AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

What Offences Exist Under the UK Data Protection Act?

The United Kingdom's Data Protection Act 1998 (DPA) has three sections that this post covers because they create criminal offences: Section 21, Section 55, and Section 56.  Sections 21 and 55 both concern unlawful handling of personal data, but they target different actors: Section 21 catches a data controller that processes personal data without first notifying the Information Commissioner, while Section 55 catches a person who obtains or discloses personal data without the data controller's consent.

Section 21 - Offences

Section 21 of the DPA:

(1) If section 17(1) is contravened, the data controller is guilty of an offence.
(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.
(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.

Naturally, a look at section 17(1) is required:

Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).

In other words, if you are processing any personal data as a data controller, you must first notify the Information Commissioner's Office (ICO) so that you appear on its register.  If you process personal data without having notified, you are committing a criminal offence.  Avoid this most elementary of mistakes by visiting the ICO's notification page and paying the annual fee (as the term "annual fee" suggests, the notification has to be renewed every year).

Of course, you might be asking, what does "processing" mean in this situation?  Well, among other things, it means collecting information:

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – 

a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.

If you feel that the definition is overly broad, you are not alone: even the ICO admits that it is meant to be broad.  Essentially, if you are using personal data in some form or other, you are processing personal data, and the organisation that decides why and how it is processed (the data controller) must notify the ICO.  It does not matter whether your organisation is big or small: the requirement is blind to the size of the organisation that processes the data.  Even if you are a one-man operation, you are required to notify.

If this is news to you, you are in good company: research from 2007 suggested that up to 80% of businesses and other organisations had not registered with the ICO, probably because they were unaware of the requirement.

But there is a caveat.  Notifying the ICO is not enough; you must also remember that information collected for one stated purpose cannot simply be re-used for a different purpose (this is the second data protection principle, which requires that personal data be obtained only for specified, lawful purposes and not further processed in a manner incompatible with them).  For example, let's say that as a retailer you have collected customers' information, including postcodes, to issue them membership cards that only keep track of points; marketing to them was not part of the stated purpose.

Some time later, you decide to use this information to send coupons to customers as part of a marketing initiative.  In this example, the purpose behind the data collection has shifted, and you must go back to the customers and obtain their consent before sending the coupons.

Section 55 - Unlawful Obtaining etc. of Personal Data

The previous section is geared towards data controllers (which, in practice, usually means "an organisation").  What about penalties for individuals?

Naturally, not all breaches of the Data Protection Act are caused by data controllers, and the controller is not the only party involved in a data breach.  Individuals, whether outsiders or employees, can steal information from data controllers.  Section 55 of the DPA covers such cases.

Section 55 of the Data Protection Act begins thus:

Unlawful obtaining etc. of personal data.
(1) A person must not knowingly or recklessly, without the consent of the data controller—
   (a) obtain or disclose personal data or the information contained in personal data, or
   (b) procure the disclosure to another person of the information contained in personal data.

There is broad consensus that this section is meant to apply, for example, to hackers and to less-than-ethical employees who acquire personal information and offer it for resale (for personal gain).  Subsections (5) and (6) of the same section make offering to sell unlawfully obtained personal data an offence, and state that an advertisement indicating that personal data are or may be for sale counts as an offer to sell.

It appears that the fine for an offence under this section is limited to £5,000 when the case is heard in a magistrates' court.  The entirety of Section 55 of the DPA can be found here.

Section 56 - Prohibition of requirement as to Production of Certain Records

This section makes it illegal to require an individual to make a subject access request (and hand over the result) "for the purposes of recruitment, continued employment, or the provision of services", as Wikipedia describes it.

A fuller explanation is that Section 56 prohibits so-called enforced subject access: compelling a person to produce "relevant records" about themselves.  Relevant records include:

  • Criminal records from the police
  • Records from the Secretary of State
  • Records from the Department of Health and Social Services

One cannot make the production of such relevant records a condition of an offer of employment, of continued employment, or of the provision of goods or services.

The entirety of Section 56 of the DPA can be found here.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.