M. Scheurer, 2002 CT218 Professional Issues Lecture 7 – 21 st March, 2002 The Data Protection Act...
-
Upload
gabriella-spencer -
Category
Documents
-
view
216 -
download
0
Transcript of M. Scheurer, 2002 CT218 Professional Issues Lecture 7 – 21 st March, 2002 The Data Protection Act...
M. Scheurer, 2002
CT218 Professional Issues
Lecture 7 – 21st March, 2002
The Data Protection Act [1998]
M. Scheurer, 2002 Professional Issues / Lecture 2
European Union Data Protection Directive 95/46/EC of the European
Parliament Set out principles and required
member states’ DP legislation to conform within 3 years Available from European Union
Information Society Website:http://europa.eu.int/comm/
internal_market/en/ media/index.htm
M. Scheurer, 2002 Professional Issues / Lecture 3
The Data Protection Act
The Data Protection Act [1998] (repealed earlier DPA of 1984)
Entered into force on 24th October 2001 (End of Transitional Period)
All computer professionals should know its main provisions
Information on the DPA can be found on the website of the Office of the Information Commission (OIC)
http://www.dataprotection.gov.uk
M. Scheurer, 2002 Professional Issues / Lecture 4
8 Principles of Data Protection
Data must be:1 fairly and lawfully processed2 processed for limited purposes3 adequate, relevant and not excessive4 accurate5 not kept longer than necessary6 processed in accordance with the data
subject's rights7 secure 8 not transferred to countries without adequate
protection
M. Scheurer, 2002 Professional Issues / Lecture 5
Data Protection Act 1998 cont’d
Computer professionals should also know the main definitions of the act e.g.
data subject, data controller, personal data sensitive personal data
the main obligations of any holder of personal data
how the act applies to different stakeholders(e.g. customers, employees)
M. Scheurer, 2002 Professional Issues / Lecture 6
FARSTARS Fair Adequate Rights to know Specific purpose Transfer Accuracy Retention Security
1st Principle of DPA 3rd Principle of DPA 6th Principle of DPA 2nd Principle of
DPA 8th Principle of DPA 4th Principle of DPA 5th Principle of DPA 7th Principle of DPA
M. Scheurer, 2002 Professional Issues / Lecture 7
FFair collection
Personal Data must be obtained Fairly and Lawfully Subject has given consent and/or Processing is necessary
For the performance of a contract to which the DS is a party
For taking steps at request of DS To protect vital interests of DS
Special conditions apply to Sensitive Personal Data
See Conditions in Schedule 2 of the Act
M. Scheurer, 2002 Professional Issues / Lecture 8
AAdequate collection Collect enough personal data for
the purpose Don’t collect more than necessary
for the purpose
M. Scheurer, 2002 Professional Issues / Lecture 9
RRights to know Data subjects can request to see ALL
the information you hold on them
(system must be able to meet this obligation)
Data subjects who have given permission for the Processing or retention of Personal Data may change their mind later(system must be able to meet this obligation)
M. Scheurer, 2002 Professional Issues / Lecture 10
SSpecific purpose Personal Data may only be collected
for a lawful purpose (e.g. a Sale)
Personal Data must not become dissociated from that purpose and used for another purpose (e.g. Direct Marketing) without the consent of the Data Subject (Opt In or Opt Out?)
M. Scheurer, 2002 Professional Issues / Lecture 11
TTransfer of personal data Transfer of Personal Data to a country
outside the EEA* is only permitted if the country in question offers adequate protection
At present only Switzerland meets this requirement
Up to date list at www.dataprotection.org.uk
-----------------------*EEA = 15 countries of the European Union + Liechtenstein, Norway, Iceland
M. Scheurer, 2002 Professional Issues / Lecture 12
AAccuracy of personal data Personal Data must be kept up to
date Accuracy is the responsibility of the
Data Controller, NOT the Data Subject Data Subjects should be contacted
periodically and asked to check that the Personal Data held on them is still valid
Data subjects must have a way of correcting incorrect data
M. Scheurer, 2002 Professional Issues / Lecture 13
RRetention of personal data Personal Data may only be retained for a
limited period Retention period depends on the purpose
for which the Personal Data was collected (e.g. Personal Data relating to a Sale might have to be kept for up to 7 years for Tax or VAT purposes whereas Personal Data collected for a competition only needs to be kept as long as necessary for the running of the competition)
M. Scheurer, 2002 Professional Issues / Lecture 14
SSecurity of personal data Duty of care towards Data Subjects Data in the system must be kept safe +
secure Data must not be corrupted or lost
(protected against viruses, hackers, theft, accidental or malicious damage, etc.)
Data must not be available to non authorised people (including in transit)
Inside the organisation Outside the organisation
See Amazon case http://www.junkbusters.com/ht/en/amazon.html#last
M. Scheurer, 2002 Professional Issues / Lecture 15
Case Study - Amazon
Background documents US case against Amazon
http://www.junkbusters.com/ht/en/amazon.html#last
Request from Privacy International to the Information Commissioner to investigate Amazon.co.uk
http://www.privacyinternational.org/issues/compliance/amazon/pi-dpc-complaint-041200.html
M. Scheurer, 2002 Professional Issues / Lecture 16
Privacy International’s complaint against Amazon.co.ukExtract* from a letter of 4/12/2000 from Simon Davies, Director
of Privacy International, to the Information Commissioner
Quote: “On 14 September I wrote to the Managing Director of Amazon.co.uk 1) requesting access to all information relating to me that Amazon holds,2) declaring my intention to then demand that Amazon then delete that information, and 3) objecting to the transfer of the data to the US
His office acknowledged receipt of the letter on 27 October, but I have to date received no further reply. “
------------------*The full text of the letter + the whole exchange of
correspondence can be found at http://www.junkbusters.com/amazon.html#last
M. Scheurer, 2002 Professional Issues / Lecture 17
Data Protection Issues What are the Data Protection
Issues involved? How should a company respond to
a similar request (in order to comply with its obligations under the DPA)
M. Scheurer, 2002 Professional Issues / Lecture 18
Revising for Exams Lecture Notes and other Material discussed in
the Lectures (as distributed and/or available on I: drive) Text book: “Professional Issues in Software
Engineering” by Frank Bott et al. (available in the Library). More specifically, concentrate on Chapters 1,2, 5, 6, 10 and 11, which deal with the material covered (or to be covered) in the Lectures.
FARSTARS and the Data Protection Act (www.dataprotection.gov.uk)
Material available on the web mentioned in the lectures (e.g. in relation to Case Studies)