Data & The Law
Tuesday 14th May
THE BRITISH COMPUTER SOCIETY
INFORMATION RISK MANAGEMENT & AUDIT GROUP
Paul Golding
Nabarro Nathanson – TMT Sector Group
p.golding@nabarro.com
020 7524 6711
Agenda
Data Protection
- securing compliance generally
- securing adequate usage rights
- overseas transfers
- data sharing in the public sector
- security obligations
Evidential issues (the movement towards the paperless office)
- [discovery] disclosure
- admissibility
- weight
- formation of contracts
- retention policies
Information Offences
- Computer Misuse Act
- European Cybercrime Convention
Agenda (cont’)
Interception of employee communications
- RIPA
- Information Commissioner draft Code of Practice
IP Developments
- software patents
- implementation of Copyright Directive
- interpretation of new database right
- account aggregation issues
On-line trading
- implementation of the E-Commerce Directive
Tax
- tax relief
- VAT
Data Protection
Securing compliance generally
Audit - know what data you have; what you use it for and might want to use it for; where you get it from and who you disclose it to; who holds data on your behalf; in which countries data is held.
Appoint a compliance officer.
Develop a corporate compliance/guidance manual.
Information Commissioner’s audit guidance:
www.dataprotection.gov.uk/dpaudit
Securing adequate usage rights
Processing must be “fair and lawful” and either
- the data subject consents, or
- processing is necessary for legitimate interests without prejudice …
lawful -
- within the limits of legal powers (NB data sharing proposals of the PIU for the public sector)
- consistent with the European Convention on Human Rights / Human Rights Act
fair -
- legitimate expectation
consent -
- quite limited – cannot be inferred from a failure to respond
NB: an opt-out box left unticked will not amount to consent, but may signify that the legitimate interests condition is satisfied.
The Commissioner takes a broad view of “legitimate interests”.
Fair processing notices
- identity of data controller
- purpose(s) for which data processed
- any further information to render “fair”.
Such notices must be provided to data subjects or
made “readily available”.
s11 – right to prevent processing for purposes of “direct marketing”
Art 7 E-Commerce Directive – senders of unsolicited e-mails must respect opt-out registers. Not directly transposed in UK Regulations.
E-mail preference service:
www.dma.org.uk/shared/PrefServices.asp
Unsolicited e-mails must be clearly identifiable as such.
The opt-in/opt-out debate – Proposal for a Directive concerning the processing of personal data and the protection of privacy in electronic communications. Common Position 28 January 2002.
http://register.consilium.eu.int/pdf/en/01/st15/15396-r2en1/pdf
Overseas transfers
Transfers external to the European Economic Area are prohibited unless there is adequate protection in the receiving territory.
- Approved countries
- US Safe Harbor Privacy Principles
- Transfers made subject to approved contractual terms
http://europa.ev.int/comm/internalmarket/dataprot/modelcontracts/index
Security obligations
The Seventh Principle
“Appropriate technical and organisational
measures must be taken against unauthorised
or unlawful processing or disclosure of
personal data”
“Keeping personal data secure means guarding
against unauthorised access to, alteration,
disclosure or destruction and accidental loss or
destruction”
Express reference to both technical and organisational (procedural/non-technical) measures.
Regard to:
• state of technology
• cost
• harm which might result
• nature of data
Data controller must:
• take reasonable steps to ensure reliability of employees with access to data
• check identity of those seeking access to information
Employee IT Code of Practice
• Access rights
• Switching off terminals
• Personal use
• Protection of passwords
• Virus checking
• Objectionable material
• Copyright infringement
• Confidentiality
• Audit rights
• Delivery up
Security - Processing by Third Parties
Data controller must select data processor providing
sufficient guarantees regarding both technical and
organisational measures and
must take reasonable steps to ensure measures are
complied with.
Data processing contract must be in writing requiring
data processor:
• only to act on instructions of data controller
• to comply with equivalent security obligations as
imposed on data controller.
Who determines what is ‘appropriate’ from time to time?
Evidential issues
In the event of a dispute, all electronic documents/e-mails material to the dispute have to be disclosed (what used to be called discovery).
Computerised records are now fully admissible as evidence in court proceedings:
Civil Evidence Act 1995
Youth Justice and Criminal Evidence Act 1999 (which repealed s69 PACE 1984, the former requirement to prove the computer was operating properly before its output could be admitted)
The “weight” afforded to those records is a matter for the judge.
Important to be able to demonstrate the security of systems.
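The “weight” point turns on being able to show that an electronic record is still what it was when it was made. One technical measure that supports that showing is a hash-chained record log, where each entry carries the hash of its predecessor, so any later alteration or deletion breaks every link that follows it. The following is an added illustration in Python and is not part of the talk or of any system it mentions; the record layout, the GENESIS value and the sample records are constructed for the example.

```python
"""Hash-chained record log (added illustration, not from the talk).
Each entry stores the SHA-256 of (previous hash + canonical record), so an
edit or deletion anywhere in the log invalidates the links that follow it.
The record layout, GENESIS value and SAMPLE_RECORDS are constructed here."""
import hashlib
import json

GENESIS = "0" * 64  # fixed starting link; hypothetical, any agreed constant works


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # serialises, and therefore hashes, identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def build_chain(records: list[dict]) -> list[dict]:
    """Turn plain records into chained entries, each linked to its predecessor."""
    entries = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        h = _digest(prev, rec)
        # dict(rec) so later tampering with an entry never touches the input list
        entries.append({"seq": seq, "prev": prev, "record": dict(rec), "hash": h})
        prev = h
    return entries


def verify_chain(entries: list[dict]) -> tuple[bool, int]:
    """Recompute every link. Returns (True, -1) if intact, else (False, index
    of the first entry whose sequence number, back-link or hash does not fit)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


# Constructed sample records, not data from any real system.
SAMPLE_RECORDS = [
    {"ts": "2002-05-14T09:00:00Z", "actor": "alice", "event": "order.created",
     "ref": "A-1001", "amount": 250},
    {"ts": "2002-05-14T09:05:00Z", "actor": "bob", "event": "order.approved",
     "ref": "A-1001"},
    {"ts": "2002-05-14T09:30:00Z", "actor": "alice", "event": "order.dispatched",
     "ref": "A-1001"},
]


def altered_record_detected() -> tuple[bool, int]:
    """Silently change a stored value after the fact; verification fails at
    that entry because its hash no longer matches its content."""
    chain = build_chain(SAMPLE_RECORDS)
    chain[0]["record"]["amount"] = 2500
    return verify_chain(chain)


def removed_entry_detected() -> tuple[bool, int]:
    """Delete a middle entry; the next entry's sequence number and back-link
    no longer fit, so verification fails at the point of removal."""
    chain = build_chain(SAMPLE_RECORDS)
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact:", verify_chain(chain), "head:", chain[-1]["hash"][:16])
    print("after edit:", altered_record_detected())
    print("after deletion:", removed_entry_detected())
```

A chain like this proves only that the entries are consistent with each other: anyone with write access to the store could edit a record and rebuild every later link. For the log to carry weight as evidence, the current head hash has to be anchored somewhere the writer cannot change, for example copied to a separately controlled system or timestamped by a third party, and that anchoring is a procedural measure rather than a line of code.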
Formation of Contracts
Subject to very limited exceptions (eg. land), valid and binding contracts can be, and always have been capable of being, formed by electronic means of communication such as e-mail.
eg. Shattuck –v- Klotzbach (US) 2002
Retention of hard copies/electronic records
No generally applicable requirement to retain.
Usual reference point is the Limitation Act 1980 – generally 6 years.
NB: McCabe –v- BAT (2002) Australia
Sector specific obligations.
Rules change once litigation becomes a possibility.
No general requirement for hard copy writing/signatures; again, specific obligations apply.
Electronic Communications Act 2000
Electronic Signatures Regulations 2002
Information Offences
Computer Misuse Act 1990:
theft of information not currently an offence (confidential information is not “property” for the purposes of the Theft Act 1968: Oxford v Moss (1978))
Council of Europe Convention on Cybercrime
9 offences:
- illegal access
- interception
- data interference
- system interference
- misuse of devices
- computer related forgery
- computer related fraud
- child pornography
- copyright infringement
Information Offences (cont’)
All offences require conduct to be “without right” and
“intentional”.
Procedural issues – expedited preservation of data,
expedited search and seizure of data.
NB Possible corporate liability where failure to
supervise or control facilitates commission of an
offence
Monitoring e-mails
Human Rights Act 1998 - effective 2 October 2000
European Convention on Human Rights: Halford v United Kingdom - reasonable expectation of privacy
Regulation of Investigatory Powers Act 2000
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 - effective 24 October 2000
Authorised interceptions
Businesses may monitor or record communications without consent:
• to establish the existence of facts relevant to the business;
• to prevent or detect crime;
• to investigate or detect unauthorised use;
but only where they have made reasonable efforts to inform all users that this may be done.
Reserve a contractual right to audit computer and telephone use.
Such a reservation of rights may not be effective.
Conflict with the Data Protection Act
“The right to respect for correspondence creates substantive limitations on employers which cannot be avoided through advance warnings”.
Information Commissioner - draft Code of Practice
Ensure that information gathering exercises have a legitimate purpose and invade privacy as little as possible. First establish that there is a problem. Monitoring only where there is a real business need - proportionality.
IP Developments
Software patents
Draft Directive on patent protection for computer implemented inventions
A computer implemented invention which makes a “technical contribution” is patentable
not -
- computer programs per se
- business methods
www.europa.eu.net/comm/internal_market/en/indprop/index.htm
Copyright Directive
www.europa.eu.net/comm/internal_market/en/indprop/docs
harmonisation of copyright and related rights in the information
society.
to be implemented by December 2002.
clarification of reproduction and distribution rights,
introduction of new right of communication to the public.
protection for copy protection devices and other “technical
measures”.
protection of rights management information.
draft Statutory Instrument awaited imminently.
Database Right
British Horseracing Board –v- William Hill (2002)
High Court – the bookmaker’s publication of racing information extracted from the BHB database infringed database right, as it constituted “repeated and substantial extraction and re-utilisation of data”.
Court of Appeal – referred interpretation of the Directive to the ECJ. Result awaited.
Account aggregation
Emergence of new personal finance account aggregation services. Potential issues:
- breach of customer terms
- breach of Computer Misuse Act – unauthorised access to computer material
- breach of copyright/database right
- breach of s55 Data Protection Act – obtaining personal data without consent of the data controller
On-line Trading
Implementation of the E-Commerce Directive
Should have been implemented by 17 January 2002.
Separate consultations on implementation in financial services and otherwise ended on 2 May.
Specific information requirements.
“Country of origin” principle – “fixed establishment”: the place where the service provider has the centre of its activities
- protection of consumers is an exception
- location of technology not definitive
Tax
New regime providing company tax relief for the cost of acquisition and development of intangible assets.
www.inlandrevenue.gov.uk/budget2002/revbn10/htm
Directive on the application of VAT to electronically delivered services. To be implemented by 1 July 2003.
http://europa.eu.int/comm/taxation_customs/whatsnew.htm