Friday, May 18, 2007

Private use of public information - using public records for marketing

Suppose you are a direct marketer. You learn that all sorts of interesting and lucrative personal data must be made public by State bodies. (For example, the Companies Registration Office must provide details of company directors.) Can you use that information for marketing purposes? Can you package and resell that information to others?

The 2006 Annual Report of the Data Protection Commissioner includes a guidance note which goes into this in detail. The crucial point is that although the Data Protection Acts don't apply to disclosure by state bodies of information which must be made available to the public, they do apply once that information passes into the hands of a third party (such as a marketer). Consequently, if you wish to reuse that information, you must notify the individuals concerned in advance and you must give them a cost free opportunity to opt-out from having that information used for direct marketing.

Full guidance note:

Guidance Note on the Use of Publicly Available Data for Direct Marketing

Last year my Office was contacted by a number of people who had received direct marketing material by post as a result of the publication of their names and addresses on various lists and registers. The authors of these lists and registers were obliged to make them available to the public under law. For example, the Companies Registration Office must make its Register publicly available. Similarly, planning authorities must publish a weekly list of planning applications and planning decisions. All of these documents contain personal data. Section 1(4)(b) of the Data Protection Acts provides that the Acts do not apply to personal data consisting of information that the person keeping the data is required by law to make available to the public. A key point here is that the exemption from data protection requirements only relates to the information in the hands of those public bodies that are obliged to make it available. Any other entity seeking to use such information once in the public domain must comply with the standard requirements of data protection.This is a point that my Office needed to highlight on a number of occasions and I am glad to say it was readily accepted in all instances by those entities in receipt of the advice.

As a result of the level of complaints made to my Office on this issue, I was asked to provide guidance on the re-use of personal data contained in publicly available documents. Set out below, as an example, is the text of an information note which I provided as guidance to the Companies Registration Office:

This information note sets out the position of the Office of the Data Protection Commissioner on the re-use of personal data contained in information in the CRO Register which the CRO is obliged by law to make available to the public. The published information contains "personal data" and each living individual is a "data subject" within the meaning of the Data Protection Acts, 1988 & 2003. Accordingly, the recipients of this information are "data controllers" within the meaning of those Acts. If those data controllers intend to use or further process this personal data in any way, they should be aware of the following Data Protection requirements:

Personal data must be processed fairly. Section 2D (1) (b) of the Data Protection Acts obliges a data controller to ensure, as far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the following information not later than the time when the data controller first processes the data or, if disclosure of the data to a third party is envisaged, no later than the time of such disclosure:

● the identity of the data controller
● if he/she has nominated a representative for the purposes of the Act, the identity of the representative
● the purpose(s) for which the data are intended to be processed
● any other information which is necessary to enable processing in respect of the data to be fair to the data subject
● the categories of data concerned
● the name of the original data controller.

The Office of the Data Protection Commissioner considers that it would be reasonable for data controllers to meet these requirements as the information in their possession contains the contact addresses of the data subjects concerned.

In addition, in accordance with Section 2(8) of the Data Protection Acts, a data controller who anticipates that the personal data within the CRO published information, for which they are now the data controller, will be processed for the purposes of direct marketing must offer those persons whose data will be so processed a cost free opportunity to object in advance to receiving direct marketing. This applies both to data controllers who intend to use the personal data for direct marketing potential customers and to data controllers who intend to process the personal data for distribution to third parties for direct marketing by the third parties.

The Office of the Data Protection Commissioner considers that there is no scope for data controllers to target for direct marketing purposes those individuals whose personal data has come into their possession in this way without first having applied this procedure.

Furthermore, data controllers who may have intentions of processing the personal data by placing it on a website (in any format) should be aware that such processing does not meet any of the conditions set down in Section 2A of the Data Protection Acts (processing of personal data) as there is no consent from the data subjects for such processing of their personal data.

The Office of the Data Protection Commissioner holds a strong position on this matter. The Office cannot envisage any case where the processing of personal data obtained in this way is necessary for the purposes of the legitimate interests pursued by the data controller. Such legitimate interests must be balanced with the fundamental rights and freedoms of the data subjects themselves. The Office considers that this balance is not reflected in the posting of such personal information on a website.

Data Controllers who fail to comply with all of the requirements set out above may be deemed to have breached the Data Protection Acts. Breaches of Data Protection legislation may be reported to, and investigated by, the Data Protection Commissioner. Where the Commissioner forms the opinion that a data controller has contravened or is contravening a provision of the Acts, he may use the enforcement powers conferred on him under the Acts. This includes the power to require a data controller to destroy the database concerned.

2 comments:

  1. Anonymous02 July, 2007

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. Excellent and informative article TJ. I registered a company with CRO recently. I am amazed at the amount of unsolicited direct marketing communications I have been receiveing since. I am currently in contact with the CRO about this as I cannot understand how they are not aware that this is happening. All marketing communications are addressed to me personally which indicates that company submissions are being requested for every single registration or the information is being provided directly to a Direct Marketing company. Please PM me if this interests you further.

    ReplyDelete