Regulatory Mail Compliance in the US and UK

Tuesday, Jul 23rd 2019

A document is one of the most critical means of communicating with customers and often contains extremely personal information. The term “compliance” refers to the need to meet regulations regarding the handling of such data and correspondence. This ensures the right documents are inserted into the right envelopes and then sent to the right people.

Regulatory Mail Compliance in the US

The Sarbanes-Oxley (SOX) Act

The Enron scandal in 2001 highlighted the need for more stringent compliance and regulations for publicly listed companies. Sarbanes-Oxley, enacted in 2002, was developed by two US congressmen, Paul Sarbanes and Michael Oxley. This regulation defined stricter rules concerning the accuracy of reported financial information. SOX compliance aims to protect financial information from being leaked or shared with other companies. This means companies have to make sure processes are in place in order to prove they are compliant.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects the privacy of people’s health details. It’s all about confidentiality. For example, if someone is planning to have a kidney operation, he will not want a potential employer to find out, as he may suffer from discrimination. Not only could one person’s information go to someone else, it could also go to someone he knows. Therefore organizations sending out information such as patients’ letters and billing need to make sure that they are using HIPAA-compliant mailing hardware and software to process data and meet medical compliance regulations.

Regulatory Mail Compliance in the UK

Financial Services

There is a considerable amount of regulation, particularly in the financial services sector in the UK, affecting banks, pension funds, insurance companies and other finance-related activities. What was formerly known as the Financial Services Authority (FSA) – a watchdog for business practices in this sector – has now been replaced by two regulatory bodies (the FCA and the PRA) in order to strengthen the financial system. The role of the Financial Conduct Authority (FCA) is to protect investors, police the markets and promote competition. The Prudential Regulation Authority (PRA) – a part of the Bank of England – supervises investment firms, banks and insurance companies. The Payment Card Industry (PCI) in the UK is also subject to numerous rules and regulations. The biggest issue facing PCI compliance is that of “static” data, i.e. data that doesn’t change, for example credit card numbers or data linked to credit card numbers. This means that files containing such data should only be made available while a mailing job is being prepared on the document output management system and processed through the address printer, folder inserter and postage meter. As soon as the job is finished, the data needs to be removed from the mailroom’s computer.

The Data Protection Act

The aim of the Data Protection Act, passed in the UK in 1998, is to control how personal information is used by businesses, organizations or government bodies. It provides individuals with a way to manage information about themselves. The legislation in its current form gives people a right of access to personal data. This includes information held by a company that relates to an individual. A lot of data is considered to be sensitive and if it were to fall into the wrong hands this would be regarded as a breach of civil liberties. The aim of the 1998 legislation was to align UK law with the 1995 European Union (EU) Data Protection Directive, requiring member states to protect individuals’ rights and freedoms - in particular people’s right to privacy when it comes to the processing of personal data. Other European Union countries have passed similar laws as often information is held in more than one country. The European Commission is currently planning to bring together all data protection within the EU with a single law, the General Data Protection Regulation (GDPR). One of the really significant aspects of the proposed regulation is that it will extend EU laws to non-EU companies selling into the EU. The aim is to have the regulation implemented by 2017/2018 in Europe.