THE SEVENTH DATA PROTECTION PRINCIPLE

The seventh data protection principle exists to ensure the security of personal data undergoing processing. It says:

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


Appropriate technical measures

The interpretation says the following about appropriate technical measures:

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –

  1. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

  2. the nature of the data to be protected.


There are four issues at the heart of the interpretation on the meaning of appropriate technological measures, namely:

  • the state of technological development;

  • the cost of implementing technological security measures;

  • the harm that might result from unauthorized or unlawful processing and so on;

  • the nature of the data to be protected.

Keeping abreast of technological developments

The data controller’s obligation to have regard to the state of technological development effectively requires the data controller to keep up to date with the development of security technologies. This reflects the fact that the threats to electronic data, particularly malicious threats, are constantly developing. It also reflects the fact that flaws in the security features of technology are regularly uncovered. Finally, it reflects the fact that what might now be considered to be new, exciting technology will soon fall in price and become either a standard security requirement or a major security threat.

Thus, the requirement to have regard to the state of technological development has a dual focus:

  • The data controller needs to keep abreast of developments in technological security measures.

  • The data controller needs to keep abreast of technological threats to personal data.

Keeping abreast of developments in technological security measures

If the example of purely domestic processing is considered, which is actually exempt from the DPA (see section 36), it will soon be appreciated that most new PCs intended for home use come supplied with firewall and anti-virus software as standard. If not, this software can be purchased from reputable vendors at very little cost. Email encryption technology and digital signatures are also becoming widely used in the home. Strong passwords can be added to electronic files and changed as a matter of routine. Against this background it must be fair to say that the seventh data protection principle now requires all data controllers to have a firewall and anti-virus software installed, to use passwords and to consider encryption and digital signatures for email. These features serve a definite technological purpose and they are relatively inexpensive.

Although these security features might be adequate for individuals and small-scale computer users, they are unlikely to be sufficient in a networked environment or for public authorities and large organizations, particularly those used to dealing with large volumes of sensitive or confidential information. Advanced technological measures that are already on the market include biometric security equipment, such as fingerprint and iris readers. Many large organizations are moving their electronic data into ‘digital safes’.

Keeping abreast of technological threats to personal data

Obvious examples of technological threats to personal data include viruses, worms, Trojan horses, cookies, adware and spyware. A good quality firewall and regularly updated anti-virus software should keep many of these threats at bay, but the data controller needs to keep abreast of new entry points for malicious code and software. Many data controllers will already focus their attentions on the use of email and the internet, while overlooking the threats posed by instant messaging, for example.

Hardware and computer peripherals also pose a significant threat to data security. Many different types of portable storage devices are brought into the workplace, such as PDAs, mobile telephones, USB drives and MP3 players, all of which can be used to transport data out of the workplace. Data controllers must implement policies to address the use of these items.

Another major threat to the security of electronic data is the phenomenon of data proliferation, where the same piece of data comes to be stored in many different places and in many different formats. Factors that result in proliferation include the use of portable storage media, teleworking, lack of discipline over file structures and the use of backup tapes and disks. The key problem caused by proliferation is the loss of control over the data, so that data exists outside the parameters of the data controller’s security system.

The use of magnetic backup tapes is now being recognized as posing a threat to electronic data. These tapes degrade over a period of time, which threatens the electronic data contained within them. If degraded data are called into service, perhaps as part of a disaster recovery plan, the data controller risks a charge of non-compliance with the seventh data protection principle and other principles.
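One practical way to avoid calling degraded backup data into service is to record a cryptographic digest of every file at backup time and re-verify the set before it is relied upon. The following is an added example (not from the text above): it builds a SHA-256 manifest for a backup set, then checks a copy against it, reporting missing files, size changes and digest mismatches. The file contents, paths and the simulated bit-flip are all constructed for illustration.

```python
"""Integrity manifest for backup copies (added example, not from the text).

At backup time a SHA-256 digest is recorded for every file in the set.
Before a copy is called into service, e.g. in a disaster-recovery exercise,
each file is re-hashed and compared with the manifest, so silently degraded
media is detected rather than restored. All sample data here is constructed.
"""
import hashlib
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Return a JSON manifest mapping path -> {size, sha256} for a backup set."""
    entries = {path: {"size": len(content), "sha256": sha256_hex(content)}
               for path, content in sorted(files.items())}
    return json.dumps({"algorithm": "sha256", "files": entries}, indent=2)


def verify_backup(manifest_json: str, files: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Re-hash every file against the manifest.

    Returns (ok, problems). `problems` lists files that are missing, have a
    changed size, or have a digest mismatch; files present in the copy but not
    in the manifest are reported too, since they fall outside the recorded set.
    """
    expected = json.loads(manifest_json)["files"]
    problems: List[str] = []
    for path, meta in expected.items():
        if path not in files:
            problems.append(f"missing: {path}")
            continue
        content = files[path]
        if len(content) != meta["size"]:
            problems.append(f"size mismatch: {path}")
        elif sha256_hex(content) != meta["sha256"]:
            problems.append(f"digest mismatch (degraded or altered): {path}")
    for path in files:
        if path not in expected:
            problems.append(f"unexpected file not in manifest: {path}")
    return (not problems, problems)


def flip_bit(data: bytes, offset: int) -> bytes:
    """Simulate media degradation by flipping one bit at the given offset."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample backup set (placeholder contents, not real personal data).
SAMPLE_BACKUP = {
    "customers/2005-Q1.csv": b"id,name,postcode\n1,A. Example,AB1 2CD\n",
    "customers/2005-Q2.csv": b"id,name,postcode\n2,B. Example,EF3 4GH\n",
}


def demo() -> Tuple[bool, bool]:
    """Return (pristine_ok, degraded_ok): the intact copy verifies, the degraded one does not."""
    manifest = build_manifest(SAMPLE_BACKUP)
    pristine_ok, _ = verify_backup(manifest, SAMPLE_BACKUP)
    degraded = dict(SAMPLE_BACKUP)
    degraded["customers/2005-Q2.csv"] = flip_bit(degraded["customers/2005-Q2.csv"], 20)
    degraded_ok, problems = verify_backup(manifest, degraded)
    return pristine_ok, degraded_ok


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored separately from the tapes it describes (and ideally signed), otherwise a degraded or altered medium could carry a matching but equally untrustworthy manifest.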

Wi-Fi and Bluetooth technologies also pose their own threats. Nowadays it is easy to obtain free wireless internet access in high-street coffee shops, hotels, restaurants, supermarkets and on public transport. Data controllers who allow their workers to take advantage of these new facilities must also give consideration to the security implications.

The phenomenon of teleworking, where the worker works part or all of their time from their own home, is a major security concern for data controllers, due to the loss of direct control over the worker, the working environment and the data. In addition to causing potential data proliferation problems, mentioned above, the data controller is exposed to risks of unauthorized access to its data, perhaps by family members of the teleworker who are also users of the teleworker’s PC.

Determining what technological measures are appropriate

The second, third and fourth issues at the heart of the interpretation of the meaning of appropriate technological measures effectively oblige the data controller to carry out some form of risk assessment to identify the threats to their personal data and to determine the nature and extent of the harm that might result from unauthorized or unlawful processing, or accidental loss or destruction of, or damage to, personal data.

If the threat of proliferation is considered, one solution might be an IT system that keeps information safe and secure in one place only, the digital safe. While the initial costs of such a system might be many thousands of pounds, the outlay may seem modest when measured against the cost of a security breach, particularly when significant security breaches are likely to result in major reputational damage for the data controller in addition to the settling of fines, damages claims and loss of trade. For data controllers dealing with large volumes of sensitive data, for example public authorities, banks, health care providers, insurance companies, trade unions, political organizations, recruitment consultants and retailers, it is highly likely that compliance with the seventh data protection principle will require significant financial outlay on solutions.

Appropriate organizational measures

Data controllers’ organizational measures will include their technical measures and the measures they put in place to deal with workers and any data processors used. Naturally, all of these measures may be categorized as management measures in the sense that they are within the sphere of management responsibility. The interpretation deals with employees and data processors in a similar fashion, essentially requiring the data controller to be sure of the reliability of these persons.

Organizational measures concerning employees

The interpretation says that a data controller must take ‘reasonable steps to ensure the reliability of any employees of his who have access to personal data’. As with the appropriateness of the technical measures taken, the reasonableness of the steps taken to ensure employee reliability is a fact-sensitive issue that depends upon the nature of the data processed and the processing purpose. Of course, the purpose of the measures is to prevent ‘unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data’.

The interpretation does not provide any assistance with the meaning of the word ‘reliability’ but a common sense approach would suggest that the data controller should do the following:

  • Carry out appropriate background checks before hiring the employee. This will often include the taking-up of references. In certain sensitive circumstances, such as the hiring of teachers and persons working with children, the carrying out of background checks with the Criminal Records Bureau will be required. It is worth remembering that confidential references given to the data controller for employment purposes are exempt from the right of access within section 7 of the DPA (section 37 and Schedule 7).

  • Insert appropriate data protection clauses in the contract of employment and the company handbook.

  • Provide appropriate training for the employee, as part of induction procedures and periodically thereafter.

  • Implement a system of monitoring in appropriate cases. This may extend to the interception of electronic communications in defined circumstances.

  • Implement a disciplinary procedure for employee breaches of data protection. Such a procedure will be defined in the company handbook and will specify any particular breaches that could lead to dismissal.

The Information Commissioner has introduced a code of practice under section 51 of the DPA, which deals with these issues (and more). The Employment Practices Code [105] is divided into four parts: (1) recruitment and selection; (2) employment records; (3) monitoring at work; and (4) information about workers’ health. Data controllers should consult the Code and its supplementary guidance for a detailed analysis of the Information Commissioner’s position on the processing of employee data. For the purposes of this discussion, ensuring the reliability of employees, the following points should be noted:

  • Pre-employment vetting: The Information Commissioner recognizes the importance of pre-employment vetting, but cautions that such activities must be proportionate. It is vital for data controllers to take account of the laws that limit or curtail pre-employment vetting and those that support it. For example, section 55 of the DPA creates offences of unlawful obtaining and unlawful disclosure of personal data, offences that could be committed by an over-zealous data controller performing pre-employment enquiries. In addition, section 56 of the DPA creates an offence commonly known as enforced subject access, which is committed where an employer (or potential employer) wanting more background information about an employee’s (or prospective employee’s) character requires an employee (or prospective employee) to exercise their rights under section 7 of the DPA to obtain records about their convictions and cautions. Similarly, the Rehabilitation of Offenders Act 1974 provides that spent convictions do not have to be declared in response to questions about criminal records. This rule is subject to exceptions contained in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, which in limited circumstances allows prospective employers to obtain disclosures directly from the Criminal Records Bureau (or Disclosure Scotland) about spent and unspent convictions, cautions and non-conviction information held by the police. Circumstances covered by this order include the employment of persons working with children and other vulnerable persons.

  • Employee monitoring: The Information Commissioner cautions that employees are entitled to respect for their privacy while at work. Thus, data controllers carrying out monitoring should make it clear to workers that they are doing so, how it is being done and why.

  • Covert monitoring: The Information Commissioner is very discouraging of covert monitoring for obvious reasons, but does acknowledge that it has its role. In the Supplementary Guidance to the Employment Practices Code [106] the Information Commissioner says:

    covert monitoring will only be justified in a particular case if openness would be likely to prejudice the prevention or detection of crime or equivalent malpractice or the apprehension or prosecution of offenders. There may be cases where one of the other exemptions in the Act could apply, but these are unlikely to arise in the employment context. It is therefore essential that the employer makes a considered and realistic assessment of whether such prejudice is likely. A reliable test of whether covert monitoring is justified is to consider whether the activity being monitored is of sufficient seriousness that it would be reasonable for the police to be involved. This does not mean, though, that the employer need necessarily involve the police. However, the implications of covert monitoring are such that senior management authorisation ought to be a prerequisite.


  • Interception of communications: Within the workplace this is covered by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 [107], made under the Regulation of Investigatory Powers Act 2000. These regulations permit the monitoring of certain business-related electronic communications (telephone calls, emails, internet access and fax transmissions) provided that the data controller has taken all reasonable steps to notify their employees that interception will take place. Workplace interception that does not comply with the Regulations is an offence.

Organizational measures concerning data processors

A data processor is a person or organization that processes personal data on behalf of a data controller. A data processor cannot be an employee of the data controller. The essence of a data controller–data processor relationship is that the data controller continues to control the purpose and manner of the processing done by the data processor. Of course, it is also the essence of the relationship that the data processor gains access to, or takes possession of, the personal data processed by the data controller. The implications for personal privacy in these relationships are clearly very serious indeed. However, if the data processor starts to determine the purpose or manner of the processing, they will become a data controller in their own right.

The interpretation says the following about data controllers’ use of data processors:

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle –

  1. choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

  2. take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless –

  1. the processing is carried out under a contract –

    1. which is made or evidenced in writing, and

    2. under which the data processor is to act only on instructions from the data controller, and

  2. the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.


These obligations are designed to protect the data subject’s personal data when they are undergoing processing by the data processor. When this interpretation is distilled down to its key ingredients it becomes apparent that relationships between data controllers and data processors must be governed by contracts. Although these contracts may be ‘evidenced in writing’, the prudent data controller will ensure that they are made in writing. These written contracts will contain provisions dealing with the following:

  • The data processor will guarantee that appropriate technical and organizational measures have been taken and/or will be taken.

  • The data processor will provide facilities to the data controller to enable the data controller to be sure that the data processor has implemented appropriate technical and organizational measures and to enable periodic verification of continuing compliance.

  • The data processor will promise to act only on the data controller’s instructions.

Of course, the interpretation effectively requires the data controller to carry out necessary due diligence on the data processor, hence the phrase ‘choose a data processor providing sufficient guarantees’. This form of words points directly to the need for a pre-contractual process that will enable the data controller to make an informed decision about the data processor’s operations. In respect of this process, in many cases it will be sufficient for the data controller to rely upon the data processor’s representations about its technical and organizational measures, but there are also many cases where the data controller will need to carry out a detailed process of review, including auditing and inspection of the data processor’s site, the testing of apparatus and interviews with the data processor’s workers.

EXAMPLES

  1. The data controller is a small company with an online presence. It collects personal data through its website for the purposes of administering an email newsletter. The data controller’s website is hosted on a shared server by a reputable ISP. In this example the data controller will be justified in relying upon the ISP’s standard terms and conditions and will not need to attend the ISP’s data warehouse or conduct any other pre-contractual due diligence.

  2. The data controller is a famous clearing bank with many millions of customers. It plans to outsource its call centre facilities to a company in India. As part of its pre-contractual due diligence process the bank is probably required to visit the company in India and audit its security features.


The interpretation also requires data controllers to take reasonable steps to ensure that the data processor is complying with the required technical and organizational measures. This implies a continual process of review throughout the lifecycle of the relationship between the data controller and the data processor. If the pre-contractual due diligence process required site visits, audits, interviews of the processor’s staff and similar, it is only fair to assume that these processes should be repeated at sufficient intervals.

The content of data controller–data processor contracts

Apart from what is said in the interpretation, the DPA is silent on the necessary content of a data controller–data processor contract. However, the EC has approved model contractual clauses to cover the transfer of personal data to data processors situated outside the EEA [108]. These model clauses, approved also by the Information Commissioner on 18 March 2003 [109], provide a useful template for the creation of general data controller–data processor contracts. In respect of the data processor’s guarantee to process only on the data controller’s instructions these model clauses provide:

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with his instructions and the clauses; if he cannot provide such compliance for whatever reasons, he agrees to inform promptly the data exporter of his inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.


If this clause is to be used, it must be adapted so that ‘data importer’ refers to data processor and ‘data exporter’ refers to data controller.

The time for taking the technical and organizational measures

Recital 46 of the Data Protection Directive identifies the time at which the data controller should take the technical and organizational measures required by the seventh data protection principle. Recital 46 provides:

the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself.


This identifies that the data controller must incorporate security features during the design stage of its processing systems and that the measures must be implemented during the processing operations, supporting the view that periodical verification of the measures is required.

The Information Commissioner’s ‘Legal Guidance’

The Information Commissioner’s ‘Legal Guidance’ provides a very helpful checklist of illustrative issues for data controllers to consider [110]. These are listed under five headings: (1) security management, (2) controlling access to information, (3) ensuring business continuity, (4) staff selection and training and (5) detecting and dealing with breaches of security. The checklist is as follows:

Security management

  • Does the data controller have a security policy setting out management commitment to information security within the organisation?

  • Is responsibility for the organisation’s security policy clearly placed on a particular person or department?

  • Are sufficient resources and facilities made available to enable that responsibility to be fulfilled?


Controlling access to information

  • Is access to the building or room controlled or can anybody walk in?

  • Can casual passers-by read information off screens or documents?

  • Are passwords known only to authorised people and are the passwords changed regularly?

  • Do passwords give access to all levels of the system or only to those personal data with which that employee should be concerned?

  • Is there a procedure for cleaning media (such as tapes and disks) before they are reused or are new data merely written over old? In the latter case is there a possibility of the old data reaching somebody who is not authorised to receive it (e.g. as a result of the disposal of redundant equipment)?

  • Is printed material disposed of securely, for example, by shredding?

  • Is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?

  • Is there a procedure covering the temporary removal of personal data from the data controller’s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances?

  • Are responsibilities for security clearly defined between a data processor and its customers?


Ensuring business continuity

  • Are the precautions against burglary, fire or natural disaster adequate?

  • Is the system capable of checking that the data are valid and initiating the production of backup copies? If so, is full use made of these facilities?

  • Are backup copies of all the data stored separately from the live files?

  • Is there protection against corruption by viruses or other forms of intrusion?


Staff selection and training

  • Is proper weight given to the discretion and integrity of staff when they are being considered for employment or promotion or for a move to an area where they will have access to personal data?

  • Are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date?

  • Do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced?

  • Does an employee found to be unreliable have his or her access to personal data withdrawn immediately?

  • Are staff made aware that data should only be accessed for business purposes and not for their own private purposes?


Detecting and dealing with breaches of security

  • Do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person?

  • Are breaches of security properly investigated and remedied, particularly when damage or distress could be caused to an individual?
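Two of the checklist points above, that a user’s credentials should open only the personal data that user should be concerned with, and that access should be logged and attributable to a particular person, can be illustrated together in code. The following is an added example, not part of the Legal Guidance or the text above: a small record store that scopes access by department and writes an audit event for every attempt, granted or denied, so that a later investigation can answer who read a given record. Users, departments and records are constructed samples.

```python
"""Audit-trailed, department-scoped access to personal data records.

Added example, not part of the original text. It illustrates two checklist
points: access to personal data is logged and attributable to a named user,
and a user's credentials open only the records within that user's own
department. Users, departments and records are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    department: str          # business unit that owns the record
    data: Dict[str, str]     # the personal data itself


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    action: str              # "read" (granted) or "denied"
    record_id: str
    reason: str = ""


class PersonalDataStore:
    def __init__(self, records: List[Record], user_departments: Dict[str, str]):
        self._records = {r.record_id: r for r in records}
        self._user_departments = user_departments   # user -> department they may access
        self.audit_log: List[AuditEvent] = []

    def _log(self, user: str, action: str, record_id: str, reason: str = "") -> None:
        # Every attempt is recorded, whether or not it succeeds.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, action=action, record_id=record_id, reason=reason))

    def read(self, user: str, record_id: str) -> Optional[Dict[str, str]]:
        """Return the record's data if `user` is entitled to it; log the attempt either way."""
        record = self._records.get(record_id)
        if record is None:
            self._log(user, "denied", record_id, "no such record")
            return None
        if self._user_departments.get(user) != record.department:
            self._log(user, "denied", record_id, "outside user's department")
            return None
        self._log(user, "read", record_id)
        return dict(record.data)

    def who_accessed(self, record_id: str) -> List[str]:
        """Attribute every successful read of a record to a named user."""
        return [e.user for e in self.audit_log
                if e.record_id == record_id and e.action == "read"]

    def denied_attempts(self) -> List[AuditEvent]:
        """Denied attempts are the first thing to review when investigating a suspected breach."""
        return [e for e in self.audit_log if e.action == "denied"]


# Constructed sample data (placeholders, not real personal data).
SAMPLE_RECORDS = [
    Record("C-1001", "claims", {"name": "A. Example", "policy": "P-77"}),
    Record("H-2001", "hr", {"name": "B. Example", "sickness_days": "3"}),
]
SAMPLE_USERS = {"alice": "claims", "bob": "hr"}


def demo() -> Dict[str, object]:
    """Exercise the store: one in-scope read, one out-of-scope attempt, one attribution query."""
    store = PersonalDataStore(SAMPLE_RECORDS, SAMPLE_USERS)
    alice_claims = store.read("alice", "C-1001")   # within her department: granted
    alice_hr = store.read("alice", "H-2001")       # outside it: denied and logged
    bob_hr = store.read("bob", "H-2001")           # within his department: granted
    return {
        "alice_claims_ok": alice_claims is not None,
        "alice_hr_ok": alice_hr is not None,
        "bob_hr_ok": bob_hr is not None,
        "readers_of_H-2001": store.who_accessed("H-2001"),
        "denied_count": len(store.denied_attempts()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real system the audit log would be written to storage the ordinary user cannot alter, since a trail that the person under investigation can edit does not attribute anything.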

