Data protection overview

The Data Protection Act 1998 is the UK's main data protection legislation. *The Channel Islands have their own version of the Act.

Learn more about the Data Protection Act 1998.

Every UK* organisation that processes personal data must comply with the Data Protection Act and with the eight data principles that govern how personal data should be processed. For example, an organisation must ensure that it processes your personal data fairly.

Learn more about the eight data principles.

The Information Commissioner's Office (ICO) provides guidance on and is responsible for enforcing the Data Protection Act 1998.

Learn more about the Information Commissioner's Office.

Every organisation that processes personal data in the UK must notify the ICO - unless they are exempt. Notification is the process by which a data controller gives the ICO details about their processing of personal information. Unless the organisation is exempt, failure to notify is a criminal offence.

Learn more about notification.

Direct marketing is marketing that is targeted at an individual. However, marketing does not necessarily have to be targeted at a named individual to be deemed direct marketing.

Learn more about direct marketing.

The Privacy and Electronic Communications Regulations 2003 are regulations based on an EC Directive. Any organisation in the UK that wishes to process personal data to send an individual direct marketing by electronic means (e-mail, phone, SMS, fax, online) must comply with the Privacy and Electronic Communications Regulations 2003 as well as the Data Protection Act 1998. The ICO provides guidance on and is responsible for enforcing the Privacy and Electronic Communications Regulations 2003.

Learn more about the Privacy and Electronic Communications Regulations 2003.

The Privacy and Electronic Communications Regulations 2003 require organisations to obtain consent from an individual before sending them electronic marketing. The Data Protection Act 1998 places a legal obligation on data controllers to process personal data fairly. As such, any organisation wishing to send electronic marketing to registered users should make them fully aware of this fact at the point of registration. The best way to do this is to put either a consent statement(s) or opt-out(s) on the form itself so that it is virtually impossible to submit the form without seeing the consent statement(s)/opt-out(s). By hiding the consent statement(s) or opt-out(s) away on another page, the organisation cannot guarantee that the individual was made "fully aware", because it cannot guarantee that they ever visited that page, let alone read it.

Learn more about consent.

Section 11 of the Data Protection Act 1998 entitles an individual to contact an organisation (e-mail is acceptable) to ask them to cease processing their personal data for direct marketing purposes. The organisation has a legal obligation to comply with such a request. A Section 11 notice will put a stop to all direct marketing (including electronic marketing) from that organisation. If the company fails to comply then you can report them to the ICO or seek a court order forcing them to comply.

Learn more about Section 11.