Transfer & Transit and the 8th Data Protection Principle
The 8th data protection principle of the UK's Data Protection Act states that personal information should not be:
...
transferred to other countries without adequate protection.
Organisations with websites and web applications often ask how this affects their web content when they don't know where an end user could be or what route data might travel over the internet. First, of course, it's only relevant if the content contains personal information. The Information Commissioner's Office (ICO) has published guidance, in its data protection guidelines on International transfers of Personal Information, on the difference between transfers (the 8th principle) and transit, where information passes through, but does not move to, a country outside the European Economic Area (EEA).
To comply with the 8th principle you must not transfer personal information to a country or territory outside the EEA unless there is an adequate level of protection for the information and for the rights of individuals.
So you don't need to worry about the routing (data in transit), but do consider the effects of proxies and caches, and how encryption in transit can protect information that could be stored, even transiently, at intermediate locations. Also, if your users can access personal information in content from your website and they are located outside the EEA, the data has been transferred and you do need to consider the effects of the eighth principle.
Posted on: 01 September 2009 at 11:15 hrs
