Data & The Law
Tuesday 14th May
THE BRITISH COMPUTER SOCIETY
INFORMATION RISK MANAGEMENT & AUDIT GROUP

Paul Golding
Nabarro Nathanson – TMT Sector
[email protected]
7524 6711
Agenda

Data Protection
- securing compliance generally
- securing adequate usage rights
- overseas transfers
- data sharing in the public sector
- security obligations

Evidential issues (the movement towards the paperless office)
- [discovery] disclosure
- admissibility
- weight
- formation of contracts
- retention policies

Information Offences
- Computer Misuse Act
- European Cybercrime Convention
Agenda (cont’)

Interception of employee communications
- RIPA
- Information Commissioner draft Code of Practice

IP Developments
- software patents
- implementation of Copyright Directive
- interpretation of new database right
- account aggregation issues

On-line trading
- implementation of the E-Commerce Directive

Tax
- tax relief
- VAT
Data Protection
Securing compliance generally

Audit - know what data you have; what you use it for and might want to use it for; where you get it from and who you disclose it to; who holds data on your behalf; in which countries data is held.
Appoint a compliance officer.
Develop a corporate compliance/guidance manual.
Information Commissioner’s audit guidance: www.dataprotection.gov.uk/dpaudit
Securing adequate usage rights

Processing must be “fair and lawful” and either
- data subject consents or
- legitimate interests without prejudice …

lawful - within limits of legal powers (NB data sharing proposals of the PIU for the public sector); consistent with European Convention on Human Rights / Human Rights Act
fair - legitimate expectation
consent - quite limited – cannot be inferred from failure to respond
NB: opt-out not ticked will not amount to consent but may signify legitimate interests condition satisfied.
Commissioner takes broad view of “legitimate interests”.
Fair processing notices
- identity of data controller
- purpose(s) for which data processed
- any further information to render “fair”.

Such notices must be provided to data subjects or made “readily available”.
s11 – right to prevent processing for purposes of “direct marketing”

Art 7 E-Commerce Directive – senders of unsolicited e-mails must respect opt-out registers. Not directly transposed in UK Regulations.

E-mail preference service: www.dma.org.uk/shared/PrefServices.asp

Unsolicited e-mails must be clearly identifiable as such.

The opt-in/opt-out debate – Proposal for Directive concerning processing of personal data and protection of privacy in electronic communications. Common Position 28 January 2002.
http://register.consilium.eu.int/pdf/en/01/st15/15396-r2en1/pdf
Overseas transfers
external to the European Economic Area

Prohibited unless adequate protection in receiving territory.

Approved countries
US Safe Harbor Privacy Principles
Transfers made subject to approved contractual terms
http://europa.ev.int/comm/internal-market/dataprot/modelcontracts/index
Security obligations
The Seventh Principle

“Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing or disclosure of personal data”

“Keeping personal data secure means guarding against unauthorised access to, alteration, disclosure or destruction and accidental loss or destruction”
Express reference to both technical and organisational (procedural/non-technical) measures

Regard to:-
• State of technology
• Cost
• Harm which might result
• Nature of data

Data controller must:-
- take reasonable steps to ensure reliability of employees with access to data
- check identity of those seeking access to information
Employee IT Code of Practice
- Access rights
- Switching off terminals
- Personal use
- Protection of passwords
- Virus checking
- Objectionable material
- Copyright infringement
- Confidentiality
- Audit Rights
- Delivery up
Security - Processing by Third Parties

Data controller must select data processor providing sufficient guarantees regarding both technical and organisational measures and must take reasonable steps to ensure measures are complied with.

Data processing contract must be in writing requiring data processor:
• only to act on instructions of data controller
• to comply with equivalent security obligations as imposed on data controller.

Who determines what is ‘appropriate’ from time to time?
Evidential issues

In the event of a dispute all electronic documents/e-mails material to the dispute have to be disclosed (what used to be discovery).

Computerised records are now fully admissible in court proceedings as evidence.
- Civil Evidence Act 1995
- Criminal Evidence Act 1999

“Weight” afforded to those records a matter for the Judge. Important to be able to demonstrate security of systems.
Formation of Contracts

Subject to very limited exceptions (eg. land) valid and binding contracts can and always have been capable of being formed by electronic means of communication such as e-mail.
eg. Shattuck –v- Klotzback (US) 2002

Retention of hard copies/electronic records.
No generally applicable requirement to retain.
Usual reference point is Limitation Act 1980 – generally 6 years
NB: McCabe –v- BAT (2002) Australia

Sector specific obligations
Rules change once litigation becomes possibility.
No general requirement for hard copy writing/signatures
Again specific obligations.

Electronic Communications Act 2000
Electronic Signatures Regulations 2002
Information Offences

Computer Misuse Act 1990: theft of information not currently an offence

Council of Europe Convention on Cybercrime
9 Offences
- illegal access
- interception
- data interference
- system interference
- misuse of devices
- computer related forgery
- computer related fraud
- child pornography
- copyright infringement
Information Offences (cont’)

All offences require conduct to be “without right” and “intentional”.
Procedural issues – expedited preservation of data, expedited search and seizure of data.
NB Possible corporate liability where failure to supervise or control facilitates commission of an offence
Monitoring e-mails

Human Rights Act 1998 - effective 2 October 2000
European Convention on Human Rights - Halford v United Kingdom - reasonable expectation of privacy
Regulation of Investigatory Powers Act 2000
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 - effective 24 October 2000
Authorised interceptions

Businesses may monitor or record communications without consent:-
• to establish existence of facts relevant to the business;
• to prevent or detect crime;
• investigate or detect unauthorised use;
but only where they have made reasonable efforts to inform all users that this may be done.

Reserve contractual right to audit computer and telephone use. Such a reservation of rights may not be effective.
Conflict with the Data Protection Act

“The right to respect for correspondence creates substantive limitations on employers which cannot be avoided through advance warnings”.
Ensure that information gathering exercises have a legitimate purpose and invade privacy as little as possible. First establish there is a problem. Monitoring only where real business need - proportionality.
Information Commissioner - draft Code of Practice
IP Developments

Software patents
Draft Directive on patent protection for computer implemented inventions
Computer implemented invention which makes “technical contribution” patentable
not
- computer programs per se
- business methods
www.europa.eu.net/comm/internal_market/en/indprop/index.htm
Copyright Directive
www.europa.eu.net/comm/internal_market/en/indprop/docs
- harmonisation of copyright and related rights in the information society.
- to be implemented by December 2002.
- clarification of reproduction and distribution rights, introduction of new right of communication to the public.
- protection for copy protection devices and other “technical measures”.
- protection of rights management information.
- draft Statutory Instrument awaited imminently.
Database Right

British Horseracing Board –v- William Hill (2002)

High Court – bookmaker’s publication of racing information extracted from the BHB database infringed database right as constituted “repeated and substantial extraction and re-utilisation of data”.

Court of Appeal – referred interpretation of Directive to ECJ. Result awaited.
Account aggregation

Emergence of new personal finance account aggregation services
- breach of customer terms
- breach of Computer Misuse Act – unauthorised access to computer material
- breach of copyright/database right
- breach of s55 Data Protection Act – obtaining personal data without consent of data controller.
On-line Trading
Implementation of e-commerce Directive

Should have been implemented 17 January 2002.
Separate consultations on implementation in financial services and otherwise ended on 2 May.
Specific information requirements
“Country of origin” principle – “fixed establishment”: the place where the service provider has the centre of its activities
- protection of consumers is an exception
- location of technology not definitive

Tax

New regime providing company tax relief for cost of acquisition and development of intangible assets.
www.inlandrevenue.gov.uk/budget2002/revbn10/htm

Directive on application of VAT to electronically delivered services. To be implemented by 1 July 2003.
http://europa.eu.int/comm/taxation_customs/whatsnew.htm