November 28th, 2013
Phone-tapping. Espionage. Whistleblowing. You could be forgiven for thinking this was the pitch for an Ian Fleming novel. However, these are not the headlines of 007’s next mission, but the backdrop to the EU’s ongoing attempts to overhaul its outdated Data Protection legislation.
The 1995 Data Protection Directive established data protection law in the EU, and was implemented into UK law in 1998 by the Data Protection Act. However, since then, technological progress and globalisation have fundamentally changed the way data is collected, accessed and used, leaving the law limping behind. Additionally, each of the EU’s 28 Member States has implemented the directive in a different way, making cross-border enforcement complicated to say the least.
The recent allegations of snooping by the US on the phone calls of EU leaders, and the disclosures of whistleblower Edward Snowden about US and UK spy programmes, have given this issue a new urgency.
The Proposed Legislation
Data protection legislation ensures that individuals’ personal data is processed within a legal framework of rights and duties which recognises the sensitivity of that data. The proposed draft Data Protection Regulation has been designed to strengthen those safeguards, particularly in relation to the online privacy rights of Europe’s 500 million citizens. Significantly, under current legislation, data controllers are responsible for ensuring that any data processors working for them are legally compliant; the draft law, for the first time, also places direct statutory liability on the data processors themselves for failure to comply.
Other key outcomes of the proposed Regulation are:
- Under the current proposals, companies in Europe will be subject to one law, a single Regulation, replacing the current fragmentation of laws;
- The territorial scope of the law has expanded: non-EU companies who control or are processing (i.e. data controllers and data processors) the personal data of EU citizens will now be subject to the new law;
- Restrictions have been placed on the ability to transfer data to third countries: companies such as Google and Microsoft would no longer be able to pass data on a European citizen to a third country;
- New definitions have been inserted such as “encrypted data”, “profiling”, and “genetic data”, reflecting new concerns and concepts. “Sensitive Data” is newly defined in Article 9 and expanded to cover “gender identity” and a variety of sanctions;
- Processing personal data remains lawful if done for ‘legitimate interests’;
- A new Article on Data Subjects’ Rights proposes that data controllers provide data subjects with direct access to their personal data via a secure system. Controllers are given 40 days to respond to requests from data subjects;
- Data subjects have been provided with a number of new ‘rights to know’ such as, if there are joint controllers, the “essence of the arrangement” should be made available to them, and whether personal data has been disclosed to a public authority.
- If a company processes the data of more than 5,000 data subjects in any 12 consecutive months, it must appoint a Data Protection Officer (DPO). This is also the threshold for a Data Protection Impact Assessment (PIA). Further, where special categories of data, location data, data relating to children or employee data in large-scale filing systems are processed, a DPO will have to be appointed;
- A company’s ability to profile users of its services automatically will be limited; instead it will require the prior, explicit consent of the individual whose data it intends to process;
- Data subjects will have the “Right to Erasure”, i.e. the right to withdraw consent, in which case a company must erase their personal data if requested (although this obligation has been watered down in recent amendments);
- Designated data controllers and processors will have an obligation to notify authorities of data breaches without delay, within 72 hours in most cases. Supervisory authorities will have a new duty to maintain a public register of the types of notified breaches;
- The activities of the European Data Protection Board (EDPB) have been expanded to include imposing decisions on national supervisory authorities if necessary, issuing guidelines, and other codes of best practice;
- The current draft allows regulators to impose penalties of up to the greater of €100m or 5% of annual worldwide turnover for serious breaches.
Points of View
The proposed legislation was approved on 22 October 2013 by the EU’s Civil Liberties Committee (LIBE) by 49 votes to 3 (one abstention), the necessary first step to the proposal becoming law. The next step, obtaining the agreement of the EU’s 28 Member States, will be a more fraught affair.
The UK Government: In the UK, there is general consensus that strengthening the law in favour of protecting the individual is a good thing; however, there is debate on just how far the legislation should go. The UK Government has had to play a delicate balancing act to ensure that it addresses the concerns of our commercial sector, the human rights lobby, and our US friends.
The UK Government has had to navigate through these diverse positions, and in November 2012, the Ministry of Justice published an extensive report on the proposed Regulation giving its view: ‘The UK Government are seriously concerned about the potential economic impact of the proposed data protection regulation… a further serious issue is the possibility of stifling innovation through prescriptive and inflexible rules on gaining individuals’ consent…’
The Business View: There is a mixed reaction from the business community, although the majority view is that it is ‘over prescriptive and imposes unnecessary administrative burdens on Britain’s businesses at a time when Government should be doing the very opposite.’ The Federation of Small Businesses (FSB) observed that: ‘if you prescribe in too much detail, you don’t leave room for industry to develop their own standards or find their own solutions.’
Microsoft stated itself to be: ‘very surprised to find that a lot of new burdens were imposed on them, without receiving any new rights and new incentives’.
The UK Regulator: The Information Commissioner’s Office itself, the UK regulator on data protection issues, commented that the draft Regulation ‘would have considerable resource implications for all supervisory authorities.’ Fears were expressed that the ICO would be unable to keep up with the demand to respond to requirements such as receiving breach notifications and approving international transfers of data.
The US: The view across the pond is also one of reserved hostility. Washington has ‘actively been trying to water down the draft law’ through aggressive lobbying (the draft law catches US companies if they are processing data of EU citizens) ‘by making US companies de facto exempt from it.’
Consumer Groups: On the other side of the argument, EU consumer groups are complaining that the proposals do not go far enough. The French consumer group La Quadrature du Net worries that ‘there are some big loopholes that could void the effectiveness of the whole legislation’. For example, it highlights draft wording such as ‘legitimate interest’ as too vague, arguing that it could supply businesses with an easy and undefined defence to collecting and processing personal data. Is, for example, the purpose of providing a better service a legitimate interest?
Future Progress of the Bill
Now that the LIBE Committee of the European Parliament has approved the draft legislation, the European Parliament must hold another vote, involving the agreement of all 28 Member States of the EU. This final vote was due to take place in the European Parliament in 2014, but the UK Government has fought to delay the passing of the legislation, and in October 2013 succeeded in doing so until 2015. On the assumption that there will be a two year implementation period (and this may be wrong), the new legislation may be in force by as late as 2017. However, we would advise organisations to prepare for implementation as early as 2015/16.
Pitmans understands the complexities of effectively managing your customers’ data and has had specific experience with the bespoke legal issues involved. Should you require any further information or guidance, please contact:
May 17th, 2013
Exciting times. The UK has launched its first cyber security export strategy. Cyber Security is an essential component of the £2 trillion global ICT market, and already worth £123 billion in its own right, growing by over 10% every year. The UK market is conservatively estimated at £3.9 billion, with 2,500 companies operating in the sector.
When it comes to exports, the US is the UK’s top destination, accounting for 31% of business. The UK Trade & Investment (UKTI) export strategy sets out the opportunities for UK businesses to further expand this £805 million export market and outlines government plans to support the UK cyber sector in finding new international customers.
Key actions promoted by the export strategy include:
- creating a UK catalogue of cyber specialists;
- preparing market insight reports on overseas opportunities for UK suppliers;
- developing clear guidance on export controls for cyber security products and services;
- ensuring a coherent whole-of-Government approach to working with the sector.
According to experts, the threat posed by cyber sabotage is becoming increasingly real. Speaking at yesterday’s Westminster eForum CyberSecurity expert panel session, James Quinault, Director, Office of Cyber Security and Information Security, Cabinet Office, warned of imminent “deliberate attacks to degrade or destroy critical infrastructure and people’s assets” and clearly stated that maintaining security is essential to businesses’ survival.
Steve Purser, Head of Core Operations, ENISA and Jeff Parker, Director of Projects, International Cyber Security Protection Alliance (ICSPA) spoke at the Westminster e-Forum CyberSecurity event.
Philip James, Partner at Pitmans, also spoke on an expert panel at the event, and comments, “One of the prevalent and more positive themes arising from the discussion was that ensuring good security is a business enabler. It creates value and jobs, builds trust and allows organisations to secure and recognise greater revenue from investment in intellectual property and R&D”.
As the global threat increases, so do the conditions for market growth. The UKTI export strategy has been devised to fully develop this opportunity, and will implement its key actions in close collaboration with the UK sector, including with the recently created Cyber Growth Partnership.
To discuss how we can help, please contact:
February 13th, 2013
New cyber proposals on both sides of the Atlantic are today set to bring about a seismic shift in the legal framework which governs notification of security incidents and information sharing to limit risk and improve security.
Personal data breaches – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.
According to the Information Commissioner’s Office (ICO) the number of personal data breaches has increased by nearly ten times in the last 5 years. This is not widely publicised as currently only ‘public electronic communications service providers’ (PECNPs) (i.e. telcos) have a duty to notify breaches but a proposal by the EC is calling for increased obligations on organisations and greater transparency surrounding data breaches. In addition, the absence of contractual provisions requiring a supplier to notify a customer in the event of a breach can place an organisation in a difficult position when deciding when and how to notify authorities and its customers.
Data Breaches – what effect do they have?
A personal data breach can have a major impact on an organisation. Not only does it lead to negative PR and damage reputation, trust, brand and goodwill, it also affects consumer confidence and, ultimately, share price and investor relations. It is no wonder that companies try to conceal these breaches, but the new Regulations require transparency surrounding such events.
Data breaches affect even the largest organisations. In April 2011, Sony came under scrutiny after it was hacked and the personal data of thousands of users was leaked. Users were furious that it took 6 days for them to be notified that their personal details were no longer secure.
In January 2012, the EC published a draft set of Data Protection Regulations (Regulations) to update the existing primary EU Directive which governs data protection law. The aim was to increase the burden on organisations to ensure that personal data is held securely. Due to the nature of the cyber world, most breaches are likely to have a cross-border impact, and this has led to the proposal of a single harmonised law across the EU.
Article 31 of the proposed Regulations, which is due to come into force in late 2014 or early 2015, specifies that every personal data breach, in all sectors, must be reported to the relevant supervisor, where feasible, within 72 hours (the original draft suggested 24 hours, but this was widely criticised; 72 hours is not much longer, but at least better) of the data controller having knowledge of the breach. In the UK the supervisor will be the Information Commissioner. If notification takes longer than 72 hours then a written explanation will also need to be sent. Further to this, those breaches that are “likely to affect the protection of the personal data or privacy of the individual” must be notified without further delay.
The nature of the notification differs depending on who is notified; a great level of detail is necessary when notifying the authorities. As a minimum the notification must detail the nature of the breach and the measures taken to mitigate any adverse effects that the breach may have.
The Regulations also introduce potential penalties for data breaches of up to 2% of an organisation’s global turnover. With these increased penalties proposed many companies are investing in improving data security and information assurance prior to the introduction of the Regulations.
These Regulations may seem particularly onerous, especially for smaller companies; however, the reality is that Europe is behind the times in protecting personal data. California took the lead in 2003 when it introduced a law regarding data breach notifications. Since then 46 states have followed suit and the US now has comprehensive laws governing data breaches.
New Cyber Security Rules On Both Sides Of Atlantic
The EU has just released a proposal for a Directive to ensure a high common level of network and information security across the Union, 2013/0027 (COD) (Cyber Directive). The aim of the proposed Directive is to ensure a high common level of network and information security (NIS). This means improving the security of the Internet and of the private networks and information systems underpinning society and economies. The Directive will require Member States to cooperate, and will require operators of critical national infrastructure (CNI), such as energy and transport, key providers of information society services (e-commerce platforms and social networks such as Facebook and LinkedIn), and public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities. The new proposals therefore cast the net far, far wider than the current mandatory telco notification.
The Directive has three limbs:
- Member States must have in place a minimum level of capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans.
- National competent authorities should cooperate within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, Member States should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan.
- Leveraging the existing Framework Directive for electronic communications to ensure that a culture of risk management develops and that information is shared between the private and public sectors.
Companies in the specific critical sectors outlined above and public administrations will be legally bound to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information.
On the other side of the pond, a US Cybersecurity Bill (the Cyber Intelligence Sharing and Protection Act, CISPA) is to be introduced today (13 February 2013). The Bill has received significant resistance from lobbyists, privacy and human rights campaigners, and is set to be a landmark battleground for Congress and the US administration. CISPA is intended to prevent and limit the effect of cyber attacks by facilitating information sharing about threats and malware with the intelligence community and the Department of Homeland Security. It seems that, in this regard, the US and EC legislators are fully aligned.
What should you do now?
There are many steps an organisation can take to manage the impact that these Regulations will have.
Organisations should have a dedicated Incident Response Team who have procedures in place should a breach occur. With the short timeframes introduced by the Regulations, companies need to have a process in place and those involved should know how to react.
Organisations should review their data protection policies and amend them if necessary. This involves looking at any contracts with contractors as well to ensure that personal data is safe if it is outsourced at any point. Contracts should also be reviewed for responsibility and where possible a company should endeavour to limit its liability for any breach by a contractor or sub-contractor.
Although the new Regulations and Cyber Directive will inevitably encourage companies to be more transparent there is a concern that other problems may be caused by the implementation of this law:
- The new Regulations and Cyber Directive may encourage excessive disclosure. For example, due to the time restrictions companies may decide to notify all those who have potentially been affected rather than waiting to establish who has actually been affected. This is likely to worry consumers and lead to bad publicity even if it then turns out that some of these individuals have not been affected.
- Notification will use up resources which could be working to rectify the problem. Fixing the problem should be the priority in these situations.
- Serious concerns will be raised by competitors when disclosing potentially sensitive information regarding information assets, confidential information and intellectual property. Careful consideration will need to be given to ensure sufficient information is disclosed, whilst keeping it secure and limiting the extent to which it may be used and shared. Those who share should also benefit from the receipt of reciprocal information. In contrast, those who refuse to do so may be disadvantaged by not being part of the information security inner circle.
- Notification will cost money. In austere economic times, companies are looking to keep spending to a minimum but the introduction of the Regulations will undoubtedly force companies to spend more money on protecting the data they hold.
Only time will tell if the Regulations will help manage data breaches or just cause unnecessary worry and costs. Either way your business should be prepared and take precautions now to minimise the impact they will have.
If you would like further assistance on this matter please contact Pitmans’ Cyber Risk Management Team or
Pitmans SK Sport & Entertainment LLP
December 19th, 2012
Welcome to Pitmans’ December Technology Update
Our team has put together a rich medley of festive treats for your digital stocking including: incisive comment on the perils of social media demonstrated no better than the recent slurs made against Lord McAlpine, the do’s and don’ts of software licensing (from a litigator’s perspective), and the latest on the opportunities presented by Patent Box.
Philip James, Partner
Autonomy and Hewlett-Packard: the risks of technology M&A
Just over a year after completing the takeover of Autonomy, Hewlett Packard has gone public with claims that it may have been duped into paying too much and that the value of its investment was being written down. Is this about issues specific to HP and Autonomy, or does it tell us something about the risk inherent in mergers and acquisitions, and in the technology industry particularly?
Getting your software licence right first time
Businesses entering into licences for specialist software should not underestimate the time and effort required to ensure that the licence documentation accurately reflects the commercial agreement: to do otherwise risks costly litigation and the threat of mission-critical software being withdrawn.
Is half a loaf better than none?
Google has come under increasing pressure from both sides of the Atlantic to offer robust proposals to address what is seen by many as potential abuse of its market dominance. However, with only meagre proposals being put forward by Google, the European Commission must determine whether the proposals should be accepted to reach a settlement rather than face a protracted legal battle.
Innovative Intellectual Property Strategy: The Patent Box
Patents are commonly used as commercial instruments which give companies the edge over their competitors and encourage investment opportunities. Thanks to the introduction of the Patent Box in August this year, patents now have the added benefit of tax advantages. But how can your company benefit from this?
Lord McAlpine and the Myth of a Luddite Legal System
On 2 November 2012, the BBC broadcast an edition of Newsnight which included allegations (subsequently established to be incorrect) by a former care home resident that during the 1980s he had been abused by a prominent Conservative politician. The BBC did not name anyone within the story, but subsequently a significant number of people speculated about those involved.
WEEE wish you a Merry Christmas
Whether it is the latest phone, computer, tablet or kitchen device that you are after, electrical goods are sure to make an appearance on all our Christmas lists, but what materials are used in them and are they legal?
Upcoming Technology Events
7 February 2013 – London
Pitmans Annual Cyber Conference
This year’s event will focus on Reputation Management & Information Security. We are delighted to announce that Professor Sadie Creese and John Bassett OBE will be making the opening and closing addresses.
What to watch out for in 2013:
- the increased prevalence of crowdsourcing platforms
- the introduction of the CAP Code on Online Behavioural Advertising (OBA Code) which comes into force on 4 February 2013 (the rules do not guarantee compliance with the law)
- the outcome of the OFT’s consultation into Personalised Pricing which closes on 4 January 2013 (where prices are determined by a user’s profile)
- the success of the Cyber Incident Response Scheme (CIRS), launched by the Communications-Electronics Security Group (CESG, part of GCHQ) and the Centre for the Protection of National Infrastructure (CPNI). CIRS is an initiative which forms part of the Government’s UK Cyber Security Strategy. If you want to know more, come along to Pitmans Annual Cyber Conference.
Finally, as the winter solstice approaches and we seek to stare into The Sky At Night to see what the future holds, we pay tribute to the life of astronomer, Sir Patrick Moore. Whilst undoubtedly controversial, Sir Patrick is said to have responded to criticism of his right-wing beliefs: “I may be accused of being a dinosaur, but I would remind you that dinosaurs ruled the Earth for a very long time.” Take from that what you will; regardless, we encourage you to look into the sky over the holiday season to see if you can spot a sleigh passing a new dinosaur constellation, following the broadcaster’s departure.
December 19th, 2012
Where we are now
We are living in a world where organisations are under constant attack from ever-evolving cyber threats. Institutions around the world are struggling to operate securely in the cyber environment and are vulnerable to reputational, financial and competitive damage. According to a recent Cisco Security Intelligence Operations report, this is partly a result of the fundamental shift from mass spam attacks to more targeted and profitable attacks on organisations. These malicious attacks have quadrupled over the past year and cost institutions globally US$1.29 billion in the last twelve months. Given the tough economic climate experienced over the last four years, many organisations have suffered budget cuts, and in many cases security programmes and their funding have diminished. Cyber criminals do not target organisations in specific sectors; they target all sectors. The UK government, for example, now receives over 20,000 malicious attacks every month, according to George Osborne.
As organisations become increasingly reliant upon mobile devices, social networks and the increased use of remote, outsourced, cloud-based services, there is a growing concern that security progress will fall behind technological advance, leaving firms relatively vulnerable to cyber crime. Research shows that less than 40% of firms have security measures in place to protect mobile devices, the cloud and social media. Even fewer carry out any sort of robust technical and operational due diligence checks upon service providers to verify security, both prior to and during engagement.
Other worries include cyber criminals finding new ways to bypass the virtual defences of organisations without a trace, to introduce malware within legitimate web content management software, and to use increasingly complex ‘spearphishing’ email attacks. Recent commentators have also highlighted that individuals within organisations are likely to be targeted with greater frequency, and influenced by monetary and blackmail incentives to assist in the disclosure of, and access to, sensitive information.
Why does this matter to your organisation?
The Pitmans Annual Cyber Conference will contain two keynote speeches and two panels about how to manage and prepare for breach incidents and thereby limit any resulting cost, liability and damage to your brand and reputation (and potentially share price). The conference is designed to help your organisation understand the threats and take advantage of achievable, commercial, preventative measures. The session will also set out ways in which relevant stakeholders can build a credible business case for investing sufficient resources in preparing against such threats. Carefully selected panellists will help you gain an insight into potential future threats to your institution’s security infrastructure and will advise on practical, cost-effective steps to reduce your attack surface and reduce risk. As partners, directors, board members and management, responsibility falls on your shoulders to understand these risks and to clarify the roles and responsibilities of those within the organisation. Act now. This is not a dress rehearsal.
To learn more and register, attend Pitmans’ Annual Cyber Conference.
October 16th, 2012
Fraud, a betrayal of trust
White-collar business fraud in the UK sadly continues to be a by-product of corporate life. Rather like car accidents or physical crime, most of us think “it will never happen to me”. Fraud inevitably takes its victims by surprise and is often a tragic breach of trust by friends, co-workers or business colleagues who are well known to the victim. In the case of pension fraud, it can have serious implications for the scheme and its members, as pension schemes are, by their very nature, the custodians of large amounts of assets, both in terms of cash and information.
Fraud is the betrayal of trust. Its prevention and detection requires transparency and accountability. Both trustees and scheme managers should be initiating and complying with strict checks and controls, but it is also important to use common sense and keep an open mind so that when a fraud is discovered, the scheme can move quickly to protect its funds, data and members’ interests.
Prevention, not cure
Under pensions legislation and the Pensions Regulator’s (tPR’s) Code of Practice on Internal Controls, it is essential that trustees and schemes have a dedicated fraud risk management plan in place for the safe custody and security of pension scheme assets. The first 24-hour period after discovering fraud is crucial, and the checklist of action to take should include:
- scheme objectives for the outcome;
- a dedicated investigation team;
- possible suspension of the wrongdoer, if appropriate;
- protecting, gathering and assessing evidence;
- checking insurance and notifying insurers;
- managing the publicity and, in some circumstances, notifying members of the issue.
Reporting fraud to a law enforcement agency may be required, but in itself may not lead to recovering any loss; there are a range of civil recovery measures in place for that. The first step must be to protect the current position. A Court order can be obtained quickly to prevent transactions or to freeze assets. A search order allows entry into premises to look for, preserve and copy evidence.
Who to pursue?
Who should a claim for recovery be against? The perpetrator, or the party in possession? Or perhaps the party who failed in their duty of care, such as a scheme administrator, a trustee or a professional adviser to the scheme. A simple request for repayment may suffice in some cases. Otherwise, insolvency proceedings may be the most effective tool to use. A trustee in bankruptcy can be appointed to investigate the extent of wrongdoing, while a similar role can be played by an insolvency practitioner where a company is put into liquidation. Whatever options are considered, always consult an expert legal team first.
GP Noble Trustees Limited
A recent example of a major fraud of pension scheme monies and serious breaches of trust involved GP Noble Trustees Limited. GP Noble manager Graham Pitcher was convicted of conspiracy to defraud and given a jail sentence of eight years for transferring £52m from nine pension schemes into two offshore accounts to invest in buying land for development in Thailand, an online bookmaker in Australia and the financing of a Hollywood movie project. All of the people involved were able to hide their fraudulent activities from the parent company and regulatory authorities, and denied their part in the fraud in court. Whilst some of the people involved were cleared, the main instigators, who were jailed, held positions of responsibility and trust within GP Noble Trustees Limited.
The GP Noble case may seem extreme; however, the principles behind pensions fraud, its prevention and the available recourse are the same whether the fraud is on a major scale or a smaller one. Fraud on a pension scheme can cause major issues and have catastrophic consequences for the members, the future of the scheme, the trustees and the sponsoring employer.
Trustees need to ensure they have a risk assessment and risk register in place which is reviewed regularly, that any custodians and key persons are risk assessed, and that all mandated personnel, whether on bank accounts, investments or assets, are also risk assessed. Trustees may wish to consider recruitment screening of key personnel, especially those who monitor cash transactions, and to allow basic and random checks, including regular supervisory review of their work. Rotating jobs within an organisation may not be popular, but it does make it more difficult for an employee to become ensconced and start to operate a system to their personal financial advantage. In terms of professional advisers, we have listed the safeguards that trustees can take in our article detailing duties under the Data Protection Act.
If in doubt, get legal advice
If you are a trustee, scheme administrator, pensions manager, the employer or any other person connected with a pension scheme and the management of its assets, you have a duty to report any breaches, even if these ultimately prove unfounded. If in doubt, we can assess the merits of a potential fraud and lead you through the process to ensure the safe custody of pension scheme assets for your members.
Pensions, Trustees’ and Scheme Administrators’ Duties under the Data Protection Act. A Load of Rubbish?
October 16th, 2012
The Scottish Borders Council has recently been fined £250,000 for breaching its data protection duties under the Data Protection Act 1998 (Act). Failing to keep personal data secure in this way also has significant implications for pension schemes and in particular fraud in pension schemes.
In this case, the data in question had been outsourced to a contractor to process but the contractor failed to dispose of the hard copy records in the appropriate manner. The data contained files with the Council employees’ names, addresses, national insurance numbers, salaries and bank details. As the Council failed to secure a contract with the offending company, it was held liable for the incident. Yet, loss, disclosure or theft of data is not confined to physical records. Digital records present an even greater risk given the ease with which large volumes of data may be extracted on an electronic medium.
Why are Trustees and, potentially also, Scheme Administrators at risk?
The Act governs the collection, processing and use of personal data. Both “processing” and “personal data” are widely defined and include information collected in the context of the governance and administration of occupational pension schemes. Poor governance of pension schemes, including poor internal controls and record keeping, matters all the more during the economic downturn, when there can be a higher risk of fraud and dishonesty amongst scheme administrators, trustees, employers or other related advisers.
The Pensions Regulator (tPR) has set a deadline of 31 December 2012 by which it expects all occupational pension schemes to achieve “100% of ‘common’ data – such as name, address and date of birth” for members who have joined an occupational pension scheme since June 2010, and a 95% standard for members who were in an occupational pension scheme before June 2010. The need for and use of more member data can lead to a higher risk of fraud. If proper systems are not in place to maintain the security of that data, the trustees and/or scheme administrators of a pension scheme could be liable for a breach of trust, a breach of data protection law or a breach of pensions legislation.
“Data Controller” v “Data Processor”
In most cases, pension scheme trustees will be “data controllers” for the purposes of the Act and will therefore take on the responsibilities that status carries. Trustees will often use external administrators to process the information on their behalf. As the Scottish Borders Council case shows, trustees will be held responsible for breaches by third parties unless they have taken adequate measures to protect members’ personal data and keep it secure.
Trustees must notify the Information Commissioner’s Office (ICO) that they are a data controller and register the personal data that they control. Any failure to notify is a criminal offence for which trustees may be liable, unless they are exempt. The only exemption generally available is if the individual is the sole member and the sole trustee of an occupational pension scheme.
Administrators of a scheme will usually be “data processors” under the Act as they will be processing members’ personal data on behalf of trustees. However, where administrators are independently, or jointly, determining the purposes for which members’ personal data may be processed, they may also be held to be data controllers and therefore be primarily liable under the Act.
Changes in the pipeline
In January this year new draft EU Regulations were published which will potentially introduce a number of changes to data protection. These include an obligation on companies to report any serious data breach to the authorities within 24 hours, and a maximum fine capped at 2% of the annual worldwide turnover of the company or firm involved. Another change that scheme administrators should be aware of is that data processors, as well as data controllers, may be held primarily liable for breaches. This change is aimed at sharing responsibility amongst all parties involved rather than leaving the data controller solely responsible, and is a landmark step change in data protection regulation.
The ICO can issue fines of up to £500,000 for any serious breach of the Act.
For a fine to be imposed, the ICO must prove that the data controller deliberately or knowingly failed to take reasonable steps to prevent the breach. The amount of the fine depends on the seriousness of the breach.
How can Trustees and Scheme Administrators minimise their risk?
To achieve compliance, reduce fraud, protect the reputation and brand of a pension scheme and minimise the potential costs of a breach, trustees and, where relevant when acting as data controllers, scheme administrators should:
- use third parties who have safeguards in place to maintain data security;
- check that all contracts with third parties include data security clauses;
- check all liability caps in the contracts to ensure that the third party will pay the whole amount should a breach occur;
- undertake due diligence on third parties;
- perform regular audits to check compliance;
- review insurance cover and exclusions;
- be ready to manage breaches if they occur; and
- devise and put in place a contingency plan to determine what to do in the event of an incident.
June 27th, 2012
The Article 29 Working Party has adopted a working document on Binding Corporate Rules (“BCRs”) for data processors. The BCRs, aimed at both the private sector and data protection authorities, contain the key legal principles covering transfers of personal data from the European Union. They are intended to operate as internal policies and rules on data privacy and security for multinational companies. The working document also contains a full checklist of the requirements for BCRs for processors, including the content of the BCRs themselves and the information to be presented to a data protection authority in a BCR application.
The Working Party hopes to meet the expectations of companies acting as data processors by giving them the opportunity to benefit from the protection offered by BCRs in the context of international transfers of personal data, for example in outsourcing or cloud computing. Official approval of a set of BCRs grants the processor the status of “safe processor”, which in turn allows the processor’s customers to overcome data-transfer limitations under EU data-protection laws.
The new rules are partly due to the previous success of the Working Party’s BCRs for controllers, as well as proposals to explicitly include BCRs for both processors and controllers in the future legislative framework of the European Union.
Carolyn Butler, a solicitor at Pitmans LLP, said that “since the BCRs are intended to provide a ‘toolbox’ of practical measures data processors could take to fulfil their data-protection obligations, they will be a great help to responsible organisations seeking clarification of how compliance may be most effectively achieved”.
The Working Party has promised to follow up the working document with a European coordination procedure, similar to the existing procedure for BCRs for controllers, and an EU application form.
June 6th, 2012
Non-payment for goods supplied is an ever increasing risk for business. A validly drafted and effectively incorporated express clause reserving legal title to goods supplied is a useful protection against non-payment in solvent and distressed situations alike. A valid retention of title clause will:
(i) provide quasi security in the event of the buyer’s insolvency in respect of the goods supplied; and
(ii) absent insolvency allow the seller to recover the goods supplied if they have not been paid for.
Such clauses, if enforceable, can greatly increase a creditor’s bargaining position and, as such, prospects of payment.
Retention of title clauses range from a basic clause providing that legal title to particular goods sold (on an order-by-order basis) does not pass to the buyer until those goods have been paid for in full, to an “all monies” clause, which does not permit title to pass in any goods supplied at any time until all sums owed – for any goods supplied by the seller – have been paid in full.
The addition of a mixed goods clause is advisable in situations where the goods supplied are to be subject to a manufacturing process (where they are combined with other goods owned by third parties) to create a new product. Such a clause is only effective in law where the goods supplied retain their identity and can be easily removed from the manufactured product without causing damage.
Similarly, it is often necessary to consider the effect of a valid retention of title clause where there is likely to be a sub-sale to an end user and, in particular, the frequently found addition of a clause which aims to attach a claim to the proceeds of sale paid on a sub-sale of the goods. Such a clause will often be drafted so widely as to create a charge which may be invalid if it is not registered as a legal charge.
Further, where it is intended that finished goods are to be supplied for the purpose of an immediate on-sale by the buyer to its customers it is possible that an “all monies clause” may be considered ineffective unless an express provision has been made for the re-sale of the goods.
A well drafted retention of title clause should provide for the seller to gain access to the buyer’s premises to repossess the goods. However, where the buyer is a company in administration, no steps can be taken to repossess any goods supplied without first obtaining the permission of the appointed Administrators or an Order of the Court.
The law relating to retention of title is constantly evolving. It is therefore important that parties seeking to rely on a retention of title clause ensure that such provisions are regularly reviewed and updated. The key is to ensure that such clauses are not drafted so widely as to render them unenforceable at the moment of need.
May 28th, 2012
STOP PRESS: The ICO’s moratorium on enforcing the new EC Privacy Directive (“Directive”) expired on 26 May 2012. The Directive requires website operators to gain consent before storing or accessing ‘information’ on a user’s or subscriber’s device. While the Directive applies to any form of information stored or accessed, the main application has been in the use of web browser cookies.
What’s the status of the current law?
Termed by many the Cookie Directive, the change in law actually took effect some twelve months ago. However, the Information Commissioner’s Office (ICO) decided to allow businesses a year to get their act together before commencing proactive enforcement. Previously, website operators and app publishers could merely provide an option to opt out of the cookies used on their site. Now they must gain the consent of users before cookies are stored on or accessed from users’ devices, after providing clear and comprehensive information explaining why such cookies are used. The exception is that consent is not required where cookies are used solely to provide a service requested by the user or to enable transmission over a network.
What’s the anticipated reaction by business?
It is inevitable that many websites will not comply following the 26 May 2012 deadline. Those that fail to comply could face fines of up to £500,000. Although it is highly unlikely that any fine would be anywhere near this amount, the main risk remains damage to brand, loss of consumer trust and the embarrassment of being subjected to enforcement action for not respecting users’ privacy. Regardless, conducting an audit of your organisation’s digital real estate is prudent and the Directive provides a genuine incentive to see what’s really going on under your site’s or app’s hood.
What guidance has been issued?
The ICO has recognised that many organisations are unlikely to comply and has issued updated guidance to assist them. In addition, Dave Evans of the ICO has released a blog post and video with further specific guidance.
The ICO is not intending suddenly to “launch a torrent of enforcement action” but will instead use enforcement notices to encourage compliance. Christopher Graham has said that the ICO’s enforcement approach is driven by the risk to people’s privacy: the more intrusive the cookie, the more likely it is to attract a sanction. The level of penalty imposed will be worked out on a sliding scale.
What are cookies?
The ICO has intimated that websites operating the less intrusive analytical cookies will not be met with a fine on 27 May 2012; instead only those sites showing wilful contravention of the law will face tougher enforcement action. Aside from the fine mentioned above, being seen to infringe your users’ data privacy is likely to have a negative impact on your brand reputation.
There are simple steps that website operators can take now to show that they comply with the principles of the Cookie Directive:
- Carry out an audit; understand what cookies are used on your website and what data they store and access. This shouldn’t be confined to cookies alone – the Directive applies to any information stored or accessed on a user’s device – so also search, for example, for scripts that can be used to track a user, such as web beacons and URL tracking.
- Privacy Impact Assessment (PIA); consider the extent to which the information concerned may infringe a user’s privacy and whether any of it poses a risk of enforcement action. Third party cookies (from an affiliate) are more likely to be seen as invasive than first party cookies (i.e. those placed by your own site).
- Consider gaining the active consent of users; an opt-in system is best practice but can prejudice usability and the data metrics used on your site. Consider other practical ways to gain consent from users and ensure that your website is seen to respect users’ privacy (bearing in mind that paying pure lip service may be insufficient).
- Respect user preferences; once a user has chosen his/her preferences, respect those preferences.