Lifting the data blockade

The spectre of data protection legislation has haunted IT departments for years. Fearful of breaching UK and European data protection laws governing the sharing of individuals' records, agencies have, in extreme cases, failed to pass information to police that could have prevented murder, and pensioners have frozen to death in their homes. Yet in truth, such legislation is far more benign than its reputation portrays; and forthcoming changes in the rules on data transfer promise to make it considerably more business-friendly.

The current restrictions on the transfer of personal information first took root in the European Union's efforts to standardise data protection across its member states. The directive issued in 1995 (Directive 95/46/EC) was then left to individual governments to interpret and enact in their own legal systems.

In the case of the UK, the Data Protection Act 1998 (DPA) gave organisations two routes through which they could legally share data: first, to obtain the individual's agreement to transfer the information; or second, to enter into a strict transfer agreement with the recipient of the data. (The situation is slightly more complex when it comes to transferring ‘sensitive' personal data, such as medical records, where consent must be sought.)


The data importers

Indian IT services firm Wipro knows all about data protection. It also has to contend with a raft of different global privacy standards. Ensuring that it adheres to the legal requirements that bind its customers is simply part of running its business, says Pazhamalai Jayaraman, information security manager at Wipro.

The multitude of laws that may affect the management of data, as part of some outsourcing agreement, means that Wipro has to take account of numerous different requirements. The most effective way to do this has been to seek accreditation for BS7799, explains Jayaraman. "Different vertical industries may have different requirements; if so, we can tailor our practices to suit. BS7799 gives us a baseline."

BS7799 and its linked international standard ISO17799 are information security standards. In seeking accreditation, companies are forced to demonstrate clearly that they have the systems and procedures in place to ensure business data is properly safeguarded. In following the standards, businesses are pushed into adopting practices that fall in line with the data protection requirements, so that accreditation acts as a surrogate compliance measure.

Where customers decide that they do not wish to or cannot follow this baseline standard, Wipro will carry out risk assessments, incorporating that risk into the service contract. "If customers want to follow some other path, we can develop an action plan to mitigate risk," he says.

The new European contract clauses will help the process of negotiating with customers, as they help customers clearly understand this risk-based approach, says Jayaraman.


Clearly this is a complex area. In one high-profile case in August 2004, Lloyds TSB faced a barrage of criticism from trade union Amicus, which claimed that the bank's plans to outsource 1,000 call centre jobs to India would break data protection laws because individual customers had not been asked for their consent. For its part, Lloyds claimed it had the necessary measures in place that ensured the protection of customer data at both the UK and India ends.

But aside from the legal niceties of what constitutes ‘sensitive' data, Lloyds should have been well aware that the idea of transporting personal data overseas is one of the most contentious issues facing business and public sector organisations. In April 2004, Lloyds itself had commissioned research which found that 45% of bank customers would consider leaving if their accounts were managed in India.

Model clauses

Trying to circumvent such problems, European legislators originally drew up standard clauses that they said should be included in transfer agreements in order to ensure that data could be passed outside the European Economic Area (EEA) without fear of breaching data protection laws. These were intended to make the process of safely and legally transferring data much easier.

"It hasn't happened," says Shelagh Gaskill, partner at law firm Pinsent Masons. Most companies have avoided using these clauses, which were written by legislators rather than business professionals, because that aspect of the agreement could expose the business to too much risk: the model clauses impose liability on both the exporter and importer for the other's breaches.

Having watched for four years as these standard contract terms failed to win over businesses, the European Commission is set to act. From 1 April 2005 new, more business-friendly clauses come into effect. But while these new clauses are welcomed – they were drawn up by the business group, the International Chamber of Commerce – their existence underlines how impenetrable the legislation has been for most businesses, creating a climate of uncertainty, says Emlyn Everitt, senior security consultant at Logicalis. "My impression is that most businesses don't understand data protection at all," he adds.

Under the EC changes, organisations will have a third option: to use the new standard contract clauses to ensure the data importer abides by the data protection rules. Broadly speaking, the new clauses are similar to the original ones, but they have additional provisions aimed at making them more useful for business (see box, ‘European contract clauses').


European contract clauses

ADVANTAGES

  • More flexibility
  • Give consideration to commercial realities
  • Allow more control over the data importer
  • Make data importer more accountable
  • In case of a breach, parties only liable for damage suffered, not punitive damages
  • Have right to terminate transfer agreement in certain circumstances

DISADVANTAGES

  • Place more obligations on exporter
  • Individuals entitled to proceed directly against you in case of DPA breach

Source: Tarlo Lyons


Additionally the new clauses are more practical, setting out the processes that the parties need to follow. Clauses relating to litigation, allocation of responsibilities or auditing requirements are set out clearly, whereas the previous ones relied much more heavily on describing the principles that needed to be followed.

For many European businesses, national laws dictate that they will have to use either the original or updated contract clauses when entering into data transfer arrangements. British firms have more flexibility in that they can decide to develop their own criteria, providing these meet the stipulations laid down in the DPA.

"But the big advantage of the new model clauses is that they provide a guarantee of adequacy [ie they meet European requirements]. That means businesses can save themselves a great deal of time and effort by not having to write their own terms," says Pinsent Masons' Gaskill.

Falling standards

Given the current lack of understanding, CIOs should consider following examples of good IT governance, says Everitt. Standards such as BS7799 provide a framework to ensure that appropriate systems are put in place to manage infrastructure and data. "With the DPA you understand you have to comply with something, but it's a bit woolly. BS7799 gives you a foundation."

The approach of using standards to develop policies for data protection has won favour amongst outsourcers (see box, ‘The data importers'), but it remains an unpopular choice for many IT organisations. Standards such as BS7799 are simply seen as IT issues, says the CIO of a UK-based building society. "If the Financial Services Authority mandated it, it would become a business issue. Otherwise it's too much trouble seeking accreditation."

For some companies, the options are so complex that the easiest solution is to ignore it, says Carsten Casper, research analyst at Meta Group. "While this is one approach for dealing with risk – identify, evaluate and remedy or accept the risk – it is certainly not advisable," he adds.


The principles of data protection

  • Personal data should be collected only for specified, explicit and legitimate purposes
  • The persons concerned should be informed about such purposes and the identity of the data controller
  • Any person concerned should have a right of access to his/her data and the opportunity to change or delete data which is incorrect
  • If something goes wrong, appropriate remedies must be available to put things right, including compensation or damages through the competent courts.

Source: EU Directive 95/46/EC


A paper tiger

In the UK, responsibility for enforcing data protection legislation falls to the Information Commissioner's Office. Alongside overseeing data protection, the Commissioner is also charged with enforcing the new Freedom of Information Act and anti-spam legislation.

And while the consequences of breaching data protection laws are severe – in December 2004, the Information Commissioner instigated legal action that resulted in combined jail sentences of six and a half years for two men convicted of running data protection scams – the enormity of the task facing his department is such that it has become largely a responsive rather than proactive role.

The Commissioner will investigate complaints and issue compliance notices when a problem is perceived. Notices are then followed up to check whether organisations have complied, but legal action is unlikely to result as long as companies are making efforts to comply. It is still rare for companies to be convicted of violating international data transfer rules, says Meta's Casper. "Companies often do not have sufficient incentives to address the problem of cross-border transfer of personal data."

So while in theory company directors can face prison terms for failing to comply, in practice the worst offenders – such as those deliberately trying to profit out of breaking the laws – only receive fines.

Despite this pragmatic approach by the body tasked with overseeing the legislation, organisations – often provoked by apocryphal tales – have built up data protection legislation in their collective minds as some terrible imposition.

Within the public sector, it is a situation that the UK government's CIO, Ian Watmore, is determined to tackle. "I find a lot of people believe they cannot do things under data protection which they can do. I think it's often perceived to be a problem when it isn't, or used as an excuse," he says. His comments reflect the sentiments of the Information Commissioner. On taking office in 2002, Richard Thomas said: "I want companies to see data protection as sound business practice, not a burden."

In effect, the authorities do not want businesses to be paralysed by the data laws; they want to see them use the legislation as a springboard for introducing sound privacy procedures. And the incremental changes to the rules can only encourage that.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...