Preamble: I'm being reference-checked by a company. This company has asked me to send them my personal details (like NI numbers) via email (unsecured; unencrypted: big no-no). (To avoid side-tracking the question, I contacted the company and we came up with a different method).

I'm aware that the data protection act requires the data to be kept safe. But whose job is it to ensure that it gets there safely? Especially when the information is being requested by them, but the onus is on me to send it? Who's at fault if the data is intercepted?

Is the data my responsibility until it arrives at their system (I think so?), or is it their responsibility to make sure that the data is transferred in a secure manner?

Under my understanding, if I were a company sending someone else's details in this manner, I'm liable. But if I were a company taking bank details over HTTP, it's also on me and not the customer, right?

Short version: If someone asks me for my information, do they have to ensure it is sent to them securely, or do I?

(Again, to avoid derailing the question: I'm looking for the interpretation of people with a stronger background in this issue than me. I'm not looking for legal advice. Future-people reading the question shouldn't interpret answers as legal advice).

KidneyChris
  • I'm not sure this question belongs on this site. Perhaps https://legal.stackexchange.com would be better? – Neil Smithline Jan 15 '16 at 18:17
  • @NeilSmithline I wasn't sure either way (Information Security struck me as being a bit more tightly bound to "legalities of security of information"). If it is better there, is there a "move" button, or would I just close here and re-write there? – KidneyChris Jan 15 '16 at 18:25
  • (it's also [law.stackexchange.com](http://law.stackexchange.com) if anyone's trying to follow the link) – KidneyChris Jan 15 '16 at 18:28
  • I'm really not sure it should be there either. If people start upvoting my comment to move it, you can `flag` the question and ask a mod to move it. We can just wait and see. – Neil Smithline Jan 15 '16 at 18:36
  • (I don't have more background); [Data Protection Act sect. 1](http://www.legislation.gov.uk/ukpga/1998/29/section/1) says a "data controller" is whoever determines the purposes for which data is processed, and [section 4](http://www.legislation.gov.uk/ukpga/1998/29/section/4) says - *"it shall be the duty of a data controller to comply with the data protection principles in relation to all [data he controls]"*. Seems to me that you are a data controller because you have the data, and they are a data controller because they determine they need the data, so it's on both of you (2x not .5 each). – TessellatingHeckler Jan 15 '16 at 21:07
  • i.e. it's on you to make sure the data you control doesn't leave insecurely, and it's on them to make sure the data they are getting doesn't arrive insecurely, and they overlap in a way that makes you both responsible if data is lost. And that since you had it first, it's on you to guard that you aren't giving the data to an organisation that will process it unsafely. All my layman's reading though. – TessellatingHeckler Jan 15 '16 at 21:18
  • @TessellatingHeckler Sounds like something that could form the beginnings of an answer. I didn't actually consider the possibility of both parties being responsible (and "more background" can include "can make sense of dense legalese"). – KidneyChris Jan 15 '16 at 22:06
  • Though I am curious if I count as a data controller for my own data? This somewhat implies I can be liable for mishandling of my own personal information... – KidneyChris Jan 15 '16 at 22:10
  • No, you cannot be a DC for your own information - that's your lookout! You can only be DC for other people's information (though that might include your own of course). – Julian Knight Sep 15 '16 at 20:42
  • The company who collects and processes the data is responsible. However, you cannot make anybody else liable if you scream your details out the window (however, even that data can only be processed compliant with the law). – eckes Dec 31 '16 at 01:04

1 Answer

Please let me start by saying that I am an IT person not a lawyer. As such, this is my opinion on the matter and cannot be taken as definitive.

As in the comments, the Data Controller is responsible for the data overall. The DC may pass data to others to process, and Data Processors have their own responsibilities, but the Data Controller cannot devolve their responsibility.

However, in this case, none of that really applies. You are choosing to send your personal data to someone. Once it is with them, they will be Data Controllers not you.

For transmission, the issues are somewhat complex. If the recipient is providing the mechanism for transfer then they have a responsibility to ensure that it is secure and doesn't leak your personal data since they are the DC.

Anyone claiming to keep your data secure who then asks you to transmit it unsecured would already be breaking at least the spirit of the legislation. However, if you are foolish enough not to think about this and you agree to send it anyway, I rather suspect that this would be taken into account if there was a breach.

Thankfully, you clearly have thought about it!

So there is something of a shared responsibility to begin with and then the organisation holding your data becomes a Data Controller and has responsibility.

For banking, there is a lot more than the DP act to take into account as that is a far more regulated industry. If a bank creates a financial system for you as a customer and fails to secure it properly, the responsibility in the UK at least will certainly fall on them not you. As a customer, you cannot be expected to understand the technical issues around cyber security. Customer protections in banking are excellent in the UK and you would most certainly get back any money lost & could expect to have expenses covered for any identity theft.

Julian Knight