Mills & Reeve: Technology Law Update

Enter your email address:

Delivered by FeedBurner

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

Main | October 2012 »

September 2012

Navigating the clouds for data outsourcing

The ICO yesterday released new guidance for businesses on outsourcing of data handling to cloud network providers. A copy of the guidance can be found here.

Posted by on 28/09/2012 at 15:14 | | Comments (0)

Technorati Tags: , ,

IT security for small businesses that would prefer to avoid a £500,000 fine

The Information Commissioner’s Office (ICO) has published a short guide on IT security, which is boldly stated to be “ideal for the small business”. It is aimed at helping organisations understand and adhere to the Data Protection Act 1998 (DPA) by developing a suitable IT security policy.

The guide doesn’t have a standard policy, but it does provide a checklist of issues and some practical recommendations. In particular, the guide gives advice on:

  • securing data on the move
  • keeping your systems up to date
  • keeping an eye out for problems
  • knowing what you should be doing, and
  • minimising the data you keep.
As you may be aware, a serious breach of the DPA can result in a fine of up to £500,000, so it is advisable to take heed of the ICO’s guidance!

Posted by on 21/09/2012 at 18:00 | | Comments (1)

Technorati Tags: , , , , ,

Cookies – the road to compliance

You will no doubt have been aware of the 26 May 2012 deadline, which heralded the end of the Information Commissioner's grace period for website owners to comply with the change in law in relation to the use of cookies.

Looking back at our old Naked Law blog, we wrote quite a lot of posts about cookies, the upcoming change in law requiring “explicit consent” from users and what website owners needed to be doing to comply (in fact my very last post dealt with the subject – see here). But where are we now, four months on from the big 'doomsday' deadline?

The main change I have noticed is the use of many different types of banners, roll-over links and cookie policies popping up on websites I visit, which highlight which cookies are being used and how. Many of these aren’t strictly compliant with the letter of the law, because they don’t actually ask a user to consent. Examples of these are where:

  1. there is just a link to the website’s cookie policy;
  2. there is a banner or pop-up saying you are ‘deemed’ to accept the use of cookies by continuing to use the website; or
  3. you can continue to use the website without actually ticking the ‘I consent’ box (unless cookies are automatically switched off until you tick the box, which probably isn’t the case for most websites).

I can’t really be said to have “explicitly” consented to the use of cookies in any of the above examples. However, it does show that website owners are 'taking steps' towards compliance in order to avoid the threat of enforcement action being taken against them by the ICO. Most will also see this as a ‘safety in numbers’ approach.

The problem with where we have got to now is that everyone just seems to be sitting and waiting for someone else to come up with a strictly compliant solution which doesn’t effect user experience, rather than actually working on alternatives themselves. That may be a bit of a generalisation, but I haven’t seen or heard of any new solutions so far. Perhaps, being in the technology sector, one of you can prove me wrong?

In case you have somehow managed to miss the whole debate so far, the ICO's guidance on the new requirements is available through this link.

Posted by on 21/09/2012 at 10:00 | | Comments (0)

New ICO Guidance on Deleting Personal Data: Avoid Total Recall

The fifth principle set out in the Data Protection Act is that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". As personal data can be processed simply by being stored, the fifth principle requires the deletion of personal data (plural) when they no longer need to be held for the purpose for which they were collected. It is important to be aware that if personal data are archived in a standard, retrievable manner, instead of being deleted, the rules of data protection (including subject access rights) will still apply to that data. Readers may recall that Google's failure to comply with the fifth principle hit the headlines this summer when it admitted that it had not deleted certain user's data gathered during surveys for its Street View service, an issue that is currently being examined by the Information Commissioner's Office (ICO).

The ICO has now acknowledged that "deletion" can mean different things in relation to electronic data and published detailed guidance on how organisations can comply with the requirements for deleting electronic data. Notably, the ICO accepts that it is possible to put information "beyond use" and for data protection compliance issues to be suspended if the data controller organisation holding it:

  • is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way
  • does not give any other organisation access to the personal data
  • surrounds the personal data with appropriate technical and organisational security, and
  • commits to permanent deletion of the information if, or when, this becomes possible.
This new guidance will be relevant to all organisations that have to, or wish to, delete personal data and we recommend giving it a read.

Posted by on 20/09/2012 at 17:33 | | Comments (0)

Technorati Tags: , , , , , , , , , ,

Welcome to our new blog

Hello.

This is a new blog, written by UK lawyers and aimed at people in and around the technology sector. It is the latest blog to be launched by UK law firm Mills & Reeve. This blog is worth adding to your aggregator if you are an entrepreneur in the early stages of launching a tech business and want to know about some of the latest legal developments that will affect you. Or if you are a CEO, CFO or head of legal at a tech business and want to know what experienced lawyers who specialise in your sector have to say. Or if you invest in tech businesses and want to understand the legal risks that affect your investments. Or if you are an interested observer wondering what interests tech lawyers who work with cutting edge tech businesses every day.

Our writers come from a range of different legal disciplines. We include commercial, IT and IP specialists, corporate lawyers, HR and employment lawyers - and others we rope in from time to time when we think their views will be relevant to our readers. You can find out more about our writers on the Mills & Reeve homepage here.

This blog replaces our venerable Naked Law blog, which we are putting out to pasture. Readers of that blog may remember that it was the first blog to be written by a UK law firm, launched over seven years ago. It focussed only on what we would call technology law - IT, e-commerce, privacy etc - rather than the full range of laws that are relevant to technology businesses. Eventually, we felt that this was too restrictive and reflected the way we lawyers structure ourselves rather than what our readers would find interesting.

We hope you will enjoy reading this blog. If you have anything to say about any of our posts or about the blog itself, please leave a comment or send us an email. We would love to hear from you.

Posted by on 20/09/2012 at 13:31 | | Comments (0)