The spectre of data protection legislation has haunted IT departments for years. Fearful of breaching UK and European data protection laws governing the sharing of individuals' records, agencies have, in extreme cases, failed to pass information to police that could have prevented murder, and pensioners have frozen to death in their homes. Yet in truth, such legislation is far more benign than its reputation portrays; and forthcoming changes in the rules on data transfer promise to make it considerably more business-friendly.
The current restrictions on the transfer of personal information first took root in the European Union's efforts to standardise data protection across its member states. The Data Protection Directive adopted in 1995 was then left to individual governments to interpret and enact in their own legal systems.
In the case of the UK, the Data Protection Act 1998 (DPA) gave organisations two routes through which they could legally share data: first, to obtain the individual's agreement to the transfer of the information; or second, to enter into a strict transfer agreement with the recipient of the data. (The situation is slightly more complex when it comes to transferring ‘sensitive’ personal data, such as medical records, where consent must be sought.)
Clearly this is a complex area. In one high-profile case in August 2004, Lloyds TSB faced a barrage of criticism from trade union Amicus, which claimed that the bank's plans to outsource 1,000 call centre jobs to India would break data protection laws because individual customers had not been asked for their consent. For its part, Lloyds claimed it had the necessary measures in place that ensured the protection of customer data at both the UK and India ends.
But aside from the legal niceties of what constitutes ‘sensitive’ data, Lloyds should have been well aware that the idea of transporting personal data overseas is one of the most contentious issues facing business and public sector organisations. In April 2004, Lloyds itself had commissioned research which found that 45% of bank customers would consider leaving if their accounts were managed in India.
Trying to circumvent such problems, European legislators originally drew up standard clauses that they said should be included in transfer agreements in order to ensure that data could be passed outside the European Economic Area (EEA) without fear of breaching data protection laws. These were intended to make the process of safely and legally transferring data much easier.
"It hasn't happened," says Shelagh Gaskill, partner at law firm Pinsent Masons. Most companies have avoided using these clauses, which were written by legislators not business professionals, because that aspect of the agreement could potentially expose the business to too much risk. The model clauses impose liability on both the exporter and importer for the other's breaches.
Having watched for four years as these standard contract terms failed to win over businesses, the European Commission is set to act. From 1 April 2005 new, more business-friendly clauses come into effect. But while these new clauses are welcomed – they were drawn up by the business group the International Chamber of Commerce – their existence underlines how impenetrable the legislation has been for most businesses, creating a climate of uncertainty, says Emlyn Everitt, senior security consultant at Logicalis. "My impression is that most businesses don't understand data protection at all," he adds.
Under the EC changes, organisations will have a third option: to use the new standard contract clauses to ensure the data importer abides by the data protection rules. Broadly speaking, the new clauses are similar to the original ones, but they have additional provisions aimed at making them more useful for business (see box, ‘European contract clauses’).
Additionally the new clauses are more practical, setting out the processes that the parties need to follow. Clauses relating to litigation, allocation of responsibilities or auditing requirements are set out clearly, whereas the previous ones relied much more heavily on describing the principles that needed to be followed.
For many European businesses, national laws dictate that they will have to use either the original or updated contract clauses when entering into data transfer arrangements. British firms have more flexibility in that they can decide to develop their own criteria, providing these meet the stipulations laid down in the DPA.
"But the big advantage of the new model clauses is that they provide a guarantee of adequacy [ie they meet European requirements]. That means businesses can save themselves a great deal of time and effort by not having to write their own terms," says Pinsent Masons' Gaskill.
Given the current lack of understanding, CIOs should consider following examples of good IT governance, says Everitt. Standards such as BS7799 provide a framework to ensure that appropriate systems are put in place to manage infrastructure and data. "With the DPA you understand you have to comply with something, but it's a bit woolly. BS7799 gives you a foundation."
The approach of using standards to develop policies for data protection has won favour amongst outsourcers (see box, ‘The data importers’), but it remains an unpopular choice for many IT organisations. Standards such as BS7799 are simply seen as IT issues, says the CIO of a UK-based building society. "If the Financial Services Authority mandated it, it would become a business issue. Otherwise it's too much trouble seeking accreditation."
For some companies, the options are so complex that the easiest solution is to ignore them altogether, says Carsten Casper, research analyst at Meta Group. "While this is one approach for dealing with risk – identify, evaluate and remedy or accept the risk – it is certainly not advisable," he adds.
A paper tiger
In the UK, responsibility for enforcing data protection legislation falls to the Information Commissioner's Office. Alongside overseeing data protection, the Commissioner is also charged with enforcing the new Freedom of Information Act and anti-spam legislation.
And while the consequences of breaching data protection laws are severe – in December 2004, the Information Commissioner instigated legal action that resulted in combined jail sentences of six and a half years for two men convicted of running data protection scams – the enormity of the task facing his department is such that it has become largely a responsive rather than proactive role.
The Commissioner will investigate complaints and issue compliance notices when a problem is perceived. Notices are then followed up to check whether organisations have complied, but legal action is unlikely to result as long as companies are making efforts to comply. It is still rare for companies to be convicted of violating international data transfer rules, says Meta's Casper. "Companies often do not have sufficient incentives to address the problem of cross-border transfer of personal data."
So while in theory company directors can face prison terms for failing to comply, in practice even the worst offenders – such as those deliberately trying to profit from breaking the laws – usually only receive fines.
Despite this pragmatic approach by the body tasked with overseeing the legislation, organisations – often provoked by apocryphal tales – have built up data protection legislation in their collective minds as some terrible imposition.
Within the public sector, it is a situation that the UK government's CIO, Ian Watmore, is determined to tackle. "I find a lot of people believe they cannot do things under data protection which they can do. I think it's often perceived to be a problem when it isn't, or used as an excuse," he says. His comments reflect the sentiments of the Information Commissioner. On taking office in 2002, Richard Thomas said: "I want companies to see data protection as sound business practice, not a burden."
In effect, the authorities do not want businesses to be paralysed by the data laws; they want to see them use the legislation as a springboard for introducing sound privacy procedures. And the incremental changes to the rules can only encourage that.