3 of 10


Protection of Privacy

Processing of personal data is strictly regulated by European Union legislation, by legally binding treaties of the Council of Europe, and by individual national laws. These laws and regulations tell those who collect personal data what level of file security is required, how long files may be stored, how the persons concerned must be informed that their information is being stored, whether authorization from a national authority is required, which purposes are permissible for data processing, and how confidentiality must be maintained when data is disseminated internally and externally.

The E-Privacy European Union Directive of 2002 defines sensitive data to include data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life". The processing of such information is in principle prohibited, except in specific circumstances. Sensitive data may be processed, for instance, if the processing is necessary for the purpose of medical diagnosis, with specific safeguards in the field of employment law, or with the explicit consent of the data subject.

When companies collect data from their customers or the general public, the level of care should be high enough to prevent the identification of particular individuals. Beyond a certain level of information collected, customers and the public should expressly opt in to the collection of data, and that consent must be withdrawable at any time.

Figure 1: Physical shredding of electronic data is not possible, but withdrawing permission should have the same effect.

There is a slightly different relationship between a company that collects information and its employees, as there is a more implicit permission for the collection and dissemination of personal data related to the working environment. Although the standard for explicit opt-in is understood to be lower in this context, limits still apply. For example, private correspondence conducted while at work is still considered a fundamental right, and employment contracts do not allow the employer to ignore their employees' privacy, even when they use company-owned equipment.

In addition, a lack of security in ICT may cause directors or other legal persons to be held liable in the case of forgeries, personal data leaks, violations of data storage undertakings, and other damaging incidents.

As a result, a service provider offering services and data processing to customers and employees should of course obey the law, but should also create a business culture that protects the data it collects, stores and processes. This responsibility of companies towards their end-users should always be maintained, even if part of the technical infrastructure and processes is outsourced or hosted by a third party.


SAFETRIP.eu is a project co-funded by the European Commission, DG Research

© Copyright 2012 SafeTRIP