Data Protection Issues – Compliance Within Computing Organisations
1. Introduction to the Data Protection Bill 1998
We’ve probably all heard of it, but just what is ‘The Data Protection Act’, so much maligned, often misquoted and even misunderstood? Naturally it is about data, which Webster’s Online Dictionary defines as “a collection of facts from which conclusions may be drawn”, and so we are looking at the aspect of its protection and its associated issues.
Data Protection is not merely something with which large companies have to comply; “Data Protection affects a huge range of individuals and organisations, both in the public and private sectors” Rt. Hon Jack Straw MP, Home Secretary (British Computer Society, Conference 2000)
Our chief concerns are the issues governing computing businesses or organisations that store and retrieve data in any way, shape or form, and the challenges, threats and implications this may pose to the successful deployment of technical resources. Since the introduction of the Data Protection Act in the United Kingdom in 1984, this enforceable piece of legislation has carried with it severe penalties for being in default of it. It was recently repealed by the latest Act of 1998 (implemented 1st March 2000), which can be viewed online at: http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.
1.1 The Eight Principles of The Data Protection Act
It is said in the latest Act to be introduced, that the eight principles of good practice must be adhered to and that data must therefore be:
i. Fairly and lawfully processed
This indicates that data shall only be used for the purpose for which the organisation is registered. Regard is to be had for the method by which data is obtained, including in particular whether any person from whom it is obtained is deceived or misled as to the purpose for which the details are to be processed.
ii. Processed for one or more limited lawful purposes
Within the business organisation’s registration will be an outline of the specific purpose for which data will be used. The broadness of these purposes will usually be competently crafted to account for all its daily activities. These limited purposes also serve to prevent the data being put to any other, incompatible use.
iii. Adequate, relevant and not excessive
Very similar to the points outlined in Principle number 2 above, in that data hoarding must not take place, essentially through the use of computer systems, and data shall not be used for purposes other than those intended.
iv. Accurate and valid and where necessary kept up to date
Throughout the data’s life its usefulness will naturally deteriorate, by the very nature of it being of a dynamic substance. This factor alone should deem the data to have a limited life span. Once its effectiveness has reduced over a period of time, it should be removed or amended.
v. Personal data processed for any purpose shall not be kept longer than deemed necessary
Although a relatively sensible Principle to behold, its practicality is essentially difficult to determine and implement. It begs the question of how long is ‘necessary’. Should the question be tested through the legal process, it is generally regarded that normal industry procedures would be taken into account, depending on the precedents previously set.
vi. Processed in accordance with the data subject’s rights under this Act
The belief attached to this somewhat key Principle is that the person about whom data is being kept shall have access to that specific data, with a reasonable duration of time and a monetary fee attached to the disclosure request. More shall be said of this later in the employment section.
vii. Securely protected by appropriate technical and organisational measures
To defeat unauthorised access to sensitive data, appropriate, suitable and sustainable security measures must be in place at all times. The unlawful access to or theft of private and personal data or statistics must at no time be allowed to compromise the ethics of business through accidental loss, destruction, damage or amendment to personal data.
viii. Personal data will not be transferred to Countries without adequate protection
In particular, Countries outside the European Economic Community must provide adequate levels of protection for the employee guardians of the data concerned with its processing.
“Personal data covers both facts and opinions about the individual. It also covers information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply.” http://www.dataprotection.gov.uk/principl.htm
2. Registration For Data Protection Act
The extent of the rigidity of the eight Principles leaves us in no doubt that data should be morally correct, ethically gained, legally stored, decent and truthful to the purpose it was intended to meet. When considering registration it is advisable to contemplate all of the possible usages the business will have for the manipulation of the stored, customer-extracted data. By and large, it is wiser to tick the majority of check boxes on the application form covering the types of data and how you intend to put it to use. In one action, all aspects and angles will then have been accounted for, and an update will not be necessary at a later point in the operating life of the Company.
It is perhaps a wise course of action to permit the system managers and software engineers to engage in the task of defining the Company data protection policy, to assess and govern the manipulation of its bare commodity – data. Ways must be employed that allow compliance with the Act’s Principles regarding the validation of data and the methods used in creating lists, direct mail databases etc., while at the same time providing systems robust enough to deny unauthorised access, as discussed later in this documentation.
3. Exclusions and Exceptions
There exists within the Act certain clauses and exclusions, such as the fact that word-processed documents are exempt from the limitations of the Data Protection Act, and deemed to be not a true form of data processing. The complete set of exemptions covered are:-
* National Security – As defined at the time by the Home Office minister.
* Crime, taxation, payroll and accounts – This category is exempt, to assist in the detection, apprehension or prosecution of offenders.
* Health, education, medical and social work – Believed to protect patients from misinterpreting their own medical records without professional guidance.
Information and data contained within medical and nursing records is of a highly confidential nature. The staff having access to this material face disciplinary action for breaching the regulations governing confidentiality; it is also unlawful for these records to be made available to untrained and unsupervised staff.
(Adapted From Community Health Sheffield NHS Trust. Document C8 1/3 October 2000)
* Research, history and statistics – With a view to promoting secrecy of potentially sensitive material such as medical research and educational examination pass/fail details prior to being made public.
* Legal disclosures and proceedings – To facilitate disclosures being made in pursuit of upholding other laws, and also in the assessing of any person’s suitability for a judicial appointment or Queen’s Counsel.
* Domestic purposes – Covers diverse matters such as individual personal bank account details, small clubs or societies, church administrations with their own records and accounts, and smaller trivial details such as personal Christmas card lists. Just about any other area that is not used for business or professional purposes, including ‘Not For Profit’ organisations which are mainly charities.
It is believed that the above exclusions should spare the most basic cases from having to register under the Act, and likewise exempt ‘specialised’ subsets that require competent professionals to interpret results to medical patients and suchlike, not forgetting also sensitive data likely to prejudice the combat effectiveness of the armed forces of the National services.
4. Typical Example Of Active Data Protection Environments
In organisations with a number of employees there are individuals about whom data is stored. Past, present and prospective persons all have references stored detailing their identification name and unique employee numbers, and other attributes concerning physical, physiological, mental, economic, cultural or social identity. Generally speaking, this information is obtained from the individual worker and processed on the basis of informed consent. Every effort should be made by data controllers to ensure that employee data processed is accurate and valid, and is not kept beyond the time required to satisfy requirements; once these have been satisfied, the data should be securely deleted. It is understood that employees should have the right to gain a copy of the data being kept about them, which is held by their employer. There may be a fee of up to ten pounds for this service and there could also be a delay in its provision by up to 40 days, in which the stored data could be cleaned before presentation.