My dentist, along with many others in the country, has decided to
finish with NHS treatment and go private.

To this end he has employed what I can only describe as a "marketing
company" to handle the private scheme for him.

This company has now written to me with their sales blurb to get me to
sign up.

To do this, the dentist must have given my personal details from his
records to this third party marketing company.

Is he entitled to do this without first getting my permission, under
the Data Protection Act?

Bob Coates

My dentist, along with many others in the country, has decided to
finish with NHS treatment and go private.

To this end he has employed what I can only describe as a "marketing
company" to handle the private scheme for him.

This company has now written to me with their sales blurb to get me to
sign up.

To do this, the dentist must have given my personal details from his
records to this third party marketing company.

Is he entitled to do this without first getting my permission, under
the Data Protection Act?

Have you looked at his DPA registration to see what uses he has registered
to use data? That should answer your question.

Peter Crosland

"BobC" wrote in message
oups.com...
My dentist, along with many others in the country, has decided to
finish with NHS treatment and go private.

To this end he has employed what I can only describe as a "marketing
company" to handle the private scheme for him.

This company has now written to me with their sales blurb to get me to
sign up.

To do this, the dentist must have given my personal details from his
records to this third party marketing company.

Is he entitled to do this without first getting my permission, under
the Data Protection Act?

See Data Protection Act 1998 Section 1
http://www.opsi.gov.uk/ACTS/acts1998/80029--a.htm

""data processor", in relation to personal data, means any person (other
than an employee of the data controller) who processes the data on behalf of
the data controller"

For instance, Capita process Council Tax on behalf of many Councils. They
will be the data processer but the Council will be the data controller.

See also "Data Protection Act 1998" (Dept of Health)

http://www.dh.gov.uk/PolicyAndGuidan...489&chk=VrXoGe

(http://preview.tinyurl.com/7yo6d)

"PART 4 - NOTIFICATION AND SECURITY

.....

5 Schedule 1, Part II, paragraph 12 requires that where personal data is
processed on behalf of a data controller by a data processor, the processing
must be carried out under a written contractual arrangement which includes
obligations to meet the standards of the 7th principle on data security and
prohibits processing except on the instructions of the data controller."

and http://www.out-law.com/page-435

section on "Security and Data Processors".

Nick

Many thanks for the replies to my post

The conclusion is that I think they most likely are in order in what
they are doing.
I'd forgotten about third parties such as payroll bureaux processing
data on behalf of their clients, which I should have remembered as,
although I'm not a legal person at all, I am involved with payrolls
operated by third party companies!

I've checked the DPA registration and I think the relevant section
is...

Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):

DENTAL PRACTICE BOARD

Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Healthcare, social and welfare advisers or practitioners
Business associates and other professional advisers
Suppliers, providers of goods or services
Survey and research organisations
Central Government

I guess the "providers of goods and services" bit covers it.

So, question answered I think. Many thanks for your assistance.

Bob Coates

Bob said

I don't know much about 'Data Protection' but I found a story at http://www.solicitorsfromhell.com/King_Richard.htm which sums up Richard Thomas the Information Commissioner, who is referred to as 'King Richard'.

Let me quote from that website that sums up King Richard's powers: -

"Failure to comply with the data protection principles is not a criminal offence", "The Information Commissioner has no powers to punish a data controller for a failure to comply with the data protection principles" and "The only action we would been able to take would have been to require the Law Society to take steps to prevent similar future contraventions".

John

"John Carey" wrote in message
...

Bob said

BobC Wrote:


To do this, the dentist must have given my personal details from his
records to this third party marketing company.

Is he entitled to do this without first getting my permission, under
the Data Protection Act?

Bob Coates

I don't know much about 'Data Protection' but I found a story at
http://www.solicitorsfromhell.com/King_Richard.htm which sums up
Richard Thomas the Information Commissioner, who is referred to as
'King Richard'.

Let me quote from that website that sums up King Richard's powers: -

"Failure to comply with the data protection principles is not a
criminal offence", "The Information Commissioner has no powers to
punish a data controller for a failure to comply with the data
protection principles" and "The only action we would been able to take
would have been to require the Law Society to take steps to prevent
similar future contraventions".

Well, this is wrong.

See
http://www.ico.gov.uk/what_we_cover/..._offences.aspx

"Persistent breaches of the Act

A data controller who persistently breaches the Act and has been served with
an enforcement notice can be prosecuted for failing to comply with a notice.
This offence carries a maximum penalty of a £5,000 fine in the magistrates'
court and an unlimited fine in the Crown Court.

Notification offences

A data controller who fails to notify the Information Commissioner's Office
of the processing being undertaken or of any changes to that processing can
be prosecuted. Failure to notify is a strict liability offence. This means
that if a data controller has to notify, they must notify. Being unaware of
the law is not an excuse."

"Unlawful obtaining or disclosing of personal information

It is a criminal offence to knowingly or recklessly obtain, disclose or
procure the disclosure of personal information, without the consent of the
data controller."

See also
http://www.hamiltons-solicitors.co.u...customers3.htm

"3 Copying of Personal Data which has been Gathered by a Business

The scenario where a disgruntled employee copies a customer database
belonging to his or her employers and then sets up in competition is not
uncommon. If the data appropriated by an employee constitutes personal data
within the Data Protection Act 1998 then criminal offences under that Act
may flow from the appropriation. Personal data under the 1998 Act is,
basically, information about living individuals from which those individuals
can be identified – a name and an address being the best example.

Section 55 of the 1998 Act renders it a criminal offence:

to obtain or disclose personal data or the information contained in personal
data or
to procure the disclosure to another person of the information contained in
personal data

without the consent of the data controller."

Nick