How's your data protection policy doing?

  Forum Editor 15:14 03 Feb 2008

If your business is in the habit of collecting and processing personal data from customers, or potential customers, it's worth thinking about your responsibilities as a data processor.

Broadly speaking, the purpose of the Data Protection Act 1998 is to ensure that individuals and companies who/which process information about living, identified or identifiable individuals do so in a manner that properly safeguards that information from unlawful disclosure to third parties. The kind of personal information that is protected under the act is names and addresses, bank details, and opinions expressed about an individual - perhaps by a senior manager about an individual worker in an internal company assessment document.

There are eight guiding principles as far as Data protection is concerned, and they are that data is/are:

1. processed fairly and lawfully

2. processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose

3. adequate, relevant and not excessive

4. accurate and, where necessary, kept up to date

5. kept for no longer than is necessary for the purpose for which it is being used

6. processed in line with the rights of individuals

7. kept secure with appropriate technical and organisational measures taken to protect the information

8. not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred

Lots more about how to comply with the law here:

click here

  Chris the Ancient 17:59 03 Feb 2008

I do have a database of my customers which I carry on a laptop when I'm working. That laptop never leaves my sight.

If the laptop is opened by anyone other than myself, they have to know the Windows logon password.

Basic details, only, are kept; which includes various personal details - which *could* be of potential use to somebody else (fortunately, no bank or similar details). However, any given customer would only ever see their own personal details.

The database is downloaded to my home pc each evening (as a refresher and back up) and that pc is similarly logon protected. My 'office' is monitored in my absence by a webcam and associated security software recording.

All people actively on the database are aware of what their record contains and the associated protection that is applied to their data.

I just hope to goodness that all that would satisfy the powers that be!


  crosstrainer 06:33 04 Feb 2008

Of TrueCrypt has just been released. If you are at all concerned about sensitive data, it's a good place to start. It is (apparently) US military approved.

I too keep data on my laptop (encrypted) but it is never left unattended...EVER!

click here

  Forum Editor 19:35 05 Feb 2008

Do you process the data in any way?

If you are a small business, and you process data only for:

1. staff administration (including payroll)

2. advertising, marketing and public relations

3. accounts

You're OK, but otherwise, if you retain people's private data, and process it for any purpose within your business you must, by law, register as a data controller with the Information Commissioner. Basically, if you collect and hold personal data on a computer you are processing it, and must notify the Commissioner.

  LastChip 20:27 05 Feb 2008

Do be aware, that IF your laptop were ever stolen, that data could be accessed within a maximum of 10 minutes. I could certainly guarantee doing it in that time if all the protection you have is a Windows password and the laptop was undamaged.

The only reasonably safe way to protect it, is as crosstrainer has already suggested; encryption.

To my mind, there have now been too many data losses via laptops, and legislation demanding encryption on laptops, is long overdue.

  Forum Editor 22:39 05 Feb 2008

"legislation demanding encryption on laptops, is long overdue."


You're not seriously suggesting that there should be a law requiring all laptops to have data-encryption technology, are you? I'm sure you must be joking, but I thought I should check.

  LastChip 23:02 05 Feb 2008

If they hold data that comes under the control of the Data Protection Act, then, having been the victim of a major financial institution's stolen laptop, it seems to me perfectly reasonable to protect that data by all available means.

As you seem to be fond of, you have only used part of my sentence, which in its entirety, referred to data loss, although, on re-reading my post, I have to admit it could be misinterpreted.

I really do not understand the reluctance of institutions to use encryption on mobile equipment. If they won't use best practice and do it voluntarily, then place legislation on the statute book that forces the issue.

If there is some valid reason for not doing it, I'll be happy for you to explain it to me, because I simply do not understand why I and millions of others, should be put at risk.

If you are suggesting laptops used for personal use that hold no such data, then of course not. That's a matter for the individual.

  Chris the Ancient 09:10 06 Feb 2008


Basically, my database is a record of customer names and addresses, record of training and their account status - and that's all. The accounts part of it forms an 'essential' part of my tax return accounting.


The laptop is not left in the car if I'm not in the car. It stays with me. After all, it has my 'life' on it and I wouldn't want to lose that! And if I'm home and the laptop comes in with me, it stays near my desktop which makes them both covered by a security system.

However, thinking further, I shall use Access's methodology to protect the database as a 2nd-tier security.


  Forum Editor 18:45 06 Feb 2008

The Data Protection Act already requires data controllers to safeguard private data. What we need isn't another law, as you seem to be suggesting, but the injection of some common sense into those whose work involves holding/moving data from one place to another.

Trying to enforce a law that said company laptops must have data-encryption technology but personal ones need not have it would be a nightmare - think about it for a second and you'll realise that.

So far I haven't heard of anyone who has suffered any kind of loss as a result of the mishandling of their personal details in the recent high-profile cases, but of course that's not a reason for ignoring the lesson - I imagine that civil service and military laptops are all in the process of having data-encryption upgrades.

  Forum Editor 18:50 06 Feb 2008

It might be worth checking the Information Commission's online notification assessor - that will tell you whether or not you need to register:

click here

  Chris the Ancient 19:09 06 Feb 2008

Thanks for that guide, v-e-r-y useful.

Looks as though I'm OK

I'm covered by the third sub-bullet

* Data controllers who only process personal information for:
o staff administration (including payroll);
o advertising, marketing and public relations (in connection with their own business activity); and
o accounts and records. ***This is me!***

* Some not-for-profit organisations. ***Quite a lot of the time, I feel this is me. It's not intended that way, however! ***

