Search site

How will the new Data Protection Act change how we contact our customers?

Find out how the new Data Protection Act will affect how we contact out customers.


As noted in Section 5, consent is not appropriate where we need to process someone's personal data in order to deliver our statutory functions. This is a major change in our approach for most areas of activity.

It should be noted that, some areas such as regulatory activity have always proceeded without consent - this should continue to be the case. However, if we are going beyond core statutory functions, it may still be appropriate to seek consent. It is important to note that the rules regarding consent are getting much stricter - consent must be freely given and informed, and it should be as easy for the customer to withdraw consent as it is to give it.

Transparency and openness - privacy statements

The current data protection rules require us to give customers certain information about who we are and what we do with their data, or at least to make this information available to them. Normally this is by means of a short privacy statement at the bottom of forms, which should ideally refer the customer to our web site where a more detailed description of this is available under the council privacy statement.

Under the new Data Protection Act, this requirement is significantly enhanced and we will need to put much more information on all our forms - paper and electronic. We will need to include details of what we process, the legal basis for doing so, how long we keep information and who we share it with, along with a contact point for any queries regarding our processing of this data (the Data Protection Officer mentioned above). All forms will be re-designed to reflect these new requirements.

Privacy by Design

This is a complex area and how we apply the new Data Protection Act is dependent upon how we collect personal data and the information that was given to the individual at that time.

It will mean that we need to introduce what is called a Privacy by Design framework to make sure that personal data held or processed in the future is secure and that we don't capture more personal data than we need to or keep it for longer than required.

What is crucial is that we are required to document all our processes concerning how we handle personal data and that these have been designed and risk assessed with the individual's privacy rights as the main consideration.