Information held on computer can now very quickly be copied and distributed or sent via the Internet within seconds to anywhere in the world. We all expect our details to be kept private by organisations that hold our details. Organisations have both a moral duty but also a legal obligation to keep our details safe - the Data Protection Act 1998 seeks to ensure this.An organisation can take a number of practical steps to keep our information private and confidential.
It can ensure that a named person is responsible for ensuring that the organisation's DPA policy is enforced efficiently. This would ensure that employees are very clear about their responsibilities.
The Data Protection Act should be followed to the letter. This means, for example, that data should be deleted when it isn't needed anymore and shouldn't be sent to countries that don't have data protection legislation comparable to the DPA 1998.
The organisation should ensure that access to the hardware that holds the data is restricted. This could be done by ensuring the hardware is in locked, secure rooms that can only be accessed by authorised users.
The organisation could ensure that data files are password-protected, to ensure that unauthorised people who gain access to the files can't open them.
Data could be encrypted using a software encryption tool such as PGP (Pretty Good Privacy). This means that even if the data is accessed or intercepted whilst being emailed, it can't actually be read.
The organisation can ensure that the back-up policy in the organisation is being followed and that the back-up copies of data are themselves held securely and in encrypted form.
While most people would agree that the legislation is useful, there are some drawbacks. Some people would argue that while it sounds good in practice, it is very difficult to enforce. For example, if you are running a small club and store members' details on the computer, you are supposed to be registered - but how many are? The DPA legislation means extra administration and expense for an organisation. For example, somebody has to be responsible and take the time to ensure that data is kept accurate and up-to-date. Somebody has to administer the system that allows somebody to see their details. Somebody has to be responsible for making sure a company follows the DPA. Whenever somebody has to do something, it involves that person being away from the core activities of the organisation and involves an expense for the company. Some might argue that the last principle of the Act described above is impossible and impractical to enforce.
As computers have become more widespread, so the need for legislation has grown. There now exists legislation that seeks to protect our health and safety while working with computers, to protect our privacy, to ensure that those who seek to carry out criminal acts using computer technology are punished and to ensure that intellectual rights to material are protected. One major problem with any country's legislation, however, is that it is difficult to enforce those laws if the 'crime' is carried out in another country. The Internet is a worldwide phenomenon that crosses the boundary of every country. What is illegal in one country may be perfectly legal in another country, or may simply be impossible to enforce. There are lots of good sources that deal with this issue on the Internet. Search Google using keywords like privacy, legislation, Data Protection Act, European privacy legislation, SPAM, junk mail, cookies and so on.
Organisations collect data and store information about individuals. It is important, however, for each organisation to recognise that the information collected about an individual is private and that the individual has a right to expect that it stays private. Each organisation should only collect the information that it actually needs and should be up-front about what it needs it for.
In 1984 DPA was brought up-to-date with European legislation and also included extra safeguards, such as including data sent over the Internet.
When an organisation wants to keep data about individuals, it must register with the Data Protection Commissioner. They have to fill in a form that
Gives details of their organisation.
Says what data they want to collect.
Says what they want to do with it.
Says who will have access to the data.
The organisation must then use the data in the way they said they would. If it doesn't register, or uses the data in a way that it hasn't declared, then it may be subject to legal sanctions. The DPA 1998 lays down eight principles of good practise, supported legally, which organisations must follow.
"Personal data shall be processed fairly and lawfully". This means that a company must be up-front about collecting personal data. It must seek permission from individuals to collect and process their personal details before they actually do it.
"Personal data shall be obtained only for one or more specified and lawful purposes". In other words, an organisation has to use the data they collect in the way that they said they would use the data when they registered with the Commissioner.
"Personal data shall be adequate, relevant and not excessive". We have already said that an organisation must declare to the Commissioner that it intends to collect data for one or more reasons. It must then collect only the information it actually needs and not collect any data that it doesn't really need.
"Personal data shall be accurate and, where necessary, kept up-to-date". An organisation must make attempts to ensure the information is accurate and up-to-date. For example, a school may, once a year, print off the personal details it holds about you, send them home and get someone to check, sign and return it. Any data can then be changed as necessary.
"Personal data ... shall not be kept for longer than is necessary". Companies must remove data if they do not need it any more. They should have a procedure in place to ensure that data kept on file is regularly reviewed.
"Personal data shall be processed in accordance with the rights of data subjects". An organisation must have in place a procedure to allow anyone who has data kept about them to see that data. This usually means having a form available so that any individual can request to see their data in writing. There is sometimes a small fee payable as well. The organisation must then provide the data within a fixed time.
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss" An organisation must take practical steps to ensure the data is safe and secure. These can include restricting access to files using password protection and encryption, restricting access to the hardware that can access files and having a procedure to back-up files daily and storing the back-ups in a fire safe or securely off-site.
"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection".In other words, data cannot be sent or accessed from another country outside of the EEA unless they have similar legislation to the DPA. If you have a web site that holds personal details that can be accessed by someone from another country, then this law applies to you!
Some disadvantages of the DPA
How can you monitor who accesses data from an online database via a web site from another country?
How can you enforce regulations?
Conviction rates are low.
We have already said that there is a problem when one country tries to impose its values and laws on people in other countries. One approach is to have legislation that crosses national boundaries. Directive 95/46/EC is European legislation that lays down rules designed to protect the rights and privacy of individuals with regard to data kept about them across Europe. Directive 97/66/EC is another piece of legislation concerned with provisions for data privacy and protection in the telecom industry.SPAM, cookies and Directive on Privacy and Electronic Communication (2002/58/EC)
From August 2003, it became illegal to send unsolicited emails to people, commonly known as SPAM. Emails can be sent if the recipient actually 'opts in' - they have agreed in advance to receive email promotions and adverts. In addition, 'cookies' will be controlled.
A cookie is a small program that is placed on your computer by a web page. It collects information about you and what you look at and then sends this information back to the web page. This information can then be used for marketing purposes.
You must be clearly told that a cookie is to be placed on your computer and must have the ability to decline them.