Data protection - personal information as property
No doubt you’ll be interested to know that on my way to our offices at Beechwood Business Park recently, I filled my car at Tesco’s petrol station (other supermarkets are available).
And when I paid, I dutifully presented my loyalty card.
While this tale may not yet have you on the edge of your seat, would it help if I added that, along with all other drivers at the pumps, I was filmed by Tesco’s CCTV cameras?
Perhaps not, so I’d better get to the point.
In the course of this seemingly mundane transaction, Tesco took on a significant number of duties under the Data Protection Act.
How data protection works
Although we have all heard of the Act, both the extent of its reach and the challenges it presents for all businesses are not always appreciated.
So how does data protection work?
Put broadly, the Act contains a series of rules and guides as to how businesses should process personal data: information that can be used to identify individuals.
Here, processing covers anything that may be done with the data, including how it is collected.
In practice, because I can be identified from an image and through my car registration, when Tesco filmed me on the forecourt they were processing my data.
Given my use of their loyalty card, they know where I was and the fact that I succumbed to the temptation to buy a packet of Hula-Hoops at the checkout. All this information will no doubt be added to Tesco’s Sine Mackay file.
As they now hold my personal data what can I expect of Tesco?
I could make a “subject access request” asking them to disclose all the details they hold about me. Separately Tesco should not do anything with the information that I have not agreed to, or at least anything that would come as an unwelcome surprise.
Importantly, data protection is not just an issue for supermarkets: it affects all business.
As an employment lawyer, I regularly advise on matters such as the extent an employer can check on employees’ emails; terms in employment contracts covering the handling of employees’ details; and how to deal with disgruntled employees’ subject access requests, where employers may need to detail information held identifying that employee.
Something worth bearing in mind before pressing send on that particularly candid email about a colleague.
How the act works: risks and responsibilities
Given the wide reach of the Act it makes sense to have a feel for how it works.
One way to understand data protection is to regard personal data as the individual’s property: I may allow you to use my property, but it is reasonable for me to expect that, if I ask, you will tell me what you are doing with it.
Further, I expect you to take reasonable care of it, and not give me any unwelcome surprises.
For example, it is reasonable enough for Tesco to film me just in case I drive off without paying, but they should not then sell the film to Channel 5 for inclusion in a fascinating documentary on “Britain’s Worst Drivers”.
This also highlights one of the biggest risks for business in relation to data protection.
One thing you should not do with someone’s property is lose it or give it away. Unfortunately there is an increasing number of cases where businesses have been fined for doing just that.
In the past, we have seen the likes of Marks & Spencer and Talk Talk getting into trouble for not looking after customers’ details.
And the authorities do not only target large organisations: there is an increasing tendency to take action against smaller businesses. For example a sole trader was fined £5,000 after his briefcase containing customer information was stolen, and a nursing home that failed to look after residents’ details was fined £15,000.
With this in mind, the reach, and indeed the risks and responsibilities surrounding data protection are something we should all be aware of both as individuals having our data “processed,” and in our businesses as organisations processing other people’s personal information.