Email Data Security:

If your job is to maintain the security and integrity of your organisation’s network, a detailed knowledge of the Data Protection Act and related legislation is a boring but necessary part of the job for many of my clients.

Legislation can really only recommend the basic principles and the world of IT will inevitably develop more quickly than the legislation underpinning it. The challenge for network security specialists developing new systems and solutions is to work within the letter and spirit of the legislative framework.

For most businesses regulatory compliance is inextricably linked to the commercial need to maintain secure networks. For example, if a credit card company failed to maintain network security, it would expose itself to the major fraud and legal claims which could cost millions of pounds.

Storage of Data and Liability:

The importance of backing up data must have been brought home to many of us by the experiences of businesses large and small in New Orleans, many of which no doubt will have suffered a devastating loss of data following Hurricane Katrina.

If anyone has any doubt about the importance of backing up data, it’s worth bearing in mind the following points from a legal perspective:

As a general rule legal actions may be brought within six years of the act or omission complained of. Liability can attract not only to the company itself but to the directors or even in some cases the main share holders.

Under the DPA, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes of which they are processed’. There’s also an obligation to keep the personal data up to date. In other-words you should have a rigorous system in place to ensure for example that your ancient data files only contain relevant, adequate and up to date personal information.

The DPA states that “appropriate technical and organizational measures shall be taken” to safeguard personal data. This is something that many businesses abjectly fail to do. As a result, credit card numbers, membership lists and other personal data have occasionally become publicly accessible on the web. From a commercial point of view, lose that data, and you may not have a business at all.

Download this article as a PDF

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Data Protection – Regulatory Powers and Code of Practice

Please note the Law may have changed since publication of article.

We live in a world where our personal details are beknown to an ever-increasing number of people. Just look at the amount of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally being contrary to the Data Protection Act 1998 (”the Act”). The data protection regime is administered by the Information Commissioner and based upon 8 principles set out in the Act. Obviously, complete confidentiality is an unrealistic goal but there must be limits on what use can be made of our personal details and by whom. In this article, we will consider employers and regulatory authorities, two categories of entities who, subject to certain limits are entitled to ascertain, retain and use certain personal data.

Employers’ Rights

The Information Commissioner is issuing guidance on the Data Protection Act by way of codes of practice (”the Codes”). Part of the Codes has already been issued and some is in draft format. The Codes regulate employers’ rights and practices in relation to the personal data which they hold relating to their personnel. Employers must ensure that monitoring of employees complies with the principles set out in the Act.
In brief, any surveillance of employees’ activities in the workplace must fall into one of the approved categories and, ideally, should have been accepted, in advance, by the employee by way of signature of an email and internet use policy issued by the employer. Monitoring must be for a specific purpose, be “fair and lawful” and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate.

The fifth Principle of the Data Protection Act 1998 states that “Personal data shall not be kept for longer than is necessary”. Earlier this year, the Information Commissioner published part 1 of her Codes catchily entitled “Information Commissioner’s Employment Practices Data Protection Code Part 1″. The guidance notes considers the question of retention of records in the context of Employment situations but does not specify a fixed period after which data must be destroyed. This, obviously only deals with employee data.

Employers would be well advised to make sure that their internet and email policy closely follows the various codes issued by the Information Commissioner. Any departure from the Act and codes may infringe the employee’s right to privacy (including correspondence in the workplace) under Article 8 of the Human Rights Act or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their employees even if the employees are not acting in accordance with the specific instructions of their employers.

Regulatory Surveillance

A. S.22(4)of the Regulation of Investigatory Powers Act 2000, empowers “designated persons” to demand communications data from network or postal operators. The fundamental aim of this is to obtain data which may assist to stop organised crime. An important distinction has been drawn between the interception of communications data and communications content. Access to Communications Data is carried out under an exception to the Data Protection Act 1998. “Communications Data” is defined very broadly as “any traffic data comprised in or attached to a communication …..” Access to this data is not limited to law enforcement or intelligence agencies but will also be available, for example, to the Inland Revenue, Customs & Excise, the DSS.

Communications data is also known as “traffic data”. There is no specific definition but it can include information such as:

• senders and addressees of emails
• file size of emails and attachments
• times and duration of phone calls
• location data on mobile phone users
• URL’s of websites visited
• newsgroups accessed; and
• phone no.’s sending and receiving faxes.

Although the National Criminal Intelligence Services wished for up to 7 years of communications data to be retained by Communications Service Providers, the Government’s official position was that mandatory traffic data retention for periods longer than those required for business purposes would not be introduced in the UK. However, the Government’s publicly stated position was belied by its efforts in Brussels to remove privacy protection in the review of the Telecoms Data Protection Directive when the UK government fought against the Directive’s ban on blanket data protection. In any event, the directive effectively allows for long-term retention in cases involving national or public security and the investigation of serious crime. After September 11, the Home Office announced that it would introduce a voluntary code of practice for Communications Service Providers to retain all communications data for up to 12 months with a veiled threat that if this were unsuccessful a mandatory scheme would be introduced.

© This article on data protection is copyright Simon Halberstam  2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice. ]]> http://www.weblaw.co.uk/articles/data-protection-and-the-workplace/feed/ 0 http://www.weblaw.co.uk/articles/financial-marketing-opting-in-or-out/ http://www.weblaw.co.uk/articles/financial-marketing-opting-in-or-out/#comments Sat, 08 Aug 2009 15:33:17 +0000 jonkal http://www.weblaw.co.uk/dev/?p=430 Please note the Law may have changed since the publication of article.

Whilst voluntary codes of conduct may exist, there is no statutory provision for unsolicited mail in the UK. However when it comes to email it’s a different matter. Under UK law (Reg 22 of the ‘The Privacy and Electronic Communications (EC Directive) Regulations 2003’ you can only send unsolicited marketing emails to an individual subscriber unless he has previously consented to receive it, or:

• You have already sold something to the recipient, and
• You are marketing a similar product, and
• You include an ‘unsubscribe’ option in each email.

Emails which conceal the identity of the sender are not permitted under the UK provisions. Similar regulations apply in other EU countries.

Recipients of spam can ‘bring proceedings for compensation’. The Information Commissioner can assist, but unlike provisions in other EU countries such as Italy, these regulations are entirely without teeth.

For most legitimate businesses, the fear of causing ill-will is a stronger incentive than any legislative provision not to spam. ‘Do as you would be done by’ is a good principle on which to proceed. ‘Opt in’ marketing schemes will be much more effective than ‘opt out’ ones. A marketing campaign that alienates consumers is clearly a non-starter.

If you plan to hire an external marketing firm, ask for their Data Protection and Consumer Privacy Policy. If they don’t have one, take a good hard look at whether you still want to work with them.

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

In this article we give an insight into some of the major issues that arise. However, there are many more and for further information, you may contact us.

Driving and mobiles

This is clearly a major issue, and there is more to it than one might think in terms of what the legal requirements are?

The first thing to note is that where an employer requires its staff to drive as part and parcel of their job, the car becomes part of the workplace and is therefore covered by the UK Health & Safety legislation.

The employer therefore needs to do a risk assessment of the use of the car, and that risk assessment should cover the risk of using the telephone whilst driving as well as all other risks associated with the type of driving which might be required and the type of vehicle used. The risk assessment in relation to use of the telephone should take account of whether that be a hand-held phone or a hands free kit. The risk, whilst considerably higher with hand held devices (and of course now illegal if done whilst driving) is high for both types of use and therefore employers should make it clear in their policies that mobile telephones should not be used AT ALL whilst driving and that drivers will not be required to use the phone at all whilst driving.

If there is an accident where the driver was on the phone and it is proved that the employer required or encouraged this, then the company is likely to be prosecuted alongside the driver; either for breach of Health & Safety or the causing or permitting offence. It might be surprising for employers to realise that prosecution by the Health & Safety Executive in relation to the lack of a risk assessment or the failure to have appropriate policies in place is a far more serious for the employer than the risk of a fine to the employee for falling foul of the new driving regulations. The fines for breach of Health and Safety are unlimited in the Crown Court and directors can face personal liability for fines, imprisonment, and even disqualification from acting as a director. There will also be the civil claim against the company from any victim of such an accident based upon “vicarious liability”.

Data protection

A lot of confidential stuff is now carried around on mobiles, PC and phones.

The 8th Data Protection Act principle deals with restrictions on transferring personal data outside of the EU/areas with equivalent data protection regimes. If one stores personal information legitimately collected within the EU on a mobile device and then that device is taken outside of the EU/areas with equivalent data protection regimes, that might well constitute a breach of the 8th principle. If this is a distinct possibility, the data collector would do well to cover this issue in the data protection privacy policy subject to which it collects the data in the first place and obtain the opt-in approval of the data subject to any such transfers to other jurisdictions.

Working Time Regulations 1998

There is currently a 48 hour limit on the hours employees can be required to work by their employer each week. This is an average which is calculated over a 17 week period. Employees can opt out of this limit but if they don’t, or if they have opted out and then choose to opt back in, the employer is required to monitor hours worked and ensure that the 48 hour a week limit is not exceeded. Clearly the issue of monitoring is complicated if staff are working away from the office. It is therefore vital in circumstances where staff have not opted out that employers have in place an accurate method of time recording – and that includes working time both in and out of the office and includes travel time if travel forms part of the job.

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Please note the Law may have changed since the publication of article.

Norwich Union paid out £450,000 several  years ago because of a libellous email sent by one of its employees. Defamation, unintended contract formation, misdirected emails all bring into focus the desirability of email disclaimers. The questions are what form should such disclaimers take and what is their likely effect.

In this article, Simon Halberstam considers these and related issues. The issues are considered more thoroughly in a guide to internet law available from Simon’s firm, details of which appear below.

General

The value of disclaimers is limited, since the courts normally attach more weight to the substantive content of the communication and the circumstances in which it is made than to any disclaimer. Having said that, disclaimers may possibly be helpful if an issue ends up in court in various respects such as those described below and, since disclaimers cost (almost) nothing, it is worthwhile to use them. Even though their effectiveness in court is doubtful, they may provide a useful argument in negotiations to resolve a dispute.

The comments below are based on the position under English law. It is likely that the position under the laws of most other countries is similar on most points, but specific consideration of the relevant laws of other countries would be an extensive exercise. One area where the laws of other countries is different is the compulsory disclosure of documents for legal proceedings. Many countries whose legal system is not derived from English law do not have compulsory disclosure, in which case the issue of exemption from disclosure does not arise.

Confidentiality

Under English law a recipient of a communication is obliged not to disclose its content or use it for a purpose other than the purpose for which it was communicated, if (but only if) the communication was expressly or implicitly confidential. Whether a communication is implicitly confidential depends on whether a reasonable person in the position of the recipient would regard it as confidential. Clearly this leaves room for argument and there have been differing decisions on whether information provided voluntarily for the purpose of interesting the recipient in doing business is confidential.

Therefore an express statement that a communication is confidential may well make the difference between its being treated as confidential or not. It could be argued that such a statement is not effective in certain circumstances, for example if it is in small type and liable to be overlooked, or if it is at the end of the message and only seen by the recipient after he has read the substantive content. A clear and prominent statement of confidentiality is therefore to be recommended. However, even in the absence of such clarity, a disclaimer may be effective in relation to a particular message, particularly if the recipient has received messages from the same sender with the same statement previously.

A practice of expressly stating that Emails are confidential may also make it easier to enforce confidentiality obligations on employees and ex-employees. In deciding whether information disclosed to an employee is implicitly confidential or within the scope of an express confidentiality provision of a contract of employment, one of the factors to be considered is whether information of the kind has been treated by the company as confidential.

A suitable statement might be: “Unless otherwise agreed expressly in writing by a [senior manager] of [company], this communication is to be treated as confidential and the information in it may not be used or disclosed except for the purpose for which it has been sent. If you have reason to believe that you are not the intended recipient of this communication, please contact the sender immediately.”

Legal privilege

In English legal proceedings there is a general obligation to disclose relevant documents to the other party. For this purpose documents include information stored electronically and could include communications which have been erased but can be restored. This is, however, subject now to a requirement that the exercise of reviewing the documents which might be relevant should be proportionate to their likely value and the amount at stake in the litigation. Nevertheless, Emails required to be disclosed may provide significant relevant evidence in a commercial dispute.

Confidential communications passing between a company and its external and internal legal advisers for the purpose of giving or obtaining legal advice and communications which come into existence in preparations for legal proceedings are exempt (”privileged”) from this obligation of disclosure.

A confidentiality statement as discussed above helps to make the communication confidential, but its status as a communication made in circumstances attracting the privilege may be supported by a further indication to this effect and claiming the privilege. Such a statement will also warn a person who subsequently has the task of sorting out documents and deciding whether they should be disclosed or privilege claimed. However, such a statement will not confer privilege on a communication which is not in fact made in the circumstances described above. In addition, the statement would be devalued if it were used on communications not entitled to the privilege.

Subject to the above comments, a suitable statement on privilege might be: “This communication is made for the purpose of obtaining legal advice or preparing for legal proceedings and legal privilege will be claimed accordingly.”

Viruses

Computer viruses can of course be transmitted by Email, particularly in attached files. It is desirable to attempt to place the risk and responsibility for checking on the recipient. Whether this would be wholly effective to avoid or limit liability will depend on the circumstances, but it is worth a try. Suitable wording might be: “WARNING: Computer viruses can be transmitted by Email. The recipient should check this Email and any attachments for the presence of viruses. [Company] accepts no liability for any damage caused by any virus transmitted by this Email. This Email and any attachments may not be copied or forwarded without express written permission of [a senior manager of company]. In the event of any unauthorised copying or forwarding, recipient will be required to indemnify [the company] against any claim for loss or damage caused by any viruses or otherwise.”

Libel, infringement of copyright and other wrongful acts

Under English law a company is liable for wrongful acts (torts) of its employees in the course of employment. The informal but recorded nature of Email has made liability for defamation a real risk, and this has been well-publicised. The ease with which software, data, text, music and graphics can be copied on computers, and the increasing organisation and vigilance of copyright owners, have also made this area one of significant risk.

Adding a disclaimer will probably not make any difference if an Email is sent in the course of employment, and is unnecessary if it is not. Nevertheless, a disclaimer on the following lines might possibly affect whether wrongful acts are characterised as being committed by employees and might also concentrate the minds of the employees: “Employees of [company] are expressly required not to make any defamatory statements and not to infringe or authorise any infringement of copyright or any other legal right by Email communications. Any such communication is contrary to company policy and outside the scope of the employment of the individual concerned. The company will not accept any liability in respect of such a communication, and the employee responsible will be personally liable for any damages or other liability arising.”

Contractual commitments

A binding legal contract can be formed by any exchange of communications passing between individuals who have actual or apparent authority to bind their companies. The communications can include Email, and there is a risk that this may bypass both internal procedures and any standard terms protecting the company. Again, this risk may be greater with Email than conventional procedures because it is both apparently informal, yet fully recorded.

An attempt may be made to limit the apparent authority of individuals to bind their company by wording along the following lines: “No employee or agent is authorised to conclude any binding agreement on behalf of [the company] with another party by Email without express written confirmation by [a director of the company].”

Sexual and racial discrimination and harassment

Nasty or even just careless internal emails may give rise to claims of discrimination and harassment. The importance of avoiding this should be drawn to the attention of all employees and covered in the company’s employment code of practice. It is unlikely that a company could avoid liability in this respect by virtue of a disclaimer.

© This article is copyright Simon Halberstam .2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. The contents are intended for general information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.