The Data Protection Act [1998] Lecture 7 – 21st March, 2002 The Data Protection Act [1998] CT218 Professional Issues M. Scheurer, 2002
European Union Data Protection Directive 95/46/EC of the European Parliament Set out principles and required member states’ DP legislation to conform within 3 years Available from European Union Information Society Website: http://europa.eu.int/comm/internal_market/en/ media/index.htm M. Scheurer, 2002 Professional Issues / Lecture
The Data Protection Act The Data Protection Act [1998] (repealed earlier DPA of 1984) Entered into force on 24th October 2001 (End of Transitional Period) All computer professionals should know its main provisions Information on the DPA can be found on the website of the Office of the Information Commission (OIC) http://www.dataprotection.gov.uk M. Scheurer, 2002 Professional Issues / Lecture
8 Principles of Data Protection Data must be: 1 fairly and lawfully processed 2 processed for limited purposes 3 adequate, relevant and not excessive 4 accurate 5 not kept longer than necessary 6 processed in accordance with the data subject's rights 7 secure 8 not transferred to countries without adequate protection M. Scheurer, 2002 Professional Issues / Lecture
Data Protection Act 1998 cont’d Computer professionals should also know the main definitions of the act e.g. data subject, data controller, personal data sensitive personal data the main obligations of any holder of personal data how the act applies to different stakeholders (e.g. customers, employees) M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture FARSTARS Fair Adequate Rights to know Specific purpose Transfer Accuracy Retention Security 1st Principle of DPA 3rd Principle of DPA 6th Principle of DPA 2nd Principle of DPA 8th Principle of DPA 4th Principle of DPA 5th Principle of DPA 7th Principle of DPA M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Fair collection Personal Data must be obtained Fairly and Lawfully Subject has given consent and/or Processing is necessary For the performance of a contract to which the DS is a party For taking steps at request of DS To protect vital interests of DS Special conditions apply to Sensitive Personal Data See Conditions in Schedule 2 of the Act M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Adequate collection Collect enough personal data for the purpose Don’t collect more than necessary for the purpose M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Rights to know Data subjects can request to see ALL the information you hold on them (system must be able to meet this obligation) Data subjects who have given permission for the Processing or retention of Personal Data may change their mind later M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Specific purpose Personal Data may only be collected for a lawful purpose (e.g. a Sale) Personal Data must not become dissociated from that purpose and used for another purpose (e.g. Direct Marketing) without the consent of the Data Subject (Opt In or Opt Out?) M. Scheurer, 2002 Professional Issues / Lecture
Transfer of personal data Transfer of Personal Data to a country outside the EEA* is only permitted if the country in question offers adequate protection At present only Switzerland meets this requirement Up to date list at www.dataprotection.org.uk ----------------------- *EEA = 15 countries of the European Union + Liechtenstein, Norway, Iceland M. Scheurer, 2002 Professional Issues / Lecture
Accuracy of personal data Personal Data must be kept up to date Accuracy is the responsibility of the Data Controller, NOT the Data Subject Data Subjects should be contacted periodically and asked to check that the Personal Data held on them is still valid Data subjects must have a way of correcting incorrect data M. Scheurer, 2002 Professional Issues / Lecture
Retention of personal data Personal Data may only be retained for a limited period Retention period depends on the purpose for which the Personal Data was collected (e.g. Personal Data relating to a Sale might have to be kept for up to 7 years for Tax or VAT purposes whereas Personal Data collected for a competition only needs to be kept as long as necessary for the running of the competition) M. Scheurer, 2002 Professional Issues / Lecture
Security of personal data Duty of care towards Data Subjects Data in the system must be kept safe + secure Data must not be corrupted or lost (protected against viruses, hackers, theft, accidental or malicious damage, etc.) Data must not be available to non authorised people (including in transit) Inside the organisation Outside the organisation See Amazon case http://www.junkbusters.com/ht/en/amazon.html#last M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Case Study - Amazon Background documents US case against Amazon http://www.junkbusters.com/ht/en/amazon.html#last Request from Privacy International to the Information Commissioner to investigate Amazon.co.uk http://www.privacyinternational.org/issues/compliance/amazon/pi-dpc-complaint-041200.html M. Scheurer, 2002 Professional Issues / Lecture
Privacy International’s complaint against Amazon.co.uk Extract* from a letter of 4/12/2000 from Simon Davies, Director of Privacy International, to the Information Commissioner Quote: “On 14 September I wrote to the Managing Director of Amazon.co.uk 1) requesting access to all information relating to me that Amazon holds, 2) declaring my intention to then demand that Amazon then delete that information, and 3) objecting to the transfer of the data to the US His office acknowledged receipt of the letter on 27 October, but I have to date received no further reply. “ ------------------ *The full text of the letter + the whole exchange of correspondence can be found at http://www.junkbusters.com/amazon.html#last M. Scheurer, 2002 Professional Issues / Lecture
Data Protection Issues What are the Data Protection Issues involved? How should a company respond to a similar request (in order to comply with its obligations under the DPA) M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Revising for Exams Lecture Notes and other Material discussed in the Lectures (as distributed and/or available on I: drive) Text book: “Professional Issues in Software Engineering” by Frank Bott et al. (available in the Library). More specifically, concentrate on Chapters 1,2, 5, 6, 10 and 11, which deal with the material covered (or to be covered) in the Lectures. FARSTARS and the Data Protection Act (www.dataprotection.gov.uk) Material available on the web mentioned in the lectures (e.g. in relation to Case Studies) M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Revision for Exams In relation to Case Studies You should be familiar with the case studies mentioned in the lectures and know: What each case is about The parties involved The issues involved The implications of the case for Systems Designers You are not expected to know minor details (such as dates, specific figures, legal references) M. Scheurer, 2002 Professional Issues / Lecture
Professional Issues / Lecture Exam Format Multiple Choice Questions (with negative marking for incorrect answers) Similar (but not identical) to those provided as sample Covering most of the material studied in the Lectures Please Note: Some questions will require more knowledge than can be acquired just by reading and studying the Lecture Notes. This means that in order to answer them correctly, you will have to have studied the relevant chapters of the Text book and/or other handouts and/or the Cases mentioned) M. Scheurer, 2002 Professional Issues / Lecture