity Plc over the use of theutility’s database. The Tribunal ruled that the use of customer data byMidlands to insert copies of its magazine ‘Homebright’ with bills sent todomestic customers was unfair because the magazine contained advertising forgoods and services not associated with the sale of electricity or relatedproducts when customers had not agreed to accept such advertising. This is thesecond case in which the Registrar has fought to establish the boundaries of theuses a privatised utility can make of its customer database. In the firstdecision, delivered last March, British Gas Trading Limited were held by theTribunal to be using customer data without consent for gas and (broadly)gas-related marketing only. The Tribunal has imposed a similar ruling in thiscase, even though the marketing complained of was relatively limited, themagazine promoted the data user itself at the same time and its circulation waslimited to customers (as the witness for Midlands wryly accepted,‘Homebright’ would never be a major title). However there was some comfortfor Midlands who were given until January 2001 by the Tribunal to bring theirprocedures into line and obtain consent from customers, on the basis that theydid not process customer data without consent other than to circulate themagazine. The Tribunal decided not to include a final wording of the order,which it remitted to the parties to agree if possible.


The Midlands ruling allows the Registrar to breath a sigh of relief that thesame rules are being applied throughout the utility sector. It leaves twooutstanding appeal hearings by utilities on similar or related pointsoutstanding, together with a number of cases where utility companies havecarried out advertising outside the current rulings, waiting for formaldetermination.


Telecomms


The Telecommunications (Data Protection and Privacy) (Direct Marketing)Regulations 1999 (SI 1999 No 3170) will probably never be a major title eitherbut are good value at »3, containing, as they do, the new rules for the use offaxes for direct marketing aimed at individuals (not without consent) the use ofautomated calling systems for direct marketing (ditto) and the use of thetelephone for direct marketing calls to consumers ( an opt-out system based onthe old telephone preference service). SI 1999 No 3170 came into effect on 1 May1998 but has a limited shelf-life. It will be repealed when the full set ofregulations implementing the Telecommunications Directive 97/66/EC is brought inbut the wording and content of the direct marketing provisions will remain thesame. No date has been set for the full set of regulations (theTelecommunications (Data Protection and Privacy) Regulations 1999 to give themtheir full title) to come into force but it is expected that it will be at thesame time as the Data Protection Act 1998 (as to which see above).


Personnel


Much publicity was generated for the Registrar in the press in May by piecesabout a proposed code of practice on personnel policies. Regrettably thepublicity was distinctly premature. The Registrar had commissioned some researchon personnel policies as preparatory work for a code but the substantive work onthe code has not yet been carried out. Even if work can be started onconsultations on the code (and, although we hope to do that, there are competingpressures) it could not be formally adopted until after the new Act is in place(as to which see above).


Freedom of Information


Finally staff at the Registrar’s office will have to begin to consider whatwill be involved in taking on responsibility for Freedom of Information. TheHome Secretary, Jack Straw, published his long awaited draft Freedom ofInformation Bill on 24 May. This will go through the new ‘pre-legislativescrutiny’ stage before going into Parliament, probably in the autumn.


The Bill provides for an Information Commissioner who will be responsible forboth Data Protection and Freedom of Information. It is proposed to appoint theRegistrar as the first Information Commissioner. The FoI responsibilities willinvolve ensuring that access is given to information when it should be. TheRegistrar has considerable experience of subject access rights which are a corecomponent of any data protection regime. Breach of the subject access rights canput data users on the fast track for enforcement. The Registrar has immediatelyflagged concern that the access rights under the two regimes should dovetailsmoothly together.