BMJ - PKI and signinng slight confusion

[John R T Brazier]

David Howe said:

I must admit to not being entirely familiar with the DPA (98) - but can't
find any provision that requires you to protect the data adequately in
transit. Principle 7 gives:

7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.

  Which seems to make it a duty to prevent anyone using YOUR system to
access the data, but doesn't seem to require you to protect it in transit.
I would also be interested in the contractual requirements (I assume we can
take the ethical obligations as a given for qualified doctors)

True, but only in so far as it goes. The key bit is to looks at the
definition of the word 'processing', which is what the 'data controller'
does with the data (Section 1(1)):

Begin Quote --

"processing", in relation to information or data, means obtaining, recording
or holding the information or data or carrying out any operation or set of
operations on the information or data, including-

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or
otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the
information or data;
End Quote --

Without getting into a war of words, I think you can see that the
Commissioner has purposely used the widest possible meaning for the word
'processing'. In effect, if you do anything with the data you are
responsible for it (if you are the data controller), and Principle 7 is
active.


All the best,

John B