Components of the Data Protection Act
By Cloud Direct • 01 Dec 2009
Many small businesses assume that they do not need to worry about the Data Protection Act (DPA). They are wrong. All companies and organisations, no matter how large or small, are subject to the DPA, and negligence can result in personal liability for directors and damages claims against companies. This is particularly worrying because the Information Commissioner's Office (ICO) latest report indicates that just under half of all small-medium businesses are unaware of these implications - meaning they may or may not be compliant.
Incidents of data exposure have started to become more prominent in the media. Last week I blogged about how this coverage has finally prompted the ICO into taking stronger action against non-compliance. But while there has been plenty of huff and puff messaging about the consequences, little information has been available about how the DPA might actually affect the small-medium business.
Essentially, the Data Protection Act applies to all organisations that 'process' information about other people for business purposes. This information can relate to anybody, from customers and suppliers to staff. A couple of weeks ago I talked about PCI compliance, which is a particularly important part of the DPA. PCI compliance relates to customer credit card information and how organisations still hold details for future reference even after the initial transaction has taken place. That data needs to be kept secure and encrypted because its exposure is a serious breach of confidentiality. But while PCI compliance is a big part of the Data Protection Act, it is not just credit card data that needs protecting.
According to the DPA, information is sensitive if it covers any of the following areas:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Trade union membership
- Physical or mental health or condition
- Sexual orientation
- Commission (or alleged commission) of criminal offences
- Proceedings being brought in connection with the commission or alleged commission of any offence
...and there are eight data protection principles:
- Information must be processed fairly and lawfully
- It must be processed for limited purposes
- It must be adequate, relevant and not excessive
- It must be accurate and up to date
- It should be held for no longer than necessary
- It should be processed in accordance with the subject's rights
- It must be kept securely
- If you are transferring data to other countries, ensure there is adequate protection for an individual's rights
The last two points are of particular importance. Some companies in the UK might think that they are compliant under the measures they currently use, but they are not. For example, data backed up to tape or hard drive is rarely encrypted, leaving it vulnerable to theft and misuse. And companies that think they are doing the right thing by using online backup companies in the US are in direct breach of principle 8. Data protection laws differ across the pond because the US government can, on a whim, search through data stored in private data centres without consent due to the Patriot Act.
The reality is that effective data management in small-medium companies has become more difficult because data is growing at a rapid rate. To maintain a reputation as a compliant company, SMEs need to start adopting a long-term vision for data protection. They need data protection solutions that can scale easily and comply at the same time. For more information on the requirements of the Data Protection Act (1998) visit http://www.ico.gov.uk/what_we_cover/data_protection.aspx.