Cases, case studies and implications

Accidental loss of personal data

Case study: A high street dealer once unwittingly sold a refurbished laptop computer containing psychiatric files. A county council recycled PCs containing details of recent child abuse cases. (McLuhan, 1999)

Remember the seventh data protection principle?

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Experts recommend using professional data removal utilities.

Data transfers to other countries

Case study: Data can't be transferred to a country outside the European Economic Area (EU Member States together with Iceland, Liechtenstein and Norway) unless that country has adequate safeguards. At the time of writing no other countries' safeguards have been recognised as adequate.

Question: What implication does this have for multi-national companies?

Personal data sent to head office?

They'd have to be aware of EU legislation

It might be illegal to send the data


Question: What about local authorities that publish personal details of councillors on their Web server?

May have to gain consent from councillors



Direct marketing

Case study: Special clauses apply to direct marketing. Data subjects may opt out of:

Question: What impact would this have on your design for a system holding names and addresses of customers?

You would need a column to store their decision

Any bought-in lists would have to be cross-checked



Question: Why would you have to cross-check? What's so difficult about this?

1. If someone told you not to approach them, don't

2. The bought list might have the same person

3. But the name might be slightly different!
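The cross-check described above, as an added example that is not part of the original notes: each record on a bought-in list is compared against the customers who have opted out, using normalised names and approximate matching from Python's standard `difflib`. The field names, title list, thresholds and sample records are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof"}  # assumed title set

def norm_name(name):
    """Lowercase, drop punctuation and titles, sort tokens ("Smith, John" == "John Smith")."""
    cleaned = re.sub(r"[^a-z\s]", " ", name.lower().replace("'", ""))
    return " ".join(sorted(t for t in cleaned.split() if t not in TITLES))

def norm_postcode(pc):
    """Compare postcodes without spacing or case differences."""
    return re.sub(r"\s+", "", pc).upper()

def classify(record, opted_out, suppress_at=0.85, review_at=0.60):
    """Return 'suppress', 'review' or 'ok' for one bought-in record.

    Only opt-outs at the same postcode are compared, so a common name in a
    different household does not block a mailing. Thresholds are assumptions
    to tune on real data; borderline scores go to a person, not the mailshot.
    """
    name, pc = norm_name(record["name"]), norm_postcode(record["postcode"])
    best = 0.0
    for person in opted_out:
        if norm_postcode(person["postcode"]) != pc:
            continue
        best = max(best, SequenceMatcher(None, name, norm_name(person["name"])).ratio())
    if best >= suppress_at:
        return "suppress"
    return "review" if best >= review_at else "ok"

# Constructed sample data: the stored opt-out decisions and a bought-in list
OPTED_OUT = [
    {"name": "Mr John Smith", "postcode": "CF37 1DL"},
    {"name": "Catherine O'Brien", "postcode": "NP20 4UR"},
]
BOUGHT_LIST = [
    {"name": "Smith, Jon", "postcode": "cf371dl"},      # same person, spelt differently
    {"name": "Kate OBrien", "postcode": "NP20 4UR"},    # possible nickname: needs a human
    {"name": "John Smith", "postcode": "SA1 3SN"},      # same name, different address
    {"name": "Priya Patel", "postcode": "CF37 1DL"},    # same address, different person
]

def cross_check(bought, opted_out):
    return [(r["name"], classify(r, opted_out)) for r in bought]

if __name__ == "__main__":
    for name, verdict in cross_check(BOUGHT_LIST, OPTED_OUT):
        print(f"{verdict:9} {name}")
```

An exact string comparison would pass "Smith, Jon" straight through to the mailing; the approximate match suppresses it and sends the nickname case for manual review.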


Cookies, spyware and adware

Case study: On a related note, you can't retain details of people who have visited your Web site and use them for marketing without their consent. The Privacy and Electronic Communications (EC Directive) Regulations say that if you store information on a subscriber's terminal (e.g. a cookie), the subscriber must be:

  1. provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  2. given the opportunity to refuse the storage of or access to that information.

Case study: Some adware identifies when a specific type of web site has been loaded (say, a travel agent) and displays adverts for a direct competitor. Some even display tool bar buttons labelled "Flights" or "Hotels" that in fact take the user to a competitor's site. These practices potentially breach intellectual property rights, especially if they lead to confusion among consumers. At the time of writing there is no British case law on this.


Important notice

What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.

© 1999, 2006, University of Glamorgan