Search Every Day Life

Friday, 4 September 2009

The Data Protection Act 1998

FRIDAY 04 SEPTEMBER 2009 14:30

The Data Protection Act 1998 (DPA) is an important piece of legislation that ensures that any data that is collected on an individual is only used for the purpose for which it was gathered and that it is kept secure.   It is enforced by the Information Commissioner who is actively campaigning against the “surveillance society”, but also is becoming much more strict in the enforcement of the legislation. The Information Commissioner also has the power to impose fines for breaches of the Data Protection Act.
Much of what is in the legislation is largely commonsense, but it is important that anyone who undertakes casework, production of campaign literature and the processing of canvass, membership or other personal data complies with this legislation.

What the DPA covers

The key principle as to whether the Data Protection Act applies to what you are doing is whether the information you are using relates to a living individual or whether a living individual can be identified in the information.  This applies regardless of whether the information is stored electronically or on paper. Essentially, the personal information has to be organised or filed in some way, so as you can identify a record for a specific individual.

Whilst the DPA covers a huge range of different items, the main Liberal Democrat activities that are affected by the DPA are:
Data that is entered in to EARS as well as any personal information that then comes out of it
Membership lists and information contained in HandS and Membership Data Online, as well as printed membership lists.
Personal casework relating to a specific individual, especially if this is stored in a computerised database such as Casework Manager or similar.  Paper files are also covered by the DPA but only if they are filed by name and address, not if they are filed by date.
Collection of data relating to issues that individuals are interested in and campaigns, petitions and surveys that they have supported.
For all of these activities, the information must only be used for the purpose for which they were given, they must be stored securely and only relevant people should have access.  Further details on how to comply with the Act is given in the section ‘Tips to make sure that you comply with the DPA.’

Registering under the DPA

Although anyone who handles personal information of this nature is required to comply with the DPA, anyone who stores this information electronically (as opposed to just on paper) is also required to register as a “Data Controller” with the Information Commissioner.

Liberal Democrat registration

The Liberal Democrats have a national registration that also covers all local party campaigning activity, fundraising and membership.  Full details of the registration can be viewed by clicking here and searching for 'Liberal Democrats' under 'Name'.

Council registrations

All councils are registered under the DPA, but this only covers councillors for any personal information they receive as part of their work on the council, such as a member of a committee or the cabinet.  It doesn’t cover councillors for any casework they take up in their role as a ward representative.

Personal registration as a councillor

The Information Commissioner has recently written to many councillors informing them that they need to register as a Data Controller in their own right.  Although this is correct legally, we are encouraging councils to automatically register all councillors from all parties, as the data they gather is an integral part of their work as a councillor rather than because they are gathering the information for their own personal use.  We have also spoken to ministers in the Department of Communities and Local Government and discussed the issue with our counterparts in the Conservatives and Labour to encourage the removal of the requirement for councillors to register individually.
In the meantime, the law still stands that individuals who handle casework are expected to register as Data Controllers in their own right, (although any staff or volunteers who assist someone with their casework will be covered by the registration of the person they are working for).  Again, this only applies if the records are recorded electronically using something like Casework Manager or if they are filed in some way that identifies individual names rather than just an issue.

It's worth checking whether your council has automatically registered all of their councillors individually as they don't always inform councillors they have done this.  You can check whether this has been done by searching for your name in the Register of Information Controllers.

If you do need to register as a Data Controller individually, you can do this on the Information Commissioner’s Office on their website here.  Although this website gives you the option of registering online, there is a specific form for councillors which makes the process easier and so they advise you to call them instead to obtain the correct documentation.  There is an annual charge of £35 to register as a Data Controller.

Tips to make sure that you comply with the DPA

To comply with the DPA, there are a number of simple tasks that you should do.
Put a password on your copy of EARS to ensure that it cannot be accessed if someone loses the disk or a laptop with the program on.  It is also advisable to password protect any laptop that you use for party activities as well.
Ensure EARS backup files are kept securely.
Before you pass on any details of casework to a ward colleague or another member of the party, you should check that the local resident is happy with you doing this, ideally in writing.  This applies if the data is specific to a person who you identify to others, it doesn’t apply if it is just a general issue or you don’t give details of who it relates to.  For example, it's fine to say "I've had a complaint about the street light outside number 10 not working", but not that "the person at Number 10 has complained the street light isn’t working”
Ensure that any personal information you pass on to an external organisation to help with casework is only what they need to progress the case.
Include a DPA statement on all Liberal Democrat literature; see under ‘Covering the DPA on literature’ for more details.
Requests for personal information under the DPA

Under the DPA, all members of the public are legally entitled to request a copy of any personal information that is held by a Data Controller.  That personal information must then be supplied within 40 days of the request being received.  An individual, (or ‘data subject’ as they are known legally), may only request their own personal information, and not that of any other member of their household.  

You are entitled to make a nominal charge of up to £10 for supplying the information, but unless a request becomes especially time-consuming then it isn’t advised to make such a charge as it could create negative publicity and look as though you are trying to use it to raise party funds.  An example of a reply to a personal information request can be downloaded here.

If the personal information request is made to a specific councillor, local party or MP, then it is fairly straightforward to identify all of the information that you have on this individual.  However, if the request is addressed to ‘the Liberal Democrats’ then that individual’s information could be held locally, regionally and nationally, and in a variety of different databases.  If a request is of this more complex nature or if it could be politically controversial, it is best to contact the party’s Data Protection Officer on 020 7222 7999 or by asking people to write to 4 Cowley Street, London, SW1P 3NB.

Covering the DPA on your literature

The main obligation is to include the Data Protection Act statement on all literature that solicits feedback, e.g. it includes a ‘grumble sheet’, petition or survey.  This statement can be in the small print and the recommended wording (which has been agreed with the Information Commissioner) is:

If you return this [survey/petition/slip] the Liberal Democrats and their elected representatives may use the information you’ve given to contact you.  Some contacts may be automated.  You can always opt out of communications at any time by contacting us.

The benefit of this wording is that it covers you if you wish to phone or email the person concerned.  It also means that this specific information can be shared between the party and your local councillors or MP, unlike information gathered without this wording.

It is also advisable to include a DPA statement in the footer of casework letters and emails.  This then allows you to write to these same people about another issue in the same area or a related political issue at a future date.  The recommended wording is as follows:

[Cllr X] and their authorised staff and volunteers may use the information you provide to contact you about issues you may find of interest. Some of these contacts may be automated. You can opt out of some or all contacts at any time by contacting us.

What are the penalties for failing to comply with the DPA?

Anyone who is found to breach the Data Protection Act can be fined an amount of up to £5,000.  Obviously this would have a severe impact on any local party’s finances, but it would also of course lead to a lot of negative publicity for the party both locally and nationally.