
HighTech Women & Business... Law

The debate on privacy and data protection is a hot topic. In this article, UK-based HighTech Women members Janet Morrison and Angela Lyons write about Data Protection and the Internet.

Data Protection and the Internet
by Janet Morrison and Angela Lyons
Kerman & Co.

 


The information contained in this article is only intended to be a synopsis. Detailed professional advice should be taken before it is acted upon.

PART I   THE DATA PROTECTION ACT

PART II   WEBSITES – the need for a privacy policy

PART III  NOTIFICATION – under the Data Protection Act

PART IV  PENALTIES

PART V   THE US AND SAFE HARBOR RULE

PART VI  BRITISH STANDARD on Information Security Management (BS 7799)

 

PART I THE DATA PROTECTION ACT 1998 (the 'DPA')

The DPA came into force in the UK on 1 March 2000 and supersedes previous legislation. The main aim of the DPA is to protect the privacy of individuals in relation to the 'processing' of their 'personal data'. Organisations must notify the Data Protection Commissioner at the DTI if they are processing personal data in the capacity of a Data Controller. (See Notification below)

What is Personal Data?  

The DPA defines 'personal data' as data or information relating to identifiable living individuals (including sole traders and partnerships), in or likely to come into the possession of the data controller. This could include any of the following: an individual's name, email or postal address, or National Insurance number.

The DPA does not apply to details of companies, although it may apply to the personal data of a contact within a company.

If email is used as a contact facility, the data contained in the email (such as an individual's home or email address) will be caught by the DPA even if the data is not otherwise 'used'. Individuals have the right to know what personal information is being collected and processed and why.

What is Processing?

Processing is widely defined under the DPA and covers almost every activity that relates to personal data.  The types of activity include, but are not limited to: obtaining, recording, holding and retrieving data.  The DPA applies to data in a manual filing system in addition to computer databases.

What are Data Controllers?

A Data Controller is a 'person' (individual, company or organisation) who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

The 8 key principles under the DPA

When processing personal data, the Data Controller(s) must comply with the 8 key principles set out in the DPA.  They can be summarised as follows:

1) Fairness – personal data must be processed fairly and lawfully. A key point is that the individual should have given consent to the data being processed. In the absence of consent, processing is only permitted if it falls within the other restricted circumstances provided for under the DPA;

2) Purpose – personal data must be processed only for the purpose(s) for which the data was obtained. It shall not be further processed in any way that is incompatible with that purpose;

3) Relevance – personal data must be adequate, relevant and not excessive in relation to the purpose for which they are processed;

4) Accuracy – personal data must be accurate and up to date;

5) Preservation – personal data must be held only for as long as is necessary to complete the purpose for which they are processed;

6) Rights of individuals – personal data shall be processed only in accordance with the rights of the individual;

7) Security – appropriate measures must be taken to keep the personal data secure to prevent unauthorised or unlawful processing or access of personal data and to prevent damage or accidental loss;
(See BS 7799 below)

8) Transfer of personal data – personal data shall not be transferred to a country or territory outside the European Economic Area ('EEA') unless that country ensures an adequate level of protection for the processing of personal data.

(See the US and the Safe Harbor Rule below)

 

PART II WEBSITES  - THE NEED FOR A PRIVACY POLICY

To comply with the DPA, all websites that collect personal data about individuals should have a privacy policy.  

This is a policy that sets out what personal data the website collects, how that data will be used and to whom it may be disclosed.

The privacy policy, to be effective, must be brought to the attention of the user. It is generally thought that the safest route is to include a scrolling window containing the privacy policy, or at the very least a hyperlink to the privacy policy, before the individual submits their personal data. By clicking the 'submit' button, the user confirms expressly that the privacy policy has been read and that its terms are accepted. The privacy policy should form part of the terms and conditions for use of the website.

In accepting the terms of the privacy policy, the user acknowledges that the data controller will collect and use their personal information in the ways set out in the privacy policy. This could include transferring the information to 'trusted' third parties or outside the EEA, and the use of 'cookies'. A cookie is a short string of characters that the website sends to the user's browser; the browser stores it on the user's computer and returns it with later requests to the same site, which allows the site to recognise and track the user between visits.

Opting out

The privacy policy must provide the individual with the option of opting out of the processing of his personal data.


PART III NOTIFICATION UNDER THE DPA

If you are processing personal data you must notify the Data Protection Commissioner at the DTI.  The information that must be notified can be summarised as follows:

1) Data Controller’s name and address;

2) Purposes for which data are being held or processed;

3) Whether data are to be disclosed and if so to whom;

4) The countries outside the EEA to which data may be transferred;

5) Information on how the data controller will keep the data secure.

The cost of notification is £35.00 per year and can be submitted at www.dpr.gov.uk using the online form.

If you are already registered you do not need to notify under the new system until the expiry of your current registration or 24 October 2001, whichever is the earlier.

PART IV PENALTIES FOR NON COMPLIANCE WITH THE DPA

Here are some offences you may be committing if you do not comply with the DPA

· Notification offences

It is a criminal offence for a Data Controller not to register with the Data Protection Commissioner. Fines may be imposed on offenders of up to £5,000 in the magistrates' court and may be unlimited on conviction in the Crown Court.

· Procuring and selling offences

It is a criminal offence to obtain or disclose personal data, or to bring about its disclosure, without the consent of the Data Controller, and to sell or advertise for sale personal data so obtained. This covers unauthorised access to and disclosure of personal data, whether by an outsider or by someone within the organisation acting without proper authorisation. There are some exceptions to this.

Personal Liability

The DPA provides that where an offence has been committed by a company with the consent or connivance of, or is attributable to any neglect on the part of, an officer of the company, that officer, as well as the company, may be prosecuted. Offences under the DPA are punishable by a fine: up to £5,000 in the magistrates' court and unlimited on conviction in the Crown Court.

PART V THE US AND SAFE HARBOR RULE

WHAT IS ‘SAFE HARBOR’?

'Safe Harbor' is a framework that provides US businesses with a basis for compliance with the European Union's ('EU') Data Protection Directive. In the UK, this means compliance with the DPA. The Directive, and the eighth principle of the DPA, provide that personal data can only be transferred to countries outside the European Economic Area ('EEA') if that 'country ensures an adequate level of protection for the rights and freedoms of a data subject.'

Prior to ‘safe harbor’, there was fear that data transfers to the US might be prevented by the implementation of the EU’s Directive on Data Protection. However, the European Commission ('EC') adopted a ‘Decision’ accepting ‘safe harbor’ as offering ‘adequate protection for personal data transferred from the EU’.

How does it work?

The US Department of Commerce ('DOC') has established a set of data protection principles, which the EC considers to offer adequate protection for data transfer. The ‘safe harbor’ arrangement allows US companies to pledge themselves to these principles. Although membership of this scheme is voluntary, the rules are binding on the US companies who participate. US organisations that commit to the ‘safe harbor’ principles will appear on a public list. 

Who regulates the scheme?

The Federal Trade Commission ('FTC') and the Department of Transportation ('DOT') have law enforcement powers in respect of the scheme. US organisations will only appear on the list if they are subject to the jurisdiction of the FTC or the DOT.

What about US companies that don’t join up?

Personal data can still be transferred to US establishments that decide to remain outside ‘safe harbor’ but they will need to fall within one of the exemptions provided by DPA or provide alternative protection such as a contract.

(For more details on Safe Harbor: europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm)

PART VI SECURITY - British Standard on Information Security Management (BS 7799)

What is it?

The British Standard for Information Security Management (BS 7799 Parts 1 and 2) is a set of management, rather than technical, controls for protecting information: Part 1 is a code of practice and Part 2 is a specification against which an organisation's information security management system can be assessed. The framework is intended to be a point of reference for initiating, implementing, maintaining and documenting information security within an organisation.

Part 1 was first published in 1995 and Part 2 followed in 1998.

What is the purpose of the BS 7799?

It enables organisations to mitigate threats resulting from physical disaster, fraud, and industrial espionage. It allows enterprises to manage security in an open computing environment, particularly where business is transacted electronically.

The use of BS 7799 could be considered as a means to achieving the security principles outlined in the DPA.  However, adopting BS 7799 cannot make your organisation immune from security breaches.  Nevertheless it should reduce the risk, consequential cost and disruption if they do occur.

Angela Lyons and Janet Morrison are both lawyers at the London-based law firm Kerman & Co, a firm specialising in advising owner-managed businesses and start-ups. Janet is head of Kerman & Co's e-business/IT department. They can be contacted at jfm@kermanco.com (Janet Morrison) and ajl@kermanco.com (Angela Lyons).


© HighTech Women, Ltd. 2000-2004. All rights reserved.