Thread: Data Protection Act

I admin an online community and we may at sometime be collecting information such as names, addresses and phone numbers as the community turns into an official organization. All of the membership management could be handled on the website where members submit this information. Any access to this information would be through a password protected admin panell

A point was raised during discussion in respect to being in complyance with the Data Protection Acts. Information on the Data Protection Comissioners website seems to pertin to storage and inputing of information on a local server and not a remote server where a website is hosted.
A Guide for Data Contollers - Data Protection Commissioner - Ireland

A minimum standard of security would include the following:

• access to central IT servers to be restricted in a secure location to a limited number of staff with appropriate procedures for the accompaniment of any non-authorised staff or contractors;
• access to any personal data within an organisation to be restricted to authorised staff on a ‘need-to-know’ basis in accordance with a defined policy;
• access to computer systems should be password protected with other factors of authentication as appropriate to the sensitivity of the information;
• information on computer screens and manual files to be kept hidden from callers to your offices;
• back-up procedure in operation for computer held data, including off-site back-up;
• all reasonable measures to be taken to ensure that staff are made aware of the organisation’s security measures, and comply with them;
• all waste papers, printouts, etc. to be disposed of carefully;
• a designated person should be responsible for security and for periodic reviews of the measures and practices in place.

They also say that appropriate security measures must be taken depending on the sensitivity of the information being collected. We wont be collecting anything like credit card numbers so can anyone comment on whether what I'm describing (password protected folders on a remote server) might be compliant?

The simplest thing to do is ring them and ask. They're very helpful and if you need to register with them they'll walk you through the entire process

Once your site collects the minimum information required to function, and doesn't request more information than actually required. And that only a limited number, preferably one person can access such information, you should be grand.

The one problem I recall is that one site was requested, to remove personal information of people from the public's view.

Also, by the term 'off-site'. That also includes your own personal computer. So just download the odd backup and password protect on your PC, that is seen as okay.

I had to contact them before in relation to a different matter, sound people to talk to.