Ever called up a call centre and been told “can’t give you that information, the Data Protection Act won’t let me”?
Organisations do have a tendency to hide behind the Data Protection Act, which leads to the perception that the act is a bad thing: that it stops people from doing what they want to do, when they want to do it. In my time with the Police, I would often find out that Police officers would have gotten information in um… how shall we say… interesting ways. I would ask “Why didn’t you come and talk to us about proper disclosure?”, and they would respond “I thought you would say no”…
And there is the problem. The DPA is often seen as something that gets in the way, that stops data from flowing. Nothing could be further from the truth. The act was created in the UK in response to a European directive intended to establish common data rules across the EU, so that wherever you are in the EU your data is treated equally and is ENABLED to flow across borders. The DPA doesn’t really say “no”. What it says is “yes, as long as you have given some thought to doing it safely”. The problem is that organisations see these safeguards as barriers, rather than as ways to take products and services to market in a confident and ethical way. I have always viewed the act as a business enabler.
Let’s take a look at some of the principles, for example:
Principle 2 – this requires you to specify to the data subject the purposes for which you process their personal data. And why not? It is a great chance to demonstrate your ethical conduct: to inform your customers about what you do and how you do it, and to ensure that there are no catches or surprises for them – thus engendering customer trust.
Principle 3 – personal data shall be adequate, relevant and not excessive. And why should it be anything else? Collect enough to make accurate decisions weighing up all the facts, but not too much. Irrelevant and excessive data will “clog up” your business processes, cost money to store and create an overhead.
Principle 4 – accurate and up to date. Do you really want to hold out-of-date and inaccurate information? Make the wrong decisions? Send things to the wrong place? Charge the wrong amounts?
Principle 5 – retain for no longer than necessary. Not exactly rocket science either. Keep things for as long as you need them, then get rid of them. Data storage costs and good housekeeping will ensure a lower cost base in terms of storage space and data management.
Principle 7 – appropriate technical and organisational security. Note the word appropriate. The Data Protection Act does not mandate a security level – it just asks that you implement what you feel is appropriate to your risks and apply it consistently. No restrictions here, no “DPA says no”. It is the organisation that decides on the response and applies its own policy on what is “appropriate”. You should remind the call centre operative above, who tells you the DPA is preventing you from accessing your record, that it is their company policy – their response to the DPA rather than the act itself – that is actually the issue.
I could go through each and every principle, but it seems to me that the Data Protection Act is a force for business enablement. It focuses on good practice in information management, creates data flows that focus on good customer service, and demands a level of complexity commensurate only with the size and nature of the organisation. That enables organisations to go to market with confidence, backed by good data management, customer trust and cost-effective approaches to good information governance.
So don’t shun the DPA as an overhead. Embrace it as a force to take your products and services to market in a safe, secure, ethical and cost-effective manner. Why would you want to do anything else?