If you deal with personal and financial data, you may be
familiar with the apparent contradiction that various data laws
create. On the one hand, personal data may only be collected and
used for the purpose for which it was originally collected, and
must be disposed of once it is surplus to requirements. On the other
hand, commercial and financial records must be retained to protect
the organisation or its customers, usually so that regulators,
courts or law enforcement can call for them later.
Managing such data can be tricky, and organisations have found
themselves required to produce information that they had, as a
matter of policy, already destroyed.
Lee Richards, network manager at housing provider Twin Valley
Homes, said, "This is an issue simply because you have data
protection and human rights laws on one hand, and things like the
Regulation of Investigatory Powers (RIP) Act on the other,
where companies are under pressure to keep records for a certain
number of years. It will come to a point where you will have to
pull up information that has been destroyed."
According to Richards, a core problem is that employees often
include personal information in their business e-mails, even when
negotiating contracts, for example. A single e-mail can then fall
under more than one regime: the laws that govern commercial and
financial records as well as data protection legislation.
It is challenging to ensure that all employees adhere to a
policy that requires them to keep their business e-mails strictly
business all the time, said Richards. "How can you differentiate
between business and personal information? You cannot separate them
effectively unless you have two e-mail addresses, but how do you
monitor that?"
Another issue is that e-mails could be forwarded unchecked
outside the organisation, making it hard to guarantee to the
relevant body that an e-mail has been destroyed completely. "If
people forward an e-mail it becomes harder to control. One click of
a button could create multiple issues," Richards said.
The onus often falls on IT staff to
outline and enforce the e-mail and web policies and advise the
organisation and HR department, said Richards.
Kiran Sandford, partner and IT law expert at law firm Mishcon de
Reya, said it is essential for organisations to ensure that staff
keep personal information out of their business e-mails if they
are to comply with the various data laws.
"You should be very careful about what you put in your e-mail
and who you send it to, particularly commercially sensitive
information. If you have a requirement to keep e-mails, you should
have a list of all the people you sent them to," she said.
"E-mails can become evidence in court, and are required to be
kept for certain periods by laws like the Companies Act, as they
could include commercial records and contracts."
The UK Data Protection Act 1998, on the other hand, applies only
to personal data about living individuals and not to commercial
data, but it applies to any organisation that holds information on
identifiable people, whether customers, members of the public or
its own staff.
The act contains eight principles of data protection, including
that all data must be accurate and where necessary up to date, and
that it is kept secure and for no longer than is necessary.
Sandford said that there are cases where personal information
must be kept along with commercial information, such as for tax
reasons, and in these cases, organisations must ensure the amount
of personal data is not excessive.
Contracts are also a tricky area, and Sandford said that there
are statutory requirements to keep most contracts for six years.
She advised organisations to think about the length of time records
and documents need to be maintained on an individual basis.
Phil Higgins, CEO of secure networking supplier Brookcourt
Solutions, said that some of the firm's customers, such as
investment banks and mortgage companies, are required to keep
transactional data for 25 years or more. The data often includes
personal information such as age, address and marital status, he
said.
"Data shredding techniques are relatively simple, but pulling
out the personal data is extremely difficult. We are often asked by
banks about how best to achieve this.
"You could have a policy to lock down users and portable
devices, but socially it turns us into drones. We live in a mobile
environment and use mobile data devices. We work harder and longer
hours," he added.
Nigel Horncastle, a data management expert and a consultant at
systems integrator Morse, said that many organisations are turning
to electronic content management systems to ensure they comply with
the range of data laws. The Data Protection Act made a lot of
organisations look for the first time at the issue of holding and
disclosing information, he said.
Also, in 1999, public sector bodies were required to adopt
document management systems that adhered to The National Archives
specifications, which "set a benchmark for functionality".
Laws like the
Markets in Financial Instruments Directive (Mifid) are creating
another boom in the demand for document management, said
Horncastle, as the financial services sector is required to retain
and store more and more data. "For example, brokers have to keep
pre-trade data for a year and the actual trade data itself for five
to seven years for litigation purposes. This used to be about two
years. Tick data was never kept in the past. This is very much
driven by consumer protection."
Meanwhile, organisations must live with the "double-edged sword"
of data storage and data disposal, said Horncastle. "There are some
cases where people have destroyed data that is then required. What
is more, if you retain information that should have been destroyed
you have to disclose it - it is a juggling act to a degree."
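The juggling act Horncastle describes, together with Sandford's point that personal data kept alongside commercial records must not be excessive and Higgins's observation that pulling the personal data out of retained transactions is the hard part, comes down to a per-record decision that can be made mechanically once the schedule is written down. The following Python is an added example, not code from the article or from any of the firms quoted in it; the retention schedule, the list of personal fields and the sample records are all constructed for illustration, and the periods are not legal advice.

```python
"""Decide, record by record, what to retain, minimise or destroy.

Added illustration for this article, not code from any firm quoted in it.
The schedule, the personal-field list and the sample records are constructed;
real retention periods must come from counsel and the applicable regulator.
"""
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: years to keep, and the personal fields the
# retention purpose genuinely needs. Anything personal beyond that is excess.
SCHEDULE = {
    "contract":  {"years": 6, "required_personal": {"name", "address"}},
    "trade":     {"years": 7, "required_personal": {"name"}},
    "pre_trade": {"years": 1, "required_personal": set()},
    "marketing": {"years": 0, "required_personal": set()},  # no statutory basis
}

# Fields treated as personal data about a living individual (constructed list).
PERSONAL_FIELDS = {"name", "address", "email", "age", "marital_status"}

TODAY = date(2007, 9, 1)  # fixed so the sample run is reproducible


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    fields: dict
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Date arithmetic that survives 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, today: date = TODAY):
    """Return (action, fields_to_keep, reason) for one record.

    The checks run in this order on purpose:
      1. a legal hold freezes the record regardless of the schedule;
      2. a record past its period is destroyed in full;
      3. a record inside its period keeps only the personal fields the
         retention purpose requires.
    """
    policy = SCHEDULE[record.record_class]
    expiry = add_years(record.created, policy["years"])
    if record.legal_hold:
        return "retain", dict(record.fields), "legal hold overrides the schedule"
    if today >= expiry:
        return "destroy", {}, f"{policy['years']}-year period expired on {expiry}"
    kept = {k: v for k, v in record.fields.items()
            if k not in PERSONAL_FIELDS or k in policy["required_personal"]}
    removed = sorted(set(record.fields) - set(kept))
    action = "minimise" if removed else "retain"
    return action, kept, f"keep until {expiry}; excess personal fields removed: {removed}"


def run(records, today: date = TODAY):
    """Apply decide() to every record; the returned log is the disposal evidence."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample records (every personal detail here is invented).
SAMPLE = [
    Record("T-1001", "trade", date(2004, 3, 15),
           {"isin": "GB0000000001", "qty": 500, "name": "A. Example",
            "age": 42, "marital_status": "married"}),
    Record("C-2001", "contract", date(2000, 6, 1),
           {"value": 12000, "name": "B. Example", "address": "1 High St",
            "email": "b@example.org"}),
    Record("P-3001", "pre_trade", date(2005, 1, 10),
           {"quote": 101.5, "name": "C. Example"}, legal_hold=True),
    Record("M-4001", "marketing", date(2006, 1, 1),
           {"name": "D. Example", "email": "d@example.org"}),
]


def run_sample():
    return run(SAMPLE)


if __name__ == "__main__":
    for rid, (action, kept, reason) in run_sample().items():
        print(f"{rid}: {action:8} {reason}  -> kept {sorted(kept)}")
```

The order of the checks is the point. A legal hold is tested before the expiry date, so a record that the schedule alone would have disposed of is kept, which is exactly the "destroyed data that is then required" failure Horncastle describes; a record still inside its period keeps only the personal fields the retention purpose needs, so the trade record loses age and marital status but keeps the counterparty name; and a record past its period is destroyed outright, with the returned log entry as the evidence that it was.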
In situations like this, firms that offer computer forensics and
electronic disclosure services can help by extracting or
reassembling documents, or by testing document archival processes.
Computer forensics analyses and reviews documents held on a
large range of media such as storage tapes, laptops, USB keys, PCs
and servers, and can often recover documents that were deleted or
only partially overwritten, along with copies that survive in
backups, caches and unallocated disk space; data that has been
properly overwritten in full is generally not recoverable.
Andrew Szczech, electronic evidence consultant at computer
forensics firm Kroll Ontrack, said there are services available
that can help companies ensure they store their documents in a way
that would make forensic examination as painless as possible.
"These kinds of review exercises can be quite costly, so some of
our users are looking to put more focus on the internal document
management process," he said.
"If their on-going record management procedures are in order it
can make the process simpler - though it will never be simple - and
this particularly benefits organisations that know they will be
subject to litigation," said Szczech.
With the introduction of more and more data laws, there has been
a shift in the way that organisations store and back up their
information, he said.
Ten years ago, the IT department may have driven these policies
based around particular technologies or disaster recovery - perhaps
the need to have monthly rotating back-ups of all of the
organisation's data.
Legislation has made the situation significantly more
complicated, said Szczech, and he advised organisations to plan
their storage carefully.
"When you are putting your policies in place, make sure you have
all the relevant parties in place and you are involving third-party
suppliers, in-house counsel and third-party law firms, as well as
key end-users, the auditing department and business sponsors.
"Think about the legal aspect of storage," said Szczech.
Related links:
Storage Decisions 2007 conference
Twin Valley Homes website
FSA: the Markets in Financial Instruments Directive
The Data Protection Act
The Regulation of Investigatory Powers Act