1.1. The Data Protection Act (the DPA) governs how the BBC collects, uses and stores the personal information of individuals, including *.bbc.co.uk users.
1.2. This policy outlines the technical implementation of the DPA requirements, for the submission of personal information to *.bbc.co.uk servers.
1.3. For all services that store personal data of any kind the BBC's Information Policy and Compliance department MUST be notified.
2.1. The DPA differentiates between 'personal data' and 'sensitive personal data'.
2.2. Personal data means data from which you can identify a person, for example name, address, phone number, email address or photograph of the person.
2.3. Sensitive personal data means personal data which relates to:
3.1. Data (including personal data and sensitive personal data) is typically submitted via a form using a '
GET' or '
POST', HTTP request, or hyperlink containing a querystring.
GET requests and hyperlinks containing querystrings, are very easily logged by servers between *.bbc.co.uk and the user's computer and leave a trail of the user's personal data.
3.3. All personal data, including sensitive personal data, MUST be collected according to the following rules:
3.3.1. It MUST be encrypted via a secure socket layer (https) connection.
3.3.2. It SHOULD be submitted by a
POST request, specified in the HTML of the web page from which the data is submitted.
3.3.3. Any application which accepts and processes personal data MUST similarly ensure that the personal data is not re-transmitted via a
GET request, as (for example) in a redirect.
3.3.4. Any application which generates and outputs HTML containing a form or hyperlink containing a querystring MUST ensure the appropriate method is specified and used for submission of the relevant data.
3.3.5. If a third party is collecting personal data on behalf of the BBC they MUST ensure that it is transferred to bbc.co.uk using SFTP.
3.4. Note that all personal data will eventually need to be encrypted when stored. The Information Security unit are currently working with the Digital Distribution Group to investigate how this will be implemented.
4.1. These requirements constitute the minimum level of security required of services that handle information covered by the DPA. There may be additional requirements if the editorial proposition is deemed sensitive or the audience considered a vulnerable one. BBC Editorial Policy and BBC Information Policy and Compliance provides advice on these matters (email Editorial Policy or Data Protection Advice).
This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.