I have now been sent copies of two pieces of guidance on the
Internet from the DPC - as this mail list does not allow attachments
I've not attached them but I will forward them to Sally Justice.
(They should be on DPC's website soon).
The relevance to the recent mailings is that they advise
"data subjects" to:
· Consider using reliable encryption techniques for confidential e-mail
· Try and keep up to date with the latest privacy and security risks on
the Internet. Try the Internet search engine facilities using the words
'privacy' and 'security'.
"Data controllers" to:
· Use the most up to date technologies to protect the personal data
collected or stored on your site. Especially sensitive or valuable
information, such as financial details should be protected by reliable
encryption technologies......
This seems to reinforce what Charles Christacopoulos said about use of PGP.
Terry Street
In message <[log in to unmask]>, John MacNeill <J.N.MacNei[log in to unmask]> writes
>You may recall my raising ...
>
>> A question ...
>>
>> Manager A emails manager B with information (taken from electronic or
>> manual records) about job applicants C, D, E, ... and employees J, K, L
>> ...
>> Given the insecurity of email, is there a breach of the 1998 Data
>> Protection Act?
>
>The replies I received are below.
>
>From my non-legal IT perspective, I'd expect that there would be a breach of the
>Act unless
>
>EITHER the email goes no further than the organization's own email server
>
>OR the email is encrypted.
>
>Regarding encryption, Charles Christacopoulos below mentions PGP ["pretty good
>privacy"], which is widely recommended. For email sent in clear text, the advice
>generally is, "Don't write anything that you'd be unhappy to become public."
>Note Karen Mitchell's reference to BS7799.
>
>
>John MacNeill
>_____________________________________________________________________________
>Breach of the Act would only occur if inappropriate measures were
> taken to protect the data, for example the seventh principle was not
> complied with.
>
> Jody Bhoot
> Business consultant
> Leicestershire County Council
>_____________________________________________________________________________
>
>John
>I would say that you have to take into consideration the operating
>environment within the company concerned - if email is always sent
>unencrypted due to lack of resources etc then maybe you'd have a case for
>defending the practice if there are other controls/guidelines in place ...
>on the other hand, it's not a situation I'd be happy to defend given the
>small amount of cost and time involved in putting in encryption software
>these days!
>
>As BS7799 is being recommended as the standard for information security
>management, I'd always feel on firmer ground working within its guidance
>for email transfers of personal data.
>
>Not very helpful I know, but I think a lot of this legislation is open to
>case by case interpretation
>
>Regards.
>
>Karen Jane Mitchell
>Group Records & Data Protection Manager
>The BOC Group plc
>
>*01276 477222
>[log in to unmask]
>_____________________________________________________________________________
>
>Priority: Normal
>Date sent: Thu, 16 Mar 2000 14:18:57 GMT
>Send reply to: [log in to unmask]
>Subject: Re: DPA & email security
>From: Charles Christacopoulos <[log in to unmask]k>
>To: [log in to unmask]
>
>** Reply to note from "John MacNeill" <[log in to unmask]>
>Thu, 16 Mar 2000 09:33:40 +0000 (GMT)
>
>
>> A question ...
>>
>> Manager A emails manager B with information (taken from electronic or
>> manual records) about job applicants C, D, E, ... and employees J, K, L
>> ...
>>
>> Given the insecurity of email, is there a breach of the 1998 Data
>> Protection Act?
>
>Under the previous Act (I see no reason why it should still not be the
>case) you had to take adequate precautions to safeguard the data. Don't
>ask for any reference, I read it or found it and the ref. is inside my
>head.
>
>That is, you should use PGP and not e-mail disclaimers. I would say if you
>used PGP you'll be covered. As far as disclaimers go, check:
>
>http://somis.ais.dundee.ac.uk/dataprotect/emaildis/emaildis.htm
>
>If anyone wishes to donate their disclaimer to stick on my page you shall
>get listed there.
>
>Charles
>
>==============================================
>Charles Christacopoulos, Secretary's Office, University of Dundee,
>Dundee DD1 4HN, (Scotland) United Kingdom.
>Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
>http://somis.ais.dundee.ac.uk/
>Scottish Search Maestro http://somis2.ais.dundee.ac.uk
>
>_____________________________________________________________________________
>
>Date sent: Sat, 18 Mar 2000 17:34:27 -0000
>Subject: Re: DPA & email security
>From: "Ian Welton" <[log in to unmask]>
>To: <[log in to unmask]>
>Copies to: <[log in to unmask]>, <[log in to unmask]rwick.ac.uk>
>Send reply to: "Ian Welton" <[log in to unmask]>
>
>The references come out of principle eight of the 1984 act and associated
>guidance.
>
>One area you should look at carefully is your e-mail policy. Does it
>clearly state what e-mail can/cannot be used for?
>
>Ian
>_____________________________________________________________________________
>
Terry Street - Consultant - Specialist in Legislation and IT
Email mailto:[log in to unmask] Tel. 024 76417574 Mobile 07785 916060
....."Ignorance is no defence in a court of Law"
Visit my web site http://www.tstreet.demon.co.uk