Cooking up a recipe for data protection

Computerisation saw the emergence of basic needs for privacy protection to address concerns over the creation of 'womb-to-tomb' dossiers on individuals.

Users of digital technology produce an abundance of personal information that is inclined to be detailed, individualised and computer-processable.

Simply accessing a Web site makes certain header information available to the Web site host computer; including e-mail addresses, the operating and hardware platform, the time and date of the visit, and the Web page viewed immediately prior to accessing the current page.

In the haste to deploy technology, on-line businesses often get distracted from the legal risks, such as exposure to a raft of data protection and privacy laws introduced to address such concerns.

Heralded as a robust way for protecting one's personal and sensitive data, the Data Protection Act 1998, implementing the European Union's Data Protection Directive 95/46/EC, appears to be rather scantly applied by on-line businesses.

While more than 97% of dot-coms recently surveyed by Landwell claim that they are compliant with data protection, 20% admit they have not even taken advice in this area.

Other reports, claiming both off-line and on-line businesses' lack of concern towards data protection issues, have put this figure even higher.

Examining frequent methods of data collection, it is easy to see how infringements can occur.

Cookies - a text file placed on a user's computer by Web sites they visit to enable the site to recognise the user when they visit again, and often associated with ad-banners - can lead to users potentially losing their anonymity and reveal sensitive data, such as reading material indirectly implying sexual, political or religious inclinations.

Where cookies remain on a user's computer after leaving a Web site, the situation, and the potential problems associated with them, can continue.

Another method of collection is via voluntary disclosure by the data subject where sensitive information may also be collected.

Airlines operating loyalty schemes, in noting a customer's dietary habits, for example, may by implication be collating certain sensitive data.

While generally in accordance with established principles, the amount of detailed personal data elicited voluntarily is astounding.

But have data controllers (that is, the collectors) sought individual's consent or merely implied it? By failing to consider such requirements, on-line businesses are likely to be infringing legislative safeguards.

The application of software with a 'phone-home' capability will have even greater implication for privacy and data protection.

By marrying such technology with cookies, it could be possible to monitor who, where and when images and documents are received and how they subsequently spread.

Whether on-line businesses will properly address the developing data protection and privacy legislation remains to be seen; there is a growing body of evidence indicating that it has not so far.

Adapting and incorporating what amount to basic practices of good-housekeeping when dealing with personal data is something such businesses need to entrench in their daily conduct; at the very least, such compliance will enhance their reputation in the market.

James Catchpole is a member of the IP, IT and digital business group, and Simon Walker is head of e-business, at Landwell UK