What are the legal and regulatory issues that could affect
the running of your company? What are the ramifications of the Data
Protection Act – both in terms of process and technology? How do
you best deal with issues such as piracy and spam? And what’s the
best way to devise usage policies for internet and email? Joe
O'Halloran looks at the issues and the potential
pitfalls.
Question: how many
pieces of legislation relating to IT do you think affect your
business? Answer: there are over 100 pieces of legislation that
affect the IT industry. A supplementary question that you may
throw back is: why should I care how many?
The very
significant riposte is that it cannot be overstated just how
important it is for companies such as yours to be aware of
legislation regarding IT.
Your company needs
to know the ramifications of issues – both in terms of process and
technology – such as government legislation and industry best
practice protocols. Where does your company stand in terms of
privacy? Usage policies for email and the Internet? Spam – not just
in combating it, but inadvertently generating it? Then there is the
basic issue of software piracy: are you using, however
inadvertently, pirated software? How can you ensure that your
company isn’t charged for misuse?
You may think of
these as someone else’s issues. However, due to the nature of
companies such as yours, as highlighted in the SME Audit, it is
highly likely that you are either legally liable for breaches of
the legislation or that you will be charged with implementing them.
Failing to understand and/or act upon them could have the most
profound consequences for your company’s future profitability.
Mandatory compliance
So what are the
most basic laws that you should be aware of? Principally, there is
the Data Protection Act (DPA) 1998, and its redrafting that will
become law very soon; the Regulation of Investigatory Powers Act
2000, commonly known as RIPA; the Human Rights Act 1998; general UK
employment law; the European Convention on Human Rights; the
Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000; the European Union Directive on
Privacy and Electronic Communications (2002/58/EC); and there are
many more.
Giving his view on
the issue at large, Graham Smith, a partner at Bird & Bird,
advises that even though companies such as yours have had a
‘history of non-compliance’ with regulations, attitudes must
change. He adds: “Big companies take such matters seriously and
this [attitude] has to trickle down.”
Such compliance is
mandatory in some areas. Your business has to comply with the DPA
in respect of the information it holds about its employees and
customers, and the Act sets out your firm’s responsibilities for
using properly any personal data it holds on them. The DPA and the
Freedom of Information Act are overseen in the UK by the
Information Commissioner. The Commissioner, a UK independent
supervisory authority reporting directly to the UK parliament, has
a range of duties including the promotion of good information
handling and the encouragement of codes of practice for data
controllers, that is, anyone who decides how and why personal data
(information about identifiable, living individuals) are processed.
If your company holds personal information on computer, it may need
to notify the Commissioner.
Such rules are the
bedrock of privacy and email and internet usage practices. Misuse
of these can have enormous financial consequences for companies.
Put simply, your business, no matter how small it is, has to have
clear guidelines as to the use of electronic communications and to
communicate this clearly to workers.
Ian Tranter, a
partner in the employment practice of law firm Hammonds, is well
versed in having to deal with such problems. He explains:
“The common questions we get fall into two categories: one is down
time, where the employees are using the bandwidth in the system for
private use, which is clogging up the system meaning it can’t
process business-related data. Sometimes systems work very slowly
even after upgrades and management wonders why they are having
problems, and customers are complaining about not getting stuff.
When [managers] investigate they find that some staff are
permanently logged on to holiday websites [or] employees are
trading on the Intranet and publishing things using the works
resources.
“The more
salacious issue is pornography which is a criminal offence if it is
child pornography. If it is adult material, it can be offensive and
lead to a hostile office environment, which, if not properly dealt
with, can precipitate claims for sexual harassment, where there is
no limit on the amount of damages a court could award.”
Acceptable use policy
Tranter knows from
experience that problems start when companies do not have an
acceptable use policy for internet and email. Such a policy can
simply be part of the terms and conditions of employment. He says: “If you have
an acceptable use policy it’s likely to say that accessing
unsavoury websites or passing on unsavoury emails from internal or
external sources can be regarded as a disciplinary matter, and then
you tie that to the disciplinary policy and procedure.”
A number of
technologies exist to control illegal and offensive material, and
these are now very sophisticated. In addition to blocking messages
containing sensitive words, the latest systems can also detect
images with a higher than usual percentage of skin-coloured pixels.
These are refined to the point where a lingerie advert would not be
rejected (say, for a clothes retailer) but a picture of a topless
woman would be. Such tools support the policy; they do not replace
it, and any verdict they produce still needs a human to act on it
under the disciplinary procedure.
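To make the two filtering techniques just described concrete, here is an added example (not code from the original article or from any product it mentions): a toy content filter that combines a blocked-word check with a "percentage of skin-coloured pixels" image heuristic. The skin rule is the widely used RGB rule from the image-processing literature; the blocked-word list, the 60 per cent threshold and the sample "images" are constructed assumptions for illustration, not a vendor's settings.

```python
# Added example, not from the original article or any product it names.
# A toy content filter: blocked-word check plus skin-pixel-ratio heuristic.
from typing import Iterable, Tuple

Pixel = Tuple[int, int, int]

# Assumed blocked-word list; a real deployment would maintain its own.
BLOCKED_WORDS = {"xxx", "hardcore"}


def is_skin(p: Pixel) -> bool:
    """Classic RGB skin rule: reddish, not too dark, R dominates G and B."""
    r, g, b = p
    return (r > 95 and g > 40 and b > 20
            and max(p) - min(p) > 15
            and abs(r - g) > 15
            and r > g and r > b)


def skin_ratio(pixels: Iterable[Pixel]) -> float:
    """Fraction of pixels the rule classifies as skin (0.0 for an empty image)."""
    pixels = list(pixels)
    if not pixels:
        return 0.0
    return sum(1 for p in pixels if is_skin(p)) / len(pixels)


def blocked_words(text: str) -> set:
    """Return the blocked words that appear in the text, ignoring case/punctuation."""
    tokens = {t.strip(".,;:!?\"'()").lower() for t in text.split()}
    return tokens & BLOCKED_WORDS


def classify(text: str, pixels: Iterable[Pixel], skin_threshold: float = 0.6) -> dict:
    """Return a verdict together with the evidence, so an administrator can review it."""
    words = blocked_words(text)
    ratio = skin_ratio(pixels)
    verdict = "block" if words or ratio > skin_threshold else "allow"
    return {"verdict": verdict,
            "blocked_words": sorted(words),
            "skin_ratio": round(ratio, 3)}


# Constructed sample "images": flat lists of pixels, not real photographs.
SKIN = (224, 172, 105)    # a skin-like tone that satisfies the rule
FABRIC = (40, 60, 200)    # blue cloth: fails r > 95
WALL = (230, 230, 230)    # grey background: fails max - min > 15


def make_image(skin_px: int, other_px: int, other: Pixel) -> list:
    return [SKIN] * skin_px + [other] * other_px


# Lingerie advert: roughly half skin, half fabric -> below threshold, allowed.
LINGERIE_AD = make_image(45, 55, FABRIC)
# Mostly bare subject against a plain wall -> above threshold, blocked.
BARE = make_image(80, 20, WALL)

if __name__ == "__main__":
    print(classify("Spring catalogue: new lingerie range", LINGERIE_AD))
    print(classify("see attached", BARE))
```

The verdict carries its evidence (which words matched, what the skin ratio was) rather than a bare yes/no, because the heuristic is crude: a beige wall or a wooden desk can push the ratio over the threshold, and a dark or heavily compressed image can keep it under. That is why the filter is an aid to enforcing the acceptable use policy and not a substitute for the disciplinary procedure it feeds.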
Your company is
liable for any employees who cause harassment through sending or
downloading offensive material. As Tranter says, the key is the
acceptable usage policy. If one is set up, publicised and enforced
in your company, then you stand a good chance of protecting your
company from possible expensive lawsuits by employees. Your company
will have been seen as having taken reasonable steps to prevent
such things as misuse from happening.
Tranter warns that
companies like yours may be blasé about the issues: “A lot of SMEs
think that such matters are for the big boys and that they’d never
get fined: don’t you believe it. The message is gradually getting
home, but it is taking some time. Businesses tend to regard the
sexual dimension of the issue light-heartedly: they won’t regard the
damages so light-heartedly.”
Spam has long been
identified as something that can threaten businesses of all sizes.
Yet spam can be viewed both from an incoming and outgoing
perspective, especially for those firms that use email marketing
techniques. The communications minister recently introduced to
Parliament regulations – to come into effect on 11 December – which
are intended to update existing legislation in light of new
technology to cover unsolicited email, phone and the internet.
According to
Jessica Hendrie Liaño, a partner of law firm Beachcroft Wansborough
and chair of the Internet Services Providers Association, the two
main issues for those involved in electronic marketing and the
provision of services online (and by SMS) are unsolicited
commercial communications and cookies. Companies should adopt best
practice guidelines, she says. “The considerations are: who are
your customers? How do you get their explicit consent? How do you
allow [your] customers to opt-out and when?” She warns of the
dangers of non-compliance: breaching an enforcement notice from
the Information Commissioner is a criminal offence that can lead to
fines of up to £5,000 in a magistrates’ court and unlimited fines in
the crown court.
Illegal software
The latter could
be the destination of a senior member of your organisation because
of piracy. According to a survey by the Business Software Alliance
(BSA), companies with up to 200 employees are the most frequent
software copyright offenders. The BSA says nine out of
ten companies that settled with it in the UK in 2002/3 had fewer
than 200 employees, and that these companies were typically using illegal
copies of Adobe, Autodesk, Macromedia, Microsoft and Symantec
products; that is to say, the leading systems on which you base your
business.
As shown also by
the SME Audit, the lack of resources and a strategy for ICT can
mean an absence of effective management of your ICT resources.
“SMEs often come unstuck in managing their software assets,”
explains Mark Floisand, Chairman of BSA. “The pressure involved in
setting up a business and maintaining growth often pushes software
licensing down the list of priorities. Unfortunately, it is only
when businesses get caught that people listen up and address the
problem of software piracy within their own organisation.”
The BSA says that
it could be the case that your company has, for some reason, lost
track of its software usage and has failed to audit its software
assets effectively to ensure it is not in breach of copyright
law. Moreover, it suggests that the increasing availability of
illegal software online has made it even harder for organisations
such as yours to track what software is installed on your PCs.
Furthermore, in
the current environment of tighter IT budgets, you may be tempted
to cut corners and turn a blind eye. While recognising that, in
many instances, companies do not realise they are operating
illegally, the BSA warns that your company must ensure it has
established a comprehensive policy on software and then
communicates it to employees.
The bottom line,
and that phrase is not used figuratively, is that you need to know
about how the law can affect your business. Failure to pay for all
software used in your business could result in fines as well as
damage to reputation.
Failure to have
effective internet and email usage policies could easily be
punished by uncapped compensation. It is incumbent on you to either
implement or drive the use of technology and practices to protect
your company. In the words of Ian Tranter: “Doing nothing is not an
option.”
The Information Commissioner’s Principles of Data Protection
Anyone processing
personal data must comply with the eight enforceable principles of
good practice. They say that data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate
- not kept longer than necessary
- processed in accordance with the data subject’s rights
- secure
- not transferred to countries without adequate protection