Data Protection Act

How the Data Protection Act relates to companies that control data

The Data Protection Act 1998 came into effect on 1 March 2000. The Act regulates the use of personal data.

Note:  The following information is intended as a non-exhaustive guide only and isn’t intended to constitute legal or other professional advice. You should consult your legal advisers for advice on specific issues.


What’s it all about?

Personal data is information about living, identifiable individuals irrespective of age or nationality. No matter how mundane the information, it’s covered as long as it’s in electronic form or in a physical database of some sort.  A person’s name and address in a marketing database is personal data.

The underlying logic of the Act is to prohibit the use of personal data (including for direct marketing) unless certain conditions are met.  In the realm of direct marketing the condition most commonly invoked is that the mailer has obtained the consent of the recipient.

Also, before you can process any personal data for direct marketing, or for anything else for that matter, you have to formally notify the office of the Information Commissioner (the person responsible for administering the Act). Such notification states who you are and what sort of processing you intend to do. Information about how to do this is on the Information Commissioner’s website.


What constitutes consent?

Consent really means “prior informed consent”.  Consent must be obtained for direct marketing before you start doing it (hence “prior”) and you must obtain consent in a way that makes it clear to recipients what they are consenting to (hence “informed”).

Mailers usually obtain consent using an opt-out (e.g. tick here if you don’t want to receive information) or an opt-in (e.g. tick here if you do want to receive information).  As long as they are worded properly, both can constitute informed consent.

It is important that you give recipients the opportunity to do something to indicate their consent or lack of it.  Burying a consent clause in your terms and conditions is not recommended because it probably doesn’t meet the requirement of informed consent.

Note: There are specific Regulations dealing with direct marketing by fax, telephone, email and other forms of electronic communication (principally that an opt-in is required before such marketing can commence). The ASA, DMA, Information Commissioner and others have interpreted these Regulations as putting in place special consent rules for direct marketing by these means. You can find out more information about these Regulations at the Information Commissioner’s website.


What if I buy a mailing list?

A recipient’s name and address can be bought and sold as part of a mailing list only if the recipient consented to their information being sold for direct marketing when they originally supplied it.

It’s a very good idea to get an indemnity from whoever sells you your mailing list that the recipients on it have consented to their information being sold for direct marketing. If it turns out the recipients haven’t consented, you can still be in breach of the Act even if you thought they had.


What rights do recipients have?

A recipient can require you to stop using their information for direct marketing. This is the case even if the recipient has previously consented: a recipient can change their mind whenever they want.

A recipient can require you to correct any inaccurate or out of date information about them on your database.  In fact, the fourth Data Protection Principle (see below) means that you have to take active steps to keep your database up to date even if you haven’t received a complaint.  It’s a good idea therefore to have a system in place for corrections and to tell recipients in your mailings how they can use it.

A recipient can require you to provide them with a copy of all personal data you hold about them, including their name and address as it appears on your database.  If a recipient makes such a request you have 40 days to respond.  You can charge the recipient up to £10 for your work in complying with their request. If you ever receive any such request (or suspect that it might be a request but you're not sure) you should immediately contact:

Information Rights Team
(Data Protection Act)
Royal Mail Sheffield
2nd Floor
Pond Street
Sheffield
S98 6HR
Tel: 01142 414 217


How does the Mailing Preference Service come into it?

Individuals who don’t want to receive unsolicited mail can register with the Mailing Preference Service (MPS), which operates a suppression file.

There’s no legal requirement for you to screen any of your mailing lists against the MPS.  However, codes of practice issued by both the DMA and ASA require mailers to screen against the MPS when mailing to non-customer lists (i.e. lists bought from a third party).


What are the Data Protection Principles?

The Act contains eight principles that anyone processing personal data, including for direct marketing, must comply with.  In a nutshell the principles say that personal data must be:

  • processed fairly and lawfully.  (This is where the consent requirement comes in, although the concepts of fairness and lawfulness do not stop at consent)
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject's rights
  • secure
  • not transferred to certain countries without adequate protection

What happens if I breach the Act?

The Information Commissioner has wide powers to investigate alleged breaches of the Act and to issue Enforcement Notices to prevent further breaches if the allegations are substantiated.  The adverse PR consequences of investigations and enforcement orders (both of which, to varying degrees, are made public) are serious.

If a recipient suffers damage or distress as a result of you breaching the Act they can sue you for compensation.

Some breaches of the Act are criminal offences, including not complying with an Enforcement Notice.


Where can I get more information?

