Privacy Laws and Business International Report

How Halifax plc is preparing for the new UK Data Protection Act [1999] PLBIRp 19; (1999) 48 Privacy Laws and Business International Report 14

How Halifax plc is preparing to comply with the new Act

HALIFAX PLC, the UK's largest mortgage lender with over 20 million customers and 35,000 staff, holds data on roughly one in every three UK residents. What challenges does the new 1998 Data Protection Act pose to a financial institution of this size?

Halifax plc recently converted from the UK's largest building society (mutual home loan organisation) into a bank. As well as the familiar banking, lending and investment services provided by the Halifax, there are several other companies in the Halifax Group offering a comprehensive range of financial services. Clerical Medical and the Birmingham Midshires also form part of the Halifax Group.

During the application process for Halifax products or services, it is often necessary for people to provide sensitive or confidential information. Consequently, it is vital that first-rate Data Protection Act compliance is in place across the organisation to ensure privacy and confidentiality.

At the time of writing, the Halifax data protection compliance team consists of five staff who also have other regulatory and compliance responsibilities. The team supports a telephone help line and offers a project consultancy service to other companies in the Halifax Group.

PL&B: How does Halifax plc ensure that staff are aware of the provisions of the current Act? How will it address this obligation under the new Act when it comes into force?

Trevor Chew, Information Security Compliance Manager: At present most of our 35,000 staff receive annual training on compliance with the 1984 Act. This is achieved using a combination of videos, workshops, induction training and the provision of individual booklets to staff members and managers. Managers are responsible for ensuring that their staff undergo this training each year. Sometimes the training material does not cover the specific situation a staff member is dealing with. In those circumstances, staff are encouraged to ring the help line for guidance. The help line is manned from 7.30 to 17.30 and is supported by voice mail outside those hours.

In order to educate staff about their obligations under the new Act, we intend to introduce on-line computer based training, accessible via our Intranet on each individual staff member's personal computer. As a result, we will know when each member of the staff did the training and how well they performed. The content will be modularised to ensure that it meets the different needs of staff in various parts of the group.

We do not aim for staff to acquire detailed knowledge of the Act. Instead we want to give them practical information to help them handle the situations they face in their jobs. The computer based training material will contain hyper-text links to more detailed on-line user documentation. Complex issues will be referred to the Data Protection help line.

PL&B: How much extra money will be allocated to ensure compliance with the new Act?

Trevor Chew: It is impossible to put a figure on how much extra money will be allocated to meet the costs of compliance with the new Act. Obviously we have to amend all our application forms and data collection systems to reflect our obligations under the new Act. We also have to revise customer publications, and training material. These costs are being borne by the relevant business areas as part of business as usual.

The Halifax takes its obligations under the Data Protection Act very seriously. Compliance with the Data Protection Act is just one element of our new Information Security Policy, which is currently being launched across the Group. We have not experienced any problems in obtaining the necessary funding for compliance with the Data Protection Act, provided that we make a satisfactory business case. Our view is that we will be left behind as a company if we do not take seriously our customers' right to privacy. The number of staff in the DPA Compliance team is currently under review.

PL&B: Many companies find the inclusion of manual data in the new Act a real concern. What is the Halifax view?

Trevor Chew: Over recent years, the Halifax has been shifting towards a paperless environment, with many paper files being transferred to a purpose-built document storage facility. We felt that the definition of a 'Relevant Filing System' in the Act was at best impractical if customer-facing staff were to apply it in deciding whether or not to grant access to a paper-based file. Refusing access to paper records would also constitute poor customer service. Consequently, it was a cultural issue for us as opposed to a legal issue. At the Halifax, we already had a culture of openness, and we generally grant access to paper files or computer records free of charge.

There will, of course, be certain items on paper files, such as references, which will be covered by some of the new Act's exemptions. Consequently, before a paper file is made available to the customer, the Data Protection Compliance team will ensure that the relevant subject access exemptions are considered.

Generally speaking, we do not anticipate a great problem in disclosing the contents of paper files. The majority of them are stored centrally, so we should be able to locate them easily at our National Information Centre. In summary, our policy will be to treat paper files in the same way as automated records.

PL&B: Which aspects of the new Act are problematic for Halifax plc?

Trevor Chew: One issue is the data controller's obligation to enforce security provisions on data processors. The new Act obliges data controllers to ensure, through a contract, that technical and organisational security measures are in place and observed by the data processor. The data controller also has the obligation to police these arrangements whilst they operate. These new obligations oblige the data controller to conduct some form of risk assessment on the data processor's installation and vet the integrity of their staff.

Outsourcing is relatively common now, and the Halifax Group has many such relationships. We are currently evaluating how best to address this obligation. Some data processors do not take kindly to what is sometimes seen as unwelcome interference. Developing the new contractual terms for inclusion in new contracts was not difficult. However, the Act also obliges us to review existing contracts with data processors. In an organisation the size of the Halifax Group, it is hard to identify all the data processors which exist. A contract is also required if the data processor is another company within the Halifax Group.

PL&B: What about transfers abroad?

Trevor Chew: Most of our overseas transfers occur with the data subject's consent, e.g. funds transfers or use of a Visa Card. Occasionally we may transfer personal data to a data processor located elsewhere in the European Economic Area (EEA) but the processing is governed contractually under a confidentiality agreement. Generally we do not transfer much personal data to processors outside the EEA, so this is not a major issue for us.

PL&B: Under the new Act, processing sensitive personal data requires explicit consent. How will Halifax seek this consent and how long will it be valid?

Trevor Chew: We are amending the relevant product application materials and systems across the Halifax Group to collect explicit consent. We would expect consent to last as long as the customer requires the product or service. If the customer withdraws consent, it may be impossible for us to continue to provide the product or service.

All new customers receive a leaflet about the Data Protection Act, which describes our uses of personal information, individuals' rights, credit referencing and other significant issues. The leaflet is also available to existing customers in all our customer-facing locations. It has now been revised to incorporate the requirements of the new Act. The leaflet attempts to explain these complex issues in plain English.

PL&B: Apart from revising application materials, systems and customer literature, are there any additional issues you have had to include in the compliance programme as a result of the new Act?

Trevor Chew: At present, we are concentrating on staff awareness, customer materials, data collection, contracts with data processors, and consent.

PL&B: How do you deal with subject access requests, and are you expecting many more as a result of the new Act?

Trevor Chew: Naturally, we expect to see a temporary increase whilst the Act receives extra publicity, but then we expect to see subject access levels return to normal. Last year, across the entire Halifax Group, we processed 20 formal subject access requests, which is slightly more than in previous years, but then the Group had increased in size. However, there were many more requests which were processed informally in our branch network. This year we have already had 15 formal requests in February and March alone.

Our policy is to try and give customers access to their information at point of sale free of charge, without any need to resort to formal subject access. We handle all formal subject access requests centrally for the entire Group. Although we reserve the right to charge a fee, we rarely do so because we consider it to be poor customer service and against the spirit of the Act.

When the new Act takes effect we intend to continue our policy of providing access to information at point of sale. We have no problems with releasing information to the data subject. Usually, most of the data has been provided to us by the data subjects themselves. It may take a little longer to provide customers with access to paper-based records because they are stored in our centralised storage facility. Even so, we should have no problems in providing access well within the 40 day time limit.

PL&B: Under the new Act, data controllers also have to provide information about the source of the data in response to a subject access request. Is this an issue for the Halifax?

Trevor Chew: We intend to supply requesters with a copy of our Data Protection Act leaflet, Personal Information And How We Use It, and also a copy of the relevant notification entry lodged with the Data Protection Commissioner. Generally our sources of information are comparatively few e.g. the data subjects themselves, credit reference agencies, solicitors, valuers, employers and statutory bodies. Our disclosures are governed by our common law duty of confidentiality, which allows us to disclose customer information only with consent or with some legal justification.

PL&B: How long does it take to respond to a subject access request?

Trevor Chew: If a customer makes an informal request at point of sale then they could see their current and previous financial year's information immediately. If it was necessary to extract some archive records from our mainframe computer, then an appointment would be necessary to view this kind of information. It usually takes about a week to extract archive information.

Formal written subject access requests are processed centrally at Head Office. Normally they are processed within a week, but it can vary depending on the number of different relationships the customer has with us. If the customer has been with us many years and has several different relationships, it will take longer. We try to turn round all formal requests in under 20 days. Under the new Act it is likely that all legal entities will have a single data protection notification lodged with the Data Protection Commissioner. This will prevent larger data controllers from subdividing their notifications to make subject access less burdensome. If we have to extract larger amounts of data, the turnaround time for formal data subject access requests will increase. The effect of this could be mitigated by individuals being allowed to limit the extent of their subject access requests.

PL&B: Has Halifax had any claims for compensation?

Trevor Chew: Not under the Data Protection Act. However, people are more inclined to seek compensation these days and have a variety of channels through which to complain. In an organisation the size of the Halifax with over 20 million customers and 35,000 staff, it is inevitable that some complaints arise. On average we handle around 25 complaints each year from the Data Protection Registrar's office. The issues mainly involve credit reference data, marketing issues or disclosure of information. The majority are justifiable complaints.

PL&B: The Data Protection Registrar (Commissioner once the Act is in force) will have new powers to inspect companies' compliance with the Act if she has reason to suspect that the data protection principles are being contravened. How do you see this new power?

Trevor Chew: In the past, we have deliberately sought advice from the Registrar's staff over particularly complex issues or complaints and have often invited the Registrar's staff into our offices. It is Halifax policy to comply with the principles of the Data Protection Act, and we regularly consult, and are consulted by, the Registrar's staff. Elizabeth France has already said she intends to pursue compliance through dialogue, so I don't believe the enforcement regime will change dramatically. I do not believe that Halifax plc will have any problems with the new powers of the Data Protection Commissioner.

PL&B: Do you conduct internal audits?

Trevor Chew: Yes. Compliance with the Data Protection Act is a formal element of any audit performed by our Group Audit function on all business areas. Audits of customer documentation, data collection channels, databases and new system developments are also performed by the data protection team to ensure that our registrations are up to date and that we remain compliant with the Act.

PL&B: Halifax also uses its website to advertise and sell its products. Are you taking data protection measures on the Internet?

Trevor Chew: Yes. So far as the Internet is concerned, the number one priority for the Halifax and its customers is security. We have a firewall in place to ward off 'unwelcome surprises' from the web and we are looking at various state of the art developments to ensure that no Halifax customer is compromised by transacting their business over the web. Our website is under constant development and not all our products and services are accessible yet via this channel. Our website is the most rapidly developing area of our business but security and confidentiality of customer information remains our first priority.

PL&B: What is the relationship between the marketing and data protection functions in general? Do they consult the data protection function early enough when planning marketing materials and initiatives?

Trevor Chew: Our relationship with the marketing area has developed over the years to the extent that we now work more closely with them than any other part of the business. The level of data protection knowledge in our marketing area is high and they invariably consult us in good time.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/19.html