In the e-economy personal data can be a valuable commodity. But a
new law threatens big penalties for those who misuse it. David
Bicknell reports
What is the Data Protection Act, and how does it apply to me?
The Data Protection Act 1998 became law on 1 March and replaces the
original Data Protection Act passed in 1994. Effectively, it brings
European data protection legislation into UK law, and imposes
obligations on "data controllers" who determine the way personal
data is processed.
Anyone who processes data must adhere to eight principles, which
include that the data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- not kept longer than necessary
- processed in accordance with data subjects' rights
- not transferred to countries without adequate protection
What difference will e-commerce make to data protection?
Although the application of technologies involved in e-commerce is
new, the data protection issues arising are not. The provisions of
the 1984 Data Protection Act already apply to the obtaining and
processing of personal data over the Internet. Where information is
collected in traditional ways, this usually means that a clear
notification should be provided - either on an application form, or
orally - explaining the uses that the data gatherer intends to make
of the individual's personal data. On the Web, this is usually
tackled by a Web site privacy statement. E-commerce should make it
easier for organisations collecting information through Web sites
to provide effective notifications to the individual. Site owners
can build in screens explaining to consumers what is happening to
their information.
Who is the Act aimed at?
The Data Protection Act works in two ways. It gives individuals
certain rights. It also says that those who record and use personal
information must be open about how the information is used and must
follow the eight principles of "good information handling".
Why is it important to protect personal data?
Many people and organisations (data controllers) have details about
people (data subjects) on computer or in paper files. This growth in
the use of personal information (data) has many benefits, such as
better medical care or helping to fight crime. But there are also
worries. It could cause problems if information is entered wrongly,
is out of date, or is confused with someone else's. A customer could
find themselves unfairly refused a job, housing, benefits, credit or
a place at college. They could be overcharged for goods or services,
or they might even find themselves wrongly arrested, just because
there is a mistake in the information held about them.
What sort of e-business data will the Act cover?
Information collected by electronic transactions is subject to the
same rules as the collection of information by traditional methods,
but at present individuals are often unaware that they leave
electronic footprints when visiting Web sites and using online
services. Internet software can process personal data in an
invisible and unfair way, and marketing companies can use software
to collect information, such as by tracing Web surfing activity.
What should customers expect from the e-business gathering their
data?
The Data Protection Act allows everyone to find out what information
is held about themselves on computer and in some manual records.
This is known as the "right of subject access". They also have the
right to have certain information that isn't correct altered or
deleted. Anyone who wants to know whether information is held about
them, and if so what, will need to write to the person or
organisation that they believe holds the information. They should
ask for a copy of all the information held about them to which the
Data Protection Act applies, and they should generally address
enquiries to the company secretary or chief executive.
How is the Data Protection Act enforced?
Offences committed under the Act carry fines of up to £5,000 in
magistrates' courts, and unlimited fines in the Crown Court, while
directors and officers of businesses and organisations which do not
comply can be personally liable. There is a Data Protection
Commissioner - formerly the Registrar - who can bring enforcement
action against a data controller who has breached any of the
principles.
What do you have to do to comply?
IT staff, or those responsible for privacy, will have to assess
compliance with the data protection principles, including the
security principle. This covers issues such as:
- how passwords are used and how often they are changed
- the level of access to personal data given to users. For
example, employees should not be given full access to a database
holding personal data when they only need access to part of it
- ensuring that when media holding data are disposed of, the data
is properly deleted
- backup and data recovery systems, so that lost personal data
can be retrieved
- the reliability of staff with access to data.
Web sites
Visit the Data Protection Commissioner's website
Contact the International Commerce Exchange which is
developing a code of conduct for privacy.
Other useful privacy sites
TrustUK
Truste