0844 244 8080

Online Security - New Guidelines from the Information Commissioner

by Richard Cunliffe

Share |

The online world is developing and changing all the time. Increasing numbers of people depend on the Internet for information, shopping, banking and social interaction with friends.  The gap between the real world and our online world is becoming increasingly blurred and this presents a challenge to our privacy. 

Some of the biggest uses of the Internet also pose the largest threats to our information security and privacy. As our experience of the Internet increases, so does our dependence on its convenience. As the uses of the Internet snowball, the risks we take also increase. We will happily tweet, telling everyone we are going on holiday, yet we leave the lights on in our houses when we're away to pretend we're in. 

Is this an example of our increasingly liberal attitudes to online privacy or do we feel protected behind a keyboard and mouse?

More and more information is captured as our online footprint expands. Everything you click on Amazon is recorded to analyse your browsing and shopping habits. This creates an online profile that allows Amazon to recommend products to us. A cunning marketing strategy or an invasion of privacy? Would you allow someone to shadow you in Tesco with a clipboard, marking which products we looked at? No, but we all carry Tesco Clubcards which record everything we buy, where we bought them and how we paid. 

Companies also face this problem when deciding how to set up online privacy. Currently all companies operating in the UK have to comply with the Data Protection Act (1998). This act, implemented in 2000, provides a set of principles that governs the actions of organisations when processing personal data. 

The Act's application can be poorly applied in the online world and this has led to a new online privacy code being developed.  This code covers all information collected by PCs, mobile phones, computer games consoles, media devices; basically anything connected to the Internet.

The code is a set of guidelines that go above and beyond the DPA requirements. The code only covers the use of information that can be used to identify an individual. This is problematic as many people can use one computer, for example. The difficulty is that non-obvious identifiers such as IP addresses are linked to one particular device; not an individual user. 

Here is what the Online Privacy Code says:


  • Collect personal data at an appropriate time - asking for information too early will discourage people
  • Don't misuse the information you collect and only collect necessary information
  • If you're using a third party, check what information they collect as they may be collecting too much
  • Conduct audits of the data to ensure it remains accurate
  • Use partial data where possible e.g., use the first part of someone's postcode rather than the whole thing if you only require the rough address of that person
  • Do not be secretive about why you're collecting personal data
  • Do not change the reason you're collecting data.
  • If people tell you they don't want to receive any further information, do not contact them again
  • Undertake risk assessments on your system to identify where vulnerabilities may occur
  • Remove all unnecessary access rights where possible
  • Disable auto-complete options on web forms and install good anti-virus software
  • Dispose of data securely
  • Train staff to handle data securely
 
The DPA states that individuals should be able to access all data an organisation holds about them. Individuals also have a duty to keep this data up-to-date and to stop their information being used for direct marketing. This code goes further as is very much an extension of the DPA and states that individuals should have an easy way to access all of their information and be able to delete their account properly; not in the case of Facebook where every piece of information has to be deleted individually!
 
Security has only recently been considered during the design stage of software development. For years it was considered another company's job to make software secure. The software developer just had to hastily release a patch when the going got tough with the media.  Now developers have an obligation under the DPA to control data privacy properly. They must consider their default privacy levels and ensure they match the expectations and wishes of the individuals. There is a balance to strike here between protection of privacy and functionality of the application.
 
The online social-networking site Facebook recently changed the default privacy settings for users after complaints that the default Facebook set didn't actually meet the default expectations that users had. Quite simply, if a large number of individuals alter their privacy settings from the default then the default should be changed.
 
Google failed to consider the privacy of its users when it launched Buzz, their microblogging add-on to Gmail.  It defaulted to allowing those people you regularly e-mail access to your Buzz site. This was against the wishes of most users who wanted granular control over their privacy.
 
The global element of online interactions leads to confusion about which laws a company may need to abide by. The simple answer is all laws need to be considered for the countries the company wishes to operate in. By abiding by these guidelines and the DPA then the company should be fine.  Some general rules can be applied in these situations:

 

  • Encrypt data prior to transferring it overseas
  • Ensure the individual receiving the data is adequately trained to handle data
  • Take copies of the receiver's security policies and ensure they match your expectations

It will take time to see whether adopting this code leads to increase trust and better relationships with individuals online. It may result in fewer breaches of the DPA and therefore fewer fines handed out from the Information Commissioner. The larger question remains whether this will lead to an increase of online services or simply put barriers in place to their use.



Share |

Richard Cunliffe is an Information Security Officer in the IT Health Sector. He has a degree in e-business and now specialises in Data Protection. He also has a background in web development and helped establish a Lancashire-based company as the Number 1 pool table retailer in the UK. He also enjoys PS3 gaming, working out and socialising with friends.

 

Your Comments

CAPTCHA Authorisation Code

Comments are publicly viewable so please don't include any personal data such as your phone number or email address. Submitting a comment indicates acceptance of our Terms & Conditions.

There have not been any comments on this article yet. Post your comment above!

Copyright © caeus.com Ltd. 2010. This article and all its contents are the property of caeus.com Limited and are protected by copyright. You may not distribute, modify, transmit, reuse, repost, or use the content of this article for public or commercial purposes (including text and images) without written permission from caeus.com Limited. The views expressed in this article and sites linked to herein are solely those of the author or individual(s) providing them and do not reflect the opinions of caeus.com Ltd., its parents, affiliates or subsidies. Any trademarks and brands mentioned in this article are the property of their respective owners and their use does not imply any affiliation with, or endorsement by, caeus.com Limited. The content of this article is provided in good faith and for information purposes only; you follow any advice given entirely at your own risk and no responsibility can be taken for any consequences which may arise as a result of following advice given in this article.

Articles & How-To Guides

Related Articles


Sign up to caeus.com
Data Recovery Services... click here

Web Design & Hosting

Photography & Virtual Tours

FREE Useful Utilities

Computer Repairs & Servicing

IT Services & Consultancy

Articles & How-To Guides

 

Connect With Us:

Valid CSS! Valid XHTML 1.1!