Why I hate the DPA and why it is unworkable

The Data Protection Act 1998 has been with us for ten years now, which in my opinion is eleven years too many.

This unworkable, unenforceable act has become the bane of most professional marketers, the justification to be lazy for most data services departments and the excuse to be unhelpful for seemingly every major UK company's customer service department.

A quick scan through recent prosecutions under the DPA and you'll find the majority relate to companies not registering themselves correctly with the Information Commission. Well, whoopdedoo, what a victory for Mr Average that a Bolton solicitor is fined over £3,000 for not sending in a piece of paper to the Information Commission. No doubt the solicitor in question is in all other respects a highly professional operator who protects the business of his clients with care - oh, but he hasn't filled in a form for the IC so let's slap him with a big fine.

Where are the prosecutions for the real abuses of data - the constant telephone calls from Asian call centres on behalf of UK based companies where our personal data is being sent across national boundaries without our approval or knowledge? Banks putting our information in the hands of people who are not employees of the bank - and are in many cases not even employees of the call centres they work for, but are casual hired help.

Where are the prosecutions of government and military departments for losses of huge amounts of personal data that put our children's identity and safety at risk?

In the last two days I have had two separate reasons to bemoan the total failure of this Act to do what it is supposed to do. Sadly these failures are virtually daily occurrences, in an Act that permeates our every day lives but serves virtually no purpose.

The first was when my son returned from school with a note regarding his forthcoming school trip, which contained details of the "telephone cascade" for when he would return from said trip. The purpose of the cascade is that the teacher on the coach calls the two numbers at the top, tells them that the coach will be back in 30 minutes, then the people called call the next two on the list, etc until everyone is informed, and each person only has to make a couple of calls. In practice a very sensible thing (and in the days before the DPA, totally legal). However, the problem is that the phone number (including in many cases the mobile phone number) of every parent of every child was listed on the page. The school has distributed personal information it has collected, without the permission of the people supplying the information. Some of those numbers may well be ex-directory, and personal information may have been supplied to people who will abuse it.

Some may take the view that "It's a small community [it is a rural village], everyone knows everyone else, so what is the big deal?" and yes, common sense may say that is so. But, imagine this scenario (sadly all too common in a small village). Husband checks telephone bill and notices repeated calls to number he doesn't recognise. Husband thinks nothing of it until little Johnny hands him piece of paper from school which has number on it showing it to be mobile number of single male living 2 miles away. Husband starts to put 2 + 2 together and gets 4 (or 5 depending on whether calls were innocent or not) and "has it out" with wife... matrimonial chaos ensues.

OK, I might be over-elaborating or choosing a particularly nasty scenario, but there are plenty of petty arguments and unpleasantness in small villages where having the telephone number of an individual could be used to harass, bully or stalk someone. My point is the school should not have given out numbers without permission.

The other DPA waste of time is when Financial Services institutions call you to sell you a product and begin by saying "For Data protection reasons, can I take you through security?". Well hang on just one minute...YOU CALLED ME. Therefore, I have no idea who you are, so NO, I'm not going to give you my name, address, date of birth, password, inside leg measurement or anything else, because I don't know who the hell you are. Click - brrrrrrrrrrr. As we all become more and more obsessed by data theft banks are really going to have to find a better way of establishing who we are.

There are so many things I hate about the DPA I could spend all day writing this - especially the power it gives small minded process-driven data services people to stop creative marketers from doing their job properly - but enough for now. We'll save that to another day.