e-business basics - Data Protection
In the UK, data protection laws have been passed since 1984, and these regulations have been refined and extended since then, in some instances specifically to deal with issues arising from eBusiness. The relevant legislation is increasingly driven by EU Directives. Any business that gathers personal data is required to register under the Data Protection Act, and to comply with its obligations under the Act.
The regulations can be summarised as follows:
- Processing of data must be fair and lawful, so eBusinesses must inform individuals how their data will be used, and they are likely to require consent to the data being processed. Responsible eBusinesses therefore publish their website privacy policy on the use of personal data and may require customers to acknowledge that they have read and understood it and consent to its terms.
- Data must be accurate and, where necessary, up to date.
- Data should only be kept for as long as it is needed for the purposes for which it was obtained.
- Data must be kept secure, using appropriate techniques and technology to prevent unauthorised or unlawful use of the data, or their accidental loss or destruction.
- Use of data shall be adequate, relevant and non-excessive. In particular, businesses should be wary of gathering ‘sensitive’ data, such as racial or ethnic origin, political opinions, religious or similar beliefs and so on.
- Firms shall not send unsolicited junk faxes or make cold calls when the individual has either notified them that they do not wish to receive unsolicited marketing communications, or has registered with the Fax or Telephone Preference Service. eBusiness terms and conditions – whether on paper or on a registration web page – should offer a tick box to ‘opt out’ from (or even, to ‘opt in’ to) receiving marketing communications.
- If third parties are used to process the data, they must provide a written undertaking only to use the data as instructed to do so and to meet the security obligations mentioned above.
- Transfers abroad – data can only be transferred from the UK to a non-EU country if that country offers equivalent data protection rights to the UK.
- Notification – the Office of the Information Commissioner (OIC, formerly the Data Protection Registrar) must be notified annually of all purposes for which data are processed.
These regulations apply not only to computerised data, but to any data that could be processed or used to reference a living individual. This could include written records, film (including images on CCTV), tape, microfiche, CD-ROM and so on. The use by a business of information relating to its customers, suppliers, agents, employees or contractors could all be regulated.
Author: Steve Whiteley, January 2007