UK data protection regulations and data privacy laws are getting more stringent. In this interview, Paul Gershlick, partner at law firm Matthew Arnold & Baldwin LLP, explains what organisations need to know to meet data protection and privacy regulations in the UK.
What are the most important regulations affecting networks and communications in the UK now?
Gershlick: The Data Protection Act (DPA) is a big one. RIPA (Regulation of Investigatory Powers Act) is also important. The DPA and RIPA actually regulate how data is treated on networks. There is also the Directive on Privacy and Electronic Communications 2002, known as the E-Privacy Directive.
How have enterprises secured their networks to meet UK data protection regulations?
Gershlick: If you look at the stories that come out almost on a daily basis, there are so many cases of people not taking appropriate measures. The Independent Parliamentary Standards Authority data leak [that occurred] during IT maintenance because of failure to implement sophisticated access rights is a classic case. [The IPSA] is meant to enhance standards in public life and [it has] been guilty of poor standards.
The Data Protection Act says that data controllers have to take appropriate technological and organisational measures against unauthorised or unlawful processing or against accidental loss or damage to personal data. What are appropriate technological and organisational measures? There are always more measures you can take. You have to weigh up what is the level of security appropriate to the harm that could be caused and the data that is being protected.
Recently the penalties for serious breaches of the Data Protection Act changed. Instead of the ICO (Information Commissioner’s Office) having to issue a warning notice first and then issue fines, now it can issue fines up to £500,000.
The European Commission (EC) is taking the UK to the European Court of Justice for failure to properly implement European Union rules for data protection and privacy. What has the UK done wrong? How is the EU’s action likely to change English law regarding the interception of communications?
Gershlick: The Commission alleges the UK is failing to meet its obligations under the EU Data Protection Directive and the E-Privacy Directive. Communications can be intercepted in the UK where an interceptor has reasonable grounds to believe that consent has been given. At EU level you can only do it if you know you have got consent. Anyone who is to be sanctioned under the law regarding interceptions in the UK can only be sanctioned if an interception is committed intentionally; whereas at EU level it applies to anyone whether it was an intentional interception or not. The UK is going to have to tighten its position. I suspect there will be a new law in the next few months to bring the UK into line with the rest of the EU.
Are enterprises vulnerable to prosecution for losing data via wireless networks, particularly resulting from employee remote access?
Gershlick: This is a massive and growing area that has not yet been fully tested. Theoretically any organisation is in charge of what is done on their network, but you have to say "what is the network?" When you start looking at wireless networks, when people are logging on to corporate systems remotely, are corporates responsible for that? I am not aware of any case that says that they are. It is an area to watch.
The European Commission has published a proposal for a new directive on attacks against information systems. Might this cut down on the number of attacks on networks?
Gershlick: There is the Computer Misuse Act in the UK addressing unauthorised access and modification of systems that was also changed in the past few years to specifically deal with DDOS attacks, so UK law is very much up to date on that. If you are caught under the Computer Misuse Act you can end up going to jail for years so if that is not doing much good, what would? The attack may not come from the UK though; it may come from outside of the EU. Anything like this has to be worldwide-led, not just European.
How might UK communications services providers be affected by plans to implement the EU E-Privacy Directive by May 2011?
Gershlick: The main impact on communications providers is they will have to let consumers know if there has been a personal data breach. At the moment there is no requirement for them to tell anyone if data has been compromised.
--Tracey Caldwell is a professional freelance business technology writer.