The information contained in this article is only intended to be a synopsis
and relates to the legal position in the United Kingdom as at June 2001.
Detailed professional advice should be taken before it is acted upon.
PART I - THE DATA PROTECTION ACT (THE 'DPA')
PART II - WEBSITES - THE NEED FOR A PRIVACY POLICY
PART III - NOTIFICATION UNDER THE DPA
PART IV - PENALTIES FOR NON COMPLIANCE WITH THE DPA
PART V - THE US AND SAFE HARBOR RULE
PART VI - SECURITY - BRITISH STANDARD ON INFORMATION SECURITY MANAGEMENT (BS 7799)
PART I - THE DATA PROTECTION ACT 1998 (THE 'DPA')
The DPA came into force in the UK on 1 March 2000 and supersedes previous legislation. The main aim of the DPA is to protect the privacy of individuals in relation to the 'processing' of their 'personal data'. Organisations must notify the Information Commissioner at the Department of Trade and Industry ('DTI') if they are processing personal data in the capacity of a Data Controller (see Notification below).
What is Personal Data?
The DPA defines 'personal data' as data or information relating to identifiable living individuals (including sole traders and partnerships) that is in, or is likely to come into, the possession of the Data Controller. This could include any of the following: an individual's name, email or postal address, or NI number.
The DPA does not apply to details of companies although it may apply to
the personal data of a contact within a company. It does apply to the
personal data of employees.
If email is used as a contact facility, the data contained in the email (such as an individual's home or email address) will be caught by the DPA even if data is not 'used'. Individuals have the right to know what personal information is being collected and processed and why it is taking place.
What is Processing?
Processing is widely defined under the DPA and covers almost every activity that relates to personal data. The types of activity include, but are not limited to: obtaining, recording, holding and retrieving data. The DPA applies to data in a manual filing system in addition to computer databases.
What are Data Controllers?
A Data Controller is a 'person' (an individual, company or organisation) who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
The 8 key principles under the DPA
When processing personal data, the Data Controller(s) must comply with the 8 key
principles set out in the DPA. They can be summarised as follows:
1) Fairness - personal data must be processed fairly and lawfully. A key point is that the individual must have given his consent to the data being processed. In the absence of consent, data processing will only be permitted if it falls within the other restricted circumstances as provided for under the DPA;
2) Purpose - personal data must be processed only for the purpose(s) for which the data was obtained. It shall not be further processed in any way that is incompatible with that purpose;
3) Relevance - personal data must be adequate, relevant and not excessive in relation to the purpose for which they are processed;
4) Accuracy - personal data must be accurate and up to date;
5) Preservation - personal data must be held only for as long as is necessary to complete the purpose for which they are processed;
6) Rights of individuals - personal data shall be processed only in accordance with the rights of the individual;
7) Security - appropriate measures must be taken to keep the personal data secure, to prevent unauthorised or unlawful processing of, or access to, personal data and to prevent damage or accidental loss (see BS 7799 below); and
8) Transfer of personal data - personal data shall not be transferred to a country or territory outside the European Economic Area ('EEA') unless that country ensures an adequate level of protection for the processing of personal data (see the US and the Safe Harbor Rule below).
PART II - WEBSITES - THE NEED FOR A PRIVACY POLICY
To comply with the DPA, all websites that collect personal data about individuals should have a privacy policy. This is a policy that sets out such issues as:
- What will be done with the personal data;
- Who is collecting the personal data;
- What personal data is being collected;
- Whether the personal data will be transferred out of the EEA; and
- The identity of third parties to whom personal data may be disclosed.
The privacy policy, to be effective, must be brought to the attention
of the user. It is generally thought that the safest route is to include
a scroll down window containing the privacy policy or at the very least
a hyperlink to the privacy policy before the individual submits their
personal data. By clicking the 'submit' button, the user confirms expressly
that the privacy policy has been read and that the terms of the privacy
policy are accepted. The privacy policy should form part of the terms
and conditions for use of the website.
In accepting the terms of the privacy policy, the user acknowledges the
data controller will collect and use their personal information in the
ways set out in the privacy policy. This could include transferring the
information to 'trusted' third parties or outside the EEA and the use
of 'cookies.' Cookies are used to track information about the user by
sending to the user's computer a string of coded characters, which are
then stored on the user's hard drive.
'Opting out'
The privacy policy must provide the individual with the option to 'opt out' of the processing of his personal data (for example, from direct marketing or from having personal data transferred to a third party or outside the EEA).
However, it should be noted that under forthcoming European e-commerce directives, it may be a requirement to allow individuals to 'opt in' to having their personal data processed, rather than having them opt out.
PART III - NOTIFICATION UNDER THE DPA
If personal data is being processed it is necessary, subject to certain exemptions, to notify the Information Commissioner at the DTI (a list of the exemptions can be found at www.dpr.gov.uk).
The information that must be notified can be summarised as follows:
1) Data Controller's name and address;
2) Purposes for which data are being held or processed;
3) Whether data are to be disclosed and if so to whom;
4) The countries outside the EEA to which data may be transferred; and
5) Information on how the data controller will keep the data secure.
The cost of notification is £35.00 per year and the notification can be submitted at www.dpr.gov.uk using the online form.
If the Data Controller is already registered with the DTI, it is not necessary to notify under the new system until the expiry of the Data Controller's current registration or 24 October 2001, whichever is the earlier.
PART IV - PENALTIES FOR NON COMPLIANCE WITH THE DPA
Offences for failing to comply with the DPA include:
Notification offences
It is a criminal offence for a Data Controller
not to register with the Information Commissioner, unless covered by one
of the exemptions. Fines may be imposed on offenders of up to £5,000
in the magistrates court and may be unlimited in the crown court.
Procuring and selling offences
It is a criminal offence to obtain or disclose personal data, to bring about its disclosure, or to sell or advertise it for sale, without the permission of the relevant Data Controller. This includes unauthorised access to personal data. (There are exceptions to this.)
Personal Liability
The DPA provides that where an offence has been committed by a company
and has been committed with the consent or is attributable to any neglect
on the part of an officer of the company, the officer as well as the company
may be prosecuted.
For more information on the DPA please visit www.dataprotection.gov.uk.
PART V - THE US AND SAFE HARBOR RULE
What is 'Safe Harbor'?
'Safe Harbor' is a framework that provides businesses with a basis for compliance with the European Union's ('EU') Data Protection Directive. In the UK, this means compliance with the DPA. It provides that personal data can only be transferred to countries outside the EEA if 'that country ensures an adequate level of protection for the rights and freedoms of a data subject.'
Prior to 'safe harbor', there was fear that data transfers to the United States ('US') might be prevented by the implementation of the EU's Directive on Data Protection. However, the European Commission ('EC') adopted a 'Decision' accepting 'safe harbor' as offering 'adequate protection for personal data transferred from the EU'.
How does it work?
The US Department of Commerce ('DOC') has established a set of data protection principles, which the EC considers to offer adequate protection for data transfer. The 'safe harbor' arrangement allows US companies to pledge themselves to these principles. Although membership of this scheme is voluntary, the rules are binding on the US companies who participate. US organisations that commit to the 'safe harbor' principles will appear on a public list.
Who regulates the scheme?
The Federal Trade Commission ('FTC') and the Department of Transportation ('DTC') act as the enforcement authorities. US organisations will only appear on the list if they are under the authority of the FTC and DTC.
(For more details on Safe Harbor see europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm.)
PART VI - SECURITY - BRITISH STANDARD ON INFORMATION SECURITY MANAGEMENT (BS 7799)
What is it?
The British Standard for Information Security Management (BS 7799 Parts 1 and 2) is a set of non-technical protocols for ensuring the safe transmission of information. This framework is intended to be a point of reference for initiating, implementing, maintaining and documenting information security within an organisation.
It was introduced in 1995 and effective from October 1998. BS 7799 was
last published in May 1999.
In December of 2000 BS 7799 was adopted by the International Standards
Organisation. A revised version of BS 7799 was drafted and renamed ISO
17799. It is expected that it will become the international reference
document to ensure secure and trustworthy e-commerce. ISO 17799 can be
found at www.iso.ch/iso/en/ISOOnline.
What is the purpose of ISO 17799?
It enables organisations to mitigate threats resulting from physical
disaster, fraud, and industrial espionage. It allows enterprises to manage
security in an open computing environment, particularly where business
is transacted electronically. The use of ISO 17799 could be considered
as a means to achieving the security principles outlined in the DPA. However,
adopting ISO 17799 cannot make your organisation immune from security
breaches. Nevertheless it should reduce the risk, consequential cost and
disruption if they do occur.
For further advice or assistance, please contact Richard Stanton-Reid on (020) 7539 7081 at Kerman & Co LLP.