The Information Commissioner’s Office (ICO) has published a short guide on IT security, which is boldly stated to be “ideal for the small business”. It is aimed at helping organisations understand and adhere to the Data Protection Act 1998 (DPA) by developing a suitable IT security policy.
The guide doesn’t have a standard policy, but it does provide a checklist of issues and some practical recommendations. In particular, the guide gives advice on:
securing data on the move
keeping your systems up to date
keeping an eye out for problems
knowing what you should be doing, and
minimising the data you keep.
As you may be aware, a serious breach of the DPA can result in a fine of up to £500,000, so it is advisable to take heed of the ICO’s guidance!
Looking back at our old Naked Law blog, we wrote quite a lot of posts about cookies, the upcoming change in law requiring “explicit consent” from users and what website owners needed to be doing to comply (in fact my very last post dealt with the subject – see here). But where are we now, four months on from the big 'doomsday' deadline?
The main change I have noticed is the use of many different types of banners, roll-over links and cookie policies popping up on websites I visit, which highlight which cookies are being used and how. Many of these aren’t strictly compliant with the letter of the law, because they don’t actually ask a user to consent. Examples of these are where:
you can continue to use the website without actually ticking the ‘I consent’ box (unless cookies are automatically switched off until you tick the box, which probably isn’t the case for most websites).
The problem with where we have got to now is that everyone just seems to be sitting and waiting for someone else to come up with a strictly compliant solution which doesn’t affect user experience, rather than actually working on alternatives themselves. That may be a bit of a generalisation, but I haven’t seen or heard of any new solutions so far. Perhaps, being in the technology sector, one of you can prove me wrong?
In case you have somehow managed to miss the whole debate so far, the ICO's guidance on the new requirements is available through this link.
The fifth principle set out in the Data Protection Act is that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". As personal data can be processed simply by being stored, the fifth principle requires the deletion of personal data (plural) when they no longer need to be held for the purpose for which they were collected. It is important to be aware that if personal data are archived in a standard, retrievable manner, instead of being deleted, the rules of data protection (including subject access rights) will still apply to those data. Readers may recall that Google's failure to comply with the fifth principle hit the headlines this summer when it admitted that it had not deleted certain users' data gathered during surveys for its Street View service, an issue that is currently being examined by the Information Commissioner's Office (ICO).
The ICO has now acknowledged that "deletion" can mean different things in relation to electronic data and published detailed guidance on how organisations can comply with the requirements for deleting electronic data. Notably, the ICO accepts that it is possible to put information "beyond use" and for data protection compliance issues to be suspended if the data controller organisation holding it:
is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way
does not give any other organisation access to the personal data
surrounds the personal data with appropriate technical and organisational security, and
commits to permanent deletion of the information if, or when, this becomes possible.
This new guidance will be relevant to all organisations that have to, or wish to, delete personal data and we recommend giving it a read.
This is a new blog, written by UK lawyers and aimed at people in and around the technology sector. It is the latest blog to be launched by UK law firm Mills & Reeve. This blog is worth adding to your aggregator if you are an entrepreneur in the early stages of launching a tech business and want to know about some of the latest legal developments that will affect you. Or if you are a CEO, CFO or head of legal at a tech business and want to know what experienced lawyers who specialise in your sector have to say. Or if you invest in tech businesses and want to understand the legal risks that affect your investments. Or if you are an interested observer wondering what interests tech lawyers who work with cutting edge tech businesses every day.
Our writers come from a range of different legal disciplines. We include commercial, IT and IP specialists, corporate lawyers, HR and employment lawyers - and others we rope in from time to time when we think their views will be relevant to our readers. You can find out more about our writers on the Mills & Reeve homepage here.
This blog replaces our venerable Naked Law blog, which we are putting out to pasture. Readers of that blog may remember that it was the first blog to be written by a UK law firm, launched over seven years ago. It focussed only on what we would call technology law - IT, e-commerce, privacy etc - rather than the full range of laws that are relevant to technology businesses. Eventually, we felt that this was too restrictive and reflected the way we lawyers structure ourselves rather than what our readers would find interesting.
We hope you will enjoy reading this blog. If you have anything to say about any of our posts or about the blog itself, please leave a comment or send us an email. We would love to hear from you.