The Data Protection Act
On 1 March 2000 a new piece of legislation came into force that will, eventually, affect all YHA groups. The Data Protection Act 1998 protects the personal information of individuals and sets out rules for those that gather it – including small clubs and their membership lists.
The following article is the result of an informed layman’s investigation into the area of data protection. I’m not a lawyer and not qualified – or attempting – to give proper legal advice.
Background
The first legislation designed to protect personal privacy in the face of the rapid advance of computer technology was introduced, ironically enough, in 1984. The Data Protection Act 1984 set out a series of principles and established an organisation with whom data users were required to register. This didn’t have much impact on YHA groups as
- Paper-based records weren’t covered by the act.
- “Unincorporated members clubs” were not required to register.
- Most of the act’s strictures applied only to registered data users.
The shortcomings of this act and the effects of European legislation led to the introduction of a new act in 1998. This act covers all personal information, however it is held and whoever holds it (with some exceptions). No-one storing information about individuals can afford to ignore this act and its principles.
Data Protection Principles
Individuals and organisations who retain files of personal data – such as a membership list – are required to observe the following set of principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects.
- Appropriate measures shall be taken against unauthorised processing of, accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area.
Note that, in the context of the act, simply storing information in a file or database still counts as “processing”.
How this Affects YHA Groups
The vast majority of groups will find that they already comply with the principles set out in the act, but here are some issues that might come up.
As part of the “fair and lawful processing” called for by the first principle, individuals must give their consent for information to be stored. That consent may be implicit in joining the group, but it’s worth adding a note on membership forms pointing out that the group will be storing their personal data and what it will be used for. This will also keep you on the right side of principle two.
Principle two requires that information only be used for the original reason. If a local outdoor shop wanted to mailshot your members using your list, it’d be illegal unless you’d sought permission beforehand. You’ll see a “do you (not) want junk mail” box on many commercial companies’ forms for this very reason.
Principles three and four are self-explanatory, and unlikely to bother many groups. Principle five implies that when someone leaves your group they should leave your files as well. In fact the regulations allow information to be held on “past, existing or prospective members” of a non-profit organisation, but it’s a good idea to get their permission to do so.
Principle six covers a number of rights, but the only one likely to be relevant to groups is a member’s right to see the information held on him/her. Of course they probably see all you’ve got printed on every envelope they receive from the group.
Some modest security precautions should be sufficient to comply with principle seven; the act calls for a “level of security appropriate to the harm that might result from a breach of security”. I think it unlikely that any group could break principle eight.
Organisations holding personal data are required to “notify” the Data Protection Registrar, and pay a notification fee, currently set at £35 per year. However, the regulations provide an exemption for non-profit organisations’ membership lists – so such groups will not be required to notify (or pay), though they must still comply with the eight principles.
Implementation Dates
Although the act became law on 1 March 2000, organisations have time to adapt to their new responsibilities.
Members clubs that were operating a computer-based system before 24 October 1998 will be exempt from much of the act until 23 October 2001. Anyone operating a paper-based system before this date will enjoy a more limited exemption until 2007.
Internet Links
The Data Protection Act 1984 – The full original bill.
The Data Protection Act 1998 – The full text of the new bill.
Information Commissioner’s Office – Lots of resources related to data protection.