Future Media Standards & Guidelines

Technical implementation of DPA v1.1

1. Introduction

1.1. The Data Protection Act (the DPA) governs how the BBC collects, uses and stores the personal information of individuals, including *.bbc.co.uk users.

1.2. This policy outlines the technical implementation of the DPA requirements, for the submission of personal information to *.bbc.co.uk servers.

1.3. For all services that store personal data of any kind the BBC's Information Policy and Compliance department MUST be notified.

2. Personal data

2.1. The DPA differentiates between 'personal data' and 'sensitive personal data'.

2.2. Personal data means data from which you can identify a person, for example name, address, phone number, email address or photograph of the person.

2.3. Sensitive personal data means personal data which relates to:

  • racial or ethnic origin (eg. nationality or skin colour);
  • political opinions (eg. what political party the person supports or their opinion on the war in Iraq);
  • religious beliefs (eg. Muslim or Catholic);
  • trade union membership;
  • physical or mental health or condition (eg. if the person has a disability or illness);
  • sexual life;
  • commission or alleged commission of an offence;
  • any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court (has the person been involved in any court proceedings?)
  • the personal data of children and credit/debit card data is also treated by the BBC as sensitive data (although they are not specifically defined as sensitive data by the DPA).

3. Protecting personal data

3.1. Data (including personal data and sensitive personal data) is typically submitted via a form using a 'GET' or 'POST' HTTP request, or via a hyperlink containing a querystring.

3.2. GET requests and hyperlinks containing querystrings are very easily logged by servers between *.bbc.co.uk and the user's computer, leaving a trail of the user's personal data.

3.3. All personal data, including sensitive personal data, MUST be collected according to the following rules:

3.3.1. It MUST be encrypted via a Secure Sockets Layer (https) connection.

3.3.2. It SHOULD be submitted by a POST request, specified in the HTML of the web page from which the data is submitted.

3.3.3. Any application which accepts and processes personal data MUST similarly ensure that the personal data is not re-transmitted via a GET request, as (for example) in a redirect.

3.3.4. Any application which generates and outputs HTML containing a form or hyperlink containing a querystring MUST ensure the appropriate method is specified and used for submission of the relevant data.

3.3.5. If a third party is collecting personal data on behalf of the BBC they MUST ensure that it is transferred to bbc.co.uk using SFTP.
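An added example, not BBC code: a small Python audit that checks a generated page against rules 3.3.1, 3.3.2 and 3.3.4 by flagging forms that carry personal data over a non-https action or a non-POST method, and hyperlinks whose querystring carries personal data. The field names in `PERSONAL_FIELDS`, the `audit` function and the `example.invalid` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Assumption: field names treated as personal data; adapt to the service's own forms.
PERSONAL_FIELDS = {"name", "email", "address", "phone", "dob"}

class SubmissionAudit(HTMLParser):
    """Collects findings against rules 3.3.1, 3.3.2 and 3.3.4 for one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults: method is GET, action is the page's own URL.
            self.form = {"method": (a.get("method") or "get").lower(),
                         "action": urljoin(self.page_url, a.get("action") or ""),
                         "fields": set()}
        elif tag in ("input", "select", "textarea") and self.form is not None:
            self.form["fields"].add((a.get("name") or "").lower())
        elif tag == "a" and a.get("href"):
            url = urljoin(self.page_url, a["href"])
            keys = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
            if keys & PERSONAL_FIELDS:
                self.findings.append(("3.3.4", "link-querystring", url))

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            f, self.form = self.form, None
            if f["fields"] & PERSONAL_FIELDS:
                if urlsplit(f["action"]).scheme != "https":
                    self.findings.append(("3.3.1", "form-not-https", f["action"]))
                if f["method"] != "post":
                    self.findings.append(("3.3.2", "form-not-post", f["action"]))

def audit(html, page_url):
    """Return a list of (rule, kind, url) findings for one HTML page."""
    parser = SubmissionAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (not from bbc.co.uk).
SAMPLE = """<form action="/signup"><input name="email"><input name="postcode"></form>
<form method="post" action="https://example.invalid/join"><input name="name"></form>
<form method="get" action="/search"><input name="q"></form>
<a href="/profile?email=a%40example.invalid">profile</a>"""

if __name__ == "__main__":
    for rule, kind, url in audit(SAMPLE, "http://example.invalid/page"):
        print(rule, kind, url)
```

Relative form actions are resolved against the page URL, so a form with no `action` on a page served over http is reported under 3.3.1 as well.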

3.4. Note that all personal data will eventually need to be encrypted when stored. The Information Security unit are currently working with the Digital Distribution Group to investigate how this will be implemented.

4. Other considerations

4.1. These requirements constitute the minimum level of security required of services that handle information covered by the DPA. There may be additional requirements if the editorial proposition is deemed sensitive or the audience considered a vulnerable one. BBC Editorial Policy and BBC Information Policy and Compliance provide advice on these matters (email Editorial Policy or Data Protection Advice).

BBC © 2014 The BBC is not responsible for the content of external sites.