Can anyone advise if I've got the DPC guidance right regarding e-mail?
It suggests that data controllers and users should use available
technology (e.g. encryption) to protect personal details sent via
e-mail (see extract below).
It is also recommended best practice for organisations to monitor use of
e-mail for cases of misuse. (This mail list discussed the need for
employees' consent etc.)
There seems to be a potential problem here:
If an organisation is to monitor e-mail does this imply whoever monitors
the e-mail needs to have the keys so they can inspect encrypted mail to
see if it is appropriate use of the system?
Can employers legitimately decrypt staff mail, or if it contained
personal sensitive information would doing so be a breach of the Data
Protection Act?
......... has anyone considered this and set an appropriate policy?
Terry Street
------------------------------------------------------------------
I have highlighted one point from the page for Data Controllers titled
Protection of Privacy on the Internet - Jan 2000 Version 4
"In using the Internet for their business dealings, data controllers
must take into account the privacy rights of individuals and their own
responsibilities under privacy and data protection legislation. The
following points should be considered by data controllers in planning
their Internet strategies........
· Use the most up to date technologies to protect the personal data
collected or stored on your site. Especially sensitive or valuable
information, such as financial details should be protected by reliable
encryption technologies."
This seems pretty explicit and by extension sensitive data being
transmitted e.g. in e-mail should be encrypted at least with PGP which
is available fairly generally.
This is reinforced in the guidance to data subjects Protection of
Privacy on the Internet Jan 2000 Version 4
"It is easy to see and understand the benefits the Internet offers
individuals, allowing immediate access to global information and markets
and facilitating direct global communications. It is however worth
remembering a few points...........:
· Consider using reliable encryption techniques for confidential e-mail
· Try and keep up to date with the latest privacy and security risks on
the Internet. Try the Internet search engine facilities using the words
'privacy' and 'security'."
Terry Street