The Data Protection Act 1998 came into force in March and
businesses have until October 2001 to become compliant with its
provisions.
The Act introduces new rules to protect personal privacy, the
eight data protection 'principles', which restrict how information
identifying a living person, such as their name and address or a
photograph, can be processed.
The new rules limit information collected for one purpose being
used for another without the consent of the individual concerned
(unfair processing); oblige organisations to take measures to
ensure data quality; and put in place tough new regulations to
safeguard data from security lapses or unauthorised disclosure.
Individuals also have the right to a copy of their information,
and the transfer of data outside the European Economic Area is
restricted unless suitable safeguards have been put in place. (The
EEA consists of the 15 member states of the European Union, plus
Norway, Iceland and Liechtenstein.)
The principles have implications not just for the users of
systems that process personal information, but also for those
designing and building them.
Organisations can spend millions training staff and establishing
processes for compliance, but inadequate computer systems can mean
they still find themselves in breach of the law.
Simple procedures
But some simple procedures can help avoid having to correct
potentially expensive problems in the future.
- Make sure the individual responsible for data protection
compliance in your organisation is involved in signing off new IT
projects. This will help your company avoid developing systems
which may not be viable under the Act.
- Systems designed to 'match' or 'share' data originally
collected for different purposes or by different parts of the
business are particularly at risk of processing data 'unfairly'. If
you bring the data protection or compliance officer in too late, it
could result in expensive systems being developed which cannot
achieve their potential. In the worst possible scenario, the Data
Protection Commissioner could serve an enforcement notice demanding
that a non-compliant system should not be used at all.
- Some data protection requirements should be built into new
systems as a matter of course, as without certain basic
capabilities systems will never be capable of complying with the
Act.
These requirements are likely to include:
- Making sure systems are able to delete out-of-date or unwanted
information
- Ensuring the system allows inaccuracies to be
corrected
- The ability to restrict internal access using technical
measures
- Creating an audit trail of access to data and of changes made to
it
- Using technical measures such as encryption to protect data
passing outside the EEA (but be aware, encryption may be unlawful
in some countries).
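The capabilities listed above can be demonstrated in a small personal-data store. The following is an added illustration, not code from the article, from BSI-DISC or from the Data Protection Commissioner: it enforces access by role, checks that data is only handed out for the purpose it was collected for, lets inaccuracies be corrected, deletes records past a retention period, and writes every attempt (allowed or denied) to an audit trail. The roles, permissions, field names, retention period and the sample customer record are assumptions made for the example.

```python
"""Toy personal-data store for the compliance capabilities above.
Added illustration; roles, permissions, fields and retention period
are assumptions, not anything the Act or the article prescribes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set

# Assumed roles and the actions each may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer_service": {"collect", "read", "correct"},
    "marketing": {"read"},
    "compliance_officer": {"read", "correct", "delete", "audit"},
}


@dataclass
class Record:
    purpose: str             # purpose the data was collected for
    fields: Dict[str, str]   # e.g. name, postcode
    collected: datetime      # used to decide when data is out of date


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str
    subject_id: str
    outcome: str             # "ok" or "denied"
    detail: str = ""


class PersonalDataStore:
    def __init__(self, retention: timedelta) -> None:
        self._records: Dict[str, Record] = {}
        self._audit: List[AuditEvent] = []
        self._retention = retention

    def _authorise(self, actor: str, role: str, action: str,
                   subject_id: str, detail: str = "") -> AuditEvent:
        """Technical access restriction; every attempt is logged first."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        event = AuditEvent(datetime.now(timezone.utc), actor, action,
                           subject_id, "ok" if allowed else "denied", detail)
        self._audit.append(event)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action}")
        return event

    def collect(self, actor: str, role: str, subject_id: str, purpose: str,
                fields: Dict[str, str], when: datetime) -> None:
        self._authorise(actor, role, "collect", subject_id, f"purpose={purpose}")
        self._records[subject_id] = Record(purpose, dict(fields), when)

    def read(self, actor: str, role: str, subject_id: str,
             purpose: str) -> Dict[str, str]:
        """Purpose limitation: refuse use for an incompatible purpose,
        even when the role is otherwise allowed to read."""
        event = self._authorise(actor, role, "read", subject_id, f"purpose={purpose}")
        record = self._records[subject_id]
        if purpose != record.purpose:
            event.outcome, event.detail = "denied", f"incompatible purpose {purpose}"
            raise PermissionError("data was not collected for this purpose")
        return dict(record.fields)

    def correct(self, actor: str, role: str, subject_id: str,
                field_name: str, new_value: str) -> None:
        """Accuracy: record old and new values so the change is traceable."""
        event = self._authorise(actor, role, "correct", subject_id)
        record = self._records[subject_id]
        event.detail = f"{field_name}: {record.fields.get(field_name)!r} -> {new_value!r}"
        record.fields[field_name] = new_value

    def delete(self, actor: str, role: str, subject_id: str) -> None:
        self._authorise(actor, role, "delete", subject_id)
        del self._records[subject_id]

    def purge_expired(self, actor: str, role: str, now: datetime) -> List[str]:
        """Retention: delete records held longer than the retention period."""
        expired = [sid for sid, rec in self._records.items()
                   if now - rec.collected > self._retention]
        for sid in expired:
            self.delete(actor, role, sid)
        return expired

    def audit_trail(self, actor: str, role: str) -> List[AuditEvent]:
        self._authorise(actor, role, "audit", "*")
        return list(self._audit)

    def has_record(self, subject_id: str) -> bool:
        return subject_id in self._records


def is_denied(call: Callable, *args) -> bool:
    """True if the call is refused by the access or purpose checks."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False


def demo() -> Dict[str, object]:
    """Constructed scenario: one record collected for order fulfilment,
    then used by different roles and for different purposes."""
    store = PersonalDataStore(retention=timedelta(days=365))
    collected = datetime(2000, 3, 1, tzinfo=timezone.utc)  # constructed date
    store.collect("alice", "customer_service", "cust-1", "order_fulfilment",
                  {"name": "J. Smith", "postcode": "AB1 2CD"}, collected)
    r: Dict[str, object] = {}
    r["name"] = store.read("alice", "customer_service", "cust-1", "order_fulfilment")["name"]
    r["marketing_read_denied"] = is_denied(store.read, "bob", "marketing", "cust-1", "marketing")
    store.correct("alice", "customer_service", "cust-1", "postcode", "AB1 2CE")
    r["postcode"] = store.read("alice", "customer_service", "cust-1", "order_fulfilment")["postcode"]
    r["marketing_delete_denied"] = is_denied(store.delete, "bob", "marketing", "cust-1")
    r["purged"] = store.purge_expired("carol", "compliance_officer", collected + timedelta(days=400))
    r["record_remains"] = store.has_record("cust-1")
    r["denied_events"] = sum(1 for e in store.audit_trail("carol", "compliance_officer")
                             if e.outcome == "denied")
    r["audit_read_denied"] = is_denied(store.audit_trail, "bob", "marketing")
    return r


if __name__ == "__main__":
    print(demo())
```

The design point is that the access check and the audit entry are one step: a denied attempt is still recorded, and a read for a purpose other than the one the data was collected for is refused even to a role that is otherwise allowed to read, which is the "compatible purposes" principle applied at the system level rather than by policy alone.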
Greater difficulties
Existing systems can present greater difficulties, as attempting
to make the sort of changes detailed above to legacy systems could
prove both difficult and costly.
BSI-DISC, in conjunction with the Data Protection Commissioner,
has published Practical Guidance on Managing Databases. BSI-DISC
also provides a data protection update service.
For more information about the guide or update service contact
BSI on 020 8996 9000.
Further information is also available from Nicola Mckilligan
of the data protection consultancy Virtual Privacy. Mckilligan can
be contacted at mail@virtualprivacy.fsnet.co.uk
The eight data protection principles
Personal information must be:
- Processed fairly and lawfully
- Only used for compatible purposes
- Adequate, relevant and not excessive
- Only kept for as long as necessary
- Processed in accordance with the rights of individuals
- Protected by appropriate technical and organisational
security
- Only transferred outside the EEA where it can be adequately
protected.