Recent Home Office consultation on the Regulation of Investigatory
Powers (RIP) Act, due to become law in October this year, has
brought into sharp focus the legal burden such legislation imposes
on SMEs.
Dai Davis, an IT lawyer at legal firm Nabarro Nathanson, believes
SMEs are disproportionately affected by the RIP Act, which will
extend the investigatory powers of policing authorities by allowing
them to obtain private employee keys and passwords.
"In the case of intranets, companies have got a real headache
sorting out what they should and should not be doing. This is
obviously the same problem for all businesses regardless of size,
but SMEs with fewer staff and less money will be hit much harder,"
said Davis.
"A policing authority must go to the individual employee in charge
of the keys and passwords to obtain them and not the company as a
whole. Therefore, companies must be on the lookout for authorities
asking for keys and passwords that they are not entitled to,
because the legal fall-out would then land back on the company," he
added.
Davis recommends that SMEs put a system in place to deal with such
situations if they arise. But he points out that the process of
planning would incur high legal costs.
"I think it would be an excellent idea to have advice on the Act
readily available for all employees, maybe even included in any new
employee manuals or contracts," said Davis.
Forged warrants pose liability danger to SMEs
The Legal Advisory Group at e.centre, the association for standards and
practice in electronic trade, has also devised a scheme to protect
SMEs which act as communications service providers (CSPs) from
legal liability, should they act on a forged warrant for obtaining
access to employee keys or passwords.
Will Roebuck, a legal affairs executive at e.centre, said: "We
suggest that the interception should take place within one working
day of the CSP being able to verify the authentication of the
warrant."
To avoid delays in securing authentication, Roebuck recommends that
one person acts as a single point of contact to serve all
interception warrants on a CSP.
The e.centre legal team has also proposed that the chain of
liability be severed at a reasonable point for firms. It is
particularly concerned that SMEs should not be made liable for any
failure of the transmission link or the process of handing over
intercepted traffic.
"We advise that the responsibilities of the CSP should terminate at
a point of hand-over of the intercepted traffic which will be
previously agreed with the interception authority," said
Roebuck.
RIP Act not the only legal problem for SMEs
The RIP Act is potentially just the tip of a legal iceberg as the online economy
takes off and the government seeks to police and regulate Internet
trading. One legal quagmire threatening to drag down small firms is
the emergence of apparent contradictions between the RIP Act and
other legislation, such as the Human Rights Act.
Article Eight of the Human Rights Act is a case in point. It
specifies that individuals have the right to respect for their
"private life and correspondence". This clause could come into
conflict with the monitoring and interception required by the RIP
Act. Codes of surveillance issued by the Data Protection Commission
also appear to contradict those in the RIP Act.
The confusion is further compounded by ongoing problems with the
Data Protection Act (1998), which requires departments and agencies
to process personal data "fairly" and "lawfully".
Data protection standards in this area will be set out in the
Information Commissioner's forthcoming Code of Practice on the use
of personal data in employer/employee relationships, due for
publication towards the end of 2001.
Dai Davis advises SMEs to keep a low profile and hope for the best
when dealing with this cumbersome legislation.
"I would advise them to keep their heads down, avoid drawing
attention to themselves and hope the spotlight does not fall on
them," he said. "That is what everyone else will be doing.
"It is very expensive for SMEs to comply fully with the DPA and 99.9%
of the time you will be able to breach it with impunity. The worst
that can happen is that you will get sued but this would be far
less expensive than the cost of fully complying with the
legislation."
Are you prepared for RIP legislation?
Do you feel the proposed RIP Act places too much responsibility on businesses? What
changes would you like to see included in the final
legislation?
E-mail CW360.com and let us know what you think about the RIP
Act.