Abstract
There are many pieces of legislation and regulation that have some impact on our
security, monitoring and data retention policies.
Some apply only to businesses dealing with consumers, and some are specific to
certain industries.
Much of this legislation is vague or hard to interpret, some
of it doesn’t account for recent changes in technology; some of it even appears
to contradict other legislation and much of it has no current case-law to
clarify how it should be interpreted.
How do we, as professionals, pick our way
through this forest of legislation and implement a practical security,
monitoring and data retention solution that’s likely to keep us, and our
directors, out of jail without bankrupting the company?
One senior figure from the IT industry may have been somewhat sarcastic when he
announced: “The good thing about standards is that there are so many to choose
from.”
But the legal framework within which we operate is rather like that.
Today you can’t choose which laws you want to comply with as the penalty for
getting it wrong can be very high indeed.
Shelagh Gaskill is a Partner at Pinsent Masons Solicitors, specialising in information law.

Mike Hill is Vice-President of Marketing at data storage specialists Chronicle Solutions (UK) Plc.


Introduction
The legislation affects many different areas of our business.
In all but the smallest there is more than one person responsible: HR,
accounts, legal, security and compliance managers all bear some responsibility.
They will inevitably end up in the IT department talking to the person
responsible for security.
So what do you advise them to do?
Data protection legislation
Let us consider some of the legislation: the Data Protection Act 1998 (DPA), for
example.
This is primarily concerned with companies that deal with the public and that
hold “personal data” about them in some sort of organised filing system.
If such data is held then the individual has the right to request copies of
such data and this has to be produced within 40 days.
So if you are a B2B company and don’t deal with members of the public you
don’t have to worry about it, right?
Wrong, I’m afraid. The definition of “personal data” applies to any
individual, including your contact lists of your own customers, suppliers,
employees and ex-employees.
So if you keep records of who your contacts are or records of your employees'
salary details (as you surely must) then the DPA applies.
And it applies to any email or other electronic communication containing such
personal information and to paper files if they are stored in an organised and
retrievable form.
Other legislation
There are other pieces of legislation that may require you to store
electronic communications anyway, such as the Financial Services and Markets
Act, or (if you do business in the USA, or with US companies) the rules of the
Securities and Exchange Commission (SEC).
Following Enron, the Sarbanes-Oxley Act in the USA (whose equivalent over here
will be new legislation on audit rights over companies) is all about accounting
for revenue accurately.
In order to do this and to show your auditors that you have done this
correctly, you will have to record and keep information.
Roughly what these pieces of legislation require, if they apply to your company,
is that all electronic communications that are in any way related to your
business must be stored for at least three years in a form that cannot be
changed or modified.
They don’t require easy retrieval, but if you are asked to produce a
particular email then you don’t want it to cost a fortune.
EDS didn’t think about that when they were recently required to produce some
emails for a court action in the USA.
They estimated the cost of actually finding and retrieving the particular
emails at $4.7 million.
Investigatory powers
Then there is the issue of what you are entitled to look at and keep.
Under the Regulation of Investigatory Powers Act 2000, monitoring and storing
employees' private emails (if you allow them reasonable private use of business
systems, as most organisations do) is a breach of statutory duty unless you have
their consent and the consent of the senders or recipients of those emails.
This appears to contradict the requirements of some of the legislation we
have already discussed.
Emails
However there are circumstances in which not monitoring and storing emails
may also infringe an employee’s rights.
Suppose one of your employees is sexually harassing another by email, and the
victim takes you to an employment tribunal alleging that you allowed harassment
in the workplace.
If you haven’t recorded the emails then it could be argued that you haven’t
taken steps to protect them.
Of course, the allegation of sexual harassment could itself be malicious, and
if you haven’t recorded email conversations then you won’t be able to produce
evidence to demonstrate that either.
The answer here is to monitor and record, but you must inform your employees
that you are doing so: include this in your communications policy and state that
the first use of business systems for private use will be their deemed consent
to your monitoring.
This allows them to make an informed decision about whether or not they want
to send and receive private emails at work.
This procedure is really easy for your employees but how do you get the
consent of the senders or recipients of their emails?
International and City firms of solicitors put a statement at the end of all
their emails warning that they will monitor emails in serious cases and that
continued email correspondence with their employees in a private capacity will
be deemed consent by the senders and recipients to the monitoring.
Websites
The same holds good for visiting unacceptable internet sites.
For the cost of a few pounds per employee you can implement a monitoring,
alerting and recording system that will help you comply with many of the laws
and regulations, demonstrate that you are taking reasonable steps to protect
your employees, your customers and your business, and hopefully keep your
directors out of jail.
It would be best to choose one that actually examines the content of the
electronic communications, so that you can choose to store what is relevant, and
you can retrieve it cheaply, quickly and easily.
You may even find that the behaviour of your employees changes because they
know they are being monitored, and you get other benefits such as reduced
bandwidth requirements and greater staff productivity.

Source: Credit Control Journal (Volume 26, No 2, 2005)