New and tougher legislation, the Data Protection Act 1998, came into force on 1 March. Those that make a living in the mortgage industry should treat the new Act with respect, for it has far greater bite than the one it has replaced.
To begin with, any organisation that holds personal data about living individuals must comply with this new, stringent regime. Compensation can be awarded against offending data holders, and those who fail to comply with the Act may be jailed.
Understandably, there is a real incentive to get compliance right, particularly as consumer knowledge and confidence are on the increase. There can no longer be excuses for not toeing the line. Three of the major changes arising from the Act are:
• It will now be an offence to possess personal data without ‘notifying’ your particulars to the Data Protection Commissioner, unless you are already registered under the old rules. For the first time, lenders and brokers will be forced to answer specific questions about their data security procedures and demonstrate that their security measures are adequate.
• The Act covers computer-held data and any other personal data held in paper or manual form in a ‘structured filing system’. It is advisable to start checking your card indexes now.
• The Act stipulates that personal data cannot be transferred outside the European Union unless it can be shown that the recipient has a regime with sufficient data protection. Think about this if you do business abroad or operate a website.
Personal data must be processed fairly and lawfully and, unless it is within certain categories, with the consent of the relevant individual. Explicit consent is required for ‘sensitive data’ (for example, concerning religion, ethnic origin and political affiliations). Data must also be relevant, adequate for the purposes disclosed, must not be kept longer than is necessary and must be accurate and up to date.
The Act includes a regime for the ‘processing’ of personal data. This covers everything from acquiring and holding data, through reviewing files, to the subsequent disposal of information. The law states that ‘appropriate’ technical measures must be taken to prevent unauthorised or unlawful processing or disclosure of, or accidental loss or damage to, personal data.
Greater powers are rightly accorded to the consumer. For instance, individuals are entitled, on payment of a fee, to see all the data held about them within 40 days of requesting it. This information must be corrected if it contains inaccuracies or has the potential to cause damage or distress. If the data is used to drive automated decision-making processes, individuals are entitled to details of this and of how it operates. This could be relevant to credit-scoring, investment management and various direct marketing tools.
Companies and organisations that use external data processors, such as payroll bureaux and bulk mailing services, must vet their data security practices and enter into written agreements requiring such processors to comply with the security requirements of the new Act. In addition, organisations must know what data is held, where it is held, and how accessible and accurate it is. There should be a Data Protection Act compliance policy in place in all organisations (including any who think they do not hold personal data), and it should be known to all staff.
Meanwhile, any data that is held must be secure. In future, direct marketers must also seek permission from the individual concerned before they can use that person’s data for commercial purposes. The best advice the mortgage industry can take is to be safe, not sorry – and act now.