Tuesday, 26 May 2009

The plot thickens...

Spurred into action by a reader, I've brought forward this epistle, which deals with personal data.

The UK has a fairly tough Data Protection Act, but there's one important thing to remember about it: in the main, it applies only to personal data. Okay, but exactly what does that constitute?

The Data Protection Act 1998 applies only to personal data about a living, identifiable individual. From the Act itself:

Personal data is “… data which relate to a living individual who can be identified - (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

Perhaps the most important aspect regarding collection and use of personal data via websites is:

“The data subject has given his consent to the processing.“ (Data Protection Act 1998, Schedule 2, paragraph 2)

The definition of personal data is highly complex, so for day to day purposes it's best to assume that all information about a living, identifiable individual is personal data.

There are eight data protection principles, some of which aren't strictly likely to involve the average forum or blog owner. However, the three which do can be tricky:


  • 2nd principle
  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • 6th principle
  • Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • 8th principle
  • Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

The last one is what should concern any blog or forum owner thinking of publishing personal data on an individual. Essentially, because of the very nature of the internet, anything published on it can be seen world-wide.

Finally, there's what's called 'sensitive' personal data. That's the sort the government loses on an almost daily basis, by the way. It includes

* racial or ethnic origin;
* political opinions;
* religious beliefs;
* trade union membership;
* physical of mental health;
* sexual life;
* commission of offences or alleged offences.


Thus, no blog or forum owner should ever publish sensitive details about individuals if they wish to escape prosecution and it would generally be wise to avoid ever publishing details such as full name, address and telephone number unless the individual concerned has consented to it being published in that way by that website.

No comments: