The legislature has taken a growing interest in data and network
traffic over the past few years. Lindsay Nicolle finds IT managers
must go back to basics to keep their business within the law.
In the past three years, advances in Internet technologies,
heightened fears of the threat of techno-crimes and the drive
towards freedom of information have spawned new and updated
legislation on the protection, access and retention of data. Wads
of paper have landed on the desks of IT directors, adding another
few unwelcome inches to their already bulging in-trays.
We must all comply with these new laws on pain of cautions, fines
and even prison sentences for company directors, but where to
start? Of the finer details in each piece of legislation, many are
open to interpretation, while others appear to overlap. So what
strategy can businesses adopt to ensure they cover all the bases
outlined in these laws?
Go back to first principles, says the information commissioner
Elizabeth France.
"IT managers aren't snowed under with data legislation, just the
opposite," she argues. "The whole virtue of the European approach
is that there's one framework piece of law relating to data
protection and that's all your starting point needs to be in
relation to processing personal data. Make sure that your
processing is lawful and in doing so you'll interact with other
pieces of legislation that may even allow you to process data where
otherwise you wouldn't be able to. It's certainly not a nightmare
to comply with this type of legislation, it's just common sense."
Nevertheless, France acknowledges in her latest annual report that
there is a need for clear, practical advice spelling out how
employers may meet their legal obligations under the Data
Protection Act.
Accordingly, she has recently published a code of practice for
large employers containing practical advice on interpreting the
many interfaces between the UK's data laws. The Employment
Practices Data Protection Code, available at
www.informationcommissioner.gov.uk, covers recruitment and
selection, employment records, monitoring at work and medical
information about workers.
Similar advice for smaller firms will follow and, in the meantime,
France has published a synopsis in which the complexities of the
data laws that mostly apply to large firms have been stripped out,
leaving a simple explanation of how small businesses can comply
with the law.
"We'd rather create a climate of compliance than take enforcement
action," says France.
This approach, along with the lack of sufficient resources to
thoroughly police the data laws, means that only a small number of
companies have been chased for non-compliance so far. However, all
that may soon change. Richard Thomas, director of public policy at
international law firm Clifford Chance, succeeds France as
information commissioner for the UK in December.
He says, "My approach will be very much carrots and sticks, with
carrots first, but if I come across cases of deliberate, wilful or
reckless flouting of the requirements of the law then I won't
hesitate to take appropriate enforcement action.
"Privacy is on the agenda and it's going to stay on the agenda,
it's not going away. Companies should go through a process of risk
assessment and risk management on data protection and take that
very seriously."
Vicky Webster, an associate in the intellectual property and
e-business team of Scottish legal giant Morton Fraser, advises
businesses to conduct a thorough data audit and then work through
the eight data protection principles laid down in the 1998 Act to
get round the thorny issue of ensuring compliance with overlapping
legislation. Treat the Data Protection Act 1998 as the standard
bearer and the rest of your compliance should fall naturally into
line.
She adds, "The most important thing is to be seen to be doing
something about compliance - not just to avoid prosecution but also
because it's good practice from a public relations perspective to
protect the personal data of your staff and customers."
Increasingly, given today's interconnected world, that assessment
should involve looking at international risks to data. Nick
Mansfield, principal consultant for information security at Shell
Information Technology International, and chairman of the CEN/ISSS
Initiative for Privacy Standardisation in Europe, warns that
identity theft and inappropriate data mining are the current main
international threats to data. He cites a business that wanted to
introduce company credit cards for settling travel expenses, but
staff were required to give their full consent for their expense
details to be marketed.
Mansfield has just drafted Shell's first global corporate policy on
data protection. Based on the Organisation for Economic
Co-operation and Development's (OECD) guidelines on data
protection, the policy goes beyond the UK's data laws, and is far
tougher. Mansfield says this is necessary to ensure standards and
consistency on compliance for Shell across the world.
"Compliance with data protection and privacy laws on an
international scale is a growing issue," he says. "It affects rules
on security and using Internet technologies, which means you run
straight into the minefield of the use of cryptography which some
countries closely regulate.
"It's quite a compliance exercise, putting together a global
picture from a patchwork quilt of regulations. In the end you can't
just have a legalistic or a self-regulatory approach, you need
both. You need a corporate policy in place globally, and then local
variations to meet local laws. Compliance with local data laws
means embedding them into the business in practices, procedures and
techniques, so they all interrelate: you can't implement one
without realising the impact on another."
Dealing with international risks to data involves instigating a
constant process of assessment and reassessment, says Orson
Swindle, who heads the US delegation to the OECD's experts group.
He concludes, "No single piece of legislation, new technology or
corporate privacy policy can have enough teeth to remove all
threats to data, whether nationally or internationally. We just
have to keep moving forward, seeking new knowledge on better ways
of doing things.
"With technology changing so rapidly, what we accomplish today to
deal with vulnerabilities may in any case be surpassed tomorrow by
a new vulnerability, so we can never sit back and think we've
legislated against all threats. Tomorrow is another day."
UK Act and the EU directive on data protection
Under the principles of the Data Protection Act 1998 anyone processing
personal data must comply with the eight enforceable principles of
good practice. They say that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Secure
- Not transferred to countries without adequate
protection.
Both the Data Protection Act and the 1995 European Union Data
Protection Directive on which it is based are under constant
review, but changes are of detail and emphasis rather than
substance, according to information commissioner Elizabeth
France.
The Government has recently submitted to the European Commission
the final part of its response to the commission's questionnaire on
the implementation of the directive, suggesting ways to improve the
directive's flexibility and effectiveness while safeguarding
protection for individuals' personal data. It suggests that the
commission should:
- Review the definitions of "personal data" and "personal data
filing system" in order to make them more precise and capable of
being applied consistently in practice
- Review Article 4 of the directive which determines the member
states' laws that apply to the processing of personal data
- Review the way "sensitive data" is defined in the directive and
the application of the special rules relating to them. The
directive currently defines sensitive data according to particular
categories that do not necessarily reflect in practice the
sensitivity of the data
- Sensitively review the subject access arrangements in the
directive to ensure that they strike the right balance between the
interests of data subjects and those of data controllers
- Review the rules relating to the transfer of personal data to
third countries and bring forward simpler and more flexible
arrangements.
Other UK Acts and their impact on data protection
Freedom of Information Act 2000
The Freedom of Information Act 2000 applies to public authorities and those
providing services for them. It gives general right of access to
all types of "recorded" information held by public authorities,
sets out exemptions from that right and places a number of
obligations on public authorities.
The Act is about to enter the second wave of the timetable for
adopting "publication schemes" - a means by which a public
authority can make a significant amount of information available
routinely without waiting for someone to specifically request it. A
publication scheme lists the types of information that the public
authority intends to make available and how that information will
be published. Public authorities within the local government sector
must submit their publication schemes to the information
commissioner for approval by 31 December 2002. The deadline
according to legislation for local government members to 'operate'
a publication scheme is 28 February 2003.
The Government wants this Act to be fully in force by 30 November
2005.
Regulation of Investigatory Powers Act 2000
The Regulation of Investigatory Powers (RIP) Act was introduced in the
House of Commons on 9 February 2000 and received Royal Assent on 28
July 2000. It brings the law on Web-tapping into line with that of
telephone tapping. It also puts other intrusive investigative
techniques on a statutory footing for the very first time; provides
new powers to help combat the threat posed by rising criminal use
of strong encryption; and ensures that there is independent
judicial oversight of the powers in the Act.
Controversially, the RIP Act requires ISPs in the UK to track all data
traffic passing through their computers and to route it to the
Government Technical Assistance Centre at MI5. Under the provisions
of this Act, the home secretary can demand encryption keys to any
and all data communications, with a prison sentence of two years
for those who do not comply with the order.
Anti-Terrorism, Crime and Security Act 2001
Passed in swift response to the terrorist atrocities in the US last year,
this Act removes barriers to information sharing between official
bodies and seeks to extend the period of retention of data by
telephone, Internet and other communication service providers
beyond their own commercial needs.
During the passage of the legislation there were some welcome
changes to suit civil libertarians, including a limit on the
purposes for which data can be retained to matters of national
security. However, the basis on which law enforcement bodies can
have access to this communications data was not similarly
restricted. This means that data retained by service providers for
the purpose of safeguarding national security can be accessed for
any of the wider law enforcement activities provided for in the RIP
Act.
Telecommunications (Data Protection and Privacy) Regulations 1999
These regulations came into force on 1 March 2000 and impose
special rules for dealing with data in public telecommunications
systems, faxes, telephones and automated calling systems for
unsolicited marketing. Unsolicited marketing faxes must not be sent
to individual subscribers without their prior consent. Corporate
subscribers cannot opt out of telephone sales but have the right to
opt out of unsolicited direct marketing faxes.
The underlying legislation to these regulations is the newly
created Directive on Privacy in Electronic Communications.