Data protection rules for a DBA

January 22, 2010

Below I’d like to touch on the European Union’s data protection rules, to encourage database administrators (DBAs) to be careful with the sensitive company and individual information they work with.

The data protection rules established by the European Union help give people control of their personal data. They set high standards for businesses that collect and use this data – especially sensitive data like health information, sexual preference, religious, political or ideological views or prior criminal offences.

Privacy Rights

If your job as a DBA involves working with personal information about individuals, or if you have access to personal information held by the company, you are expected to take all necessary steps to safeguard it. Infringements of the EU data protection rules can lead to very serious consequences for the company and for you.

Every DBA should assume that any information that identifies an individual or can be used to identify, locate or contact them falls under the directive. This includes:

  • name, address and phone number
  • employment history
  • credit history or other financial information
  • age, race, religion, ethnic or national origin
  • marital status

Even a list of names could be considered private information, since names identify people. Data that does not identify individuals – such as pure statistical data – is not covered by the directive. However, in some European countries, even information that identifies a company is considered ‘personal data’.

Collecting Data

Do not collect personal data unless you are certain that each person has agreed to allow you to do so.

Under EU data protection rules, individuals can refuse to provide personal data. They also have the right to prohibit you from sharing that data with others. As a rule, data should only be collected for a specified reason, and you should obtain an individual’s consent before you use it for any other purpose.

Make sure the customer knows why you are collecting their information and how you plan to use it. Be especially careful when collecting any sensitive information, like health information or religion.

Data Storage and Security

Businesses that collect and store personal information must use appropriate technology and security procedures, including:

  • storing the data on secure servers
  • protecting it with passwords
  • limiting both internal and external access to it
  • keeping hard copies in locked filing cabinets

DBAs who collect and/or work with that information must be aware of this legal requirement. They must also be familiar with the technical requirements needed to ensure the data is properly protected.

The IT Department is responsible for creating and managing the company’s technology infrastructure. Beyond using hardware and installing software designed to prevent the loss, theft or misuse of the data entrusted to us, IT must establish and follow procedures that are well designed to protect that information. The security of the best hardware and the most hack-proof software is compromised if those who use them fail to follow appropriate procedures.
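For a DBA, the two rules above (collect personal data only for a stated, consented purpose, and limit internal access to what is stored) translate into schema and privilege design. The following is an added example, not code from the original post; it uses PostgreSQL syntax, and every schema, table, column and role name in it is an assumption chosen for illustration:

```sql
-- Added example (not from the original post): purpose-limited collection and
-- least-privilege access for personal data. PostgreSQL syntax; all names are
-- assumptions. Run as a superuser or the schema owner.

-- Personal data lives in its own schema so access can be granted narrowly
-- instead of relying on default privileges on the public schema.
CREATE SCHEMA personal;
REVOKE ALL ON SCHEMA personal FROM PUBLIC;

CREATE TABLE personal.customer (
    customer_id   bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    full_name     text NOT NULL,
    email         text NOT NULL,
    phone         text,
    date_of_birth date,
    -- Sensitive category (health): keep it in a column that no ordinary
    -- role can read, and store it only if the consented purpose needs it.
    health_notes  text
);

-- One row per (person, purpose): the record that collection or use for that
-- purpose was agreed to, and when consent was withdrawn if it was.
CREATE TABLE personal.consent (
    customer_id  bigint NOT NULL REFERENCES personal.customer (customer_id),
    purpose      text   NOT NULL
                 CHECK (purpose IN ('order_fulfilment', 'marketing', 'health_service')),
    given_at     timestamptz NOT NULL DEFAULT now(),
    withdrawn_at timestamptz,
    PRIMARY KEY (customer_id, purpose)
);

-- A purpose-bound view: only the columns the marketing team needs, and only
-- for people whose consent to 'marketing' is current. Using the data for a
-- different purpose requires a different consent row and a different view.
CREATE VIEW personal.marketing_contacts AS
SELECT c.customer_id, c.full_name, c.email
FROM personal.customer AS c
JOIN personal.consent  AS k ON k.customer_id = c.customer_id
WHERE k.purpose = 'marketing'
  AND k.withdrawn_at IS NULL;

-- Application roles never see the base tables; each gets exactly one view.
-- In PostgreSQL a view runs with its owner's privileges by default, so
-- SELECT on the view is enough and SELECT on personal.customer is not granted.
CREATE ROLE marketing_app NOLOGIN;
GRANT USAGE  ON SCHEMA personal TO marketing_app;
GRANT SELECT ON personal.marketing_contacts TO marketing_app;

-- Sanity check a DBA can run: marketing_app must be unable to read the
-- health column directly. Expect "permission denied for table customer".
SET ROLE marketing_app;
SELECT health_notes FROM personal.customer;   -- should fail
SELECT * FROM personal.marketing_contacts;    -- allowed, and consent-filtered
RESET ROLE;
```

The design choice worth noting is that the consent table is not an afterthought: the view joins on it, so a withdrawn consent removes the person from the marketing result set without anyone having to remember to delete rows elsewhere. Access to the raw `health_notes` column stays with the schema owner and whatever dedicated role the health service later receives.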

Transfers of Data

Do not transfer personal data to others unless you are certain that you may do so.

The EU data protection rules severely limit when and how individuals’ personal data can be transmitted or shared. Sometimes, even transfers within a company are not allowed. International data transfers are subject to particularly strict rules.

Individuals’ personal data generally cannot be sent to other organizations or to people outside the company which collected the data, unless the data subjects have consented to the transfer. Even when such a transfer to another organization is permitted under the law, we must make sure that the company has adequate safeguards for that information during and after the transfer.

The European Union’s data protection directive has some complicated rules regarding data transfers between countries. When data is transferred from one EU country to another EU country, the directive specifies which country’s laws apply to that transfer. When data is transferred to a country that is not a member of the EU, the directive requires that either an ‘adequate level of protection’ exist in the recipient country or that ‘adequate safeguards’ are put in place. And note that some countries have laws about international transfers which are even stricter than those in the EU directive.
