Information Management in FSS: A Legal Perspective
Paul Hinton
Ian Mason
Barlow Lyde & Gilbert LLP
17 September 2009
Information Management
Information is a key asset of every business
Technology has revolutionised our ability to access, create, store, search and communicate information
Information Management is in its infancy and lagging behind technological development
“the stone age was marked by man's clever use of crude tools; the information age, to date, has been marked by man's crude use of clever tools”
[Chart: growth in stored information, horizontal axis 2006 to 2015, vertical axis 0 to 10,000]
Storing up trouble…
Inside of an IT storage system
Why is this a problem?
The acquisition of, and failure to discard, possessions that are useless or of limited value, due to a fear of losing things perceived to be important.
= “PATHOLOGICAL HOARDING DISORDER”
Law and Information Management
IPRs
DPA
Others, e.g. DDA, confidence etc.
Data Protection Act
Data Protection Act 1998
EC Directive – EEA wide application
Policed in the UK by the ICO
Protects ‘personal data’ – electronic mainly (but also paper in some cases)
‘data controllers’ must ‘process’ in accordance with the DPA
‘data subjects’ get a number of rights under the DPA
Establishes “Principles” to abide by
The Data Protection Principles
Adequate, relevant and not excessive
Accurate and up to date
Rights for Data Subjects under the Act
Specific purpose
Not kept longer than necessary
Technical and organisational measures
EEA
“fairly and lawfully processed”
Consequences of breaching DPA
Reputational damage
Fines
Criminal offences
ICO increasing policing and enforcement and taking a harder line
5 Key Legal Impacts
1. Security/confidentiality obligations
2. What information can/must be stored
3. Exploitation of information
4. Who has a right to access information
5. Dealing with 3rd parties
1. Security/Confidentiality
Common law confidentiality
Contractual – agreed standards
Data Protection Act – Principle 7
Applicable IT standards “keeping up to date” - adequate technical and organisational (= security) measures – e.g. BS 10012
Practical measures and security standards
2. What Can/Must Be Stored
800+ specified retention periods fixed by statute/common law
VAT records 6 years
Contractual claims 6 years (12 years if a deed)
Data Protection Act
Processing fairly and lawfully
Adequate and not excessive
Accurate and up to date
Not for longer than necessary
IPRs
3. Exploitation of Information
Copyright
Arising automatically in original works
Lasts for a set number of years
Generally owned by creator – (including ‘employer’)
Database rights
Arises where "substantial investment" in obtaining, verifying or presenting the contents of the database
Owned by the maker
Data Protection
“fairly and lawfully”
4. Who has a right to access?
Confidentiality – who can it be given to?
DPA
Fairly and lawfully processed
EEA
Subject Access Request
Litigation – duty to provide even if detrimental
Regulatory investigation
5. Dealings with 3rd Parties
See 1. to 4. above:
Security
Storage
Exploitation
Access
DPA issues need to be dealt with explicitly in contracts
Liability/Indemnity/Insurance
Right to audit/access and have information returned
Information management policies
FSA DOCUMENT RETENTION OBLIGATIONS
Firms are required to take reasonable care to make and retain adequate records of matters and dealings which are the subject of requirements and standards under the regulatory system
No prescribed time period – “should be retained for as long as is relevant for the purposes they were made”
No prescribed format, but must be capable of being reproduced on paper
Destruction of documents during an investigation not a good idea!
FSA Principle 3 – “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”
FSA INFORMATION GATHERING AND INVESTIGATION POWERS
Very broad powers to obtain documents and interview witnesses
FSA must use its powers proportionately
FSA Enforcement Division has a specialised computer forensic team
Importance of co-operation – FSA Principle 11, relations with regulators
Legal privilege may be maintained
Use FSA scoping visit to discuss approach to disclosure of documents
FSA’S INCREASING EMPHASIS ON INFORMATION SECURITY
HSBC companies fined over £3 million for inadequate systems and controls to protect customers’ confidential data
Nationwide Building Society fined £980,000 for information security lapses
Norwich Union fined £1.26m for security breaches
Top Tips
Have you undertaken a documented data security risk assessment?
Have all points/red flags arising from risk assessment, internal audit etc been addressed?
How accessible are procedures and guidance?
Does staff practice in reality reflect these procedures?
Is training adequate?
Information is your greatest asset, but also your biggest risk...
Not just the Data Protection Act 1998
There is no “magic bullet” solution
A multi-faceted approach is needed:
Contractual and legal protections
IT security and solutions
Practical policies and procedures
Policies
Make it an employee issue not a corporate problem:
Written documents that explain practical day-to-day procedures and rules for use of the data (including communications, storage, passwords, access, home working etc.)
Provided to all employees who have to sign and comply with them (part of employment / outsourcing contract)
Will reduce the real risk of a leak occurring
Will increase chances of compliance with law and regulation
Will reduce liability
Significantly limits PR damage
[Slide image: two items labelled A and B, captioned “Spot the difference if lost…”]
Questions?