1.1. The Data Protection Act (the DPA) governs how the BBC collects, uses and stores the personal information of individuals, including *.bbc.co.uk users.
1.2. This policy outlines the technical implementation of the DPA requirements, for the submission of personal information to *.bbc.co.uk servers.
1.3. For all services that store personal data of any kind the BBC's Information Policy and Compliance department MUST be notified.
2.1. The DPA differentiates between 'personal data' and 'sensitive personal data'.
2.2. Personal data means data from which you can identify a person, for example name, address, phone number, email address or photograph of the person.
2.3. Sensitive personal data means personal data which relates to:
3.1. Data (including personal data and sensitive personal data) is typically submitted via a form using a 'GET' or 'POST' HTTP request, or via a hyperlink containing a querystring.
3.2. GET requests and hyperlinks containing querystrings are very easily logged by servers between *.bbc.co.uk and the user's computer, and leave a trail of the user's personal data.
3.3. All personal data, including sensitive personal data, MUST be collected according to the following rules:
3.3.1. It MUST be encrypted via a secure socket layer (https) connection.
3.3.2. It SHOULD be submitted by a POST request, specified in the HTML of the web page from which the data is submitted.
3.3.3. Any application which accepts and processes personal data MUST similarly ensure that the personal data is not re-transmitted via a GET request, as (for example) in a redirect.
3.3.4. Any application which generates and outputs HTML containing a form or hyperlink containing a querystring MUST ensure the appropriate method is specified and used for submission of the relevant data.
3.3.5. If a third party is collecting personal data on behalf of the BBC they MUST ensure that it is transferred to bbc.co.uk using SFTP.
3.4. Note that all personal data will eventually need to be encrypted when stored. The Information Security unit are currently working with the Digital Distribution Group to investigate how this will be implemented.
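Rules 3.3.1 to 3.3.4 can be checked mechanically against the HTML a service emits and the redirects it issues. The sketch below is an added example, not BBC code; the `PERSONAL` field names, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed field names treated as personal data (illustrative, not from the policy).
PERSONAL = {"name", "address", "phone", "email"}
# Constructed sample page: one non-compliant form, one compliant form, one leaking link.
SAMPLE = """<form action="/signup" method="get"><input name="email"></form>
<form action="https://www.example.org/vote" method="post"><input name="email"></form>
<a href="/thanks?email=a%40example.org">next</a>"""

def leaks_in_query(url):  # sorted personal field names found in a URL's querystring
    keys = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in keys if k.lower() in PERSONAL)

class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a missing method defaults to GET, a missing action to the page URL
            self.form = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(), "fields": set()}
        elif tag in ("input", "textarea", "select") and self.form is not None:
            self.form["fields"].add((a.get("name") or "").lower())
        elif tag == "a" and a.get("href"):
            url = urljoin(self.page_url, a["href"])
            if leaks_in_query(url):
                self.findings.append(("3.3.4", url, "personal data in link querystring"))

    def handle_endtag(self, tag):
        if tag != "form" or self.form is None:
            return
        f, self.form = self.form, None
        if not f["fields"] & PERSONAL:
            return  # form collects no personal data, so the rules do not apply
        if urlsplit(f["action"]).scheme != "https":
            self.findings.append(("3.3.1", f["action"], "form not submitted over https"))
        if f["method"] != "post":
            self.findings.append(("3.3.2", f["action"], "form uses GET, not POST"))

def audit_page(html, page_url):
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings  # list of (rule, url, message) tuples

def redirect_ok(location):  # 3.3.3: no personal data re-sent in a redirect querystring
    return not leaks_in_query(location)
```

Run `audit_page` over each generated page with the URL it is served from, and call `redirect_ok` on every `Location` header the application sets after processing a submission.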
4.1. These requirements constitute the minimum level of security required of services that handle information covered by the DPA. There may be additional requirements if the editorial proposition is deemed sensitive or the audience is considered a vulnerable one. BBC Editorial Policy and BBC Information Policy and Compliance provide advice on these matters (email Editorial Policy or Data Protection Advice).
| Date | Version | Change | Author |
|---|---|---|---|
| 06/07/2008 | v1.1 | Section 3 changed to ensure all data is transmitted using encryption. | Victoria Jolliffe |
| 05/2006 | v1.0 | Move definitions of personal and sensitive data to body of document. | Tred Magill |
| 04/2006 | v0.03 | Rewrite by DPA unit. | Nadia Banno/James Leaton Gray |
| 04/2006 | v0.02 | Amendment proposed by Technical Forum. | Tred Magill |
| 03/2006 | v0.01 | Original draft. | Tred Magill |
Document editor: Editor, Standards & Guidelines. If you have any comments, questions or requests relating to this document, please contact the Editor, Standards & Guidelines.
Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.