The Data Protection Act reached its 10th birthday this week amid some controversy.
The law has had a rocky history, confounding regulators, businesses and the public sector as being difficult to interpret, hard to comply with and harder still to enforce.
The Act was conceived to protect the public’s information, and to make sure businesses do not lose or misuse that information.
But last week the Information Commissioner’s Office (ICO) called for a review of the law, saying that it was fast becoming out-of-date in an age of such rapid technological development.
“European data protection law is showing its age and is failing to meet new challenges to privacy, such as the transfer of personal details across international borders and the huge growth in personal information online,” said information commissioner Richard Thomas.
“It is high time the law is reviewed and updated for the modern world.”
The UK Data Protection Act is based on the European Data Protection Directive.
Both the European Commission and the ICO have commissioned research into the law to examine its efficacy.
Future lawmakers face one main problem: they are trying to govern an area of rapid technological innovation.
“The ways information is used have changed out of all proportion in the past 10 years,” said Annabel Lyell, a lawyer with Morgan Cole. “One of the Data Protection Act’s chief virtues is that it is not prescriptive on actual technologies or measures that need to be taken.”
This principles-based approach allows the law to age well, but it also means businesses are unsure about exactly what they have to do to comply.
The government’s data sharing review, also published last week, found that data controllers faced a “fog of confusion” over compliance.
The ICO has issued much guidance. But guidance is just that, and isn’t legally binding – see Marks and Spencer case, below.
In some cases it has added to the confusion, as data controllers must wade through reams of technical material which may or may not apply specifically to their business.
But rewriting the law is not going to solve this problem, according to John Meakin, chief information security officer (CISO) at Standard Chartered Bank.
“They run the risk of tying the hands of both the corporate and the individual in implementation, discouraging a common-sense approach,” he said.
Meakin said the ICO could move faster in clarifying guidance, but that new powers will be a welcome step forward.
Others favour self-regulation.
Paul Dorey, of the Institute of Information Security Professionals, said such an approach makes much more sense for global organisations that may have to comply with a number of different laws.
“Regulators have shown their will to harmonise requirements across different countries through the binding corporate rules approach,” he said.
“They have opened the door to responsible procedural self-regulation rather than more draconian regulatory powers; wise companies will step up to this.”
Binding corporate rules essentially allow companies to make a commitment to respect EU data protection principles in international operations.
Richard Hackworth, former CISO at HSBC, said European researchers could also consider a data breach notification law.
“Such a law would introduce a great business incentive to protect information, because companies hate the bad publicity associated with a breach,” he said.
Four cases that have defined the law
Because it is principles-based, interpreting the Data Protection Act can be difficult. Below are four major cases that set a precedent over the way the law is interpreted.
Nationwide vs Financial Services Authority 2004
Nationwide Building Society was fined £980,000 by the Financial Services Authority after a laptop containing confidential customer information was stolen from an employee’s house. The case is significant because a large fine was levied – until this case the Act had mostly been policed by the ICO, which at the time could only issue enforcement notices, though recent legislation allows the office to issue fines.
Durant vs Financial Services Authority 2006
Under sections 7 and 8 of the Data Protection Act subjects have a right of access to personal data an organisation may have about them. The Court of Appeal decided that this right should not be granted as Durant was not the focus of the data. The decision severely limits the amount of information businesses have to hand over when receiving similar requests.
Orange vs ICO 2007
An ICO investigation into Orange Personal Communications Services found that Orange had breached the Data Protection Act because staff were sharing user names and passwords to access IT systems. The case set a precedent by which companies must have secure digital identities for staff.
M&S vs ICO 2008
Marks and Spencer was hit with an enforcement notice by the ICO after it lost an unencrypted laptop containing the pension details of 26,000 M&S staff. M&S is currently appealing the decision to the Information Tribunal. If it loses, lawyers believe that the “appropriate technical measures” described in the Data Protection Act can be taken to mean that information should be encrypted.