Please tick this box if you do not want us to sell your details to the highest bidder. We have all seen this, in more formal and confusing language, often located right at the bottom of a long detailed form. It is designed to look insignificant and most people would glance over it. However, failing to tick the box can have disastrous consequences.
Samuel Rae, an 87 year old retired army colonel who suffers from dementia was targeted by charities and fraudsters and conned out of £35,000 as a result of a charity selling his details. He didn’t tick the box. Does that give the charity the right to release his details to anyone who will take them?
Leaving aside the moral repugnance of a charity selling a donor’s details, companies acting in such a way are in breach of the law. The Data Protection Act 1998 regulates the processing of data which identifies individuals. The act requires an individual’s consent before their data is processed. Consent does not mean the right to opt out if you are switched on enough to find it. The absence of a tick in a box does not provide consent. Consent by an individual must be a ‘freely given, specific, and informed.’ In 2009 the European Data Protection Regulators confirmed that a positive action is required. Whilst much will depend on the circumstances and the information involved companies can not treat an unticked box as a god given right to do what they like with people’s information.
People affected by such a breach, and any other breach of the act can make a complaint to the Information’s Commissioner’s Office. This is the body which is responsible for enforcing the Data Protection Act. They have the power to prosecute, audit and issue fines of up to £500,000. They can also order data controllers to stop certain activities.
An individual may also be able to make a civil claim for damages. If a company breaches the Data Protection principles in relation to personal information which is stored electronically then there is a right to be compensated for any losses which result. This would potentially include Mr Rae’s £35,000. A claim can also be made for distress. Up until this year this could only be made if there was also a financial loss. The English Court of Appeal ruled in Vidal-Hall v Google that compensation could be awarded for distress alone, however, this is subject to an appeal to the Supreme Court.
Mr Rae is not the first to have his rights violated. There have been a number of high profile data protection breaches lately from Ashley Madison to Carphone Warehouse. If those we trust with our data do not take our rights seriously then perhaps a right to compensation for distress will change their views.