One of us must know something (Sooner or Later)
A large brown envelope. It arrived during the summer and had something from the Arts Council of Great Britain about data protection inside. If you or your organisation holds any information on computer about any individual and have not had time to peruse its contents, read on. If you hold information on computer about individuals and have not yet received one – get one. Get one if you are a gallery, a workshop or simply an artist who keeps the names and addresses of clients on a home computer. Its advice may not only help to make your management of computerised information more efficient; it might prevent you from breaking the law.
The envelope contained a very readable guide: The arts and the data protection act by Paul Williams, which can be obtained on request from the Arts Council. A Data Protection Act 1984 Registration Pack should also be acquired from the Data Protection Registrar; it contains two pamphlets, one covering exemptions from the Act, the other explaining how to fill in the registration forms contained in the pack.
The Data Protection Act 1984 requires that almost any organisation or individual using a computer to hold and process data about identifiable living individuals register as a data user with the Data Protection Registrar. It may be tempting to think – with an Act dated 1984 and still no police knocking at your door – that this can be left undone. However, data protection legislation was introduced to define the rights of individuals over personal information kept on computer. The Data Registrar has been given significant powers to protect against abuse of those rights. If you do not register or fail to register properly, the Registrar has the power to prosecute and will normally do so. Breaches of the registration requirements can be punished by unlimited fines plus costs. In the case of criminal offences, the Registrar can obtain a warrant to enter and search any premises if it is suspected that evidence of such an offence can be found.
The first step is to decide not only who will collect the relevant information, fill in the registration form and send it off, but who will be responsible from now on for the information on computer. The data protection officer is born. If you are an individual you are your own data protection officer. Data protection officers in any size of arts organisation need support from the rest of the organisation. They will need to conduct a data audit to get together all the necessary information. Everyone who could be affected should be told who is conducting the audit and why. The audit is not just a matter of finding the information to fill in the registration form; it is about informing everyone who handles data what their responsibilities are towards personal data held on computer.
To register, data protection officers need to know who is holding the information. This means they will need to know the organisation’s legal structure, the various divisions and individuals within it who hold information on computer, and the kinds of information the organisation keeps on computer: payroll, invoicing, mailing lists, subscriptions and so on. They will need to say what is done with that information: are mailing lists exchanged with other organisations, or is information which is kept for one purpose used for another – for example, analysing subscriptions information for patterns to assist long-term planning. They will also need to know to whom the information might be disclosed.
Data protection officers should become specialists. They should be in charge of, or consulted on, any changes in the use the organisation makes of its computerised information. One danger that must be avoided is that they will become the people unto whom is given the large unfriendly parcel which is the Data Protection Pack and told to get on with it. With the data protection officer in place, the organisation or individual should be ready to assess the changes in practice necessary to comply with the data protection principles laid down by the Act. Firstly, all data must be obtained and processed fairly and lawfully. This means that customers or clients should be informed, by the organisation holding the data, why and to whom it may be disclosed. The customer or client should be given the opportunity to decline receiving any further marketing material via an opt-out clause. The Institute of Practitioners in Advertising suggests the following wording as a guide: ‘We will not make your name and address generally available to commercial organisations. However we will allow carefully screened companies who are in sympathy with our objectives to contact you, with your permission. We may from time to time allow other non-profit organisations to contact you. If you would prefer not to hear from such organisations please tick the box below.’
Make the notification clear and not simply part of the small print: not only will this addition comply with the Act, but it will provide a service to customers and clients. Remember, you must then be able to comply with the policy you have laid down in the notification. The information held must be only for the lawful purposes specified in the data user’s register entry. Complying with these principles depends on an effective data audit, and the data protection officer being consulted on any changes which might occur in the future.
Three other principles guard against sloppy practice: information held on an individual should be adequate and relevant; it should be accurate and kept up to date; and it should be kept no longer than necessary for the purposes specified. These principles have always been the basis of good practice, but they are now underpinned by the power of the Data Registrar.
A registered organisation or individual must have a system to make available information held to the individuals concerned on request. A £10 fee can be charged for such a request to cover costs. Finally, the information must be protected against loss or unauthorised access, alteration or disclosure. This principle is again dependent on an efficient data audit. Include data protection in the training of staff working with computerised information on individuals, and post a notice of the data protection principles beside the terminals.
Data protection legislation does not require that all organisations or individuals holding computerised information on individuals should register. There are a few exemptions. But it would be better for all organisations and individuals holding such information to carry out a data audit before deciding that they are exempt. Registration costs £75 for three years. The legislation is not onerous; most of it is common sense and depends on good practice. Ignore it at your peril – for at least three reasons. First, it is the law and the Data Protection Registrar has powers to enforce it. Second, it is a matter of individuals’ rights over personal information kept about them on computer; more, that individual could be you. Finally, it is an issue on which there is likely to be legislation on a European level. Some of the proposals being considered by the EC would be very restrictive and seriously affect arts organisations’ ability to use computerised information; it is therefore important that the Data Protection Act is both effective in defending individuals’ rights and that it is seen to be effective.
The arts and the data protection act by Paul Williams, available from the Arts Council of Great Britain, 14 Great Peter Street, London SW1P 3NQ.
The Data Protection Act 1984 Registration Pack, available from Information Services, The Data Protection Registrar, Springfield House, Water Lane, Wilmslow, Cheshire SK9 5AX. Tel: 0625 535777, fax: 0625 524510.
© Henry Lydiate & James Odling-Smee 1991