Data Protection Act (DPA) 1998
The Data Protection Act (DPA) is a United Kingdom Act of Parliament. It defines the legal basis for handling, in the UK, information relating to living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act does not mention privacy, in practice it provides a way for individuals to enforce control over information about them. Most of the Act does not apply to domestic use, for example keeping a personal address book. The Act is relied upon by many companies and organisations in the United Kingdom.
Compliance with the Act is overseen by an independent government authority, the Office of the Information Commissioner (OIC). The OIC maintains guidance relating to the Act.
The Act defines eight principles of information-handling practice.
The UK Data Protection Act is a large Act and has a reputation for complexity. Whilst its basic principles are honoured in protecting privacy, interpreting the Act is not always simple. Many companies, organisations and individuals seem very unsure of the aims, content and principles of the DPA. Some hide behind the Act and refuse to provide even very basic, publicly available material, citing the Act as a restriction.
Overview of Key Principles
This section provides a quick overview of what the Key Principles of information-handling practice mean. The Key Principles themselves are discussed below in the context of their definition in law.
- Data may only be used for the specific purposes for which it was collected.
- Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
- Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
- Personal information may be kept for no longer than is necessary.
- Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
- Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
- Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
Data Protection Principles
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  - at least one of the conditions in Schedule 2 is met, and
  - in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Offences
- Section 55 - Unlawful obtaining of personal data. This section makes it an offence for people outside the organisation (Other Parties), such as hackers and impersonators, to obtain unauthorised access to personal data.
- Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services. As of 2007 this section has not yet been enabled. According to the government, this section will not be enabled until the Criminal Records Bureau is providing a Basic Disclosure service. The provision of a Basic Disclosure service is dependent on s.112 of the Police Act 1997 being enacted, which provides for a "Criminal Conviction Certificate".