Privacy of Data in ICT System
Many organisations now store people’s details electronically. For example, your doctor stores details about your health and the bank stores information about your financial transactions.
The increase in storing people’s details on computers has begun to worry people. Their main concerns are:
•Who would be able to access this information? There is a fear that personal data could be accessed by unauthorised people who could use it to defraud an individual.
•Is the data stored accurate? If it is stored, processed and transmitted by computer, who will check that it is accurate? Inaccurate personal data that is stored could have an adverse effect on an individual.
•Will the data be sold to another company?
•How long will this data be kept for? As it is very easy to store vast amounts of data, will data about the person be stored even if it is not needed?
Personal data covers both facts and opinions about a living person. Facts are pieces of information, such as name and address. Personal opinions such as political or religious views are also deemed to be personal data.
Data Protection Legislation
The 1984 Act is a law that sets out regulations for storing personal data that is automatically processed. The Data Protection Act 1998 strengthened the 1984 Act and enshrined the European Union directive on data protection into UK law. This means that UK law is in line with the data protection laws in all the other countries in the European Union.
What the DPA 1998 says
The Data Protection Act 1998 sets rules for the electronic processing of personal information. The law refers to:
•Data subjects – people whose personal data is being processed.
•Data controllers – people or organisations who process personal data
The law works in two ways:
•Data subjects have certain rights
•Data controllers must follow good information-handling practice.
Data Controllers must follow 8 data protection principles. They must register the fact that they are storing personal data with a government official called the Information Commissioner. The following must be registered:
•The data controller’s name and address
•A description of the data being processed
•The purpose for which the information will be used
•From whom the information was obtained
•To whom the information will be disclosed and countries to which the data may be transferred.
The Data Protection Principles
The data protection principles say that data must be:
1. Fairly and lawfully processed - means you can’t collect data for one purpose and then use it for another purpose without the permission of the data subject.
2. Processed for registered purpose - means that if a company intends to sell data on to another company it must register this with the Information Commissioner.
3. Adequate, relevant and not excessive - means that any irrelevant data should be deleted
4. Accurate and up to date - means that the organisation must take steps to ensure that its data is accurate
5. Not kept for longer than necessary
6. Processed in line with your rights - means that data subjects have the right to inspect the data held on them.
7. Secure - means that appropriate technological security measures must be taken to prevent unauthorised access.
8. Not transferred to countries without adequate protection - means that personal data can’t be transferred to countries outside the EU unless the country provides an adequate level of protection.
Consent for Data
Suppose you apply for a supermarket loyalty card. The supermarket needs to store and process your personal details as part of their normal work. They do not need your consent to do this - you agreed to this when you applied for the card. However, the supermarket cannot pass your details on to another company without your consent.
At any time you can write to an organisation that is sending you junk mail asking them to stop processing any data about you.
Exemptions from the Act
Information is exempt from the principles of the Data Protection Act if it is used:
- To safeguard national security
- To prevent and detect crime
- To collect taxes
Personal data relating to someone’s family or household affairs does not need to be registered.
The commissioner has the responsibility of ensuring that the data protection legislation is enforced.
They keep a public register of data controllers. Each register entry must include the name and address of the data controllers as well as a description of the processing of personal data carried out under the control of the data controller. An individual can consult the register to find out what processing of personal data is being carried out by a particular data controller.
The Data Protection Act 1998 required every data controller who is processing personal data to notify the commission unless one of the exemptions applies. A complete copy of the public register is kept at the commission office and is updated every week.
Other duties of the Commissioner include promoting good information handling. As well as keeping the register of data controllers, the Information Commissioner also gives advice on information handling practice and encourages data controllers to develop suitable codes of practice.
Intrinsic Value of Data
It is hard to put a monetary value on most data that is stored in an ICT system. However, this does not mean that the data has no value to the organisation. The availability and flow of data will affect the performance of a company. In extreme cases, the loss or corruption of data could cause the business to fail.
Data has an intrinsic value - a value in its own right. It is easiest to understand this by looking at the consequences that arise if data is lost. Value is often determined by demand and supply. The information in its own right is valuable.
Commercial Value of Data
Commercial value means that the data has a financial value. Its value might be determined by how much time and effort it takes to collect the data.
Data can have a financial value. In many ways, it is a commodity like oil, gold or wheat. An organisation may build up a database consisting of names and addresses of customers or contacts that would be valuable to another organisation.
The organisation could collect the name and address data for itself, rather than purchase it from the charity, perhaps by undertaking a survey. However, this method of obtaining the data would be more expensive and time consuming than purchasing it from a charity.
Whenever goods are purchased by telephone, mail order or online via the Internet, data about the customer is gathered; whenever a form requesting a "special offer" for goods or information is sent to a newspaper or magazine, whenever a person enters a competition, the consumer's details are likely to be stored electronically.
Organisations have a legal requirement to ask customers if their data can be passed on to others. This is often done by using a tick box with a message.
Much data is freely available to the public. The electoral register is compiled by local councils and lists the names and addresses of people entitled to vote in elections. There are a number of things that can be deduced from this information which businesses might find valuable.
Data is valuable and there are costs involved in collecting it. Even when data is available free, there are labour costs in entering the data and converting it into a suitable electronic format. The electoral register on paper is not very convenient.
Companies resell the electoral roll in electronic format. They say this electronic format is useful for:
- Direct marketing campaigns
- Political campaigns
- Data analysis, capture and validation
- Software development