THE DATA PROTECTION ACT

by Malcolm Reid

Intersection is now registered for the Data Protection Act. This limits what data we can collect , who can collect it, where we obtain it from, what we actually record about members, and who we are allowed to disclose that information to. If any infringement occurs outside our stated mandate to the Data Protection Registrar the company could be prosecuted.

The principles of good practice we adhere to are:

1. obtained and processed properly and lawfully
2. held only for the lawful purposes described in the data user's register entry
3. used only for those purposes. and disclosed only to those people. described in the register 5 accurate and where necessary, kept up-to-date
6. held no longer than is necessary for the registered purpose
7. accessible to the individual concerned who, where appropriate, has the right to have information about themselves corrected or erased
8. surrounded by proper security mechanisms to ensure disclosures are only made to authorised persons

Below are the details of what has been sent to the Data Protection Registrar:

Membership Administration:

Purposes covered: Electronic data for Membership Services Division
Who we record the information about: Client members.
What data is recorded: Name, contact details, money received for membership, cross reference to manual records, and if (but not who) they vote for the 1998 site selection
Source of Data: From the subject (member)
Disclosures con he made to: The subject (member), our Employees and Agents (Staff and Committee), persons making a complaint, voluntary organisations (the winner of the 1998 WSFS site selection bid)
Overseas transfers can go to the following countries only: USA, Oman, Netherlands

Customer/Client Administration:

Purposes covered: Electronic Data for Fan Fair Division, Art Show, Fixed Exhibits Area and Dealers Room Area
Who we record the information about: Customers or Clients Dealers. Artists etc
What data is recorded: Name. contact details, goods and services provided or obtained (including financial details of transactions), business activity i.e. book dealer, professional artist etc. , Agreements or contracts, cross references to manual records.
Source of Data :From the subject (member)
Disclosures can be made to: The subject (member), our Employees and Agents (Staff and Committee), persons making a complaint, voluntary organisations (the winner of the 1998 WSFS site selection bid)
Overseas Transfers can go to the following countries only: USA only.

Work Planning and Management:

Purposes covered: Electronic Data for Programming (including Programme and Extravaganza Divisions) and Volunteers Area
Who we record the information about: Employees, trainees and voluntary workers (Staff, Committee, gophers, programme participants etc) ;
What data is recorded: Name. contact details. Personality, Character. Travel and movement details, membership of voluntary or charitable bodies, licences or permits held, qualifications and skills. professional expertise, disabilities, cross references to manual records.
Source of Data: From the subject (member), Employers - past, current, prospective (other conventions), Employees and Agents (Staff and Committee)
Disclosures can he made to: The subject (member), our Employees and Agents (Staff and Committee). persons making a complaint, voluntary organisations (the winner of the 1998 WSFS site selection bid), employers - past current or prospective (other conventions)
Overseas Transfers can go to the following countries only: USA only.

Marketing and Selling (including Direct Marketing)

Purposes covered: Electronic Data for Promotional Activities
Who we record the information about: Recipients. customers or clients for goods or services (current, past and potential), Members
What data is recorded: Name. contact details, goods and services supplied to and obtained from the data subject. cross references to manual records.
Source of Data: From the subject (member), Employees and Agents (Staff and Committee). Recipients. customers and suppliers of goods or services. persons making a complaint, Voluntary organisations (the winner of the 1998 WSFS site selection bid),
Disclosures can be made to: Employees and Agents (Staff and Committee), persons making a complaint. voluntary organisations (the winner of the 1998 WSFS site selection bid)
Overseas Transfers can go to the following countries only: USA only

Management of Agents and Intermediaries

Purposes covered: Electronic Data relating to Agents and their activities on Intersections behalf
Who we record the information about: Agents
What data is recorded.' Name. contact details, goods and services supplied to and obtained from the Agent subject. cross references to manual records, financial information.
Source of Data : From the Subject (Agent)
Disclosures can be made to: The Agent. Employees and Agents (Staff and Committee), persons making a complaint
Overeas Transfers can go to the following countries only: USA

The Registration covers all Divisions. Committee, Staff. Agents, Volunteers and persons authorised to act on behalf of WorldCon (Scotland) Ltd. The above information has been paraphrased from documentation received from the Data Protection Registrar.

If you are going to hold information which is not covered by our Registration you are to inform Malcolm Reid and copy the information to the Chairmen in writing.

The following do not need to be covered for the purposes of our Registration:
Email
Accounting Records
General word processing other than mailing lists

You may not distribute the data to anyone we are not registered for. If a person makes a complaint through the Data Protection Registrar all correspondence and communications should be directed to Malcolm Reid in the first instance. If you are unsure about who is allowed to receive the information you should again contact Malcolm Reid.

Malcom Reid should be informed by Division Heads of the existence of all electronic data saved on behalf of Intersection, and Division Heads arc responsible for the recording of any copies made and who actually holds them.

Any queries regarding our responsibility under the Act should be directed to your Division Head who is then to contact Malcolm Reid for clarification.


COMMENTS ON THE DATA PROTECTION ACT

By Martin Easterbrook

The amount of attention given to the Data Protection Act along with the number of misunderstandings about it seem to be enormous.

I don't know anything about the new legislation, but here are a few comments about the existing act:

1. The notice on the ballot and/or membership form has no legal significance whatsoever (nil, nada, *zippo*). As far as I have been able to find out Steve Davies introduced this practice into the UK just to warn people that their details would be held on computer, and thus prevent any possible complaints based on misunderstandings. Since then it has been used as a magic talisman by almost all UK conventions, all of which may technically have been committing an offence by not registering under the act.

2. The important thing is what you say you will do with the data when you register your database. As far as I can see (and Margaret agrees with my interpretation) it is legal (under the act) to register your database as being used "for the purposes of blackmail". If you then used it for that purpose, you would not be committing an offence under the act (you would still be guilty of blackmail of course). The fun question is whether you would be committing an offence if you did *not* use the database for the purposes of blackmail. I repeat: the important thing is to declare what you will do with your database at the time of registration and then stick to that usage (including presumably passing it to future Worldcons).

3. Far from being a tough law, the UK data rotection act is close to being the weakest possible legislation the UK could enact to allow data from countries with real privacy legislation (like Sweden) to be sent here. The most demanding requirement of the law is that people in your database can demand that you send a copy of your information to them.