The BBC's complete policy on Information Security is available in the Information Security section of the Delivering Quality site. The purpose of this document is to highlight the Information Security issues that are relevant to Future Media projects.
You should be aware that everyone who interacts with the BBC, other than as a passive viewer or listener, has to comply with the BBC's Information Security Service Frameworks Requirements.
The BBC will normally host all bbc.co.uk content and services.
Third party hosting will be considered only if it is not possible or desirable for the BBC to host the data. For example, if the BBC does not have the required software or facilities to complete the required service, then third party hosting may be allowed.
If you are an existing or potential external supplier wanting a summary of the security and service standards for third party hosting of BBC data see Third Party Hosting Requirements.
3.1 As a BBC supplier, you MUST meet certain baseline standards relating to the security of information that you host or process on behalf of the BBC. For full details of these standards see Baseline Security Standards for Third party suppliers to the BBC.
You should note that the duty of care for implementation of the standards in the above document is placed on you, the supplier. If for any reason you are unable to comply with these standards, you MUST obtain permission to vary from these standards from the Head of Information Security and Quality Assurance. If permission has not been obtained, the BBC will assume that you are fully compliant.
If you provide any service which involves the processing of users' personal data, you have a legal obligation to process the data in accordance with the Data Protection Act 1998 (DPA). Under the DPA 'processing' includes the collection, holding and disclosure of data.
Personal data is information that relates to a living individual, identifies that individual and affects their privacy in some way. It also includes data relating to a living individual who can be identified from that data combined with any other information which the data controller possesses or is likely to possess. Not all references to individuals are personal data.
Personal data includes:
Individual email addresses may or may not be personal data depending on what information may be gleaned from the email address and what other information the data controller holds, but a collection of email addresses MUST be processed in a way that complies with the DPA, because amongst a collection of email addresses there will be some that give personal details and others that do not. For example, an email address such as jack.russell@king-edwards-school.worcester.org.uk reveals the individual's full name, that he may be of school age (alternatively he may, of course, be a member of staff at the school) and the school he attends, and provides a means of contacting him; these factors mean that this email address is personal data. An email address such as sunshine@hotmail.com is less likely to be personal data.
For a more detailed discussion on personal data see The Durant Case and its impact on the interpretation of the Data Protection Act 1998 10/04.
Personal data that consists of information about an individual's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership, physical or mental health, sexual life, commission or alleged commission of any offence, or any proceedings for any offence committed or alleged to have been committed by him, is 'sensitive personal data' which is subject to stricter obligations under the DPA (for example, increased security measures).
The Information Commissioner's Office is the body responsible for enforcing the DPA and they have a useful fact sheet at Information Commissioner's Office – Data Protection.
If you have any queries on DPA issues, please contact dpa.officer@bbc.co.uk.
The DPA distinguishes between the 'data controller', who determines the purposes for which personal data are collected and processed, and the 'data processor', who processes the personal data on behalf of the data controller. Data controllers must give the Information Commissioner's Office a general description of the purposes for which they process personal data (this is called notification). The individual who is the subject of the personal data is called the 'data subject'.
If you are acting as a data processor your contract with the BBC will include a clause which states that you must comply with the DPA, guarantee appropriate technical and organizational security measures for the processing of personal data and act only on the instructions of the BBC.
Your obligations will vary according to the type of information you are hosting. If no personal data is being processed, you will have no DPA obligations.
A data controller must comply with the eight data protection principles:
The Information Commissioner lists the eight data protection principles at Information Commissioner/DPA/Principles.
Any website that collects personal data must include a 'Fair Collection' notice. The notice should describe all the purposes for which the information collected (including information collected via cookies) will be used. If personal data collected is going to be used for promotion, marketing or any other secondary purpose, then the notice must give individuals the opportunity to agree to this by asking them to tick an 'opt-in' box. Where an individual does tick the box they are giving permission for the secondary purpose. The notice should explain whether any information will be disclosed to anyone outside the BBC and whether information will be disclosed to third parties outside the European Economic Area.
Websites aimed at children (16 years and under) are subject to stricter rules.
| Date | Version | Change | Author |
|---|---|---|---|
| 18/03/2008 | v1.23 | Updated links to DQ site | Jonathan Hassell |
| 17/03/2005 | v1.22 | Add definition of personal data & links to other docs on the subject | Sally Underwood |
| 10/03/2005 | v1.21 | Various typos corrected; general tidying; removal of technical info | Jonathan Hassell |
| 08/03/2005 | v1.20 | Various changes to section 3 (technical) needs review by Julia Harris | Mark Hewis / Matt Blakemore |
| 06/03/2005 | v1.19 | Removed policy content and replaced with links to DQ site; general editing and updating of links & email addresses | Sally Underwood |
| 23/02/2005 | v1.04 | Added Narinder's phone comments to top of doc | Sally Underwood |
| 26/07/2002 | v1.02 | Created template and attached it to doc | Jonathan Hassell |
| 24/07/2002 | v1.01 | Took original doc. Added standard header and footer to all pages. Added status page to front of document. | Jonathan Hassell |
Document editor: Editor, Standards & Guidelines. If you have any comments, questions or requests relating to this document, please contact the Editor, Standards & Guidelines.
Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.