Emptied of expectation. Relax. (tinyjo) wrote 2004-08-06 02:35 pm

Keep on moving

Googling for information on using SSL for security and complying with the data protection act is (a) very boring and (b) very difficult because you get zillions of people's privacy policies. All of the official stuff I have found so far is maddeningly unclear, and even my bank just says "Yes, we use SSL, it's the industry standard."

celestialweasel.livejournal.com 2004-08-06 08:35 am (UTC)
This may sound paranoid and/or over cautious and/or unhelpful but if your company and/or your customer needs to rely on something being legal then you should probably be doing more than just googling for the information e.g. talk to a lawyer, the customer's data protection person etc.

However, as it is Friday afternoon, I shall do exactly what I have just said you shouldn't, and look at the act and, not being a lawyer, make a bizarre and arbitrary and probably inaccurate surmise that the most relevant bit is Schedule II Section 4 (d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

You could perhaps argue that not using SSL could potentially cause this to be contravened, and that by using SSL you are at least trying, though obviously the Act does not have any helpful exemptions for holes in the operating system etc. etc. :-)

I hope the above is taken in the spirit in which it is meant i.e. I am trying to be vaguely helpful, not sarcastic...

tinyjo.livejournal.com 2004-08-07 02:47 pm (UTC)
Yeah, that's cool. The thing is that both me and usually the person I am talking to know that there are no data protection issues here - we're transferring information online which is already transferred through other media and we're securing that transmission with 128-bit SSL. The thing is we need something to show to the users that they understand so they don't get their tiny knickers in a twist.

celestialweasel.livejournal.com 2004-08-07 04:29 pm (UTC)
Ah, I see. Tricky. I would just quote that section to them and say 'in accordance with section blah blah we secure the transmission with 128 bit SSL'.