Data Protection Act 1998/2006
If you hold and process personal data about anyone, you are obliged by law to notify the Information Commissioner's Office (ICO) of that fact and to detail what data is being held and how it is to be processed. Failure to notify is a criminal offence.
What constitutes personal data?
Any information that identifies, or can be linked to, a living individual; for example: name, address, phone number, credit card details, bank account details, phone call logs, e-mail addresses, e-mails, CV data, purchase history, and so on. The list could go on forever.
There are exemptions.
You do not have to notify if you process personal data:
- Solely for staff administration and payroll
- Solely for advertising, marketing and public relations
- Solely for keeping accounts and records in connection with your own business activity
or if you are:
- A not-for-profit organisation (in some circumstances)
- An organisation that processes personal data only for maintaining a public register
- An organisation that does not process personal information on a computer
- An individual processing personal data for domestic purposes
Whether or not you have to notify, once you hold personal data you are obliged to protect it in accordance with the Act; exemption from notification does not exempt you from the data protection principles.
Key principles of the Act (for more detail see www.ico.gov.uk)
1. You must process personal data fairly and lawfully.
Broadly speaking this means that you:
- Must have a legitimate reason for collecting and processing the data
- Must not use the data in a way that adversely affects the individuals concerned
- Must be transparent about the purposes the data is to be put to, and deliver privacy notices when collecting the personal data
- Must handle the data only in ways the data subject would reasonably expect
- Must not do anything unlawful with the data
2. You must obtain the data only for specified and lawful purposes. Specify the purposes the data is to be put to, the methods of collection and how the processing is to be done, and detail any third parties that may view, store or process the data.
3. Make sure the information you collect is adequate, relevant and not excessive for the purpose it is to be put to.
4. Make sure the information is accurate and kept up to date.
5. Define a retention period for the data; no personal data should be retained for longer than is necessary for the purpose it was collected for.
6. Process the data in accordance with the rights of the data subject. The data subject has:
- A right of access: they can request a copy of any and all information comprising their personal data
- A right to object to processing that is likely to cause, or is causing, damage or distress
- A right to prevent processing for direct marketing
- A right to object to decisions being taken by automated means
- A right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed
- A right to claim compensation for damage caused by a breach of the Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Practically this means that all reasonable measures have to be taken to protect the DPA data you hold.
Whilst the Act does not prescribe the technical measures you should take, it does say that the measures must be appropriate; what is adequate today may not be adequate next year, as the threat landscape changes constantly.
(The eighth principle, on transfers outside the EEA, is covered at the end of this page.)
But practically this means that, as a bare minimum:
Data at rest:
- Should be encrypted
- Extensive logging should be enabled
- Strong access controls should be applied
Data residing on a server should be encrypted, as loss or theft of the server would otherwise expose the DPA data.
Backups of the data should be encrypted as a matter of routine, so that accidental loss or disclosure is prevented should backup tapes or drives go missing or be retired at end of life.
Data in transit:
- Should be encrypted (e.g. over TLS or a VPN tunnel), so that interception on the network does not expose the data
- Logging should also be enabled
Laptops and any other devices (PDAs, USB keys, CD-ROMs, etc.) containing information collected under the Act should be encrypted.
General:
- Dedicated network boundary firewalls should be used (the NAT function of your router is NOT ENOUGH)
- Data segregation should be applied (store DPA data separately from operational data)
- Physical access to DPA data should be strictly controlled and logged
Access to the data should be strictly limited to persons who need it to process the data in accordance with the purposes disclosed under the second principle, and to those who need direct access to keep the processing running (IT administration staff). Administrative access should itself be logged and reviewed.
Depending on the size of the company and the number of employees accessing the data, it may be necessary to deploy a broader range of security technologies, including endpoint security, de-duplication, data discovery or data leakage prevention (DLP) products.
No personal data processed under the Act should be transferred outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Remember that from April 2010 the Information Commissioner can impose a monetary penalty of up to £500,000 for a serious breach of the Act, and some offences under the Act (for example failing to notify) are criminal and can leave the data controller with a criminal record.