The rules of reporting of data disclosures
28 November 2011
The days of businesses being able to brush data protection breaches under the carpet are numbered.
A new version of the European Commission’s Data Protection Directive will be published in mid-November. This is a kind of updated version of the Data Protection Act for safeguarding all kinds of personal data. This act previously only applied to government departments.The main effect of these changes will be that all businesses, public bodies, charities and other organisations will be liable for any data breaches that occur and penalties for misuse of confidential information will be enforced.
Stringent measures will govern how information is to be managed. This will include new instructions on data processing whereby every sector will be included in mandatory beach-disclosure rules.
Data protection – the law
For the technically minded the EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU. Directive 95/46/EC encompasses all key elements from article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life and in personal correspondence.
There are seven broad principles within the Data Protection Directive. These include:
1. Security
2. Purpose
3. Disclosure
4. Notice
5. Accountability
6. Consent
7. Access
Once a directive comes into force any entity which holds personal data for some set purpose or reason becomes legally liable for the consequences of it being misused. Data is categorized as ‘personal’ when it allows a connection to be made between the data and the named person to whom it refers. Personal data can be anything from phone numbers, credit card details, home addresses, date of birth, bank account details and many other items.
The new Directive will go through a process of consultation over the next 12 months but is expected to be adopted and in force in the UK by early 2013. All sectors will be required to report breaches to the Information Commissioner's Office. It stipulates that seriously affected individuals are also to be informed.
Re-think
From an operational perspective, this will present a major task for many organisations. Management and training will need to be updated to reflect the re-engineering of mechanisms to detect breaches and report them to responsible internal officers. It will then fall to these managers to inform the Information Commissioner and individuals who may have been significantly affected by the breach.
Processing is also broadly defined. It relates to any manual or automatic operation involving personal data, including its collection, recording, organisation, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction (Article 2b).
Storm clouds
Many data compilers have been concerned about third-party responsibility and safety for data in an information cloud. However, the Data Protection Directive will include a ‘binding safe processor rule', whereby data owners will not be liable for loss at the hands of a third party cloud provider
Under the new rules, when use of data is outsourced to a certified business, the provider will not be liable for subsequent breaches involving their data from this source. This will be a very positive step toward the adoption of internet cloud services by businesses.
These data protection rules apply when the responsible party (called the controller in this EU Directive) is established, operates within the EU or uses equipment located inside the EU to process personal data from elsewhere. Controllers from outside the EU, who process personal data inside the EU, must nevertheless comply with this directive.
Notification
EU member states have supervisory authorities to monitor data protection levels in their state and to advise the government about related rules and regulations. It is their responsibility to initiate legal proceedings when data protection regulations are infringed.
Controllers must notify their governing authority before processing any personal information and such notification prescribes in detail what kinds of detailed notice is expected, namely;
1. Name and address of the controller or representative
2. Purpose(s) of the processing
3. Descriptions of the categories of data subjects
4. The data or categories of data to be collected
5. Recipients to whom such data might be disclosed
6. Any proposed transfers of data to third countries
7. General description of protective measures taken to ensure safety and security of processing and related data.
In short, the data protection screw is tightening and the scope is extending from three sectors to the whole of society.
Organisations of all sizes and complexions are advised to begin planning their response now. Data management is a serious issue and all businesses have a responsibility to guard confidential information.
Other Press Releases By This Company
- 05/09/2012 - PHS Datashred awarded prestigious customer service accreditation
- 05/09/2012 - PHS Datashred on track for Whizz Kidz
- 03/09/2012 - PHS Datashred scoop national recycling award
- 07/02/2012 - Datashred warns data dumping businesses
- 07/02/2012 - Datashred halts Jigsaw fraudsters - do you?
- 07/02/2012 - Datashred predict shredding boom for 2012
- 07/02/2012 - Employee annoyances
- 13/12/2011 - PHS Datashred’s expansion plans
- 08/12/2011 - Ward Hadaway looks to PHS Datashred for confidential waste disposal
- 28/11/2011 - London businesses must clean up data dumping act
- 02/06/2011 - PAS 141 gets warm welcome from confidential data experts
- 02/06/2011 - Datashred can help public sector in wake of data protection warning
- 02/06/2011 - Datashred asks, are you sure your data is secure?