Laying down the law

What are the legal and regulatory issues that could affect the running of your company? What are their ramifications both in terms of process and technology? How do you best deal with issues such as piracy and spam? And what’s the best way to devise usage policies for internet and e-mail? Joe O'Halloran looks at the issues and the potential pitfalls.

There are over 100 pieces of legislation that affect the IT industry, and you may ask why you should care how many there are.
The short answer is that it cannot be overstated how important it is for companies such as yours to be aware of the legislation that governs IT.
Your company needs to know the ramifications of issues - both in terms of process and technology - such as government legislation and industry best practice protocols. Where does your company stand in terms of privacy? Usage policies for e-mail and the internet? Spam - not just in combating it, but inadvertently generating it? Then there is the basic issue of software piracy: are you using, however inadvertently, pirated software? How can you ensure that your company isn’t charged for misuse?
You may think of these as someone else’s issues. However, due to the nature of companies such as yours, as highlighted in the SME Audit, it is highly likely that you are either legally liable for breaches of the legislation or that you will be charged with implementing them. Failing to understand and/or act upon them could have the most profound consequences for your company’s future profitability.
Mandatory compliance

So what are the most basic laws that you should be aware of? Principally, there is the Data Protection Act (DPA) 1998, and its redrafting that will become law very soon; the Regulation of Investigatory Powers Act 2000, commonly known as RIPA; the Human Rights Act 1988; general UK employment law; the European Convention on Human Rights; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000; the European Union Directive on Privacy and Electronic Communications (2002/58/EC); and there are many more.
Giving his view on the issue at large, Graham Smith, a partner at Bird & Bird, advises that even though companies such as yours have had a "history of non-compliance" with regulations, attitudes must change. He adds, “Big companies take such matters seriously and this [attitude] has to trickle down.”
Such compliance is mandatory in some areas. Your business has to comply with the scope of the DPA in terms of holding information about your employees and customers and the Act outlines your firm’s responsibilities to use properly any personal data you hold on them. The DPA and the Freedom of Information Act are overseen in the UK by the Information Commissioner.

The commissioner, a UK independent supervisory authority reporting directly to the UK parliament, has a range of duties including the promotion of good information handling and the encouragement of codes of practice for data controllers; that is, anyone who decides how and why personal data (information about identifiable, living individuals) are processed. If your company holds personal information on computer, it may need to notify the commissioner.
Such rules are the bedrock of privacy and email and internet usage practices. Misuse of these can have enormous financial consequences for companies. Put simply, your business, no matter how small it is, has to have clear guidelines as to the use of electronic communications and to communicate this clearly to workers.
Ian Tranter, a partner in the employment practice of law firm Hammonds, is well versed in having to deal with such problems. He explains, “The common questions we get fall into two categories: one is down time, where the employees are using the bandwidth in the system for private use, which is clogging up the system meaning it can’t process business-related data. Sometimes systems work very slowly even after upgrades and management wonders why they are having problems, and customers are complaining about not getting stuff. When [managers] investigate they find that some staff are permanently logged on to holiday websites [or] employees are trading on the Intranet and publishing things using the works resources.
“The more salacious issue is pornography which is a criminal offence if it is child pornography. If it is adult material, it can be offensive and lead to a hostile office environment, which, if not properly dealt with, can precipitate claims for sexual harassment, where there is no limit on the amount of damages a court could award.”
Acceptable use policy

Tranter knows from experience that problems start with companies not having an acceptable usage policy for internet and e-mail. Such a policy can simply form part of the terms and conditions of employment. He says, “If you have an acceptable use policy it’s likely to say that accessing unsavoury websites or passing on unsavoury emails from internal or external sources can be regarded as a disciplinary matter, and then you tie that to the disciplinary policy and procedure.”
A number of technologies exist to control illegal and offensive material and these are now very sophisticated. In addition to blocking out sensitive words, the latest systems can also detect images with greater than usual percentages of naked skin in them. These are smart to the point whereby a lingerie advert would not be rejected – say for a clothes retailer – but a picture of a topless woman would be.
Your company is liable for any employees who cause harassment through sending or downloading offensive material. As Tranter says, the key is the acceptable usage policy. If one is set up, publicised and enforced in your company, then you stand a good chance of protecting your company from possible expensive lawsuits by employees. Your company will have been seen as having taken reasonable steps to prevent such things as misuse from happening.
Tranter warns that companies like yours may be blasé about the issues.

“A lot of SMEs think that such matters are for the big boys and that they’d never get fined: don’t you believe it. The message is gradually getting home, but it is taking some time. Businesses tend to regard the sexual dimension of the issue light-heartedly: they won’t regard the damages so light-heartedly.”
Spam has long been identified as something that can threaten businesses of all sizes. Yet spam can be viewed both from an incoming and outgoing perspective, especially for those firms that use email marketing techniques. The communications minister recently introduced to Parliament regulations – to come into effect on 11 December – which are intended to update existing legislation in light of new technology to cover unsolicited email, phone and the internet.
According to Jessica Hendrie Liaño, a partner of law firm Beachcroft Wansborough and chair of the Internet Services Providers Association, the two main issues for those involved in electronic marketing and the provision of services online (and by SMS) are unsolicited commercial communications and cookies. Companies should adopt best practice guidelines, she says.

“The considerations are: who are your customers? How do you get their explicit consent? How do you allow [your] customers to opt-out and when?” She warns of the dangers of non-compliance: breaching an enforcement notice from the Information Commissioner is a criminal offence that can lead to fines of up to £5,000 in a magistrates court and unlimited fines in the crown court.
Illegal software

The latter could be the destination for a senior member of your organisation because of piracy. According to a survey by the Business Software Alliance (BSA), companies with up to 200 employees are the most frequent perpetrators of software copyright breaches. The BSA says nine out of ten companies that settled with it in the UK in 2002/3 had fewer than 200 employees, and the companies were typically using illegal copies of Adobe, Autodesk, Macromedia, Microsoft and Symantec products. That is to say, the leading software on which you base your business.
As shown also by the SME Audit, the lack of resources and a strategy for ICT can mean an absence of effective management of your ICT resources. “SMEs often come unstuck in managing their software assets,” explains Mark Floisand, chairman of BSA. “The pressure involved in setting up a business and maintaining growth often pushes software licensing down the list of priorities. Unfortunately, it is only when businesses get caught that people listen up and address the problem of software piracy within their own organisation.”
The BSA says it could be the case that your company, for some reason, has lost track of its software usage and has failed to audit its software assets effectively to ensure it is not in breach of copyright law. Moreover, it suggests that the increasing availability of illegal software online has made it even harder for organisations such as yours to track what software is installed on your PCs.
Furthermore, in the current environment of tighter IT budgets, you may be tempted to cut corners and turn a blind eye. While recognising that, in many instances, companies do not realise they are operating illegally, the BSA warns that your company must ensure it has established a comprehensive policy on software and then communicate it to employees.
The bottom line, and that phrase is not used figuratively, is that you need to know about how the law can affect your business. Failure to pay for all software used in your business could result in fines as well as damage to reputation.
Failure to have effective internet and e-mail usage policies could easily be punished by uncapped compensation. It is incumbent on you to either implement or drive the use of technology and practices to protect your company. In the words of Ian Tranter: “Doing nothing is not an option.”
The Information Commissioner’s Principles of Data Protection

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject’s rights
  • secure
  • not transferred to countries without adequate protection
