The Data Protection Act
Principles & Safe Storage Of Your Data
There are eight enforceable principles of good practice when it comes to storing data. These are related to the processing of personal data.
The 8 principles of the Data Protection Act state that the data must be:
- Fair and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept for longer than necessary
- Processed in accordance with the data subject’s rights
- Not transferred to countries without adequate protection
The agreement itself is a compromise stemming from US-EU wrangles over the European Directive on Data Privacy. This requires that companies exporting data on EU citizens meet EU privacy protection standards.
Safe Harbour allows US companies to register and get certified as clean, without it being necessary for the US itself to change it’s current approach to privacy protection. But the most important thing to remember is this ‘Safe Harbour’ is self regulated, so if something was to happen to the integrity of your data while it is stored in the US, it is the responsibility of the data owner and not your supplier.
Here is a summary of the checklists your data will go through when it is stored in the US under the Safe Harbour scheme. Please note that most of these break the UK Data Protection Act:
Enforcement: The enforcement mechanism requires the existence of a readily available and affordable independent recourse for individuals, as well as consequences for the organisation when the principles are not followed.
Data integrity: Data integrity means that personal information collected must be relevant to the purposes stated in the notice, and that reasonable steps should be taken to ensure that the data is reliable, accurate, complete and current.
The main areas where you will find yourself in breach of the Data Protection Act:
Data Privacy Law: Under Data Protection Principle 7 of the Directive, the person supplying the information to you can rightfully assume that you, the data owner, will look after their information in line with the DPA. Unless you specifically informed the individual that their data will be stored outside of the EU and have a written agreement from them, then the data MUST be stored within the DPA regulations, such as with a company who fully complies with the Safe Harbour process. It is your responsibility to ensure that the company who are managing your data have suitable security measures in place.
- The importing state has “adequate” data protection laws. US laws are not regarded as “Adequate“.
- The data subject has given “unambiguous consent” to export “any freely given, specific and informed indication of the data subject’s wishes by which he/she signifies his/her agreement to his/her data being processed“.
- The export is “necessary” for the fulfillment of contract between the data subject and data controller… Commercial convenience will NOT qualify.
- The importing entity is in the US and has signed up to “safe harbour“.
- The exporting and importing companies are members of the same group of companies and the group has opted for the “Binding Corporate Rules” gateway.
- The import is governed by a contract between exporter and importer which includes EU approved model clauses.
In summary, it is a political minefield to store your data outside of the European Union. Even if your data is B2B, should you have anything stored which reflects the individual as a person then you could be breaching the laws of the DPA. This does not just apply to your Email Marketing data lists, but all of your company’s data storage, such as your CRM system.
For those of you who feel faint now, there is one bit of good news – Microsoft has adopted the European Union guidelines and as such are fully compliant with the European Data Protection Act.
See www.ico.gov.uk for more information.