Data & The Law
Tuesday 14th May
THE BRITISH COMPUTER SOCIETY INFORMATION RISK MANAGEMENT & AUDIT GROUP
Paul Golding, Nabarro Nathanson – TMT Sector Group
[email protected], 020 7524 6711




Agenda

Data Protection
- securing compliance generally
- securing adequate usage rights
- overseas transfers
- data sharing in the public sector
- security obligations

Evidential issues (the movement towards the paperless office)
- [discovery] disclosure
- admissibility
- weight
- formation of contracts
- retention policies

Information Offences
- Computer Misuse Act
- European Cybercrime Convention


Agenda (cont.)

Interception of employee communications
- RIPA
- Information Commissioner draft Code of Practice

IP Developments
- software patents
- implementation of Copyright Directive
- interpretation of new database right
- account aggregation issues

On-line trading
- implementation of the E-Commerce Directive

Tax
- tax relief
- VAT


Data Protection – securing compliance generally

Audit: know what data you have; what you use it for and might want to use it for; where you get it from and who you disclose it to; who holds data on your behalf; in which countries data is held.

Appoint a compliance officer.

Develop a corporate compliance/guidance manual.

Information Commissioner’s audit guidance: www.dataprotection.gov.uk/dpaudit


Securing adequate usage rights

Processing must be “fair and lawful” and either
- the data subject consents, or
- legitimate interests without prejudice …

lawful - within limits of legal powers (NB data sharing proposals of the PIU for the public sector); consistent with the European Convention on Human Rights / Human Rights Act

fair - legitimate expectation

consent - quite limited – cannot be inferred from failure to respond

NB: opt-out not ticked will not amount to consent but may signify legitimate interests condition satisfied.

Commissioner takes broad view of “legitimate interests”.


Fair processing notices

- identity of data controller
- purpose(s) for which data processed
- any further information to render “fair”.

Such notices must be provided to data subjects or made “readily available”.


s11 – right to prevent processing for purposes of “direct marketing”

Art 7 E-Commerce Directive – senders of unsolicited e-mails must respect opt-out registers. Not directly transposed in UK Regulations.

E-mail preference service:

www.dma.org.uk/shared/PrefServices.asp

Unsolicited e-mails must be clearly identifiable as such.

The opt-in/opt-out debate – Proposal for Directive concerning processing of personal data and protection of privacy in electronic communications. Common Position 28 January 2002.

http://register.consilium.eu.int/pdf/en/01/st15/15396-r2en1/pdf


Overseas transfers (external to the European Economic Area)

Prohibited unless adequate protection in receiving territory.
- approved countries
- US Safe Harbor Privacy Principles
- transfers made subject to approved contractual terms

http://europa.ev.int/comm/internal-market/dataprot/modelcontracts/index


Security obligations – the Seventh Principle

“Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing or disclosure of personal data”

“Keeping personal data secure means guarding against unauthorised access to, alteration, disclosure or destruction and accidental loss or destruction”


Express reference to both technical and organisational (procedural/non-technical) measures

Regard to:-
• State of technology
• Cost
• Harm which might result
• Nature of data

Data controller must:-
- take reasonable steps to ensure reliability of employees with access to data
- check identity of those seeking access to information


Employee IT Code of Practice
- Access rights
- Switching off terminals
- Personal use
- Protection of passwords
- Virus checking
- Objectionable material
- Copyright infringement
- Confidentiality
- Audit rights
- Delivery up


Security - Processing by Third Parties

Data controller must select data processor providing sufficient guarantees regarding both technical and organisational measures and must take reasonable steps to ensure measures are complied with.

Data processing contract must be in writing requiring data processor:
• only to act on instructions of data controller
• to comply with equivalent security obligations as imposed on data controller.

Who determines what is ‘appropriate’ from time to time?


Evidential issues

In the event of a dispute all electronic documents/e-mails material to the dispute have to be disclosed (what used to be discovery)

Computerised records are now fully admissible in court proceedings as evidence.

Civil Evidence Act 1995

Criminal Evidence Act 1999

“Weight” afforded to those records a matter for the Judge. Important to be able to demonstrate security of systems.


Formation of Contracts

Subject to very limited exceptions (eg. land) valid and binding contracts can and always have been capable of being formed by electronic means of communication such as e-mail.

eg. Shattuck –v- Klotzback (US) 2002

Retention of hard copies/electronic records. No generally applicable requirement to retain. Usual reference point is Limitation Act 1980 – generally 6 years.

NB: McCabe –v- BAT (2002) Australia

Sector specific obligations. Rules change once litigation becomes a possibility. No general requirement for hard copy writing/signatures. Again specific obligations.

Electronic Communications Act 2000
Electronic Signatures Regulations 2002


Information Offences

Computer Misuse Act 1990: theft of information not currently an offence

Council of Europe Convention on Cybercrime – 9 offences:
- illegal access
- interception
- data interference
- system interference
- misuse of devices
- computer related forgery
- computer related fraud
- child pornography
- copyright infringement


Information Offences (cont.)

All offences require conduct to be “without right” and “intentional”.

Procedural issues – expedited preservation of data, expedited search and seizure of data.

NB Possible corporate liability where failure to supervise or control facilitates commission of an offence


Monitoring e-mails

- Human Rights Act 1998 - effective 2 October 2000
- European Convention on Human Rights - Halford v United Kingdom - reasonable expectation of privacy
- Regulation of Investigatory Powers Act 2000
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 - effective 24 October 2000


Authorised interceptions

Businesses may monitor or record communications without consent:-
• to establish existence of facts relevant to the business;
• to prevent or detect crime;
• investigate or detect unauthorised use;
but only where they have made reasonable efforts to inform all users that this may be done.

Reserve contractual right to audit computer and telephone use. Such a reservation of rights may not be effective.


Conflict with the Data Protection Act

“The right to respect for correspondence creates substantive limitations on employers which cannot be avoided through advance warnings”.

Ensure that information gathering exercises have a legitimate purpose and invade privacy as little as possible. First establish there is a problem. Monitoring only where real business need - proportionality.

Information Commissioner - draft Code of Practice


IP Developments

Software patents

Draft Directive on patent protection for computer implemented inventions

Computer implemented invention which makes “technical contribution” patentable

Not patentable:
- computer programs per se
- business methods

www.europa.eu.net/comm/internal_market/en/indprop/index.htm


Copyright Directive
www.europa.eu.net/comm/internal_market/en/indprop/docs

- harmonisation of copyright and related rights in the information society.
- to be implemented by December 2002.
- clarification of reproduction and distribution rights, introduction of new right of communication to the public.
- protection for copy protection devices and other “technical measures”.
- protection of rights management information.
- draft Statutory Instrument awaited imminently.


Database Right

British Horseracing Board –v- William Hill (2002)

High Court – bookmaker’s publication of racing information extracted from the BHB database infringed database right as constituted “repeated and substantial extraction and re-utilisation of data”.

Court of Appeal – referred interpretation of Directive to ECJ. Result awaited


Account aggregation

Emergence of new personal finance account aggregation services
- breach of customer terms
- breach of Computer Misuse Act – unauthorised access to computer material
- breach of copyright/database right
- breach of s55 Data Protection Act – obtaining personal data without consent of data controller.


On-line Trading – implementation of E-Commerce Directive

Should have been implemented 17 January 2002.

Separate consultations on implementation in financial services and otherwise ended on 2 May.

Specific information requirements

“Country of origin” principle – “fixed establishment”: the place where the service provider has the centre of its activities
- protection of consumers is an exception
- location of technology not definitive

Tax

New regime providing company tax relief for cost of acquisition and development of intangible assets.

www.inlandrevenue.gov.uk/budget2002/revbn10/htm

Directive on application of VAT electronically delivered services. To be implemented by 1 July 2003.

http://europa.eu.int/comm/taxation_customs/whatsnew.htm