Problems can arise, however, when organisations misunderstand their duties under the act or, in some cases, wilfully ‘hide behind’ the DP Act to excuse their actions, or justify their lack of action.
There are many examples of this in the press, some of which have gone to court. For example:
A franchise operation, where the franchisee’s contract said they had to send customer details to the franchise owner, and they said they couldn’t under the DP Act - Court of Appeal ruled this was wrong as they would have had ample time & opportunity to seek the customer’s consent to do so. Grow With Us Ltd v Green Thumb (UK) Ltd, 2006 (1)
A Panorama programme in Februrary 2011 showed the British Legion complaining that MoD were using DP Act as ‘an excuse’ to not give departing soldiers contact details to them, so they could offer them support. Surely it would be easy for them to get soldiers to sign a consent form allowing this? (2)
Some equality researchers from the Open University were given DP Act as an excuse for not sharing information about women engineers by Microsoft. The software giant claimed privacy laws prevented it from saying how many Microsoft-certified engineers were women. The OU got a note from the Information Commissioner to show the defence was nonsense - the researchers were asking for statistics, not names and addresses. (3)
Because of this uncertainty on the behalf of organisations about what the DP Act does, and doesn’t, say they can’t do, the Information Commissioner has issued various guidelines and examples to clarify the situation:
“You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.”
“The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.” (4)
Another recent example has arisen recently rather closer to home, with CILIP. A newly joined member of CILIP posted a link to her blog on Twitter.
@bumsonseats Carolin Schneider
What is a new CILIP member to do? wp.me/p1IjjA-en
In her blog post Carolin made a point about new members experiences with Branches & Groups:
“I think for a new joiner going to a branch meeting is daunting. It would be nice to have a buddy, someone to help you take those first baby steps. This could be something you can opt in once your membership pack arrives in the post. With social media it should be easy enough to coordinate, no?”
In a comment responding to this, Jo Alcock said:
“My problem (as a branch committee member) is that I don’t know who our members are or when new members join. I appreciate that there are data protection legalities but I’m sure there must be a way to opt-in so that your branch and groups know that you have joined and can contact you to see if there’s anything you’d like to know or what you would like them to do for you.”
This generated some discussion on Twitter about why CILIP might feel that it shouldn’t share members details internally to allow branch or group committee members to contact new members.
Charles Oppenheim (retired Professor at Loughborough University and now independent copyright and DP consultant) was one of those contributing to the conversation:
@CharlesOppenh Charles Oppenheim
@joeyanne @NicolaFranklin I am aware of CILIP's approach to DP. There is absolutely no reason for it. No idea what its problem is.
Charles later expanded on his Tweet by saying:
“There is an obligation under the DPA that a data controller shall ensure that all necessary technical and administrative measures are taken to ensure unauthorised disclosure, etc. does not occur. So yes indeed, [their Data Controller] would be liable if something went wrong, but the law requires them to take such steps as are necessary to ensure no problem arises. Stopping people with a bona fide need from accessing the data is a quite inappropriate response to the problem. Ensuring B & G officials are properly trained is the correct response.
Equally, the centre is obliged to keep info accurate and up to date. Again, the onus is on CILIP to put into place procedures to ensure this is the case.”
Carolin has also sent in an expanded statement explaining the service she would hope to receive, as a newly joining member of CILIP:
“I recently re-joined CILIP as an associate member. Having shared on twitter and my blog that I am once again a CILIP member I received a warm welcome from several people on twitter, which was good and showed that these individuals care about new members and how to get them involved. So whilst waiting for my membership pack to arrive in the post, I hoped that my regional branch and my chosen interest groups would get in touch to share what they do and how I can get involved.
After blogging about these expectations I was informed by a colleague on twitter that my regional CILIP branch and special interest groups would not be able to send me a welcome letter as they are not notified when a new member joins their group. She was under the impression that it was due to data protection.
From looking at my online profile I know what my entry in the CILIP Yearbook says. I am able to edit the entry, and therefore have control over the details CILIP stores in their database. This would make it possible for me to not share my home address, for example, or opt out of sharing my phone number. Every member of CILIP is listed in the CILIP Yearbook, with their name, job title and workplace. Through this entry (and with the help of the internet and other resources) it would probably be quite easy to find more details about me, e.g. the address my workplace. Any details I don't want to be shared I could delete from my profile, so why can't my details be shared with a different part of the organisation that I signed up with?
Whatever you do these days, from shopping online to signing up to a newsletter, organisations ask you to opt in or out of sharing your details. If CILIP is worried about sharing something they shouldn't: I suggest that CILIP enables their members to opt-in to sharing personal data with their regional branches/special interest groups/third parties when they first sign up. It just takes a few tick boxes on the membership application form.”
When asked to comment on this situation and CILIP’s approach to sharing member’s data, CILIP’s Head of Customer Services, Francis Muzzu, made the following statement:
“Members’ information and the database are extremely important to us, and we are committed to reviewing how we can share data more effectively with Branches and Groups.”
Perhaps including a simple tick box on the application form along the lines of ‘tick here if you agree to your contact details being shared with the branch and group(s) you have elected to join’, as Carolin suggests, would help enable this process. Also, if members data were being provided from the centre, then branches and groups would not need to collect their members’ details separately. This would make keeping the data accurate and up to date easier and more effective and reduce the risks of holding two or more separate data sets.
I understand that CILIP is planning to review its policy over sharing members details internally next year, and sincerely hope that they can adjust their policy, processes and procedures, and have the IT infrastructure, to enable them to manage member’s data more effectively in the future.
As the membership body for librarians and information managers, members and prospective members expect the organisation to embody best practice in its own information management practices. In this case, where doing so would help new members feel more welcome and possibly also attract more members to join, at a time where CILIP needs to not only reverse its declining membership numbers but also widen its membership base, demonstrating good internal information management practices should surely be a key tactic to achieving its goals.
Footnotes
(1) http://update.legal500.com/index.php?option=com_content&task=view&id=1247 viewed November 2011
(2) http://www.bbc.co.uk/news/uk-12386376 Feb 2011, viewed November 2011
(3) http://www.theregister.co.uk/2006/01/18/medical_academy_privacy_complaint/ viewed November 2011
(4) http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_1.aspx viewed November 2011
**Wednesday 30th November - Charles Oppenheim has since submitted an additional statement, outlining which data protection principles are involved and his opinion of CILIP's argument:
CILIP’s Head of Customer services had written to say that, if they distributed members’ data, they couldn’t guarantee that it would be treated confidentially. Charles’ reply to this contention is “The seventh data protection principle (schedule 1 of the data protection act 1998) requires that appropriate organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction to personal data. In other words, CILIP already has legal obligations to ensure everyone who handles personal data does so properly. This principle requires CILIP to educate and train anyone handling personal data. It is not an excuse to refuse to pass such data to people when they have a bona fide need to use it.”
CILIP’s Head of Customer services had written to say that a second consideration was that, if the Branches & Groups had member’s data they might overload them with information, which could be counterproductive. Charles’ response to this argument is “This is again a matter of education and training. CILIP should be training all who handle personal data in good information management practice, including avoiding information overload on members. This is not a good reason for refusing to pass to branches and groups information they are entitled to.”
CILIP’s Head of Customer services had written to say that, if Branches & Groups had copies of the data as well as the central office, it would be harder to ensure it was kept accurate and up to date. Charles’ reply to this is “The fourth data protection principle requires CILIP and its branches and groups to keep accurate and up to date personal information. Francis notes that some branches and groups fail to pass on revised details to cilip centrally. By definition, CILIP and the branch/group is then in breach of the fourth principle and could be sued/prosecuted as a result. What the data protection act requires is that cilip educates and trains. The act is no reason to refuse to pass information to branches and groups, and vice versa.”
Charles concluded by saying “In short, the legal obligation is on CILIP to ensure that its branches and groups both receive, and handle personal data appropriately. Branches and groups cannot function properly without master lists of members. At the moment, in my view CILIP is in breach of the DPA. Best to sort the matter out by releasing the data, and ensuring good information management practices, rather than burying its head in the sand hoping the problem will go away - because it won't!”