Seb Bacon wrote:
I asserted recently on a different mailing list that legally (under
data protection provisions) it seems safe to use Google Docs for
storing personal data, as they are signed up to the Safe Harbor
agreement.  You might have a view on if that adequately protects
privacy, but aside from that, it looks to me like people probably
can't sue you for storing their data on Google Docs, if you're
following the ICO's own advice (http://is.gd/jwMW)

The biggest point there (linked from that page, general compliance advice) being that you had to get consent from the user that their data could be so transferred. If you did not get that consent, then I'm not sure.

But someone responded, "There are several court cases in progress where
individuals are suing companies for storing their data on Google,
Yahoo etc.. Even the Microsoft safe harbour statement isn't clear. The
big issue is that the various patriot acts over-ride any safe harbour
statement meaning the US gov can get any of the data. Technically
breaching the DPA."

 As Google Docs is used a fair bit here to bandy about data, does
anyone else have any views on this?

Vaguely different issue there, about the government. The Safe Harbor principles - http://www.export.gov/safeharbor/eu/sh_en_privacy1.asp - are about keeping your data safe, and being clear what could happen to it. Here is Google's privacy policy on sharing personal data:

"Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances: [...] We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

So if an "enforceable governmental request" came in, or if "any applicable law" or "legal process" was used by an individual - and I have no idea whether there is such a law that individuals could use, that's not the point - then you have been informed that your data could be handed over. I don't see that as a breach of the DPA, which has a clear exemption (section 35) for disclosures "required by law or made in connection with legal proceedings etc." - so the same principle would presumably apply if Google were hosted in the UK. I guess the difference is that it's a different government theoretically gaining access to the data - but as I said above, you should have gained consent from the user first.

ATB,
Matthew
