Information protection: the eight commandments

Series Details Vol.8, No.6, 14.2.02, p17
Publication Date 14/02/2002

Date: 14/02/02

By Peter Chapman

Data privacy is a complex business and firms spend a fortune trying to comply with rules aimed at protecting private information.

Member states often have different interpretations of the rules - making it a nightmare for companies doing business across several jurisdictions.

But what, in a nutshell, is the law trying to achieve? EU lawyer Mike Pullen explains the eight main principles behind the Union's key data privacy law: the 1995 'framework directive'.

  • Personal data should always be processed fairly and lawfully.

'This means you should only process data for lawful means - like my subscription to a newspaper.

'The newspaper should tell me what it is going to do with my data.'

  • Personal data should only be obtained for one or more specific purpose and shall not be further processed in any manner incompatible with that purpose.

'If I subscribe to European Voice and it wants to use my data for direct marketing it should tell me and ask my permission.'

  • Personal data should be adequate, relevant and not excessive for the purposes for which they are processed.

'If I am subscribing to European Voice the newspaper doesn't need to know what my religion is.

'But if I am applying for a job as a journalist I am going to be sat in front of a screen every day. I should have to tell the paper if [that] would give me an epileptic attack.

'It would not be able to get the information anywhere else. It would have to get it from me.'

  • Personal data for any purpose should not be kept for any longer than is necessary for that purpose.

'If you send me a CV for a job and I say sorry, but we will keep it on file, I shouldn't keep it on file unless there is a prospect that I will be giving you a job in the future.'

  • Personal data should be accurate and, where necessary, kept up to date.
  • Personal data should be processed in accordance with the rights of the data subject.

'That is your right to have access to your data, your right to object to processing, your right to have incorrect data rectified and your right to have data erased.'

  • Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data.

Measures should also be employed to guard against accidental loss, destruction or damage of personal data.

'You have to have computer back-up tapes, [in case] your employer's server goes down and wipes all the data and they can't pay you, etc.

'It means all your computers have to be password-protected and it means that you have to have security on the doors of your computer room so someone can't put a white coat on and help themselves to personal data.'

  • Personal data must not be transferred to a country or territory outside the European economic area unless that country ensures an 'adequate level of protection' for data subjects.
