The Data Protection Act

Principles & Safe Storage Of Your Data

There are eight enforceable principles of good practice when it comes to storing data. These are related to the processing of personal data.

The 8 principles of the Data Protection Act state that the data must be:

  • Fair and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept for longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to countries without adequate protection

The dangers of storing your data in the US

Safe Harbour is the data protection agreement between the US and the European Union, which allows the data owner to store their company data offshore and outside of the EU.

It is based around a company’s privacy policy which needs to be consistent with the EU principles for data protection.

The agreement itself is a compromise stemming from US-EU wrangles over the European Directive on Data Privacy.

This requires that companies exporting data on EU citizens meet EU privacy protection standards.

Safe Harbour allows US companies to register and get certified as clean, without it being necessary for the US itself to change its current approach to privacy protection.

But the most important thing to remember is that ‘Safe Harbour’ is self-regulated, so if something were to happen to the integrity of your data while it is stored in the US, it is the responsibility of the data owner and not your supplier.

Here is a summary of the checklists your data will go through when it is stored in the US under the Safe Harbour scheme. Please note that most of these break the UK Data Protection Act:

Notice:

Notice involves informing online and offline users, in a clear and conspicuous manner, about the purpose(s) for which information about them is collected and used; the choice mechanism(s) available for limiting use and transfer; the types of third parties to which data is transferred; and how to contact the organisation for enquiries or complaints.

Choice:

Choice involves offering users a clear and conspicuous opt-out mechanism for any secondary uses of data and for disclosures to third parties.

Opt-in choice must be available for sensitive information such as medical or health conditions, race or ethnic origins, political opinions, or religious or philosophical beliefs.

Access:

Access involves ensuring that individuals can obtain reasonable access to personal information about them held by the organisation.

With some exceptions, organisations must provide consumers with the ability to correct, amend or delete information that is inaccurate.

Security:

Security ensures that an organisation takes reasonable precautions to protect personal information from loss, misuse, unauthorised access, unauthorised disclosure, unauthorised alteration and unauthorised destruction.

This involves technologies such as encryption, access controls and physical security of the data.

Enforcement:

The enforcement mechanism requires the existence of a readily available and affordable independent recourse for individuals, as well as consequences for the organisation when the principles are not followed.

Onward transfer:

Onward transfer dictates that an organisation disclosing personal data to a third party must adhere to the Notice and Choice principles, unless the third party is acting as an agent of the company; and either the third party specifies, by way of a contract, that it provides at least the same level of protection as is required by the relevant principles, or the third party subscribes to the Safe Harbour Principles or is subject to the EU directive or another adequacy finding by the EU.

Data integrity:

Data integrity means that personal information collected must be relevant to the purposes stated in the notice, and that reasonable steps should be taken to ensure that the data is reliable, accurate, complete and current.

The main areas where you will find yourself in breach of the Data Protection Act:

Data Privacy Law:

Under Data Protection Principle 7 of the Directive, the person supplying the information to you can rightfully assume that you, the data owner, will look after their information in line with the DPA.

Unless you specifically informed the individual that their data will be stored outside of the EU and have a written agreement from them, then the data MUST be stored within the DPA regulations, such as with a company who fully complies with the Safe Harbour process.

It is your responsibility to ensure that the company who are managing your data have suitable security measures in place.

EU Data Privacy Law:

Data Protection Principle 8 prohibits any export of personal data from the EEA (European Union, plus Iceland, Liechtenstein and Norway), unless one of six compliant “gateways” is available:

  • The importing state has “adequate” data protection laws. US laws are not regarded as “adequate”.
  • The data subject has given “unambiguous consent” to export: “any freely given, specific and informed indication of the data subject’s wishes by which he/she signifies his/her agreement to his/her data being processed”.
  • The export is “necessary” for the fulfilment of a contract between the data subject and the data controller… Commercial convenience will NOT qualify.
  • The importing entity is in the US and has signed up to “Safe Harbour”.
  • The exporting and importing companies are members of the same group of companies and the group has opted for the “Binding Corporate Rules” gateway.
  • The import is governed by a contract between exporter and importer which includes EU-approved model clauses.

In summary, it is a political minefield to store your data outside of the European Union.

Even if your data is B2B, should you have anything stored which reflects the individual as a person then you could be breaching the laws of the DPA.

This does not just apply to your Email Marketing data lists, but all of your company’s data storage, such as your CRM system.

For those of you who feel faint now, there is one bit of good news – Microsoft has adopted the European Union guidelines and as such is fully compliant with the European Data Protection Act.

See www.ico.gov.uk for more information.