[Go-essp-tech] User Privacy and Data Protection
philip.kershaw at stfc.ac.uk
philip.kershaw at stfc.ac.uk
Thu Dec 17 09:40:47 MST 2009
Hi all,
At the telco on Tuesday we talked about privacy of user information and
in particular users' e-mail addresses.
I've talked to our Curation Manager here Sam Pepler to check about the
UK Data Protection Act. Two principles to apply when considering how
best to follow the legislation are:
1) only keep the pieces of personal information that are actually need
by the system
2) tell users what you're going to use the information for
For 2) the statement should not be so vague as to mislead users but at
the same time it should not be so specific as set any organisation up to
break it e.g. stating 'e-mail address will be used to provide
notification of changes to data' but then down the line find that there
is another equally valid use case for the system using e-mail
information.
There is no need to tell the user exactly which individual organisations
you are going to share the information with. It would be sufficient to
say, 'organisations within the ESG federation'.
To some extent this is an exercise in risk management. That may sound
worrying but it would be very difficult to apply measures that would
remove all risk of being sued.
A more difficult problem is the scenario where more than one legislative
system is involved but if we keep to the above principles it should be
OK.
If we wanted to pursue this further we could look for example into the
US Dept. of Commerce Safe Harbour scheme which enables US organisations
to sign up to an agreement to adhere to EU legislation on the transfer
of personal data. I've not looked into legislation for other countries.
For reference:
http://www.privireal.org/content/dp/countries.php
Cheers,
Phil
--
Scanned by iCritical.
More information about the GO-ESSP-TECH
mailing list