Data protection rules for a DBA
Below I’d like to touch on the European Union’s data protection rules in order to encourage database administrators (DBAs) to be careful with the sensitive company and individual information that they work with.
The data protection rules established by the European Union help give people control of their personal data. They set high standards for businesses that collect and use this data – especially sensitive data like health information, sexual preference, religious, political or ideological views or prior criminal offences.
Privacy Rights
If your job as a DBA involves working with personal information about individuals, or if you have access to personal information held by the company, you are expected to take all necessary steps to safeguard it. Infringements of the EU data protection rules can lead to very serious consequences for the company and for you.
Every DBA should assume that any information that identifies an individual or can be used to identify, locate or contact them falls under the directive. This includes:
- name, address and phone number
- employment history
- credit history or other financial information
- age, race, religion, ethnic or national origin
- marital status
Even a list of names could be considered private information, since names identify people. Data that does not identify individuals – such as pure statistical data – is not covered by the directive. However, in some European countries, even information that identifies a company is considered as ‘personal data’.
Collecting Data
Do not collect personal data unless you are certain that each person has agreed to allow you to do so.
Under EU data protection rules, individuals can refuse to provide personal data. They also have the right to prohibit you from sharing that data with others. As a rule, data should only be collected for a specified reason, and you should obtain an individual’s consent before you use it for any other purpose.
Make sure the customer knows why you are collecting their information and how you plan to use it. Be especially careful when collecting any sensitive information, like health information or religion.
Data Storage and Security
Businesses that collect and store personal information must use appropriate technology and security procedures, including:
- storing the data on secure servers
- protecting it with passwords
- limiting both internal and external access to it
- keeping hard copies in locked filing cabinets
DBAs who collect and/or work with that information must be aware of this legal requirement. They must also be familiar with the technical requirements needed to ensure the data is properly protected.
The IT Department is responsible for the creation and management of the company’s technology infrastructure. In addition to using hardware and installing software designed to prevent the loss, theft or misuse of data entrusted to us, IT must establish and follow procedures that are well designed to protect that information. The security of the best hardware and the most hack-proof software is compromised if those who use them fail to follow appropriate procedures.
Transfers of Data
Do not transfer personal data to others unless you are certain that you may do so.
The EU data protection rules severely limit when and how individuals’ personal data can be transmitted or shared. Sometimes, even transfers within a company are not allowed. International data transfers are subject to particularly strict rules.
Individuals’ personal data generally cannot be sent to other organizations or to people outside the company which collected the data, unless the data subjects have consented to the transfer. Even when such a transfer to another organization is permitted under the law, we must make sure that the company has adequate safeguards for that information during and after the transfer.
The European Union’s data protection directive has some complicated rules regarding data transfers between countries. When data is transferred from one EU country to another EU country, the directive specifies which country’s laws apply to that transfer. When data is transferred to a country that is not a member of the EU, the directive requires that either an ‘adequate level of protection’ exists in the recipient country or that ‘adequate safeguards’ are put in place. Note that some countries have laws about international transfers which are even stricter than those in the EU directive.