You may recall my raising ...
> A question ...
>
> Manager A emails manager B with information (taken from electronic or
> manual records) about job applicants C, D, E, ... and employees J, K, L
> ...
> Given the insecurity of email, is there a breach of the 1998 Data
> Protection Act?
The replies I received are below.
From my non-legal IT perspective, I'd expect that there would be a breach of the act unless
EITHER the email goes no further than the organization's own email server
OR the email is encrypted.
Regarding encryption, Charles Christacopoulos below mentions PGP ["pretty good privacy"], which is widely
recommended. For email sent in clear text, the advice generally is, "Don't write anything that you'd be unhappy to
become public." Note Karen Mitchell's reference to BS7799.
John MacNeill
_____________________________________________________________________________
Breach of the Act would only occur if inappropriate measures were
taken to protect the data, for example the seventh principle was not
complied with.
Jody Bhoot
Business consultant
Leicestershire County Council
_____________________________________________________________________________
John
I would say that you have to take into consideration the operating
environment within the company concerned - if email is always sent
unencrypted due to lack of resources etc then maybe you'd have a case for
defending the practice if there are other controls/guidelines in place ...
on the other hand, it's not a situation I'd be happy to defend given the
small amount of cost and time involved in putting in encryption software
these days!
As BS7799 is being recommended as the standard for information security
management I'd always feel on firmer ground working within its guidance
for email transfers of personal data
Not very helpful I know, but I think a lot of this legislation is open to
case by case interpretation
Regards.
Karen Jane Mitchell
Group Records & Data Protection Manager
The BOC Group plc
*01276 477222
[log in to unmask]
_____________________________________________________________________________
Priority: Normal
Date sent: Thu, 16 Mar 2000 14:18:57 GMT
Send reply to: [log in to unmask]
Subject: Re: DPA & email security
From: Charles Christacopoulos <[log in to unmask]>
To: [log in to unmask]
** Reply to note from "John MacNeill" <[log in to unmask]>
Thu, 16 Mar 2000 09:33:40 +0000 (GMT)
> A question ...
>
> Manager A emails manager B with information (taken from electronic or
> manual records) about job applicants C, D, E, ... and employees J, K, L
> ...
>
> Given the insecurity of email, is there a breach of the 1998 Data
> Protection Act?
Under the previous Act (I see no reason why it should still not be the
case) you had to take adequate precautions to safeguard the data. Don't
ask for any reference, I read it or found it and the ref. is inside my
head.
That is you should use PGP and not email disclaimers. I would say if you
used PGP you'll be covered. As far as disclaimers go, check:
http://somis.ais.dundee.ac.uk/dataprotect/emaildis/emaildis.htm
If anyone wishes to donate their disclaimer to stick on my page you shall
get listed there.
Charles
==============================================
Charles Christacopoulos, Secretary's Office, University of Dundee,
Dundee DD1 4HN, (Scotland) United Kingdom.
Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
http://somis.ais.dundee.ac.uk/
Scottish Search Maestro http://somis2.ais.dundee.ac.uk
_____________________________________________________________________________
Date sent: Sat, 18 Mar 2000 17:34:27 -0000
Subject: Re: DPA & email security
From: "Ian Welton" <[log in to unmask]>
To: <[log in to unmask]>
Copies to: <[log in to unmask]>, <[log in to unmask]>
Send reply to: "Ian Welton" <[log in to unmask]>
The references come out of principle eight of the 1984 act and associated
guidance.
One area you should look at carefully is your e-mail policy. Does it
clearly state what e-mail can/cannot be used for?
Ian
_____________________________________________________________________________