Help with the Data Protection Act

Hey to all!

I'm developing a new feature on my website, but before I really get stuck in, I want to check that it complies with the Data Protection Act etc. I'm just after some general advice really.

It's a hiking website, which allows users to create route cards etc.

Hike Assessor
The hiking assessor will be able to log in, and view and edit hikes for any of his/her groups. For a group to be assigned to an assessor, the group has to log in and enter the username of the assessor before the assessor has access. The assessor also has to accept this invitation from the group.

The idea is that the assessor will be able to view and edit the hikes for each of the groups, and, if the group have a GPS receiver, the assessor will be able to track their position.

Assessors need to be vetted accurately as they will have access to users' names, addresses, medical information, and their planned position at a date/time. Because the user has invited the assessor, does the assessor need to agree to anything? Does this scenario comply with the DPA?

Emergency Services
The idea here is that when a user is on a hike, and there is an injury or they are lost, the relevant emergency services can log on to the website and access all the information for that hike. This includes contact details, names, medical details and their position on the hike at a date/time. They will also be able to view the current position of the hiker(s) if they have a GPS receiver.

The user agrees to give the emergency services access to their details when they first register on the website, providing they are only used in an emergency. Does this comply with the DPA?

Last off, do I need to amend the legal statement and privacy policy to suit?

Hope someone out there will be able to give me some advice!
If you need any further details please ask.

Cheers,
Rich
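The invitation flow described in the first post (a group enters the assessor's username, the assessor accepts, and only then can the assessor see that group's hikes) is really an authorisation rule, so here it is as an added worked example. This is not code from Route Hiker or from the original poster; it uses Python with sqlite3 as a stand-in for the PHP/MySQL site, and every table, column and function name below is an assumption made for the example. The point it shows is that a pending invitation grants nothing, that only the invited assessor can accept it, and that every read of hike data is scoped by the accepted link in the query itself rather than by a separate check that a guessed hike id could slip past.

```python
"""
Added example (not from the original post): the group -> assessor
invitation flow as a server-side authorisation check.
Python + sqlite3 stand in for the PHP/MySQL app; all names are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE assessors (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE hike_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE hikes (
    id INTEGER PRIMARY KEY,
    group_id INTEGER NOT NULL REFERENCES hike_groups(id),
    title TEXT NOT NULL
);
-- one row per invitation; an assessor has access only while status = 'accepted'
CREATE TABLE assessor_groups (
    group_id INTEGER NOT NULL REFERENCES hike_groups(id),
    assessor_id INTEGER NOT NULL REFERENCES assessors(id),
    status TEXT NOT NULL CHECK (status IN ('pending', 'accepted')),
    PRIMARY KEY (group_id, assessor_id)
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def invite(db, group_id, assessor_username):
    """The group enters the assessor's username: this only creates a pending row."""
    row = db.execute("SELECT id FROM assessors WHERE username = ?",
                     (assessor_username,)).fetchone()
    if row is None:
        return False  # unknown username; no further detail, to avoid enumerating assessors
    # OR IGNORE: re-inviting never downgrades an already accepted link to pending
    db.execute("INSERT OR IGNORE INTO assessor_groups (group_id, assessor_id, status) "
               "VALUES (?, ?, 'pending')", (group_id, row[0]))
    db.commit()
    return True


def accept(db, assessor_id, group_id):
    """The assessor accepts; only an existing pending invitation for *this* assessor flips."""
    cur = db.execute("UPDATE assessor_groups SET status = 'accepted' "
                     "WHERE group_id = ? AND assessor_id = ? AND status = 'pending'",
                     (group_id, assessor_id))
    db.commit()
    return cur.rowcount == 1


def can_view_group(db, assessor_id, group_id):
    """True only once the invitation has been accepted."""
    row = db.execute("SELECT 1 FROM assessor_groups "
                     "WHERE group_id = ? AND assessor_id = ? AND status = 'accepted'",
                     (group_id, assessor_id)).fetchone()
    return row is not None


def hikes_visible_to(db, assessor_id):
    """List view: the join on the accepted link does the scoping, not the caller."""
    return db.execute(
        "SELECT h.id, h.title FROM hikes h "
        "JOIN assessor_groups ag ON ag.group_id = h.group_id "
        "WHERE ag.assessor_id = ? AND ag.status = 'accepted' ORDER BY h.id",
        (assessor_id,)).fetchall()


def load_hike(db, assessor_id, hike_id):
    """Detail view: same scoping in the query, so a guessed hike id returns None."""
    return db.execute(
        "SELECT h.id, h.title FROM hikes h "
        "JOIN assessor_groups ag ON ag.group_id = h.group_id "
        "WHERE h.id = ? AND ag.assessor_id = ? AND ag.status = 'accepted'",
        (hike_id, assessor_id)).fetchone()


def demo():
    """Constructed sample data; returns each step's outcome for inspection."""
    db = open_db()
    db.executemany("INSERT INTO assessors (id, username) VALUES (?, ?)",
                   [(1, "alice_assessor"), (2, "bob_assessor")])
    db.executemany("INSERT INTO hike_groups (id, name) VALUES (?, ?)",
                   [(10, "1st Anytown Scouts"), (11, "Hill Walkers")])
    db.executemany("INSERT INTO hikes (id, group_id, title) VALUES (?, ?, ?)",
                   [(100, 10, "Snowdon via Pyg Track"), (101, 11, "Helvellyn")])
    db.commit()
    r = {}
    r["unknown_user"] = invite(db, 10, "nobody")            # False
    r["invited"] = invite(db, 10, "alice_assessor")         # True, still pending
    r["before_accept"] = can_view_group(db, 1, 10)          # False
    r["wrong_assessor_accepts"] = accept(db, 2, 10)         # False: bob was never invited
    r["accepted"] = accept(db, 1, 10)                       # True
    r["after_accept"] = can_view_group(db, 1, 10)           # True
    r["alice_hikes"] = hikes_visible_to(db, 1)              # only group 10's hike
    r["alice_other_group_hike"] = load_hike(db, 1, 101)     # None: group 11 never invited her
    r["bob_hikes"] = hikes_visible_to(db, 2)                # []
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same shape would carry over to the PHP/MySQL version: keep the invitation state in one table with a primary key on (group, assessor), make the accept step a conditional UPDATE rather than a read-then-write, and put the "accepted" condition inside every SELECT that returns hike, contact or medical data, so there is no code path that fetches a hike first and checks permission afterwards.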
 
Thanks! Hopefully it will help to make hiking a bit safer.

Has no one got any advice with the Data Protection Act? I would have thought that there were some legal boffins out there!
 
Sounds like a really good idea! As far as the DPA is concerned, I'd think you need 2 disclaimers - one for the hikers entering their details to say that they agree to their details being passed on to screened assessors who they invite, and the emergency services, and it will not be passed on any further. The second for the assessors to say that they will not pass on any information regarding hikers obtained from the service.

Have you considered how you are going to screen the assessors? It might be worth contacting your local police station to find out if they can help with this, if you've not already done so.

I don't know if that's any use at all, I only know a little about the DPA from working for a bank, so I might be way off.

Good luck with your project :).
 
How secure does personal information need to be when you store it? Does your system fulfill the requirements?
 
If you're going to be storing any personal data whatsoever, you need to register with the Data Protection Registrar and you'll have to comply with minimum security standards.
 
Vixen said:
Sounds like a really good idea! As far as the DPA is concerned, I'd think you need 2 disclaimers - one for the hikers entering their details to say that they agree to their details being passed on to screened assessors who they invite, and the emergency services, and it will not be passed on any further. The second for the assessors to say that they will not pass on any information regarding hikers obtained from the service.

Have you considered how you are going to screen the assessors? It might be worth contacting your local police station to find out if they can help with this, if you've not already done so.

I don't know if that's any use at all, I only know a little about the DPA from working for a bank, so I might be way off.

Good luck with your project :).


Very useful thanks :D
I'm currently in discussion on Escouts as to how to screen the assessors.. I was trying to find out if all assessors hold a generic document of some sort, that could be photocopied and posted to me. Someone else suggested that the council may hold records of assessors etc.

To verify the emergency services, a simple phonecall to their place of work and asking if the person who registered on Route Hiker actually works there should do the job.

I'll probably be coming back here at some point for people to check over the disclaimers to make sure I haven't got any loopholes :p

Jono said:
How secure does personal information need to be when you store it? Does your system fulfill the requirements?
I'm currently planning to encrypt all the personal information in the database, not sure on the method of doing so yet so will research this. As Whitestar has pointed out, I need to comply with the standards, so these will be my next point of research.

Thanks to all for your help so far! :)
 
toastyman said:
Tisn't! I created this over a year ago and I only started at uni earlier this year.

I'll give you some free advice then - run, run like the wind, 'cos when the uni get a sniff of it they will claim all rights to it, which is totally illegal, but they will do it and then try and shaft you forever.
 
Slime101 said:
I'll give you some free advice then - run, run like the wind, 'cos when the uni get a sniff of it they will claim all rights to it, which is totally illegal, but they will do it and then try and shaft you forever.

How do they do this if it's a completely external project and nothing related to the university? I'm set to register it as a company in January 2007, so surely that would be a deterrent?
 
If any of the hikers are minors (under 16, possibly 18) then you might need to comply with child protection legislation... and therefore have things like CRB checks done.
 
toastyman said:
How do they do this if it's a completely external project and nothing related to the university? I'm set to register it as a company in January 2007, so surely that would be a deterrant?

Nothing deters a uni when they sniff an opportunity to gain something they really shouldn't. It's all to do with the "agreement" when you signed up; basically they think it gives them rights to everything created (software, products, ideas) while you are attending their uni, and they usually don't care if it was internal or not.

I have a pet hate of unis claiming stuff that students do, especially as they contribute naff all most of the time. Just a word of warning, that's all - keep it under your hat as far as they are concerned.
 
Slime101 said:
Nothing deters a uni when they sniff an opportunity to gain something they really shouldn't. It's all to do with the "agreement" when you signed up; basically they think it gives them rights to everything created (software, products, ideas) while you are attending their uni, and they usually don't care if it was internal or not.

I have a pet hate of unis claiming stuff that students do, especially as they contribute naff all most of the time. Just a word of warning, that's all - keep it under your hat as far as they are concerned.

Fair enough will do! One of my lecturers is giving me some brilliant ideas for it, but I know he's sound and won't talk! :p

Thanks for the word of warning!
 
Whitestar said:
If you're going to be storing any personal data whatsoever, you need to register with the Data Protection Registrar and you'll have to comply with minimum security standards.

I'm not sure that is correct; from my experience you only have to register with the DPA if you are exchanging details with third parties. If the data you collect is for your use only then there is no need to register.

That is what the DPA people told me.
 
Slinwagh said:
I'm not sure that is correct; from my experience you only have to register with the DPA if you are exchanging details with third parties. If the data you collect is for your use only then there is no need to register.

That is what the DPA people told me.

I'm guessing the emergency services and the hiking assessors would be counted as third parties?
 
Concorde Rules said:
OT:

Wow never knew Unis shafted people like that! :eek:

Can they still do it even if the project was started before entering the agreement?

I don't know if Unis will be the same, but most companies (especially IT) will have a similar policy, and it's just anything that is being developed while working for them. So basically, yes.
 
These minimum security guidelines... I rang up the appropriate government department and they basically said that they don't exist. What kind of precautions should I take to ensure the privacy of the data being stored?

It is a PHP enabled Apache RedHat server, with the database as MySQL. The server has had plenty of security precautions applied to it including kernel hardening.

Would it be necessary to encrypt the user's personal information in the database?
 