The Deputy Information Commissioner, David Smith's criticism in a recent press release by the Information Commissioner's Office (ICO) on the use of the Data Protection Act (DPA) "in a way that defies common sense" was paid no regard in a recent case, where a seven year old boy was asked to come to the phone and identify himself before his mother could speak to a Marks and Spencer call centre operator.
The mother had ordered a superman suit in the name of her seven year old son, Jacob, for his birthday, and discovered that it was missing its belt. When she called Marks and Spencer's call centre to resolve the problem, she was told that Jacob had to speak to the operator himself because of 'data protection laws'.
In response to the Mother's subsequent complaint, an ICO spokesperson commented "Whilst it is right for organisations to be careful before releasing personal information ... In the circumstances it was obvious that the seven-year-old child would not have ordered the superman suit himself. Further, M&S were not being asked to release any personal information. They were simply being told that a yellow belt was missing from that order."
Press release on data protection 'duck outs'
The Superman case is an example of the 'duck out' behaviour described in the press release of 1 September 2008 by the ICO, which urges organisations not to hide behind the DPA when dealing with certain types of enquiries. While it is important for organisations to comply with the data protection principles, including keeping information secure, accurate and up to date and retaining it only as long as it is required for a specified purpose, erring too far on the side of caution can mean that organisations sometimes use the DPA as a justification not to do something.
Mr Smith advocates a common sense approach to the DPA, stating "The Data Protection Act does not impose a blanket ban on the release of personal information. What it does do is require a common sense approach. It should not be used as an excuse by those reluctant to take a balanced decision."
Data protection myths
Along with the press release, the ICO published a list of "data protection myths" which are common misapplications of the DPA.
According to the ICO it is not true that the DPA prevents parents from taking photographs in schools, as photographs taken purely for personal use are exempt. The data protection principles would only apply where "photographs are taken for official use by schools and colleges, such as identity passes, where these images are stored with personal details such as names. Where the Act does apply, it will usually be enough for the photographer to ask for permission to ensure compliance with the Act".
Another example given is that the DPA does not prevent an insurance company from sending out a claim form if it has been requested on behalf of the policy holder. The ICO list states "We would expect staff working in the insurance company to take a common sense approach."
The data protection principles are important and designed to protect an individual's personal information from misuse. However, through misunderstanding and misapplication of the DPA, organisations are often erring too far on the side of caution and using the DPA as an excuse not to release information which in any way relates to an individual. Although this is a complex area of law, the ICO's press release is helpful in terms of advocating a commonsense approach to the DPA's practical application.