DPA compliance: Tracking changes to Data Protection Act guidelines

Can organisations expect a more prescriptive Data Protection Act in the future? UK Bureau Chief Ron Condon examines the law's prospects.

This article can also be found in the Premium Editorial Download: IT in Europe: Navigating the maze of data protection compliance

For a piece of legislation that first hit the statute book in 1984, the Data Protection Act (DPA) has weathered remarkably well. By sticking to broad principles and avoiding any reference to specific technologies from the start, it has managed to stay relevant for nearly 30 years, despite huge social and technological changes.

The underlying guidelines, embodied in eight simple principles, are easy to understand and remain a model of clear-sighted lawmaking. Although it was updated in 1998 to bring it into line with EU legislation (which it had influenced), the act has remained essentially the same.

So why has the act caused so much confusion and been the subject of so much misinterpretation over the years? Some organisations appear to use it as a convenient veil to avoid releasing any information at all, while others still treat personal information with reckless abandon.

Even the police got it wrong, most notably in the Soham murders investigation of 2002 where an overly strict interpretation of the act’s requirements caused vital information to be missed.

Part of the problem lies in the principles-based approach, which leaves DPA compliance open to interpretation. Unlike other compliance regimes, it is not a regulation for which an organisation can tick all the boxes and declare itself safe. 

“The principles are written in a way that they can be applied equally across a range of organisations, from a major bank or government department to a local corner shop,” said Phil Jones, a former assistant commissioner with the Information Commissioner’s Office (ICO), and now a consultant with the Promontory Finance Group LLC. “The trick is that they have to be applied and interpreted in context. If you get stuck, just behave decently – treat other people’s information in a way you’d like your own information to be treated.”

That is a good guiding principle, but doing the decent thing will only take you so far. For most organisations, data protection is complicated by a whole range of other factors -- from operating in different countries with different laws, to outsourcing and using new technologies, such as social networking and geo-location. All these factors add new dimensions and raise new questions about exactly what the law requires.

Help is at hand, of course. The ICO, for all its new powers to punish, is primarily motivated to encourage and enable good practice. Its website carries a fund of advice and guidance, both on how to protect data and what to do in case of a breach. There is also no shortage of consultants willing to take companies through the rules.

The soft approach appears to be bearing fruit. In a recent speech at the 2011 Infosecurity conference in London, Deputy Information Commissioner David Smith said that, although breaches still occur, few are in the same league as big breaches of the recent past – the lost CDs at HMRC, the loss of an MoD laptop containing details of army recruits, and the loss of 84,000 prisoner records by PA Consulting – which were marked by a lack of care and poorly defined responsibilities.

Those events, plus some breaches at financial institutions that drew heavy fines by the Financial Services Authority, appear to have marked a turning point in how we view data protection. Before those breaches, the DPA was a bit of an irrelevance; since then, the public sector has been given a huge shake-up as part of the government’s Data Handling Review, and the ICO has been granted new powers to levy fines of up to £500,000 for serious breaches.

With these developments has come a broader awareness of the law across industry and the public sector, and a new-found respect for the ICO. Once regarded as a paper tiger, its new powers have made it a force to be reckoned with.

Any data loss in the public sector now has to be reported, and (for the moment at least) a regime of voluntary disclosure operates in the private sector. According to Smith, the ICO has received around 1,500 breach notifications since November 2007, and, in the year ending March 2011, 186 came from the private sector, 165 from health authorities and 146 from local government.

Although the ICO has had the power to levy fines since April 2010, only four fines have been handed out so far, three of them against local authorities, and all well below the £500,000 maximum.

In most cases, however, the ICO has taken a more lenient line, allowing the organisations in question to make a public statement of guilt, and commence an undertaking to rectify their operating methods in order to avoid a future breach.

Data Protection Act changes
The next major changes in the DPA regime come into force in May with an extension of the Privacy and Electronic Communications Regulations (PECR), which govern how companies carry out marketing campaigns.

Included in the changes is a new obligation on telecommunications companies and Internet service providers (ISPs) to disclose serious data breaches, and some new mandatory auditing rights for the ICO.

But the aspect that is likely to affect most companies applies to the use of cookies on websites. The new rules say that organisations should seek explicit consent from site visitors to use cookies, and they should explain what the cookies do. For most companies, this will come as a bit of a surprise, and, so far, there is no guidance from the ICO on how the new rules should be implemented, although guidance has been promised.

Under the circumstances, Smith said, the ICO will take a relaxed approach to the new rules, at least in the short term, to allow companies to make any changes they need.

Some experts have greeted this new regulation with scepticism, bordering on derision. Alan Calder, managing director of IT Governance Ltd, described the law as “unworkable” and said that, where authorities in other EU countries have tried to introduce it, they have met with “huge anger from advertising companies and Web commerce companies.”

Calder predicts a few organisations will try to implement it, while the rest will ignore it on the basis that most consumers don’t understand cookies anyway and will not notice.

Chris Barling, CEO of Actinic Ltd, which supplies e-commerce website software to small companies, was even more scathing. “I've generally been pro the EU over the years, but the sheer stupidity of the latest ruling on cookies has left me breathless. It's hard enough already for small companies to compete when selling online, but this will make it even harder,” he said. “The impact of this ruling will be to increase confusion and reduce choice. The chaos that ensues is likely to make it harder to protect privacy.”

Nonetheless, the European Commission is pushing along with yet more plans for stronger data protection laws. In November 2010 it issued a communication -- “a comprehensive approach on personal data protection in the European Union” (.pdf) -- wherein it outlined plans to update its 1995 Data Protection Directive to take account of new technological changes and an increasingly globalised world.

It is a broad-ranging document, but buried in the text is a clear indication that mandatory disclosure for all breaches is on the agenda. “The Commission will examine the modalities for extending the obligation to notify personal data breaches to other sectors,” it says.

Smith believes that broader obligation could be in law within the next three years, although he said it should only apply to serious breaches where damage could occur to individuals.

The Commission will pursue the idea of “the right to be forgotten,” so individuals can have all records of themselves removed (with notable exceptions, such as prison records) if they so wish.

Most experts welcome the move to mandatory breach disclosure, mainly because it will force companies to take data protection more seriously. “I am in favour of a universal breach declaration requirement,” said Alan Calder. “You need compulsion to get organisations to pay attention to data protection. Take the recent Sony breach, for instance. If there were a breach law saying you had to own up in 24 hours and inform customers, then Sony would be in serious trouble. Companies will have to put in place procedures for telling people of a breach. Then maybe they’ll make more of an effort to protect data.”

George Thompson, a director at KPMG, also believes mandatory disclosure will be of benefit and should be included in Data Protection Act guidelines. He said that, with few exceptions, many companies still go through the motions of having a data protection policy and appointing a chief privacy officer, but they fail to connect the policy with procedures and controls in any meaningful way. “Some organisations are mature, and have privacy and management systems, but not many,” he said. “Mandatory disclosure would be a good thing, not least because organisations will need to work out how to respond should a breach occur. We’ve seen examples where the time taken to notify has been excessive, and the quality of information provided to customers has been quite poor.”

Thompson goes even further, and suggests that a more prescriptive regime – along the lines of the US-based Sarbanes-Oxley Act – could be applied to personal information. “Sarbanes-Oxley is fairly prescriptive about the controls you need in place to protect the integrity of the financial statement. If we had something similar that covered confidentiality of customer data and external audit in the same way as Sarbanes-Oxley, that would be a big driver for organisations.”

Some others suggest that the Payment Card Industry Data Security Standard (PCI DSS) could be extended to cover personal information, so organisations would be obliged to get themselves audited and certified compliant. A couple of American states have already taken that route.

But Calder is a strong defender of the DPA in its current form. “One of the weaknesses of detailed tick-box legislation is that one size doesn’t fit all,” he said. “The fact that you’ve ticked all the boxes doesn’t necessarily mean you’ve set out to protect information properly. Threats change so quickly. The principles-based approach, while difficult at one level because it’s not obvious when you’ve complied, is better because it forces you into a continual evaluation of risk and appropriate mitigation.”

Lessons learned from earlier breaches
The ICO recognises that accidents will happen, and that security can never be absolute. The best any organisation can do is to take all appropriate steps to protect personal data in its care. If a breach occurs despite the company's best efforts, and the company can prove it took appropriate measures and had proper procedures in place, then it has a good chance of avoiding punishment.

But, as Deputy Information Commissioner David Smith explained, some of the lessons from earlier breaches indicate just how easy it is for companies to lose focus and suffer a breach. Smith gave the following examples:

* Data retention
The DPA stipulates a company should only store the information it needs, and only for as long as it is needed. Companies therefore need to focus more on weeding out old and redundant data. The less companies keep, the less chance they have of losing it.

* Training and awareness
Getting employees to sign a policy is not enough. Security needs to become part of everyday business, with staff fully conversant with the reasons why security is important. Policies and procedures also need to be related to the jobs that people do.

* Outsourcing
Responsibility for security cannot be outsourced, so organisations need to monitor and check the state of information security at their contractors, outsourcers and offshore processors.

* Fax and email
One of the fines handed out by the ICO was against a local authority that faxed sensitive personal details to the wrong number. Email messages can also go to the wrong recipient, particularly when the user types in the first few characters of the intended recipient’s name and the email software offers a list of potential candidates. Unless the user is alert, it is easy to click on the wrong name.

* Shared services
In projects where a number of users (possibly some in other companies) share information, the potential risks need to be assessed and controls put in place.

* Movers and leavers
Have policies to ensure users only have rights associated with their jobs, and do not accumulate rights as they move around an organisation. When people leave the organisation, have a process to ensure they lose access to systems.

* Physical security
An unmonitored intruder can look at papers and screens, and even steal documents and computer hardware.
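As an added example (not from the article, the ICO or any product named here), one way to turn the movers-and-leavers lesson into a routine check: reconcile each system's entitlement export against the HR roster and a role-to-permission map, flagging leavers who still hold access, accounts with no HR record, and rights accumulated from previous roles. The role names, record formats and sample data below are constructed assumptions.

```python
# Added example: entitlement reconciliation for the "movers and leavers" lesson.
# All role names, record layouts and sample records are constructed assumptions.
from datetime import date

# Assumed role model: the permissions each job role legitimately needs.
ROLE_PERMISSIONS = {
    "payroll-clerk": {"hr-db:read", "payroll-app:write"},
    "sales-rep": {"crm:read", "crm:write"},
    "sales-manager": {"crm:read", "crm:write", "crm:export"},
}

# Constructed HR roster: current role and leaving date (None = still employed).
HR_ROSTER = [
    {"user": "asmith", "role": "sales-manager", "left": None},
    {"user": "bjones", "role": "sales-rep", "left": None},  # moved from payroll-clerk
    {"user": "cwhite", "role": "payroll-clerk", "left": date(2011, 3, 31)},
]

# Constructed entitlement export pulled from the systems themselves: (user, permission).
ENTITLEMENTS = [
    ("asmith", "crm:read"), ("asmith", "crm:write"), ("asmith", "crm:export"),
    ("bjones", "crm:read"), ("bjones", "crm:write"),
    ("bjones", "hr-db:read"),                                   # kept from old role
    ("cwhite", "hr-db:read"), ("cwhite", "payroll-app:write"),  # leaver, still live
    ("zghost", "crm:read"),                                     # no HR record at all
]

def reconcile(roster, entitlements, role_permissions, today):
    """Return (finding, user, permissions) tuples for access that HR data does not justify."""
    people = {r["user"]: r for r in roster}
    held = {}
    for user, perm in entitlements:            # group the export by account
        held.setdefault(user, set()).add(perm)
    findings = []
    for user, perms in sorted(held.items()):
        rec = people.get(user)
        if rec is None:                        # account with no owner in HR
            findings.append(("orphan-account", user, sorted(perms)))
        elif rec["left"] is not None and rec["left"] <= today:
            findings.append(("leaver-has-access", user, sorted(perms)))
        else:                                  # mover: anything beyond the current role
            excess = perms - role_permissions.get(rec["role"], set())
            if excess:
                findings.append(("excess-rights", user, sorted(excess)))
    return findings

def run_sample():
    """Run the check over the constructed data as of a fixed review date."""
    return reconcile(HR_ROSTER, ENTITLEMENTS, ROLE_PERMISSIONS, date(2011, 6, 1))

if __name__ == "__main__":
    for kind, user, perms in run_sample():
        print(f"{kind}: {user} -> {', '.join(perms)}")
```

Running it against a real export would be a leaver/mover review; only the excess-rights line depends on the role map being accurate, so keep that map under change control alongside the HR feed.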
