What is our attitude to privacy?

A potential customer contacted us recently and, in amongst their technical questions, asked very directly:

What is your attitude to privacy as a company?

It’s a simple question, but also potentially loaded. What do you mean, attitude as a company? Is it your personal data privacy you’re concerned about or the data on your server? And can we really have one policy for the whole company? I think it’s the responsibility of any company that’s handling sensitive customer data to be honest about its approach to privacy.

Ultimately, I believe there are only two things you should consider when selecting a company on this basis:

  • what the law says, and
  • how much you trust that company to respect your privacy.

Firstly, the legal bit: our services to customers are governed by our terms and conditions. These are contractual obligations on top of our “statutory duties”: the laws we’re required to obey. That means we are required by law to comply with the orders of a court in England and Wales, whatever those orders might say. In practice, that usually means extracting specific data on one or more of our customers’ servers.

On that topic, our MD, Matthew Bloch, has said in the past:

“Bytemark don’t have any choice about compliance with court orders, but we have never been keen on them.

“We follow the letter of each order, painstakingly extracting and filtering the information ordered, accessing the bare minimum, even if that takes much more time.”

And that’s absolutely true – we spend much more time complying with the letter of a court order when it would be easier to simply copy all the data off and let the police filter it.

But as I say above, unless there’s been a court order requiring disclosure to the police, Bytemark will never disclose your data to any third party.

With that out of the way, I’ve written up some of the specific ways that we respect your privacy, which I’ve grouped into three areas:

  • how we keep your personal data private
  • how we help secure the data on your servers and
  • how we contribute to the protection of privacy for everyone.

Keeping your personal data private

  • We don’t share your personal details with any third party for marketing purposes.
  • We are based in the UK so are not bound by (often spurious) DMCA takedown notices.
  • At the same time, we are bound by the Data Protection Act and related regulations, which means that any compromises of your personal data must be reported to the Information Commissioner.

Helping secure the data on your servers

However, we do offer a ‘back door’ to your servers through a network boot environment. This is for your convenience (and ours, if you asked us to reset your passwords). Using full disk encryption on your server – where only you know the password – is the only way to mitigate any risk you might perceive from this tool.

Protecting and improving privacy principles for everyone

Whilst the best response to our customer might have been to hastily pull together a bland, boilerplate privacy policy, this is something we care about. Being honest about our beliefs on privacy, as well as the practical steps we take, is something that I hope will build your trust in our approach to privacy.

What other things could we do or show that would help us bolster your confidence that we are a company that respects your privacy? Drop us a comment below.