Data Protection and Web Based Applications
By Paul Ticher
Using hosted web applications or hosting your website outside the UK could cause your organisation to breach the UK Data Protection Act. This article explains how and provides some useful pointers for consideration.
There are many reasons for using web-based applications: cost savings, accessibility from wherever you happen to be, automated online backup, to name but three. But there are legal and practical implications, especially if your data includes personal information about your clients or staff, or even about yourself.
The issues arise because you are trusting someone else to look after your data. Of course many people do this all the time with hardly a second thought, by having a web site hosted externally for example. However, there are an increasing number of applications provided over the web which were traditionally kept in house, ranging from cut-down office suites to heavyweight personnel systems or contact management systems.
The bottom line…
The bottom line is that your organisation is responsible for its data, regardless of whether it is held on site or externally. The more confidential the data, the more careful you have to be, and the more you need to know about how the data will be handled when it is out of your control.
The main legal requirements are in the Data Protection Act. This only applies to information about people, of course, but is a good starting point. The seventh Data Protection Principle says that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
If you are relying on someone else to handle your data for you, that makes them, according to the Data Protection Act, a ‘Data Processor’, and you have a legal duty to satisfy yourself that their security precautions are up to scratch.
Data security, accuracy, and access
If you are using a system where you have an individual contract with the service provider – a hosted contact management system, for example – we will assume that you have checked out their security provisions. You will also have read the contract properly to satisfy yourself that all is in order, including compensation for you if the supplier lets you down.
But what about ‘consumer’ services – Google Docs, Zoho, Microsoft Office Online and the rest? You don’t negotiate a contract, you accept the provider’s terms and conditions. Are they sufficient to give you the confidence that you can store personal data securely in their systems?
The terms and conditions for Google Docs run to over 4,000 words (four times the length of this article). They are full of responsibilities on the user, but don’t promise much in return. Section 14.2 is especially relevant. It says:
“In particular, Google, its Subsidiaries and Affiliates, and licensors do not represent or warrant to you that:
(A) your use of the Services will meet your requirements,
(B) your use of the Services will be uninterrupted, timely, secure or free from error,
(C) any information obtained by you as a result of your use of the Services will be accurate or reliable, and
(D) that defects in the operation or functionality of any Software provided to you as part of the Services will be corrected.”
Microsoft takes 7,000 words to say much the same, while Zoho’s terms and conditions are more modest, at 2,000 words, but no more encouraging:
“The services are provided on an as-is-and-as-available basis. AdventNet expressly disclaims all warranties of any kind, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. AdventNet makes no warranty that the services will be uninterrupted, timely, secure, or virus free.”
So none of the on-line service providers take any responsibility for security, functionality or continuity of service. This does not provide you with much protection against ‘unauthorised access’ or ‘accidental loss or damage’, and it could be argued that it is an automatic breach.
There are questions relating not only to the seventh Data Protection Principle, but also to the third and fourth which together say that:
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed [as well as] accurate and, where necessary, kept up to date.”
How can you keep your data up to date, for example, if you can’t access the service?
The risk to your organisation is that if any of your Data Subjects (such as clients, staff or members) lose out because you have breached one of the Principles, you are liable to pay them compensation. Say you have a spreadsheet holding the details of the people attending an event which you have to cancel at the last minute. If your on-line service isn’t available at the crucial time, so that you can’t contact them, they may incur costs which they could claim back from you – and you would have no recourse to the service provider.
Storing your data abroad
Another fly in the ointment is that many web applications (and website hosting services) are provided from abroad, often the USA, and store your data abroad. This could lead you to breach the eighth Data Protection Principle, which imposes conditions before you can transfer information abroad. The USA does not have legislation which would facilitate transfers, relying instead on the voluntary ‘Safe Harbor’ arrangement. Microsoft refers to this in its terms and conditions, but Google and AdventNet do not. Even then, Microsoft’s entry in the list of companies which have signed up to Safe Harbor is not clear about whether it covers data processed on behalf of organisations outside the USA.
Finally, there is the surveillance concern. In the USA the government can, in effect, have ready access to any data held in the USA, regardless of its origin, under the US Patriot Act. A Canadian university has already come under fire from its staff, who had concerns about this, when it decided to switch to using Google for its e-mail.
At present the UK government does not have such powers, but there are indications that they want to introduce something similar. Of course, it has always been possible for the authorities to gain access if they really want it, but these new provisions make it much easier to do it without your knowledge, and with much less oversight by the courts.
Are web based applications right for us?
How much these things concern your organisation depends partly on your views on surveillance and the like, and partly on the nature of the data you want to store. So it doesn’t mean that you should never use web-based applications. Although they don’t guarantee reliability, they must be pretty reliable, or they wouldn’t have many users. And would the US government really be interested in the details of who is attending your next training course?
You do, however, have to answer a few questions:
- Do we know what terms and conditions we are signing up to?
- How much would it matter if the service was unreliable, or if the data was corrupted, lost or inaccessible? What would our liability be if things went wrong?
- Given that even our own internal systems cannot guarantee reliability, are the risks of using web-based applications at an acceptable level?
- How much would our Data Subjects mind – or be put at risk – if their data was accessible by governments, here or abroad? Can we justify our approach to them?
Published: 28th August 2008
Copyright © 2008 Paul Ticher