What price privacy?

In the e-economy personal data can be a valuable commodity. But a new law threatens big penalties for those who misuse it. David...

In the e-economy personal data can be a valuable commodity. But a new law threatens big penalties for those who misuse it. David Bicknell reports

What is the Data Protection Act, and how does it apply to me? The Data Protection Act 1998 became law on 1 March and replaces the original Data Protection Act passed in 1994. Effectively, it brings European data protection legislation into UK law, and imposes obligations on "data controllers" who determine the way personal data is processed.

Anyone who processes data must adhere to eight principles. The data must be:

  • fairly and lawfully processed

  • processed for limited purposes

  • be adequate, relevant, and not excessive

  • accurate

  • not be kept longer than necessary

  • should be processed in accordance with data subjects' rights

  • secure

  • not transferred to countries without adequate protection

    What difference will e-commerce make to data protection? Although the application of technologies involved in e-commerce is new, the data protection issues arising are not. The provisions of the 1984 Data Protection Act already apply to the obtaining and processing of personal data over the Internet. Where information is collected in traditional ways, this usually means that a clear notification should be provided - either on an application form, or orally - explaining the uses that the data gatherer intends to make of the individual's personal data. On the Web, this is usually tackled by a Web site privacy statement. E-commerce should make it easier for organisations collecting information through Web sites to provide effective notifications to the individual. Site owners can build-in screens explaining to consumers what is happening to their information.

    Who is the Act aimed at? The Data Protection Act works in two ways. It gives individuals certain rights. It also says that those who record and use personal information must be open about how the information is used and must follow the eight principles of "good information handling".

    Why is it important to protect personal data? Many people and organisations (data controllers) have details about people (data subjects) on computer or in paper files. This growth in the use of personal information (data) has many benefits, like better medical care or helping fight crime. But there are also worries. It could cause problems if information is entered wrongly, is out of date, or confused with someone else's. A customer could find themselves unfairly refused a job, housing, benefits, credit or a place at college. They could be overcharged for goods or services or they might even find themselves wrongly arrested, just because there is a mistake in the information held about them.

    What sort of e-business data will the Act cover? Informationcollected by electronic transactions is subject to the same rules as the collection of information by traditional methods, but at present individuals are often unaware that they can leave electronic footprints when visiting Web sites and using online services. Internet software can process personal data in an invisible and unfair way, and marketing companies can use software to collect information such as tracing Web surfing activity.

    What should customers expect from the e-business gathering their data? The Data Protection Act allows everyone to find out what information is held about themselves on computer and in some manual records. This is known as the "right of subject access". They also have the right to have certain information that isn't correct altered or deleted. Anyone who wants to know whether information is held about them and if so what, will need to write to the person or organisation that they believe holds the information. They should ask for a copy of all the information held about them to which the Data Protection Act applies and they should generally address enquiries to the company secretary or chief executive.

    How is the Data Protection Act enforced? Offences committed under the Act carry fines of upto £5,000 in magistrates courts, and unlimited fines in the Crown Court, while directors and officers of businesses and organisations which do not comply can be personally liable. There is a Data Protection Commissioner - formerly Registrar - who can bring enforcement action against a data controller who has breached any of the principles.

    What do you have to do to comply? IT staff, or those responsible for privacy, will have to assess compliance with data principles, as well as a security principle. This covers issues such as

  • how passwords are used and how often they are changed

  • the level of access to personal data given to users. For example, employees should not be given full access to a database holding personal data when they only need access to part of it

  • ensuring that when media holding data are disposed of, the data is sufficiently deleted

  • back up and data recovery systems so that lost personal data can be retrieved

  • reliability of staff with access to data.

    Web sites

    Visit the Data Protection Commissioner's website

    Contact the International Commerce Exchange which is developing a code of conduct for privacy.

    Other useful privacy sites



  • Read more on IT risk management