Domain: dpr.gov.uk
Stories and comments across the archive that link to dpr.gov.uk.
Comments · 21
-
We had this 16 years ago
In the UK we have the Data Protection Act (of 1984 and redone in '98 AFAIK) which lays down rules about how your data is handled. Companies etc that collect data on you must be registered and must keep your data secure from others. Also you have the right to view all the data that anyone holds on you and ensure it's accurate (except in a few situations such as police investigation), you can even see emails/memos about you and CCTV tapes (again AFAIK). Even my old school is registered. There are a few other things which I forget but you can read about here
-
Re:Mostly Ethics, Seldom Legality
(Sure, they mostly pretend they wouldn't do that to regular citizens, only businesses, but it's pretty much a selective enforcement thing.
No, it's a law thing. Individuals are exempt from notification if the only data processed are for personal, domestic and household affairs (including recreational purposes).
Sounds like some libertarian yanks have been filling you with FUD. Data protection laws regulate business and public data, not private, personal data. If regular householders had to register their christmas card lists, address books, etc, the entire system would collapse. DPR is there to protect citizens from businesses who'd say "i'm private property so you can't do anything about my lies on file against you! it's my freedom of speech! freedom to FUCK YOU OVER yeah baby!"
-
They track more than that: official
Since personal data held in the UK must in general be held for specified purposes and not used otherwise, under the data protection legislation, you can look up what information they are actually allowed to keep.
Now, please do your homework and read what they really store and why, as officially notified to the Office of the Information Commissioner (who oversees UK data protection issues).
And then come back, and be scared.
Why, exactly, do they need to record information about:
- the sexual life of their customers
- the family, lifestyle and social circumstances of relatives of their employees
- the academic records of students and pupils
- the political opinions of complainants...
Yes, those are all real examples, lifted straight out of the entries for several purposes for which they are registered with the Information Commissioner.
Hell, their entry basically says they may keep pretty much any really personal information about anyone. Oh, and they can transfer most of it worldwide, too (i.e., they can take it to places with much less strict data protection legislation than we've got -- if they can find anywhere like that, anyway).
-
Data Protection Act
You can search the data protection register to see what sort of information organisations keep, "Transport for London" gives you a pretty long list but I can't find anything that says they would store the journey?
-
data protection
I was looking up my old school on the data protection register (UK), they have so much info on the students!
In the UK (as far as I remember from IT class) we have laws protecting our data and ensuring it's stored securely, I don't know what would happen if it got out (my school used wifi too) - i.e. who I could sue/prosecute to get that lovely lovely free money.. hmm what if I hacked it and stole my own data just to demonstrate? - I could maybe pay off the hacking charges with the money from suing the same people! (if only I wasn't such a lame script kiddie)
The Data Protection Act has to be my favourite UK law, leading to the TV show where Mark Thomas snoops around dodgy politicians and bosses and then uses the Data Protection Act to demand a copy of all the data they have on him including memos about how they hate him :)
So yeah if you're in the UK, just go and demand that companies/schools etc give you your data (I think they can charge a fixed amount for it though)
-
Trading standards department degoogled
A friend in York, England was asked to pay £95 to the "Crown Data Collection Enforcement Agency". The UK Government's Data Protection Registry has a note on their website warning against such "individuals posing as 'collectors on behalf of data protection'".
My friend looked up their address on Google and found 46 web pages, including an adoption agency, a glamour model agency and somebody selling hardcore porn videos. He emailed York's trading standards department.
He got a phone call back saying York Council policy bans Google so his complaint could not be investigated. How the f*** can they find anything out?
-
Re:Please explain
Microsoft are not listed in the Data Protection register. So they are breaking the law by storing any UK citizen's name every time that citizen does an ego search.
This is especially true if the software was bought through a UK subsidiary.
-
Re:No way
Save for the UK, which appears to be in the process of killing off any form of privacy, all European countries have similar or comparable data protection laws.
There are many fucked up laws in the UK at the mo (Regulation of Investigatory Powers act, Criminal Justice act, etc.) and the whole CCTV big brother thing sucks. But data protection regulation is very good, and now applies to non digital data too. The data protection act is very useful for getting information out of people who collect data on you for a living and also as a stick to wield against stupid people. Example: the finance department of my University put an Excel file containing the home addresses of all students in a shared directory on the campus LAN. Once I notified the Uni data protection officer it was removed in about 10 minutes!
There are rules about government departments not sharing data unless necessary, but everyone knows that it still goes on. The way to combat this is to make it hard for them to share the data, e.g. NOT by putting it all in the same place.
-
Re:Data Protection Act
Under the terms of the data protection act, they have to register all the information they hold about you.
This data protection register is online. This is what a search for Tesco turned up.
-
Illegal in the UK.
Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.
Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.
For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintained at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)
-
Re:Misleading Figures
I hope they don't map the UK internet topology, that information is the property of the companies that set it up, and would be covered by the Data Protection Act 1998. Possibly.
Or possibly not. The DPA '98 covers information held by data controllers about data subjects or from which data subjects might be identified, where:
- Data controllers are any persons or corporations who handle data, defined as any organised body of information whether held on a computer or not held other than for purely private purposes, and
- Data subjects are, basically, anything with two arms, two legs, a pulse and a current or future right to vote. And, er, given current law on the franchise, the royal family and people currently sectioned under the Mental Health Act.
(The foregoing definitions are rather more colloquial than the ones the Act uses, but they'll do for present purposes).
Basically, mapping information on .uk net topology will not come within the Act unless information about individuals forms part of that (eg. as a result of copying scads and scads of whois info.) For further info, see The Data Protection Registry Site generally.
For the record, I am a lawyer, and the foregoing is not offered as specific advice for your specific circumstances. This is: don't base decisions that could cost you money or liberty on /. postings. Take advice from a lawyer who's acting specifically for you.
-
Meanwhile, over in Europe...
We don't have that problem. Other problems, maybe, but not that one.
-
Re:Need a Data Protection Act
Not just electronic data; gradually, all data held about you will have to be transparent.
Incidentally, you can search the Data Protection Register online. Eye-opening.
-
Additional info on EU Data Protection
Just to pick up a few points, working from the UK implementation of the EU directive, the Data Protection Act 1998:
- The Data Protection legislation covers paper records as well as computer records.
- It doesn't extend to anything done other than in the course of a business, so your phone numbers stored in your mobile aren't covered. Incidentally, some of mine are, since they're client's numbers.
- The data has to be personal data - data from which a person could be identified, however tangentially.
- The data has to relate to a "data subject", a term which is defined in the legislation to mean more or less anything capable of passing as human. (Yes, that is flippant. No, it's not inaccurate.)
- Sensitive personal data is a subset of personal data, and it's defined by reference to a list of subject matters: race, religion, political affiliation, membership of trade union, mental and physical health and sexual orientation being the ones I can remember without making the thirty-yard trek to the shelf where my copy of the Act is.
- Sensitive Personal data cannot be collected without the explicit consent of the subject without committing an offence, subject to some tightly-drawn exceptions.
- The restrictions on processing personal and sensitive personal data when you get it are governed by the Data Protection Principles. See Schedule 1 to the Act for details. Interpretation of the Principles is in Part II to Schedule 1 and further supporting material appears in Schedules 2 and onward.
- The Data Protection Registrar has already indicated that "opt-outs" for mailing lists do not amount to fair data processing. That's right, spam just became a criminal offence again. Enforcement is another matter, I shouldn't wonder.
- This item deliberately left blank.
- Data Controllers (the people who actually carry the can for data processing) have to register as such, disclosing publicly on this register what sort of data they collect, from what kind of people and what they do with it.
- Part of the registration, which must be renewed annually, is a statement of the security precautions the data controller has taken. They aren't onerous - indeed, I'd regard them as the minimum necessary. However, the actual implementation in practice among my clients - honourable exceptions apart - is woeful at best.
Essentially, the standards may be set higher over this side of the Atlantic, but the actual performance means that the practical difference for the time being is nil.
Anyone in the UK with an expertise in basic computer security has a prime opportunity to make some money selling advice to just about every commercial concern on mainland Britain. And, no doubt, the same goes for the rest of the EU.
AndrewD
Slight disclaimer: don't rely on the above as legal advice for your particular circumstances. I'm only qualified to advise in the UK on English law, and what appears here is only a broad outline statement of that law. In short, relying on comment postings on /. to take business decisions that might cost you money is your own affair and don't come crying to me if it all goes horribly wrong.
-
UK Data Protection
Y'see, *this* is why the EU has been unhappy about data transfers to the US - we have stringent data protection legislation.
In the UK (whose implementation I know best), data holders *must*
- Be registered to hold and process identifying data and only do so for a proper length of time
- Obtain data fairly (ie from you with your permission or from a reputable (ie registered) source)
- Ensure that that data is up to date
- Ensure that the data is only disclosed to proper persons or bodies
- Give you the right to view your own data
- Only use it for proper purposes
Therefore, you can view your credit history as disclosed to financial companies by writing to Equifax or Experian (the 2 big credit reference agencies) with a £2 cheque, and challenge any erroneous info they hold about you.
-
Re:Data Protection Act
There are a number of problems with the Data Protection Act.
Firstly, to sign up with the ISP, you have given them name, address, date of birth and probably your phone number, as condition of using them.
Since most of them require your e-mail address and password when you sign on, they effectively have, via their logs, who you are, demographics (unless you lied), phone number (because you are phoning them) and everywhere you went. All of this is quite legitimate within the terms of the Data Protection Act. Indeed, under the Regulation of Investigatory Powers Act, it will probably become mandatory.
The trick is to check the Data Protection registration of the ISP. If they are not registered to use this data for marketing purposes, you have them by the short and curlies. You can search for this on the Data Protection Registrar web site. For instance, here is the registration made by the UK's favourite ISP, Freeserve. Note the first purpose is marketing to individuals. I also saw an article in Computing magazine where Freeserve stated that they intend to do exactly that.
Note on the Freeserve new user registration page, you have the normal 'opt out' boxes (jury is out on their legality in the UK AFAIK). It mentions 'Terms and Conditions' too, but this link doesn't work (ha ha ha ROFL). When it works, I bet it mentions that the data they collect will be processed in accordance with the Data Protection Act.
In short, I don't believe that the Data Protection Act will offer much of a defence to ISPs using their logs to market at you, as you will have to give them this right under the Data Protection Act when you sign up with them in the first place.