e-business basics - Data Protection
In the UK, data protection laws have been passed since 1984, and these regulations have been refined and extended since then, in some instances specifically to deal with issues arising from eBusiness. The relevant legislation is increasingly driven by EU Directives. Any business that gathers personal data is required to register under the Data Protection Act, and to comply with its obligations under the Act.
The regulations can be summarised as follows:
- Processing of data must be fair and lawful, so eBusinesses must inform individuals how their data will be used and they are likely to require consent to the data being processed. Responsible eBusinesses therefore publish their website privacy policy on use of personal data and may require customers to acknowledge that they have read and understood it and consent to its terms.
- Data must be accurate and, where necessary, up to date.
- Data should only be kept for as long as it is needed for the purposes for which it was obtained.
- Data must be kept secure, using appropriate techniques and technology to prevent unauthorised or unlawful use of the data, or their accidental loss or destruction.
- Use of data shall be adequate, relevant and non-excessive. In particular, businesses should be wary of gathering ‘sensitive’ data, such as racial or ethnic origin, political opinions, religious or similar beliefs and so on.
- Firms shall not make unsolicited junk faxes or cold calls when the individual has either notified them to state that they do not wish to receive unsolicited marketing communications, or if they have registered with the Fax or Telephone Preference Service. eBusiness terms and conditions – whether on paper or on a registration web page - should offer a tick box to ‘opt out’ from (or even, to ‘opt in’ to) receiving marketing communications.
- If third parties are used to process the data, they must provide a written undertaking only to use the data as instructed to do so and to meet the security obligations mentioned above.
- Transfers abroad – data can only be transferred from the UK to a non-EU country if that country offers equivalent data protection rights to the UK.
- Notification – the Office of the Information Commissioner (OIC, formerly the Data Protection Registrar) must be notified annually of all purposes for which data are processed.
These regulations apply not only to computerised data, but to any data that could be processed or used to reference a living individual. This could include written records, film (including images on CCTV), tape, microfiche, CD-ROM and so on. The use by a business of information relating to its customers, suppliers, agents, employees or contractors could all be regulated.
Author: Steve Whiteley, January 2007