
M. Scheurer, 2002

CT218 Professional Issues

Lecture 7 – 21st March, 2002

The Data Protection Act [1998]


European Union Data Protection Directive 95/46/EC of the European Parliament

Set out principles and required member states’ DP legislation to conform within 3 years

Available from the European Union Information Society Website: http://europa.eu.int/comm/internal_market/en/media/index.htm


The Data Protection Act

The Data Protection Act [1998] (repealed earlier DPA of 1984)

Entered into force on 24th October 2001 (End of Transitional Period)

All computer professionals should know its main provisions

Information on the DPA can be found on the website of the Office of the Information Commission (OIC)

http://www.dataprotection.gov.uk


8 Principles of Data Protection

Data must be:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept longer than necessary
6. processed in accordance with the data subject's rights
7. secure
8. not transferred to countries without adequate protection


Data Protection Act 1998 cont’d

Computer professionals should also know:

the main definitions of the act, e.g. data subject, data controller, personal data, sensitive personal data

the main obligations of any holder of personal data

how the act applies to different stakeholders (e.g. customers, employees)


FARSTARS (mnemonic for the eight principles):

F: Fair (1st Principle of DPA)
A: Adequate (3rd Principle of DPA)
R: Rights to know (6th Principle of DPA)
S: Specific purpose (2nd Principle of DPA)
T: Transfer (8th Principle of DPA)
A: Accuracy (4th Principle of DPA)
R: Retention (5th Principle of DPA)
S: Security (7th Principle of DPA)


F: Fair collection

Personal Data must be obtained Fairly and Lawfully: the Data Subject (DS) has given consent and/or Processing is necessary

for the performance of a contract to which the DS is a party

for taking steps at the request of the DS

to protect the vital interests of the DS

Special conditions apply to Sensitive Personal Data

See Conditions in Schedule 2 of the Act


A: Adequate collection

Collect enough personal data for the purpose

Don’t collect more than necessary for the purpose


R: Rights to know

Data subjects can request to see ALL the information you hold on them (system must be able to meet this obligation)

Data subjects who have given permission for the Processing or retention of Personal Data may change their mind later (system must be able to meet this obligation)


S: Specific purpose

Personal Data may only be collected for a lawful purpose (e.g. a Sale)

Personal Data must not become dissociated from that purpose and used for another purpose (e.g. Direct Marketing) without the consent of the Data Subject (Opt In or Opt Out?)


T: Transfer of personal data

Transfer of Personal Data to a country outside the EEA* is only permitted if the country in question offers adequate protection

At present only Switzerland meets this requirement

Up to date list at www.dataprotection.org.uk

* EEA = 15 countries of the European Union + Liechtenstein, Norway, Iceland


A: Accuracy of personal data

Personal Data must be kept up to date

Accuracy is the responsibility of the Data Controller, NOT the Data Subject

Data Subjects should be contacted periodically and asked to check that the Personal Data held on them is still valid

Data subjects must have a way of correcting incorrect data


R: Retention of personal data

Personal Data may only be retained for a limited period

Retention period depends on the purpose for which the Personal Data was collected (e.g. Personal Data relating to a Sale might have to be kept for up to 7 years for Tax or VAT purposes, whereas Personal Data collected for a competition only needs to be kept as long as necessary for the running of the competition)


S: Security of personal data

Duty of care towards Data Subjects

Data in the system must be kept safe and secure

Data must not be corrupted or lost (protected against viruses, hackers, theft, accidental or malicious damage, etc.)

Data must not be available to non-authorised people (including in transit), whether inside the organisation or outside the organisation

See Amazon case http://www.junkbusters.com/ht/en/amazon.html#last


Case Study - Amazon

Background documents:

US case against Amazon

http://www.junkbusters.com/ht/en/amazon.html#last

Request from Privacy International to the Information Commissioner to investigate Amazon.co.uk

http://www.privacyinternational.org/issues/compliance/amazon/pi-dpc-complaint-041200.html


Privacy International’s complaint against Amazon.co.uk

Extract* from a letter of 4/12/2000 from Simon Davies, Director of Privacy International, to the Information Commissioner

Quote: “On 14 September I wrote to the Managing Director of Amazon.co.uk 1) requesting access to all information relating to me that Amazon holds, 2) declaring my intention to then demand that Amazon then delete that information, and 3) objecting to the transfer of the data to the US.

His office acknowledged receipt of the letter on 27 October, but I have to date received no further reply.”

* The full text of the letter + the whole exchange of correspondence can be found at http://www.junkbusters.com/amazon.html#last


Data Protection Issues

What are the Data Protection Issues involved?

How should a company respond to a similar request (in order to comply with its obligations under the DPA)?


Revising for Exams

Lecture Notes and other Material discussed in the Lectures (as distributed and/or available on I: drive)

Text book: “Professional Issues in Software Engineering” by Frank Bott et al. (available in the Library). More specifically, concentrate on Chapters 1, 2, 5, 6, 10 and 11, which deal with the material covered (or to be covered) in the Lectures.

FARSTARS and the Data Protection Act (www.dataprotection.gov.uk)

Material available on the web mentioned in the lectures (e.g. in relation to Case Studies)