Green Thumb (UK) (the franchisor) runs a successful franchise business dealing in garden lawn treatments with over 100 franchisees across the UK. A dispute arose when Grow With Us Ltd (the franchisee) sought to extend its existing franchise with the franchisor. It was refused on the grounds of failure to comply with its contractual obligation to provide details of its customers to the franchisor as set down in their franchise agreement. In one of the few cases brought to trial under the Data Protection Act 1998 (DPA), the High Court ruled that the DPA did not prevent a franchisee from supplying customer details to its franchisor, as it had contracted to do so.
Michelle Breen a commercial lawyer at solicitors Morgan Cole specialising in information governance explains the Grow With Us case and considers the impact of relying on DPA as a defence generally for businesses…
The franchisee agreed that it had failed to supply details of its customers however, argued that to have done so would have amounted to a breach of the DPA as it did not have the consent of its customers. It also claimed there was a deficiency in the franchisor’s registration as a data controller.
The High Court held that:
- the franchisee was in breach of the terms of the agreement in failing to provide the names and addresses of the customers and was not entitled to extend the franchise agreement
- the information could have been provided to the franchisor if the franchisee had obtained consent first and it had failed to demonstrate any practical difficulty in doing so. In fact, given the nature of the business meant visiting the customers regularly, such consent could have easily been obtained
- the franchisee had failed to prove sufficient deficiency of registration. Although the relevant registration certificate restricted the franchisor to using personal information for advertising, marketing and PR, this does not have to be an exhaustive list. The judge considered that in broad terms the purpose for which the franchisor wished to receive the details was for ‘marketing’.
There have been relatively few cases on the interpretation of the DPA and therefore this case is of particular interest, especially in terms of the consent issue, as it is often the simplest way to justify the processing of data as required under the DPA.
‘Consent’ is not actually defined in the DPA although it is widely understood to being ‘unambiguous’ and ‘freely given’. It does not need to be in writing but a written consent is the simplest method of proof. In this case, Grow With Us failed to convince the judge that it made any attempts to gain consent or that there were any practical difficulties in doing so. Equally interesting is the consideration of the wording of a data controller’s registration certificate. The judge indicated that the courts were likely to give the certificate a ‘purposive’ rather than a purely literal interpretation.
The DPA’s role is to reinforce common sense rules of information handling and ensure that organisations manage the personal information they hold in a sensible way. Organisations must keep information accurate, current, secure and only keep it for as long as they need it for a specified purpose. Some organisations err on the side of caution and do not release information which they could, but equally, other organisations use the DPA to prevent them having to provide information.
There is a common myth that the DPA means that a company is never allowed to give a customer’s details to a third party. In reality, the DPA does not prevent the transfer of information once the relevant organisation is satisfied that the person requesting the information is authorised to access it. Organisations must have appropriate safeguards in place to ensure that their staff are satisfied that the person to whom they are speaking is either their customer or someone authorised to act on their behalf, and that it is necessary to disclose the information. A practical way of ensuring the authenticity of the customer’s representative is to ask for a password.
Understanding and complying with the DPA need not be expensive. Employees and customers who consider their personal data safe, secure and respected are more likely to invest time and money in an organisation. The Green Thumb case highlights the importance of understanding and complying with the DPA and should be a warning to those continuing to hide behind it to avoid contractual obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.