10 replies to this topic

[rolf]

Someone has asked me to make a pretty simple customer database for them.

It seems as though some of the data they want to store may break the Data Protection Act, although I'm no expert on this particular issue. I have told them my concern and they've said that these customers have asked them to store this info for convenience so they don't think it's a problem.

If I build the database as they want, do I have any liability if it turns out they are breaking the DPA? how could I find out if they're breaking the DPA without too much hassle? This is a small job and it doesn't justify hours of research, but obviously I don't want to shoot myself in the foot either.

Thanks in advance.

[NASA]

The company collecting the data and storing the data, MUST apply for a Data Protection Certificate.

It identifies them as data custodians and that they will adhere the DPA 1984/1998 act and the data priciples.

Your obligations require you to store the data in a safe place, to ensure the acuracy of the data, to make the data avaiablable to the relevant person who the data relates to and allow them to alert you of inaccuracies and changes to the data held.

Just because you wrote the DB system, does not hold you liable for the use of the data nor does it make you in any way liable as data custodian.

That's like saying Smith & Western are responsible / liable for the people that get shot with their guns!

Also only the company needs to hold a DPA certificate NOT an individual!

However, if you keep electronic data records of your own clients, your company needs to hold a DPA certificate and adhere to the DPA principles of data security and integrity.

At the end of the day, it's about £25.00 per year, so for any profitable company, there is no reason to not just get one and be done with it.

for reference visit the Information Commisioners Office http://www.ico.gov.uk/

[rolf]

Thanks for clearing that up NASA.

That's like saying Smith & Western are responsible / liable for the people that get shot with their guns!

I entirely agree, but there are some people who really do think that. Considering that, plus logic doesn't always enter UK law, I just wanted to be sure before taking on a small job that ends up coming back to bite me.

Thanks again.

[Randy]

Obviously I don't know the ins and outs of the DPA since it's a UK thing, but as the constructor of the DB I would make darned sure of two things to eliminate any liability issues.

1. Make darned sure you're storing and sending it in a secure manner while you're working on the project. eg I wouldn't under any circumstance email the db back and forth since email is notoriously UNsecure. Either deliver it via cd or upload it directly to a secure location on a server.

2. Once the project is done and over make sure you wipe out the personal data contained in the database from your computer.

FWIW, I'd treat it with kid gloves since technically the company who hired you should have included some sort of statement in your contract with them before they handed over the data. It doesn't sound like they did that, so I'd like you I'd want to make sure I took every step to protect myself. No need in getting caught up in someone elses mess.

[NASA]

Either deliver it via cd

NOOOOOO don't do that!

I'll forgive you Randy as you may not be aware of the UK government balls up regarding data loss via cd's in the post... on more than one occasion

http://news.bbc.co.u...ics/7935210.stm

http://news.bbc.co.u...ics/7103566.stm

http://www.publictec...h...e&sid=13190

If you must send in post on CD, encrypt it, password protect it and send it recorded, special, it better bloody get there parcel force post!

Also if you are going to FTP , ensure you use sFTP just to be sure! or if like me you have an encrypted VPN connection to the server use that.

When it comes to DPA, it never hurts to cover your ass and then some!

[Randy]

I didn't say post it or mail it. I said deliver it. As in by hand or insured courier.

Sorry, should have been more clear on that.

But in any case I'd password protect it to make sure the data didn't end up in the wrong hands via someone else's screw up. Before, during or after delivery. Not because some regulation might say you should, but because it's the right thing to do.

[NASA]

I didn't say post it or mail it. I said deliver it. As in by hand or insured courier.

Sorry, should have been more clear on that.

touche!

But it's good we cleared that up

Not because some regulation might say you should, but because it's the right thing to do.

spot on, I'm forever battling with my employers over this, and we have regulations to adhere to, but they still cannot see the plain and simple point of it just being the right, sensible thing to do regardless.

We have the technology to encrypt the data and store it on an SSL encrypted , password protected area of the website, I can then ring the recipient, and tell them the pword over the phone, once downloaded , delete the file from the server.

But no, my employer still emails an entire DB in spreadsheet format. There's no helping some peope!

Edited by NASA, 17 April 2009 - 08:53 AM.

[rolf]

good advice, thanks, I'll definitely be careful with the data.

I think (hope) the way it will work in practice is that I'll build the db at my office with a sample set of fake data and then will install the full set when I set it all up on their premises - but I'll be sure to move it manually on a CD if that's not possible for some reason. Their place is only a 2 minute drive from here so it's no problem.

Cheers

[NASA]

Their place is only a 2 minute drive from here so it's no problem.

well why didn't you say so, that makes it a 10 minute walk!

crickey you could send it by pigeon!

[MaKa]

Have to ensure it's a secure pigeon though, don't Google offer those?

[rolf]

crickey you could send it by pigeon!

now you're being ridiculous - I'm not going to use my carrier pigeons on any journey less that 10 miles!