Personal Data Privacy and the Internet - A Guide for Data Users

Making secure transmission of personal data on the Internet

DPP4 requires all practical steps to be taken by a data user
to implement security precautions the level of which should
reflect the seriousness of potential harm resulting from a
security breach. Security is generally weak on the Internet
and special care is needed to ensure that adequate security
measures are implemented for the storage and transmission
of personal data.

Use encryption when transmitting sensitive personal
data. To satisfy the requirements of DPP4, it would be
necessary for organisations to carry out a "harm test" on
the personal data they seek and transmit on the Internet so
as to implement the appropriate level of security measures.
For example, organisations seeking detailed resumes from job
applicants for vacant posts or credit card/bank account information
for service payments would normally require a more stringent
level of security measures in the transmission of such data
than, say, names or office addresses. Similar considerations
should also be applied when sending e-mails that contain sensitive
personal data over the Internet. The use of encrypted data
transfer is one practical means of transmitting such data
on the Internet and should be seriously considered.

Provide a privacy warning message. If un-encrypted
data transfer is used when users transmit sensitive
personal data, the web site should alert users to the risks
in transmission or offer them an alternative secure means
of supplying the data. However, this does not lessen the obligations
on organisations as regards the other requirements of DPP4.
For example, an organisation that operates its own web server
should take practicable steps to ensure that its server is
protected against security attacks over the Internet and that
a well organised and safe system of backups is in place.


