Data protection law and data encryption

You will want your business to stay legal and avoid unnecessary legal action that would distract you from building your company. If you store data on clients, employees or suppliers, you need to adhere to the Data Protection Act. Taking action now should help you avoid problems later if your business is investigated. This will save you money and time in the long run, and will only cost you a small registration fee of £35 per annum. RIPA (Regulation of Investigatory Powers Act) has implications for those using encrypted data.

This guide does not constitute legal advice. It is strongly suggested that you receive qualified legal advice to help you if you have any Data Protection Act or RIPA questions or issues.

Understanding the Data Protection Act

We all like to protect our privacy, and the Data Protection Act provides a legal framework to which we all need to adhere if we are to stay above board. By protecting this information you will retain your reputation and prevent time-consuming and costly investigations later. Separate regulations, the Privacy and Electronic Communications Regulations, apply to anyone considering a telephone or email marketing campaign. For further detail, see the Privacy and Electronic Communications Guide.

The Data Protection Act allows each of us to know what information is being held about us. Any information that is held must be handled appropriately, and there are 8 guiding principles. Data must be:
If someone feels that their data is not being managed according to these principles, they can contact the Information Commissioner's Office for assistance. At this point your small business may be investigated, with possible subsequent enforcement action.

Regulation of Investigatory Powers Act (RIPA Part III)

RIPA is normally associated with investigations into criminals and criminal behaviour using surveillance, not the running of small businesses, but recent changes in legislation may impact your use of IT.

Data encryption is the process of taking normal computer data and files and scrambling them so that they become unreadable to unauthorised users. This process of scrambling or encrypting data uses advanced mathematics, which we won't bother you with. What you do need to understand is how to handle the "keys" (or passwords) which unlock encrypted data. It is important to keep these keys secure from unauthorised persons, to protect the encrypted data from improper use.

Legislation activated in October 2007 (RIPA Pt.3) may require a copy of a key which unlocks specified encrypted data to be provided to law enforcement authorities. However, the legislation does not require that all keys are kept indefinitely in case this circumstance arises. It is good security practice to establish a procedure for deleting old keys when the data which the key protects is no longer needed for normal business purposes, as part of planning a finite lifecycle for any business data. In particular, the Data Protection Act 1998 requires deletion of personal data which is no longer needed for specified and legitimate purposes.

However, it is important to keep records of when you delete keys, and a description of the data which the key was used to protect. In the event that a key is demanded under RIPA Pt.3, you may need to explain to the authorities why a key is no longer available. Data encryption is covered in more detail here.
What you need to do

It is strongly advised that you visit the websites below, which carry up to date and accurate information on the Data Protection Act and RIPA as it relates to small businesses. The Data Protection Act site also carries information on how to register your business, which is highly recommended.

Data Protection Act for Small Businesses

Commercial suppliers

We do not recommend specific products or suppliers; instead we provide you with a representative sample which covers the range of suppliers/products available. You may choose to look at these suppliers or products but this is entirely at your discretion.

Reproduced with kind permission from the Business IT Guide. The original version of this article can be viewed here.