Laying down the law
- Posted:
- 17:51 13 Sep 2004
- Topics:
- e-mail | Regulatory Compliance
What are the legal and regulatory issues that could affect the running of your company? What are their ramifications both in terms of process and technology? How do you best deal with issues such as piracy and spam? And what’s the best way to devise usage policies for internet and e-mail? Joe O'Halloran looks at the issues and the potential pitfalls.
There are over 100 pieces of legislation that affect the IT
industry, and you may ask why you should care how many. The
significant riposte is that it cannot be overstated just how
important it is for companies such as yours to be aware of
legislation regarding IT.
Your company needs to know the ramifications, both in terms of
process and technology, of government legislation and industry
best-practice protocols. Where does your company stand on privacy?
On usage policies for e-mail and the internet? On spam, not just
combating it but inadvertently generating it? Then there is the
basic issue of software piracy: are you using, however
inadvertently, pirated software? How can you ensure that your
company isn't charged with misuse?
You may think of these as someone else's issues. However, due to
the nature of companies such as yours, as highlighted in the SME
Audit, it is highly likely that you are either legally liable for
breaches of this legislation or that you will be charged with
implementing it. Failing to understand and/or act upon it could
have the most profound consequences for your company's future
profitability.
Mandatory compliance
So what are the most basic laws that you should be aware of?
Principally, there is the Data Protection Act (DPA) 1998, and the
redrafting of it that will become law very soon; the Regulation of
Investigatory Powers Act 2000, commonly known as RIPA; the Human
Rights Act 1998; general UK employment law; the European Convention
on Human Rights; the Telecommunications (Lawful Business Practice)
(Interception of Communications) Regulations 2000; and the European
Union Directive on Privacy and Electronic Communications
(2002/58/EC). There are many more.
Giving his view on the issue at large, Graham Smith, a partner at
Bird & Bird, advises that even though companies such as yours
have had a "history of non-compliance" with regulations, attitudes
must change. He adds, “Big companies take such matters
seriously and this [attitude] has to trickle down.”
Such compliance is mandatory in some areas. Your business has to
comply with the DPA in terms of holding information about your
employees and customers, and the Act sets out your firm's
responsibilities to use properly any personal data you hold on
them. The DPA and the Freedom of Information Act are overseen in
the UK by the Information Commissioner.
The Commissioner, an independent UK supervisory authority reporting
directly to Parliament, has a range of duties including the
promotion of good information handling and the encouragement of
codes of practice for data controllers, that is, anyone who decides
how and why personal data (information about identifiable, living
individuals) are processed. If your company holds personal
information on computer, it may need to notify the Commissioner.
Such rules are the bedrock of privacy and of e-mail and internet
usage practices. Misuse of these can have enormous financial
consequences for companies. Put simply, your business, no matter
how small, has to have clear guidelines on the use of electronic
communications and must communicate them clearly to workers.
Ian Tranter, a partner in the employment practice of law firm
Hammonds, is well versed in having to deal with such problems. He
explains, “The common questions we get fall into two
categories: one is down time, where the employees are using the
bandwidth in the system for private use, which is clogging up the
system meaning it can’t process business-related data.
Sometimes systems work very slowly even after upgrades and
management wonders why they are having problems, and customers are
complaining about not getting stuff. When [managers] investigate
they find that some staff are permanently logged on to holiday
websites [or] employees are trading on the Intranet and publishing
things using the works resources.
“The more salacious issue is pornography which is a criminal
offence if it is child pornography. If it is adult material, it can
be offensive and lead to a hostile office environment, which, if
not properly dealt with, can precipitate claims for sexual
harassment, where there is no limit on the amount of damages a
court could award.”
Acceptable use policy
Tranter knows from experience that problems start when companies
do not have an acceptable use policy for internet and e-mail. Such
a policy can simply be part of the terms and conditions of employment. He
says, “If you have an acceptable use policy it’s likely
to say that accessing unsavoury websites or passing on unsavoury
emails from internal or external sources can be regarded as a
disciplinary matter, and then you tie that to the disciplinary
policy and procedure.”
A number of technologies exist to control illegal and offensive
material, and these are now very sophisticated. In addition to
blocking sensitive words, the latest systems can also detect
images with a higher than usual proportion of skin-coloured pixels.
These are said to be smart enough that a lingerie advert, say for a
clothes retailer, would not be rejected, but a picture of a topless
woman would be.
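The two checks the paragraph describes, whole-word matching of blocked terms in message text and a skin-colour pixel ratio on attached images, can be sketched in a few dozen lines. The block below is an added example written for this page, not code from the article or from any filtering vendor; the block list, the RGB skin rule and its thresholds, the 0.4 cut-off and the sample images are all assumptions constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Sequence, Tuple

RGB = Tuple[int, int, int]

# Constructed block list for the example; a deployment would load a maintained list.
BLOCKED_TERMS = ("casino bonus", "xxx")


def blocked_terms_in(text: str, terms: Iterable[str] = BLOCKED_TERMS) -> List[str]:
    """Return the blocked terms that occur as whole words/phrases (case-insensitive).

    The \\b word boundaries stop 'xxx' matching inside an ordinary word such as 'Exxxon'.
    """
    hits = []
    for term in terms:
        if re.search(r"\b" + re.escape(term) + r"\b", text, flags=re.IGNORECASE):
            hits.append(term)
    return hits


def is_skin_pixel(rgb: RGB) -> bool:
    """Simple RGB skin-colour rule (assumption: illustrative, not any vendor's method)."""
    r, g, b = rgb
    return (r > 95 and g > 40 and b > 20
            and max(r, g, b) - min(r, g, b) > 15
            and abs(r - g) > 15 and r > g and r > b)


def skin_ratio(pixels: Sequence[RGB]) -> float:
    """Fraction of pixels the rule classes as skin-coloured; 0.0 for an empty image."""
    if not pixels:
        return 0.0
    return sum(1 for p in pixels if is_skin_pixel(p)) / len(pixels)


def classify_image(pixels: Sequence[RGB], threshold: float = 0.4) -> str:
    """'review' when the skin-coloured fraction exceeds the threshold, else 'allow'."""
    return "review" if skin_ratio(pixels) > threshold else "allow"


def classify_message(text: str, images: Sequence[Sequence[RGB]]) -> Dict[str, object]:
    """Combine the text and image checks into one verdict for a message."""
    terms = blocked_terms_in(text)
    image_verdicts = [classify_image(img) for img in images]
    flagged = bool(terms) or "review" in image_verdicts
    return {"verdict": "quarantine" if flagged else "deliver",
            "blocked_terms": terms, "images": image_verdicts}


# Constructed 10x10 sample images as flat pixel lists (not real image data).
SKIN = (224, 172, 150)      # passes the rule above
FABRIC = (30, 40, 120)      # navy: fails the r > 95 test
PORTRAIT = [SKIN] * 60 + [FABRIC] * 40    # 60% skin-coloured
CATALOGUE = [SKIN] * 20 + [FABRIC] * 80   # 20% skin-coloured

if __name__ == "__main__":
    print(classify_message("Claim your CASINO bonus today", [PORTRAIT]))
    print(classify_message("Autumn lingerie range attached", [CATALOGUE]))
```

A skin-ratio threshold on its own cannot make the lingerie-versus-nudity distinction the paragraph credits to commercial systems; a catalogue shot with a lot of exposed skin will score as high as the image you want stopped. Treat "review" as a signal to route the item to a human rather than as grounds to block it outright, and keep the block list and thresholds in configuration so they can be tuned against false positives.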
Your company is liable for any employees who cause harassment
through sending or downloading offensive material. As Tranter says,
the key is the acceptable use policy. If one is set up, publicised
and enforced in your company, then you stand a good chance of
protecting your company from expensive lawsuits by employees,
because your company will be seen to have taken reasonable steps
to prevent such misuse from happening.
Tranter warns that companies like yours may be blasé about the
issues.
“A lot of SMEs think that such matters are for the big
boys and that they’d never get fined: don’t you believe
it. The message is gradually getting home, but it is taking some
time. Businesses tend to regard the sexual dimension of the issue
light-heartedly: they won't regard the damages so
light-heartedly.”
Spam has long been identified as a threat to businesses of all
sizes. Yet spam has both an incoming and an outgoing side,
especially for those firms that use e-mail marketing techniques.
The communications minister recently introduced to Parliament
regulations, to come into effect on 11 December, which are intended
to update existing legislation in light of new technology to cover
unsolicited e-mail, phone and internet communications.
According to Jessica Hendrie Liaño, a partner of law firm
Beachcroft Wansborough and chair of the Internet Services Providers
Association, the two main issues for those involved in electronic
marketing and the provision of services online (and by SMS) are
unsolicited commercial communications and cookies. Companies should
adopt best practice guidelines, she says.
“The considerations are: who are your customers? How do
you get their explicit consent? How do you allow [your] customers
to opt-out and when?” She warns of the dangers of
non-compliance: breach of an enforcement notice from the
Information Commissioner is a criminal offence that can lead to
fines of up to £5,000 in a magistrates' court and unlimited
fines in the Crown Court.
Illegal software
The latter could be the destination for a senior member of your
organisation over piracy. According to a survey by the Business
Software Alliance (BSA), companies with up to 200 employees are the
most frequent offenders in software copyright breaches. The BSA says
nine out of ten companies that settled with it in the UK in 2002/3
had fewer than 200 employees, and they were typically using
illegal copies of Adobe, Autodesk, Macromedia, Microsoft and
Symantec products: that is, the leading systems on which you base
your business.
As shown also by the SME Audit, a lack of resources and of a
strategy for ICT can mean an absence of effective management of
your ICT resources. “SMEs often come unstuck in managing
their software assets,” explains Mark Floisand, chairman of
BSA. “The pressure involved in setting up a business and
maintaining growth often pushes software licensing down the list of
priorities. Unfortunately, it is only when businesses get caught
that people listen up and address the problem of software piracy
within their own organisation.”
The BSA says it could be the case that your company has, for some
reason, lost track of its software usage and failed to audit its
software assets effectively to ensure it is not in breach of
copyright law. Moreover, it suggests that the increasing
availability of illegal software online has made it even harder for
organisations such as yours to track what software is installed on
your PCs.
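The audit the BSA is calling for reduces to one reconciliation: the installs a scanner reports on each PC against the seats you can prove you bought. The following is an added example written for this page, not BSA's or the article's code; the inventory rows, the licence register, the proof references and the product names are constructed for illustration, and a real run would feed it the output of your own inventory tool.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Sequence


class Install(NamedTuple):
    host: str
    product: str
    version: str


class Licence(NamedTuple):
    product: str
    seats: int
    proof: str   # invoice or licence-key reference you could show an auditor


# Constructed inventory, as a per-host software scanner might report it.
INVENTORY = [
    Install("pc-01", "Adobe Photoshop", "7.0"),
    Install("pc-02", "Adobe Photoshop", "7.0"),
    Install("pc-03", "Adobe Photoshop", "7.0"),
    Install("pc-01", "AutoCAD", "2004"),
    Install("pc-04", "AutoCAD", "2004"),
    Install("pc-05", "Norton AntiVirus", "2004"),
    Install("pc-06", "Norton AntiVirus", "2004"),
    Install("pc-07", "Macromedia Flash", "MX"),
]

# Constructed licence register (what purchasing can actually evidence).
REGISTER = [
    Licence("Adobe Photoshop", 2, "INV-0412"),
    Licence("AutoCAD", 2, "INV-0388"),
    Licence("Norton AntiVirus", 10, "INV-0401"),
]


def reconcile(inventory: Sequence[Install], register: Sequence[Licence]) -> Dict[str, dict]:
    """Per product: installs found, seats owned, shortfall and a status word."""
    installed = Counter(i.product for i in inventory)
    seats: Dict[str, int] = defaultdict(int)
    for lic in register:
        seats[lic.product] += lic.seats          # several invoices may cover one product
    report = {}
    for product in sorted(set(installed) | set(seats)):
        n_inst, n_seats = installed.get(product, 0), seats.get(product, 0)
        if n_inst > 0 and n_seats == 0:
            status = "unlicensed"                # nothing on file at all
        elif n_inst > n_seats:
            status = "over-deployed"             # more copies than seats
        elif n_inst < n_seats:
            status = "surplus"                   # paying for seats nobody uses
        else:
            status = "ok"
        report[product] = {"installed": n_inst, "seats": n_seats,
                           "shortfall": max(0, n_inst - n_seats), "status": status}
    return report


def excess_installs(inventory: Sequence[Install], report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Hosts carrying copies beyond the seats owned, per product, in inventory order.

    Which copies to remove or to buy seats for is a business decision; the order
    here is just the scanner's order and carries no other meaning.
    """
    excess: Dict[str, List[str]] = {}
    for product, row in report.items():
        if row["shortfall"] == 0:
            continue
        hosts = [i.host for i in inventory if i.product == product]
        excess[product] = hosts[row["seats"]:]
    return excess


if __name__ == "__main__":
    rep = reconcile(INVENTORY, REGISTER)
    for product, row in rep.items():
        print(f"{product:18} {row['installed']:>3} installed {row['seats']:>3} seats  {row['status']}")
    print(excess_installs(INVENTORY, rep))
```

Run this against a fresh scan before any vendor or BSA approach rather than after it; an "unlicensed" row with no proof reference is exactly the finding the article says lands firms in settlements, and the "surplus" rows are the budget that pays for fixing it.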
Furthermore, in the current environment of tighter IT budgets, you
may be tempted to cut corners and turn a blind eye. While
recognising that, in many instances, companies do not realise they
are operating illegally, the BSA warns that your company must
ensure it has established a comprehensive policy on software and
then communicate it to employees.
The bottom line, and that phrase is not used figuratively, is that
you need to know about how the law can affect your business.
Failure to pay for all software used in your business could result
in fines as well as damage to reputation.
Failure to have effective internet and e-mail usage policies could
easily be punished by uncapped compensation. It is incumbent on you
to either implement or drive the use of technology and practices to
protect your company. In the words of Ian Tranter: “Doing
nothing is not an option.”
The Information Commissioner's Principles of Data Protection
Anyone processing personal data must comply with the eight
enforceable principles of good practice. They say that data must
be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate
- not kept longer than necessary
- processed in accordance with the data subject’s rights
- secure
- not transferred to countries without adequate protection