In the past three years, advances in Internet technologies, heightened fears of the threat of techno-crimes and the drive towards freedom of information have spawned new and updated legislation on the protection, access and retention of data. Wads of paper have landed on the desks of IT directors, adding another few unwelcome inches to their already bulging in-trays.
We must all comply with these new laws on pain of cautions, fines and even prison sentences for company directors, but where to start? Of the finer details in each piece of legislation, many are open to interpretation, while others appear to overlap. So what strategy can businesses adopt to ensure they cover all the bases outlined in these laws?
Go back to first principles, says the information commissioner Elizabeth France.
"IT managers aren't snowed under with data legislation, just the opposite," she argues. "The whole virtue of the European approach is that there's one framework piece of law relating to data protection and that's all your starting point needs to be in relation to processing personal data. Make sure that your processing is lawful and in doing so you'll interact with other pieces of legislation that may even allow you to process data where otherwise you wouldn't be able to. It's certainly not a nightmare to comply with this type of legislation, it's just common sense."
Nevertheless, France acknowledges in her latest annual report that there is a need for clear, practical advice spelling out how employers may meet their legal obligations under the Data Protection Act.
Accordingly, she has recently published a code of practice for large employers containing practical advice on interpreting the many interfaces between the UK's data laws. The Employment Practices Data Protection Code, available at www.informationcommissioner.gov.uk, covers recruitment and selection, employment records, monitoring at work and medical information about workers.
Similar advice for smaller firms will follow and, in the meantime, France has published a synopsis in which the complexities of the data laws that mostly apply to large firms have been stripped out, leaving a simple explanation of how small businesses can comply with the law.
"We'd rather create a climate of compliance rather than take enforcement action," says France.
This approach, along with the lack of sufficient resources to thoroughly police the data laws, means that only a small number of companies have been chased for non-compliance so far. However, all that may soon change. Richard Thomas, director of public policy at international law firm Clifford Chance, succeeds as France information commissioner for the UK in December.
He says, "My approach will be very much carrots and sticks, with carrots first, but if I come across cases of deliberate, wilful or reckless flouting of the requirements of the law then I won't hesitate to take appropriate enforcement action.
"Privacy is on the agenda and it's going to stay on the agenda, it's not going away. Companies should go through a process of risk assessment and risk management on data protection and take that very seriously."
Vicky Webster, an associate in the intellectual property and e-business team of Scottish legal giant Morton Fraser, advises businesses to conduct a thorough data audit and then work through the eight data protection principles laid down in the 1998 Act to get round the thorny issue of ensuring compliance with overlapping legislation. Treat the Data Protection Act 1998 as the standard bearer and the rest of your compliance should fall naturally into line.
She adds, "The most important thing is to be seen to be doing something about compliance - not just to avoid prosecution but also because it's good practice from a public relations perspective to protect the personal data of your staff and customers."
Increasingly, given today's interconnected world, that assessment should involve looking at international risks to data. Nick Mansfield, principal consultant for information security at Shell Information Technology International, and chairman of the CEN/ISSS Initiative for Privacy Standardisation in Europe, warns that identity theft and inappropriate data mining are the current main international threats to data. He cites a business that wanted to introduce company credit cards for settling travel expenses, but staff were required to give their full consent for their expense details to be marketed.
Mansfield has just drafted Shell's first global corporate policy on data protection. Based on the Organisation for Economic Co-operation and Development's (OECD) guidelines on data protection, the policy goes beyond the UK's data laws, and is far tougher. Mansfield says this is necessary to ensure standards and consistency on compliance for Shell across the world.
"Compliance with data protection and privacy laws on an international scale is a growing issue," he says. "It affects rules on security and using Internet technologies, which means you run straight into the minefield of the use of cryptography which some countries closely regulate.
"It's quite a compliance exercise, putting together a global picture from a patchwork quilt of regulations. In the end you can't just have a legalistic or a self-regulatory approach, you need both. You need a corporate policy in place globally, and then local variations to meet local laws. Compliance with local data laws means embedding them into the business in practices, procedures and techniques, so they all interrelate: you can't implement one without realising the impact on another."
Dealing with international risks to data involves instigating a constant process of assessment and reassessment, says Orson Swindle, who heads the US delegation to the OECD's experts group.
"With technology changing so rapidly, what we accomplish today to deal with vulnerabilities may in any case be surpassed tomorrow by a new vulnerability, so we can never sit back and think we've legislated against all threats. Tomorrow is another day."
UK Act and the EU directive on data protection
Under the principles of the Data Protection Act 1998 anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Not transferred to countries without adequate protection.
Both the Data Protection Act and the 1995 European Union Data Protection Directive on which it is based are under constant review, but changes are of detail and emphasis rather than substance, according to information commissioner Elizabeth France.
The Government has recently submitted to the European Commission the final part of its response to the commission's questionnaire on the implementation of the directive, suggesting ways to improve the directive's flexibility and effectiveness while safeguarding protection for individuals' personal data. It suggests that the commission should:
- Review the definitions of "personal data" and "personal data filing system" in order to make them more precise and capable of being applied consistently in practice
- Review Article 4 of the directive which determines the member states' laws that apply to the processing of personal data
- Review the way "sensitive data" is defined in the directive and the application of the special rules relating to them. The directive currently defines sensitive data according to particular categories that do not necessarily reflect in practice the sensitivity of the data
- Sensitively review the subject access arrangements in the directive to ensure that they strike the right balance between the interests of data subjects and those of data controllers
- Review the rules relating to the transfer of personal data to third countries and bring forward simpler and more flexible arrangements.
Other UK Acts and their impact on data protection
Freedom of Information Act 2000
The Freedom of Information Act 2000 applies to public authorities and those providing services for them. It gives general right of access to all types of "recorded" information held by public authorities, sets out exemptions from that right and places a number of obligations on public authorities.
The Act is about to enter the second wave of the timetable for adopting "publication schemes" - a means by which a public authority can make a significant amount of information available routinely without waiting for someone to specifically request it. A publication scheme lists the types of information that the public authority intends to make available and how that information will be published. Public authorities within the local government sector must submit their publication schemes to the information commissioner for approval by 31 December 2002. The deadline according to legislation for local government members to 'operate' a publication scheme is the 28 February 2003.
The Government wants this Act to be fully in force by 30 November 2005.
Regulation of Investigatory Powers Act 2000
The Regulation of Investigatory Powers (RIP) Act was introduced in the House of Commons on 9 February 2000 and received Royal Assent on 28 July 2000. It brings the law on Web-tapping into line with that of telephone tapping. It also puts other intrusive investigative techniques on a statutory footing for the very first time; provides new powers to help combat the threat posed by rising criminal use of strong encryption; and ensures that there is independent judicial oversight of the powers in the Act.
Controversially, RIP Act requires ISPs in the UK to track all data traffic passing through their computers and to route it to the Government Technical Assistance Centre at MI5. Under the provisions of this Act, the home secretary can demand encryption keys to any and all data communications, with a prison sentence of two years for those who do not comply with the order.
Anti-Terrorism, Crime and Security Act 2001
Passed in swift response to the terrorist atrocities in the US last year, this Act removes barriers to information sharing between official bodies and seeks to extend the period of retention of data by telephone, Internet and other communication service providers beyond their own commercial needs.
During the passage of the legislation there were some welcome changes to suit civil libertarians, including a limit on the purposes for which data can be retained to matters of national security. However, the basis on which law enforcement bodies can have access to this communications data was not similarly restricted. This means that data retained by service providers for the purpose of safeguarding national security can be accessed for any of the wider law enforcement activities provided for in the RIP Act.
Telecommunications (Data Protection and Privacy) Regulations 1999
These regulations came into force on 1 March 2000 and impose special rules for dealing with data in public telecommunications systems, faxes, telephones and automated calling systems for unsolicited marketing. Unsolicited marketing faxes must not be sent to individual subscribers without their prior consent. Corporate subscribers cannot opt out of telephone sales but have the right to opt out of unsolicited direct marketing faxes.
The underlying legislation to these regulations is the newly created Directive on Privacy in Electronic Communications.