Internet Security

The public's lack of faith in the internet as a secure place for commerce has been one of the most limiting factors for e-commerce growth. Sites need to feel secure to end-users before those users will trade online. There are, however, also legal considerations, which should not be overlooked.

The starting point should be the Data Protection Act 1998, which came into force in UK law on 31st March 2000. Most people will be familiar with the Act and the 8 principles of good practice which form the cornerstones of a data protection policy. Of particular relevance is the 7th data protection principle, which says:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Most readers will be aware that 'processing' is given a wide definition by s.1 of the Act:

""processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data;"

s.4 of the Act makes it a duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

As well as the Data Protection Act 1998, there may be additional regulation for certain types of internet activity which will be relevant to a business's e-commerce security policy. As an example, in the UK it has been reported that the FSA have said that they intend to keep a close eye on the security practices of e-banking sites and will call e-banks to account for any breaches.

All of this means that every organisation must have regard to the state of the art in technology and consider on a regular basis whether, given the nature of the data held, additional security measures should be brought into place. A data controller must also take reasonable steps to ensure the reliability and compliance of employees who have access to personal data and, as a result, an employee policy, properly policed, is likely to be...
