The 1998 Data Protection Act, which became law earlier this year, is probably the most widespread piece of IT legislation ever. Organisations that ignore it do so at their peril.
For any business moving more of its functions online the implications are profound.
In February this year, research by data specialist GB Information Management showed that nine out of 10 companies did not know that the Act would come into force on 1 March 2000.
Yet this is an Act that will completely transform the way that personal data is stored in the future – and the way most firms operate. Any ‘new processing’ done after 1 March is covered by the Act. That means that any post-February idea for a dot.com, any e-commerce venture undertaken by an existing company and any new ventures all have to be compliant today. Existing processes have a little more time: until 24 October 2001 for electronic records, and until the same date in 2007 for paper records. But that still gives anyone holding data just over 12 months to rewrite their applications.
The eight principles of the Act form a watertight regime. Here are the points you have to remember, and some problems you may encounter:
1) Personal data must be processed fairly and lawfully
The data subject – the person whose data is being collected – has to know who the data controller is, and why the data is being collected.
Problem: Do the people on your database know exactly for what purpose their data has been collected? They must be informed and give their consent for use of their details.
2) Personal data can be obtained only for specified purposes
You have to specify one or more purposes.
Problem: Do your databases prevent other employees from ‘dipping in’ to that data? If not, you are in breach of the Act.
3) Personal data should be adequate and relevant and not excessive
This was in the 1984 Act, but applied only to electronic records. Now it covers paper records too. Many websites may be in breach if they insist on an excessive registration page.
Problem: Does your contact data have ‘comments’ fields, with subjective comments about the data subject? If this is the case, then you are breaking the law.
4) Personal data must be accurate and up-to-date
If it isn’t accurate, you not only have to put it right, you may have to pay a fine. In a survey carried out by GB Information Management, eight per cent of companies admitted that they have never checked the accuracy of customer information, so this could be a big sticking point.
Problem: This applies whether or not your company collected the data, so you are equally liable for data received from trading partners.
5) Information should not be kept for longer than is necessary
Part of the 1984 Act, but it now applies to all companies and all forms of records.
Problem: If you accept records from a trading partner for a specific marketing purpose, will that data be purged afterwards?
6) Data must be processed in accordance with the rights of the subjects
If individuals want to see all of the data you hold on them, they have a right to see it, in a user-friendly format, within 40 days. The law also applies to CCTV images.
Problem: Can you perform the necessary search, and produce a coherent document?
7) Appropriate technological measures must be taken
Information not only has to be kept safe from hackers, it must also be secured from other employees who don’t have rights to it.
Problem: You are also responsible for the security of data when it is in the hands of third parties. Are your partners secure too?
8) Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection
Problem: Do you know what happens to the data collected from your web page? Personal data cannot be exported without the subject’s consent, or without first making certain that an equivalent data protection regime is in place. This has relevance for all subsidiaries of US organisations; data cannot be transferred for processing to the US, where there are no data processing or privacy laws.
– Based on Computing magazine guide to the Data Protection Act.