Data Protection: Act now to protect your firm

The Data Protection Act 1998 came into force in March 2000, and businesses have until October 2001 to become compliant with its provisions.

The Act introduces new rules to protect personal privacy, the eight data protection 'principles', which restrict how information identifying a living person, such as a name and address or a photograph, can be processed.

The new rules restrict information collected for one purpose from being used for another without the consent of the individual concerned ('unfair processing'); oblige organisations to take measures to ensure data quality; and impose tough new requirements to safeguard data against security lapses and unauthorised disclosure.

Individuals also have the right to a copy of the information held about them, and the transfer of data outside the European Economic Area is restricted unless suitable safeguards have been put in place. (The EEA consists of the 15 member states of the European Union, plus Norway, Iceland and Liechtenstein.)

The principles have implications not just for the users of systems that process personal information, but also for those designing and building them.

Organisations can spend millions training staff and establishing processes for compliance, but inadequate computer systems can mean they still find themselves in breach of the law.

Simple procedures

Some simple procedures can, however, help avoid having to correct potentially expensive problems later.

  • Make sure the individual responsible for data protection compliance in your organisation is involved in signing off new IT projects. This will help your company avoid developing systems which may not be viable under the Act.

  • Systems designed to 'match' or 'share' data originally collected for different purposes, or by different parts of the business, are particularly at risk of processing data 'unfairly'. Bringing the data protection or compliance officer in too late can result in expensive systems being developed that cannot achieve their potential. In the worst case, the Data Protection Commissioner could serve an enforcement notice requiring that a non-compliant system not be used at all.

  • Some data protection requirements should be built into new systems as a matter of course, as without certain basic capabilities systems will never be capable of complying with the Act.

    These requirements are likely to include:

  • Making sure systems are able to delete out-of-date or unwanted information

  • Ensuring the system allows inaccuracies to be corrected

  • The ability to restrict internal access using technical measures

  • Creating an audit trail of access to data and of changes made to it

  • Using technical measures such as encryption to protect data passing outside the EEA (but be aware, encryption may be unlawful in some countries).
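
The list above names capabilities rather than a design. The following is an added example, not code from the article, from BSI-DISC or from the Commissioner's guidance: a hypothetical in-memory store for personal data that provides the deletion, correction, access-restriction and audit-trail capabilities listed, and additionally refuses reads for a purpose other than the one the data was collected for, the 'unfair processing' risk described earlier. The class name, role names, sample records and retention period are assumptions made for illustration; encryption of transfers outside the EEA is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Record:
    subject_id: str
    purpose: str                  # the purpose the data was collected for
    data: Dict[str, str]
    collected_at: datetime


@dataclass
class AuditEntry:
    when: datetime
    actor: str
    action: str                   # read, update, delete, purge or denied
    subject_id: str
    detail: str = ""


class PersonalDataStore:
    """Hypothetical store: deletion, correction, access restriction, audit trail."""

    # Role -> permitted actions (the technical access restriction); an unknown role gets nothing.
    PERMISSIONS = {
        "admin": {"read", "update", "delete"},
        "support": {"read", "update"},
    }

    def __init__(self, retention: timedelta, clock: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, Record] = {}
        self._audit: List[AuditEntry] = []
        self._retention = retention
        # Injectable clock so the retention purge can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, actor: str, action: str, subject_id: str, detail: str = "") -> None:
        self._audit.append(AuditEntry(self._clock(), actor, action, subject_id, detail))

    def _authorise(self, actor: str, role: str, action: str, subject_id: str) -> Record:
        # Refused attempts are logged too, not only successful operations.
        if action not in self.PERMISSIONS.get(role, set()):
            self._log(actor, "denied", subject_id, f"role {role!r} may not {action}")
            raise PermissionError(f"{actor} ({role}) may not {action} {subject_id}")
        record = self._records.get(subject_id)
        if record is None:
            raise KeyError(subject_id)
        return record

    def collect(self, subject_id: str, purpose: str, data: Dict[str, str]) -> None:
        self._records[subject_id] = Record(subject_id, purpose, dict(data), self._clock())

    def read(self, actor: str, role: str, subject_id: str, purpose: str) -> Dict[str, str]:
        """Logs every read; refuses reads for a purpose other than the collection purpose."""
        record = self._authorise(actor, role, "read", subject_id)
        if purpose != record.purpose:
            self._log(actor, "denied", subject_id, f"purpose {purpose!r} != {record.purpose!r}")
            raise PermissionError(f"data collected for {record.purpose!r}, not {purpose!r}")
        self._log(actor, "read", subject_id, purpose)
        return dict(record.data)

    def correct(self, actor: str, role: str, subject_id: str, field: str, value: str) -> None:
        """Lets an inaccuracy be corrected, recording old and new values."""
        record = self._authorise(actor, role, "update", subject_id)
        old = record.data.get(field)
        record.data[field] = value
        self._log(actor, "update", subject_id, f"{field}: {old!r} -> {value!r}")

    def delete(self, actor: str, role: str, subject_id: str) -> None:
        self._authorise(actor, role, "delete", subject_id)
        del self._records[subject_id]
        self._log(actor, "delete", subject_id)

    def purge_expired(self, actor: str = "retention-job") -> List[str]:
        """Deletes every record held longer than the retention period."""
        cutoff = self._clock() - self._retention
        expired = [sid for sid, r in self._records.items() if r.collected_at < cutoff]
        for sid in expired:
            del self._records[sid]
            self._log(actor, "purge", sid, f"held longer than {self._retention}")
        return expired

    def audit_trail(self, subject_id: Optional[str] = None) -> List[AuditEntry]:
        return [e for e in self._audit if subject_id is None or e.subject_id == subject_id]


def demo():
    """Constructed sample data exercising each capability once; returns (store, purged ids)."""
    now = [datetime(2001, 10, 1, tzinfo=timezone.utc)]
    store = PersonalDataStore(retention=timedelta(days=365), clock=lambda: now[0])
    store.collect("cust-1", "order fulfilment", {"name": "A. Smith", "postcode": "SW1A 1AA"})
    store.correct("alice", "support", "cust-1", "postcode", "SW1A 2AA")
    for actor, role, purpose in [("bob", "marketing", "direct marketing"),   # no role grant
                                 ("alice", "support", "direct marketing")]:  # wrong purpose
        try:
            store.read(actor, role, "cust-1", purpose)
        except PermissionError:
            pass
    now[0] += timedelta(days=400)  # advance the clock past the retention period
    return store, store.purge_expired()
```

The audit trail records refusals as well as successful access, so a later investigation can see who tried to use the data for an incompatible purpose; the purpose check on every read is what stops a 'matching' or 'sharing' system from quietly reusing data collected for something else.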

Greater difficulties

Existing systems present a harder problem: retrofitting the changes listed above to legacy systems can be both difficult and costly.

BSI-DISC, in conjunction with the Data Protection Commissioner, has published Practical Guidance on Managing Databases. BSI-DISC also provides a data protection update service.

For more information about the guide or the update service, contact BSI on 020 8996 9000.

Further information is also available from Nicola Mckilligan of the data protection consultancy Virtual Privacy. Mckilligan can be contacted at [email protected]

The eight data protection principles

Personal information must be:

  • Processed fairly and lawfully

  • Only used for compatible purposes

  • Adequate, relevant and not excessive

  • Accurate and up to date

  • Only kept for as long as necessary

  • Processed in accordance with the rights of individuals

  • Protected by appropriate technical and organisational security

  • Only transferred outside the EEA where it can be adequately protected.