7062544 Information Management in FSS: A Legal Perspective Paul Hinton Ian Mason Barlow Lyde & Gilbert LLP 17 September 2009


7062544

Information Management in FSS: A Legal Perspective

Paul Hinton

Ian Mason

Barlow Lyde & Gilbert LLP

17 September 2009


Information Management

Information is a key asset of every business

Technology has revolutionised our ability to access, create, store, search and communicate information

Information Management is in its infancy and lagging behind technological development

“the stone age was marked by man's clever use of crude tools; the information age, to date, has been marked by man's crude use of clever tools”


[Chart: values from 0 to 10,000 plotted over the years 2006 to 2015]

Storing up trouble…


Inside of an IT storage system


Why is this a problem?

The acquisition of, and failure to discard, possessions that are useless or of limited value, due to a fear of losing things perceived to be important.

= “PATHOLOGICAL HOARDING DISORDER”


Law and Information Management

IPRs

DPA

Others, e.g. DDA, Confidence etc.


Data Protection Act

Data Protection Act 1998

EC Directive – EEA wide application

Policed in the UK by the ICO

Protects ‘personal data’ – electronic mainly (but also paper in some cases)

‘data controllers’ must ‘process’ in accordance with the DPA

‘data subjects’ get a number of rights under the DPA

Establishes “Principles” to abide by


The Data Protection Principles

Adequate, relevant and not excessive

Accurate and up to date

Rights for Data Subjects under the Act

Specific purpose

Not kept longer than necessary

Technical and organisational measures

EEA

“fairly and lawfully processed”


Consequences of breaching DPA

Reputational damage

Fines

Criminal offences

ICO increasing policing and enforcement and taking a harder line


5 Key Legal Impacts

1. Security/confidentiality obligations

2. What information can/must be stored

3. Exploitation of information

4. Who has a right to access information

5. Dealing with 3rd parties


1. Security/Confidentiality

Common law confidentiality

Contractual – agreed standards

Data Protection Act – Principle 7

Applicable IT standards “keeping up to date” - adequate technical and organisational (= security) measures – e.g. BS 10012

Practical measures and security standards


2. What Can/Must Be Stored

800+ specified retention periods fixed by statute/common law

VAT records 6 years

Contractual claims 6 years (12 years if a deed)

Data Protection Act

Processing fairly and lawfully

Adequate and not excessive

Accurate and up to date

Not for longer than necessary

IPRs


3. Exploitation of Information

Copyright

Arising automatically in original works

Lasts for a set number of years

Generally owned by creator – (including ‘employer’)

Database rights

Arises where "substantial investment" in obtaining, verifying or presenting the contents of the database

Owned by the maker

Data Protection

“fairly and lawfully”


4. Who has a right to access?

Confidentiality – who can it be given to?

DPA

Fairly and lawfully processed

EEA

Subject Access Request

Litigation – duty to provide even if detrimental

Regulatory investigation


5. Dealings with 3rd Parties

See 1. to 4. above:

Security

Storage

Exploitation

Access

DPA issues need to be dealt with explicitly in contracts

Liability/Indemnity/Insurance

Right to audit/access and have information returned

Information management policies


FSA DOCUMENT RETENTION OBLIGATIONS

Firms are required to take reasonable care to make and retain adequate records of matters and dealings which are the subject of requirements and standards under the regulatory system

No prescribed time period – “should be retained for as long as is relevant for the purposes they were made”

No prescribed format, but must be capable of being reproduced on paper

Destruction of documents during an investigation not a good idea!

FSA Principle 3 – “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”


FSA INFORMATION GATHERING AND INVESTIGATION POWERS

Very broad powers to obtain documents and interview witnesses

FSA must use its powers proportionately

FSA Enforcement Division has a specialised computer forensic team

Importance of co-operation – FSA Principle II, relations with regulators

Legal privilege may be maintained

Use FSA scoping visit to discuss approach to disclosure of documents


FSA’S INCREASING EMPHASIS ON INFORMATION SECURITY

HSBC companies fined over £3 million for inadequate systems and controls to protect customers’ confidential data

Nationwide Building Society fined £980,000 for information security lapses

Norwich Union fined £1.26m for security breaches


Top Tips

Have you undertaken a documented data security risk assessment?

Have all points/red flags arising from risk assessment, internal audit etc been addressed?

How accessible are procedures and guidance?

Does staff practice in reality reflect these procedures?

Is training adequate?


Information is your greatest asset, but also your biggest risk...

Not just the Data Protection Act 1998

There is no “magic bullet” solution

A multi-faceted approach is needed:

Contractual and legal protections

IT security and solutions

Practical policies and procedures


Policies

Make it an employee issue not a corporate problem:

Written documents that explain practical day-to-day procedures and rules for use of the data (including communications, storage, passwords, access, home working etc.)

Provided to all employees who have to sign and comply with them (part of employment / outsourcing contract)

Will reduce the real risk of a leak occurring

Will increase chances of compliance with law and regulation

Will reduce liability

Significantly limits PR damage


Spot the difference if lost…

[Two images, labelled A and B]

Questions?
