Data Protection in the Financial Services Industry
eBook - ePub

About this book

Privacy and data protection are now important issues for companies across the financial services industry. Financial records are amongst the most sensitive for many consumers and the regulator is keen to promote good data handling practices in an industry that is looking towards increased customer profiling, for both risk management and opportunity spotting. Mandy Webster's Data Protection in the Financial Services Industry explains how to manage privacy and data protection issues throughout the customer cycle; from making contact to seeking additional business from current customers. She also looks at the precise role of the Financial Services Authority and its response to compliance or non-compliance. Each of the Eight Principles of the Data Protection Act are reviewed and explained.


Information

Publisher: Routledge
Year: 2017
Print ISBN: 9781032838663
eBook ISBN: 9781351946247
Subtopic: Finance

Chapter 1
Introduction

The financial services industry is a long-established industry in the UK. Data protection law has been in effect here since as recently as 1984.[1] Yet, interestingly, more myths surround data protection law than the financial services sector. The term 'financial services' is used to describe savings, investments, insurance, and credit. Can we be as certain of what is meant by 'data protection'? As a simple definition, data protection means the law protecting the privacy of individuals and regulating the activities of organisations that use information relating to individuals.
There has been debate about how far the law is going in introducing a right to privacy in the UK. The government has stated that it has no wish to introduce a statutory right to privacy and the courts are reluctant to create a new tort of invasion of privacy. In Naomi Campbell v. Daily Mirror,[2] the decision in Ms Campbell's favour was decided partly on the fact that the information being made public related to her health and publication of that information might be detrimental to her health in future. In Douglas v. Hello!,[3] the Court of Appeal noted that it was being put under pressure by human rights legislation and recent European cases to protect individuals from invasion of privacy and turned to breach of confidence to find in favour of the Douglases, although OK! magazine, the co-complainants, did not have the same right of confidence. Statutes such as the Human Rights Act 2000[4] and the Data Protection Act 1998[5] (the Act) introduce a number of individual rights which collectively start to add up to a right to privacy.
A widespread myth is that business in the UK is subject to more regulation and higher compliance standards than elsewhere. Member states of the European Union (EU) have mandated to operate as a single market. The corollary to that mandate is that many laws have been harmonised to reduce the differences between the member states and to give effect to the free flow of goods, persons, services and capital within the EU. This harmonisation includes data protection law, so not only is the law based on standards set out in the European Commission (EC) Directive,[6] its provisions are largely the same as those that apply in France, Italy, Spain, Germany, the Netherlands and so on.
Another myth is that there is no need to comply with data protection law unless you are registered for data protection. Like the 1984 Act, the 1998 Act requires organisations involved in certain, specified, activities to have their details recorded on the public data protection register. However, a quirk of the 1984 Act meant that unless an organisation was registered for data protection, there was no requirement to comply with the other provisions of the Act. That anomaly has been swept away by the 1998 Act. Specifically, all organisations that use personal information must comply with the Act,[7] regardless of the need to notify (the term for 'registration' adopted from the European Commission (EC) Directive). Since all businesses utilise some personal information, for example information relating to employees, agents and directors, it follows that all businesses must comply with the Act.
The most recent myth, especially among small businesses, is that regulated businesses need only comply with the regulator's handbook (the regulator is currently the Financial Services Authority (FSA)). This is not the case; the FSA Handbook[8] supplements UK legislation; it does not replace it. Member firms must adhere to the provisions of all relevant UK laws.
The myths about financial services arise from the complexity of its products and services; many products have been designed to maximise tax advantages available from time to time, and this does not lend itself to simplicity. Another factor is the ever-present bundling of products to 'make it simpler for the customer' and to maximise revenue from new customers; for example, general insurance products are usually offered with legal expenses insurance, motor insurance with breakdown cover, and so on.
The bundling of products leads some organisations to specialise in key competences. Legal expenses insurance tends to be provided by one or two insurance companies and other general insurance companies outsource the administration of legal expenses cover to those companies. Broking and other intermediary organisations specialise in simply advising on products and services available from a variety of product providers. Other organisations support sales networks by providing financial and regulatory administration and monitoring. Organisations with high-profile brand names, especially outside the financial services sectors, might allow the brand name and their distribution channel to be used to promote branded financial products while outsourcing the product design and administration to financial services specialists.
Specialisation may be driven by regulation; many financial products and services can only be supplied by appropriately authorised organisations; for example, deposit taking is restricted to banks and building societies, and insurance to insurance companies authorised by the FSA. Authorisation involves compliance with minimum capital and liquidity requirements, which may act as a barrier to new entrants to the market; therefore an alternative solution is to outsource to those organisations that are already established and that already have authorisation.
There are a variety of distributors for financial products and services, which adds another level of complexity. Most product providers undertake direct sales as well as sales via intermediaries. The level of involvement of an intermediary may vary from simple referrals, for example, solicitors or estate agents making referrals to a specific mortgage or insurance product provider, to fully informed, independent advice and guidance on the appropriate product and product provider. A relatively new channel is the affinity marketing operation. This involves a brand owner with a high-profile brand and a valuable customer database that can be used to promote products or services not currently provided by the brand and database owner. In such circumstances, the product provider supplies products and services under the brand name to the prospective customers on the database on an outsourced basis. The involvement of the brand owner in the product sales and administration will vary according to its own key skills and regulatory requirements.
Many distribution channels are available to promote financial products and services. There are examples of direct and indirect marketing, traditional and e-commerce promotional methods from each category of distributor, product provider, intermediary and affinity operation. What they have in common is their use of personal data to create prospect and customer databases. Such databases are a key asset in any industry; they must be protected and their value maximised by the owner. The use of prospect and customer databases is regulated by data protection law.
A strength of the financial services industry is that it is a largely professional sector, which means that many people who work in the industry will have undergone training with professional bodies such as the Institute of Bankers or the Institute of Actuaries. There are also many professional and industry codes of conduct such as the Banking Code and the Association of British Insurers Code of Practice. Many colleges and universities now offer degrees and other courses in financial services, adding a further layer of professionalism which does not rely on, although it might be influenced by, individual employers.
Another strength is that one of the key underlying principles of data protection, confidentiality of personal information, is an acknowledged and familiar concept in the financial services sector. It is a business requirement as well as a legal one and it provides a solid foundation for further training for employees at even the lowest administrative levels about data protection and subject rights.
In Part I of this book each of the data protection principles is considered from the technical aspect. It provides a thorough introduction to the requirements of the Act for those who are unfamiliar with its provisions. It is also a useful reference for those who are already familiar with it and who wish to explore key areas in depth to find solutions to particular problems or to identify the technical requirements behind risk management strategies suggested elsewhere in the book.
In Part II of the book the principles are applied to common aspects of financial services. The key stages in a typical customer life cycle and the data protection issues they raise are considered, starting with advertising messages and working through elements of customer administration and relationship management. Each chapter incorporates suggested risk management strategies for the compliance issue identified and provides a checklist of other principles that apply but that have not been covered in depth.
Part III of the book describes the regulatory environment, describing the role of the Information Commissioner, the regulator for data protection, and the FSA. It concludes with a chapter on the potential for conflict between laws and regulations and how these are accommodated.
[1] The Data Protection Act 1984 introduced data protection law to Britain.
[2] For example Naomi Campbell v. MGN Ltd [2004] UKHL 22.
[3] Douglas and others v. Hello! Ltd and others (no. 3) [2005] EWCA Civ 595.
[4] Article 8 states that a citizen has the right to privacy of family life and correspondence.
[5] See chapters 4 to 12 on the data protection principles.
[6] The Data Protection Act 1998 is derived from EC Directive 95/46/EC.
[7] Section 4(4) of the Data Protection Act 1998.
[8] FSA (2005) FSA Handbook. Available from fsahandbook.info/FSA.

Part 1
The Principles

Part I considers data protection from the legal perspective. It focuses on the Data Protection Act 1998 (the Act), which codifies much of the law relating to data protection in the UK. It starts by considering technical definitions used in the Act and moves through an in-depth consideration of the eight data protection principles. The principles are the backbone of data protection law. They are statements of good personal data management and practice.
The principles are set out in Schedule 1 to the Act. The schedule is divided into two parts. Part I contains the bare text of the principles. Part II is entitled 'Interpretation of the Principles in Part I' and sets out additional requirements for compliance with the principles as well as providing interpretation and guidance on compliance standards.
Schedule 1 is incorporated into the Act by section 4(4) of the Act. Section 4 also provides that it is the duty of a data controller to comply with the principles in relation to all personal data of which it is the data controller. There is no duty on data processors to comply with the principles. As a result, the distinction between data controllers and data processors is critical and a significant part of Chapter 11 is devoted to identifying and analysing the relationship between data controllers and data processors.
Each chapter on the principles starts with a short introduction, and goes on to consider the actual wording of the principle or subject right; this is followed by an analysis of the meaning. The interpretive provisions are also explored and any relevant guidance from the Information Commissioner on meeting the compliance standard is given and explained. Relevant examples are provided where these are appropriate.
Guidance published by the Information Commissioner that assists in understanding the legal requirements is included. As the data protection principles are largely unchanged from their introduction under the Data Protection Act 1984, reference is made to guidance issued in relation to the 1984 Act where it is thought to be still relevant and helpful in interpreting current law.

Chapter 2
Definitions

An understanding of the technical definitions is the first step in un...

Table of contents

  1. Cover
  2. Half Title
  3. Title
  4. Copyright
  5. Contents
  6. 1 Introduction
  7. Part 1 The Principles
  8. Part II Key Implications Relating to the Stages of the Financial Services' Customer Life Cycle
  9. Part III The Regulatory Framework
  10. Bibliography
  11. Index