Location: Home » News & Views » Consultation » The Toolkit » Data Protection Guidance

GUIDANCE 5.1 – DATA PROTECTION ACT

Word Version  (47.50 KB) for you to save, edit & print ()

5.1.1 SUMMARY Data Protection and Consultation What do we need to tell individuals? Can individuals access personal data held about them? What do we need to tell our consultants? What if we want to start consultation with an existing group? What if we have existing information about users of our services? How do we make information anonymous? Can we use photographs? And Finally......

5.1.2 DATA PROTECTION AND CONSULTATION

Whenever consultation is carried out and personal data is used, the Data Protection Act 1998 (DPA) must be followed. The Act says that personal data must always be:

1. Fairly and lawfully processed

2. Obtained and processed for specified and lawful purposes

3. Adequate, relevant and not excessive

4. Accurate and kept up to date

5. Kept no longer than necessary

6. Processed in accordance with data subject rights

7. Processed securely

8. Not transferred to non-EEA countries without adequate protection

The Act uses new terminology such as Data Controller, Data Processor and Data Subject.

Although we must comply with the DPA, we should not see it as a barrier to sharing and joining up consultation exercises – these practical guidelines can ensure that we meet our legal obligations – and also are able to use and share existing data appropriately.

5.1.2 WHAT DO WE NEED TO TELL INDIVIDUALS?

Under Principle 1, all processing of personal data must be fair. This means telling the individual, at the point of collecting their information

• Who is processing their personal data
• The purposes of the processing

For the purposes of consultation the following wording is recommended:

‘The information you provide to us will be held by [name of body]. It will only be used for the purposes of consultation and research, in order to improve our services. We may send you a written reminder(s) or contact you in order to award any associated prizes, you may also be sent feedback of the results. Sometimes, we share consultation results with our partners [list, or footnote and list at bottom or state that a list can be provided upon request]. Anonymous results will be published on the Council's Ask Me! Consultation Planner & Finder web database.Survey results will never contain your name or anything that could identify you.’

'Our partners may want to contact you to carry out similar research in the future. This would mean that we would pass your details on to our partners. If you do not wish us to do this, please write to/phone '.to let us know.

If an individual does object to contact details being passed on, then you will need to ensure that this individuals name is not passed on – or if this is already the case then the partner agency should be contacted to tell them to remove the name.

To aid compliance with Principle 4, we could add the following line:

'If you are happy for us to contact you but you change address, please let us know so that our details can be kept up to date.'

We should communicate any changes of address to relevant partners.

Although this seems like a lot of information to include in consultation exercises, putting it all in at the outset helps prevent problems which may otherwise occur later. As a general principle we should only pass on contact details to partners where this is to be used for the purpose of consultation to improve services and for no other purpose (e.g. general marketing).

Case Study Fair Processing Notice- We should let people know at the beginning of a public consultation exercise, what the information they give us will be used for, otherwise we will be restricted in our use of that data later on.  Prevention is always best - we don't want to incur a cost of re-contacting people time after time   Example Case Study: Consultation respondents are not told what the information they supply us with will be used for. Information in relation to their personal details is then published on the web site without consent. Worse case scenario - someone’s life may be endanger/at risk if there was a domestic violence issue. Accuracy (Principle 4 of the Data Protection Act (DPA) - Writing to people who may have died or moved on. If we cannot keep our information up to date then people may not be forthcoming in participating in consultation if they are not confident about us keeping our records up to date. Example Case Study: Mrs Jones wrote to the Council to inform them that her husband had recently died and to ask them to take his name off a consultation database. The records were not updated, so when Social Carer Mr Cox wrote to Mr. Jones to consult with him about his medication, upset was caused for Mrs Jones.  It is important to keep data up to date - if we ask someone to notify us of changes and they do, we must then follow their instructions- damage or distress may be caused to family/friends by writing to a deceased person

5.1.3 CAN INDIVIDUALS ACCESS PERSONAL DATA HELD ABOUT THEM?

Individuals have rights of access to personal data held about them. Subject access requests should be forwarded to your organisation’s Data Protection Officer. WCC’s DPO can be contacted here -  Dataprotection@worcestershire.gov.uk

5.1.4 WHAT DO WE NEED TO TELL OUR CONSULTANTS?

Any consultants/market research agencies carrying out consultation exercises on our behalf must also comply with Data Protection.  

Use the following checklist to ensure compliance:

Ensure that our contract with consultants includes a Data Protection clause. Recommended wording:

‘Under the Data Protection Act 1998 (DPA), [name of consultant body] is a Data Processor on behalf of [name of your body], the Data Controller. At all times, processing of personal data shall be carried out in accordance with the DPA and the Data Processor shall only act upon the instructions of the Data Controller’

The instructions we provide must include

Use of the Fairness statement (see above)
Personal data only to be used for purposes outlined by the Data Controller
Return of all personal data from the consultant to us upon termination of the contract/destruction of the personal data after specified time period.

It is recommended that before enlisting market research companies, we should ensure that they are members of the Market Research Society (http://www.mrs.org.uk/index.htm) and that we make enquiries as to the accreditation of the Company and their experience and past projects. You can access the Market Research Society Code of Conduct . (http://www.mrs.org.uk/code.htm) There is also guidance on ‘How to write a Market Research Brief  (35.50 KB)’

Case Study When we ask an external consultation company to undertake a consultation exercise on our behalf, they may need to access our databases etc.  We may give them this data - but the responsibility for the information still lies with us.  We must make it clear in our contract with the external company that they should only use the data in respect of this consultation exercise and they should return it at the end of the period.    Example Case Study: Company X consult with people on our library users database about their lifestyle habits and preferences for opening hours.  At the end of the consultation, we thank the company and carry on.  Three months later, an article in the local Press says 'I agreed to one piece of consultation about our libraries and I am now getting junk mail by the day and am being asked to take part in 20 more consultations every week - I never agreed to this!' - The fault lies with the Council because they did not specify to the company that they needed the database back at the end of the contract and that it couldn't be used for another purpose. This is a breach of principle 2

5.1.5 WHAT IF WE WANT TO START CONSULTATION WITH AN EXISTING GROUP?

Many focus groups, support groups and other bodies already exist, which would form a useful basis for consultation. However, the DPA requires us to be careful in our use of information about individuals. Just because a group exists, such as a luncheon club, does not mean we can automatically contact them for consultation purposes, if this was not their understanding when they joined the Group. The following steps should be taken:

• Approach the Groups organiser and ask if (s)he feels that their Group would be amenable to being contacted for consultation purposes.  
• If the response is positive, organise a visit to one of the Group’s meetings, or prepare some wording which can be issued by the Organiser at the next meeting
• The visit/wording should inform the Group members what your organisation does and that you wish to carry out research to improve services and would like to consult with them. Explain what has been recommended in the fair processing wording above, so that the members are fully informed as to what their involvement would entail. Ask Group members to opt in to consultation.
• Those who opt in can be added to your consultation list
• Alternatively, you may just wish to ask people to opt out, i.e.: if you have any objections to being involved please let me know. The only risk here is that you have no proof that they have opted in. Think about the kind of consultation you are carrying out. If it is potentially sensitive, you may wish to always go for opt in rather than opt out.

If an existing Group wants to make use of your consultation, they must be added to your list of Partners/included in your generic list (see the recommended wording under ‘what do we need to tell individuals?’

5.1.6 WHAT IF WE HAVE EXISTING INFORMATION ABOUT USERS OF OUR SERVICES?

We may have data-sets or lists of names of people who have used our services. However, we should not assume that because our organisation has collected someone’s contact details for one purpose, they would be happy for it to be used for another purpose (i.e.: consultation). You should ask the service provider’s view on this before making any contact.

There are preventative measures we can take. At the point their details are first collected for the service they are using, tell the individual that your organisation likes to consult with its service users and may well contact them in future to do this. If they are not happy with this, they should say so (and a stop-list should be created, see above for details). If the service is particularly sensitive, it may be appropriate to have an opt in rather than an opt out of consultation. Common sense and discretion should always be used, particularly when considering consulting with users in sensitive circumstances.

Some information cannot be used for any other purpose, legally. This includes Council Tax information. Contact your Data Protection officer for more information. WCC’s DPO can be contacted here -  Dataprotection@worcestershire.gov.uk

Case Study If we don't keep our information accurate and if we start to use it for other purposes, existing users may not work with us again and may end up informing others that we cannot be trusted to use information in line with the DPA. This may result in a complaint to the Information Commissioner and an investigation. Example Case Study: The Worcestershire Tree Preservation Society are consulted about Tree Preservation Orders (TPO) and agree to give their information, which will be held by the Countryside Service. Changes to the organisation lead to changes on the Board of the Society and they inform WCC to this effect. WCC doesn’t amend its records and some 2 years later decides to share the original details from the Tree Preservation Society with the district council who wish to mail shot for planning purposes. Subsequently complaints are received from many of the parties to say that they are no longer part of the Society and they hadn’t agreed to their information being disclosed to 3rd parties for unrelated matters. This leads to lack of trust in the existing members of the society and current work connected with WCC. This is a breach of Principles 2 and 4.

5.1.7 HOW DO WE MAKE INFORMATION ANONYMOUS?

It is difficult to completely anonymise personal data. Before you publish/share any results of research that you have promised will be made anonymous, you should do the following:

• Remove all names and addresses
• If postcodes are needed, use the Postcode, Sector, and District. This is the first part of the postcode then the first number of the last part e.g. WR14 2.
• Ensure there is no way the results could be easily traced back to an individual
• See also our Guidance on Analysing Qualitative Data

Sometimes during a consultation you may need to track peoples responses. For example you may wish to send a reminder to those who have failed to complete and return your survey, or select and award a prize to one lucky respondent. In order to do this you must allocate ID numbers to respondents’ details held in your database. This ID number is then printed or written onto the survey before it is administered or mailed out. This simple ID number allows you to identify respondents without linking personal information to their responses, which would be in breech of Data Protection.

Case Study If we don't anonymise data and we publish it, it may cause damage or distress. It may also cause health and safety issues, lack of trust and result in views being restricted Example Case Study: Some data is published on the web which has not been anonymised. This leads to some details about a family living in a domestic violence refuge being made publicly available- the former partner now knows where to locate the family and causes them physical and mental damage. As a result a compensation claim could be made against WCC as the data controller. There are no caps on the compensation and there would be a £5,000 fine to the organisation.

5.1.8 CAN WE USE PHOTOGRAPHS?

Some consultation exercises may involve taking photographs for reports, websites or other publications. Photographs that identify individuals are personal data and are therefore covered by the DPA. Whenever an event involves photos, individuals should be told that cameras are being used and where it is intended the photos will be placed (web-site, newsletter etc). If anyone is unhappy with this, they should have the chance to not be in the picture.

Where children under 16 are being photographed, it is recommended that consent of the parent/guardian should be obtained before the photos are taken.

5.1.9 AND FINALLY....

Here are some points to remember when ensuring DPA compliance:

• Only ask for information that you need. If you don’t need someone’s contact details and the information is purely statistical, don’t ask for them. Similarly, don’t ask personal, perhaps sensitive questions if this isn’t relevant to your survey.
• Only keep personal data for as long as is truly necessary. Once a survey has been collated and the statistics produced, if you don’t need to contact the respondent again, destroy the survey form.
• Keep responses secure and ensure the only people to access them are those who have duties in that particular consultation area. If the responses are particularly sensitive (e.g. a health consultation exercise) consider what extra security measures could be taken.
• If you have declared only two Partners will receive the results, don’t pass them to another Partner (see recommended wording under ‘What do we need to tell individuals?’)
• Ensure that your Data Protection Officer has included your consultation activities in your organisation’s Notification to the Office of the Information Commissioner.
• WCC’s Information Access Officer responsible for advice on Data Protection is Sarah Lewis, who can be contacted on 01905 728544 or Dataprotection@worcestershire.gov.uk

Case Study Make sure data is kept secure. You should keep a clear desk policy, and remove data when it is no longer required- conforms to Principle 5- not kept longer than necessary. Retention and disposal issue. Example Case Study: Consultation data is left in car. The car is is stolen or contents taken. Breach of principle 7. Example Case Study: A worker who is responsible for the disposal of confidential data is throwing the data into a skip which is in a non secure area, the papers are being blown out of the area by the wind making them accessible to anyone passing by.