Basically the Act protects "data subjects". Basically data subjects will all be living individuals.
Data subjects will not include the following:-

• Limited companies
• Partnerships
• Businesses

The Data Protection Act 1998 protects living individuals from data users who "knowingly or recklessly":

• Hold personal data or any description other than that specified in the registration
• Hold any such data, or use any such data for any purpose other than the purpose or purposes as registered.
• Obtain such data from any source not defined in the registration.

Data users (also known as data controllers) must use and obtain the data as well as process it fairly and lawfully. The data held must be adequate, relevant, accurate and where necessary be kept up to date.

If you wish check against a company director, sole trader or partner you will be processing information in which case you will require the data subject's consent and the following will apply:-

• You will have to go through a general registration procedure with the Data Protection Commissioner.
• You must advise the data subject of the purposes for which you are gathering information and how it will be use, which must be within the purposes and uses registered.
• If you pass the information harvested to a third party such as a credit reference agency then the data subject has to consent to this. Consent can be taken in various forms such as the data subject completing a standard application for a credit account or consent over the telephone. If done over the telephone you should have internal means of monitoring and auditing when such consent was taken (See credit account application form for wording)
• Data subjects are entitled to make "subject access requests." Effectively this means you will be required to tell them what information you hold against them. This is why it is important such information is kept accurate and up to date. If you receive a subject access request you should respond to this within 40 days. You are entitled, but not obliged, to charge a fee of £10.00. In addition should you be holding trade references given to you, you will be required to provide a copy to the date subject on their request notwithstanding such reference has been given in confidence.
• Following upon your requirement to disclose information held against a creditor if you carry out a credit search the data subject should be told you are going to do this and consent to the search should be made. The search information should be disclosed to the date subject should this be requested. In addition information that you hold must be obtained lawfully and kept up to date. Basically what this means is that you should not, either yourself or through and agent (such as a tracing agency) use deceptive means to gather information. If you receive a subject access request you should respond to this within 40 days. You are entitled, but not obliged, to charge a fee of £10.00.

Grey areas

It is clear a data subject will not apply to a business. For example, Mr. James Brown and Mr. James Smith trading as Joe Soap & Company will not be a data subject in terms of the Act. Accordingly a creditor will be able to make a credit search against that business without consent. However, if the creditor wishes to make a credit search against M Smith and Mr Brown to discover personal data relating to those individuals then the creditor should get the consent of both of them before carrying out the search.

Let us suppose one of your sales persons contacts a potential customer, being a limited company. The Act does not apply to a limited company but it is thought sensible to take personal guarantees. You will wish to establish the credit worthiness of the director granting the personal guarantee. Before you are able to gather any information relating to the director his consent should be taken. However, you do not ask the director personally for his consent but simply rely upon word of mouth confirmation from the company's office manager that the director does consent to the information being gathered. Are you able to assume that the office manager has the necessary authority to give the consent to be made? As the Act is currently drafted the position is probably not.

Data protection is a complex area of law. If you would like further information please contact Stephen Cowan at scowan@yuill-kyle.co.uk