Open-access content Tuesday 25th October 2011
Data protection laws are about to change as the European Commission’s updated legislation come into force next month. Anthony Pearlgood explains the implications
27 October 2011
The days of businesses being able to brush data protection breaches under the carpet are numbered.
A new version of the European Commission’s Data Protection Directive will be published in mid-November. This is a kind of updated version of the Data Protection Act for safeguarding all kinds of personal data. This act previously only applied to government departments.
The main effect of these changes will be that all businesses, public bodies, charities and other organisations will be liable for any data breaches that occur and penalties for misuse of confidential information will be enforced.
Stringent measures will govern how information is to be managed. This will include new instructions on data processing, whereby every sector will be included in mandatory breach-disclosure rules.
Data protection – the law
For the technically minded, the EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU. Directive 95/46/EC encompasses all key elements from article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life and in personal correspondence.
There are seven broad principles within the Data Protection Directive. These include security, purpose, disclosure, notice, accountability and access.
Once a directive comes into force, any entity that holds personal data for some set purpose or reason becomes legally liable for the consequences of it being misused. Data is categorised as ‘personal’ when it allows a connection to be made between the data and the named person to whom it refers. Personal data can be anything from phone numbers, credit card details, home addresses, date of birth, bank account details and many other items.
The new directive will go through a process of consultation over the next 12 months, but is expected to be adopted and in force in the UK by early 2013. All sectors will be required to report breaches to the Information Commissioner’s Office. It stipulates that seriously affected individuals are also to be informed.
Taking a re-think
From an operational perspective, this will present a major task for many organisations. Management and training will need to be updated to reflect the re-engineering of mechanisms to detect breaches and report them to responsible internal officers. It will then fall to these managers to inform the Information Commissioner and individuals who may have been significantly affected by the breach.
Processing is also broadly defined. It relates to any manual or automatic operation involving personal data, including its collection, recording, organisation, storage, modification, retrieval, use, transmission, dissemination or publication and even blocking, erasure or destruction (Article 2b).
Many data compilers have been concerned about third-party responsibility and safety for data in an information cloud. However, the Data Protection Directive will include a ‘binding safe processor rule’, whereby data owners will not be liable for loss at the hands of a third party cloud provider.
Under the new rules, when use-of-data is outsourced to a certified business, the provider will not be liable for subsequent breaches involving their data from this source. This will be a very positive step toward the adoption of internet cloud services by businesses.
These data protection rules apply when the responsible party (called the controller in this EU Directive) is established, operates within the EU or uses equipment located inside the EU to process personal data from elsewhere. Controllers from outside the EU, who process personal data inside the EU, must nevertheless comply with this directive.
EU member states have supervisory authorities to monitor data protection levels in their state and to advise the government about related rules and regulations. It is their responsibility to initiate legal proceedings when data protection regulations are infringed. Controllers must notify their governing authority before processing any personal information and such notification prescribes in detail what kinds of detailed notice is expected, namely:
1. Name and address of the controller or representative
2. Purpose(s) of the processing
3. Descriptions of the categories of data subjects
4. The data or categories of data to be collected
5. Recipients to whom such data might be disclosed
6. Any proposed transfers of data to third countries
7. General description of protective measures taken to ensure safety and security of processing and related data.
In short, the data protection screw is tightening and the scope is extending from three sectors to the whole of society.
Organisations of all sizes and complexions are advised to begin planning their response now. Data management is a serious issue and all businesses have a responsibility to guard confidential information.
Anthony Pearlgood is commercial director at PHS Datashred