Page 246 - E-Business and E-Commerce Management: Strategy, Implementation, and Practice
Chapter 4 E-environment 213
Data protection legislation is enacted to protect the individual, to protect their privacy
and to prevent misuse of their personal data. Indeed, the first article of the European Union
directive 95/46/EC (see http://ec.europa.eu/justice_home/fsj/privacy/) on which legislation
in individual European countries is based, specifically refers to personal data. It says:
Member states shall protect the fundamental rights and freedoms of natural persons [i.e.
a named individual at home or at work], and in particular their right to privacy with respect
to the processing of personal data.
In the UK, the enactment of the European legislation is the Data Protection Act 1984, 1998
(DPA). It is managed by the ‘Information Commissioner’ and summarized at
www.informationcommissioner.gov.uk. This law is typical of what has evolved in many
countries to help protect personal information. Any company that holds personal data on
computers or on file about customers or employees must be registered with the data
protection registrar (although there are some exceptions which may exclude small businesses).
This process is known as notification.

Personal data: Any information about an individual stored by companies concerning their
customers or employees.

Notification: The process whereby companies register with the data protection registrar to
inform about their data holdings.

The guidelines on the eight data protection principles are produced by legal requirements
of the 1998 UK Data Protection Act, on which this overview is based. These principles state
that personal data should be:
1 Fairly and lawfully processed.
In full: ‘Personal data shall be processed fairly and lawfully and, in particular, shall not be
processed unless – at least one of the conditions in Schedule 2 is met; and in the case of sensi-
tive personal data, at least one of the conditions in Schedule 3 is also met.’
The Information Commissioner has produced a ‘fair processing code’ which suggests how
an organization needs to achieve ‘fair and lawful processing’ under the details of schedules
2 and 3 of the Act. This requires:
• Appointment of a data controller who is a person with defined responsibility for data
  protection within a company.
• Clear details in communications such as on a web site or direct mail of how a ‘data
  subject’ can contact the data controller or a representative.
• Before data processing ‘the data subject has given his consent’ or the processing must be
  necessary either for a ‘contract to which the data subject is a party’ (for example as part of
  a sale of a product) or because it is required by other laws. Consent is defined in the
  published guidelines as ‘any freely given specific and informed indication of his wishes by
  which the data subject signifies his agreement to personal data relating to him being processed’.
• Sensitive personal data require particular care; these include:
  – the racial or ethnic origin of the data subject;
  – political opinions;
  – religious beliefs or other beliefs of a similar nature;
  – membership of a trade union;
  – physical or mental health or condition;
  – sexual life;
  – the commission or alleged commission or proceedings of any offence.
• No other laws must be broken in processing the data.

Data controller: Each company must have a defined person responsible for data protection.

Data subject: The legal term to refer to the individual whose data are held.
2 Processed for limited purposes.
In full: ‘Personal data shall be obtained only for one or more specified and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose or those purposes.’
This implies that the organization must make it clear why and how the data will be
processed at the point of collection. For example, an organization has to explain how your
data will be used if you provide your details on a web site when entering a prize draw. You
would also have to agree (give consent) for further communications from the company.
Figure 4.8 suggests some of the issues that should be considered when a data subject is
informed of how the data will be used. Important issues are: