Archive for December, 2012

Santa’s “Naughty List” and data protection compliance

Back in December 2010 Martin offered some wonderful advice to Santa Claus regarding his data processing obligations, and provided some further thoughts yesterday on how the proposed draft data protection regulation might affect Santa’s data processing activities.

With under a week to go until Christmas Day I thought it would be good to offer Santa some further advice about that Naughty List that his mince spies have spent all year compiling.

Complying with the First Data Protection Principle
Santa’s Naughty List contains lots of personal data about misbehaving children, and the First Data Protection Principle of the Data Protection Act 1998 (the “DPA”) provides that personal data shall be processed “fairly and lawfully”. In particular, personal data should not be processed unless at least one of the conditions in Schedule 2 is met. (And further, if the personal data involved is “sensitive” – for example concerning the “commission or alleged commission of any offence” (!) – then at least one of the conditions in Schedule 3 also has to be met.)

Santa has to tread carefully here (not easy after gorging on so much sherry and mince pies!) because the Information Commissioner has provided clear guidance that enticing children to divulge personal data with the prospect of a prize (or similar inducement) is likely to breach the requirements of the Data Protection Act.

For children of a certain age (11 or under), Santa should ensure that parental/guardian consent for any disclosure of personal data has been obtained. (This is potentially a good result for Santa, as a naughty child would have been unlikely to consent to Santa processing his/her data, thereby limiting his/her prospects of presents.)

But before Santa heads down the chimney, he also has to comply with Paragraph 2 of Part II of Schedule 1 to the DPA, which provides that for the purposes of the First Data Protection Principle, personal data isn’t processed fairly unless the data subject is provided with:

  • the identity of the data controller;
  • if he has nominated a representative for the purposes of the DPA, the identity of that representative;
  • the purpose or purposes for which data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed.

Complying with the Fourth and Fifth Data Protection Principles

Having dealt with the First Data Protection Principle, we then arrive at a pair of subordinate clauses.

The Fifth Data Protection Principle requires that data is not kept for longer than is necessary. It’s virtually impossible to provide an easy answer as to how long is truly “necessary”, but Santa should consider:

  • the current and future value of the information;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

Ensuring the data is accurate and up to date is actually the Fourth Data Protection Principle. In order to comply with this principle, Santa should:

  • take reasonable steps to ensure the accuracy of any personal data he obtains;
  • ensure that the source of any personal data is clear;
  • carefully consider any challenges to the accuracy of information; and
  • consider whether it is necessary to update the information.

Keeping the Naughty List up to date must be a huge undertaking, especially when candidates even appear from heavenly sources.

Of course, Santa wouldn’t be the first individual to have compiled a blacklist that potentially breaches the DPA.

You may remember that in 2009, a secret blacklist of construction industry workers made the headlines. That blacklist was found by the ICO to have been established and maintained in contravention of a number of the Data Protection Principles described above.

The exact nature of the information held is still coming to light, and the ICO is still trying to deal with the fallout. The private investigator who compiled the blacklist was fined £5,000 – the maximum fine available at that time for persistent breaches of the DPA.

It’s likely that if such a blacklist was discovered today it would be deemed to be a deliberate breach of the DPA (or at best risking a breach likely to cause substantial damage or distress), with the result that whoever compiled it could face a monetary penalty of up to £500,000.

This isn’t to say that blacklists are impossible to maintain. For example, Stockholm football club Djurgården has a “hooligan register” (though everybody on it has to be informed, and their details immediately deleted if they successfully contest their inclusion).

So, if Santa follows our guidance above then he might keep the Naughty List on the right side of the law. Not that he’s probably too bothered – if you spend all night out sleighing, then you’re probably more worried about the police than the ICO!
Merry Christmas!


How will the proposed data protection law reform affect Santa?

A couple of years ago, I blogged about how European data protection law applies to Santa Claus – in particular how data protection law applies in relation to the list that he maintains of children who are naughty and nice.

In that blogpost I based my analysis on the fact that Santa’s place of establishment was Lapland (an area covering EU member states Finland and Sweden).

However it was subsequently pointed out that Santa may actually be based in Greenland – which has had home rule since 1979 and left the EU (or EEC as was) in 1985. If that is the case, then Santa is in fact established outside the EEA and (therefore) the scope of EU data protection laws.

Perhaps in a bid to close this loophole, earlier this year, the European Commission announced plans to introduce a new data protection regulation, which would replace the existing directive and local implementation of that directive in each member state.

Crucially, the proposed new regulation would change the regime applying to data controllers established outside the EEA (such as Facebook, Twitter and Santa Claus).

The proposed new regime
The current data protection directive states that the laws apply only to organisations that are “established” in the EU. However, Article 3 of the draft regulation would extend the laws to:

…the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behaviour.

This would appear to clearly cover Santa in respect of naughty and nice lists of, and the delivery of presents to, children in the EU.

As a consequence, Santa will be obliged, under Article 22 of the draft regulation, to appoint a representative in one of the member states where he delivers presents to children, and to ensure that his processing of personal data complies with the strict new rules under the regulation (for more on that, see my original blogpost on the application of data protection laws to Santa’s processing of personal data and this blogpost on the new regulation).

As the new regime is intended to simplify regulatory accountability (by allowing data controllers to select a single supervisory regulator, rather than being subject to different regulators in each member state), it will be interesting to see whether Santa elects to appoint a representative in a country with a traditionally business-friendly approach to regulation (such as the UK), rather than a country with a strict approach to regulation (for example, CNIL in France).

Changes to rules on consent
The new regulation also proposes changes to the rules on consent.

In particular, stricter rules would be introduced in relation to obtaining consent from children and consent will not be legally valid if there is:

a significant imbalance between the position of data subject and the controller

Given Santa’s strong bargaining position in relation to the delivery of Christmas presents, it’s doubtful whether consent could be freely given by any child. This may mean that Santa has to rely upon the ground for processing in relation to organisations that exist for philosophical purposes (covered in Article 9(2)(d) of the draft regulation).

Breaches of the new regulation
Under the Commission’s proposals, organisations that seriously breach the new law could be fined up to 2% of their global turnover. Whilst the finances behind Santa’s operations are opaque, for someone who sources and delivers presents to many millions of children such a fine could be vast.

No doubt Santa is watching in earnest to see what shape the regulation finally takes.

Martin Sloan

Managing the legal risks with BYOD

I have an article in this month’s edition of Supply Management, the journal for the Chartered Institute of Purchasing and Supply.

The article looks at how organisations can manage some of the legal risks arising out of allowing staff to use their own smartphones, tablets and other devices for work purposes (“bring your own device” or “BYOD”).

In particular, I look at:

  • how to manage the information security risks and the benefits of mobile device management software as a way of controlling access to enterprise data;
  • the software licensing issues that can arise from allowing staff to access the enterprise network through a virtual desktop such as Citrix or from a device that isn’t owned by the employer; and
  • the importance of a BYOD policy, and what this should cover.

The article is essential reading for any organisation that allows (or is thinking of allowing) staff to access enterprise systems on their own devices. This applies regardless of whether such access is provided under a formal BYOD scheme or is done on a “turning a blind eye” basis.

As my employment law colleagues noted in our recent seminars on BYOD, the latter approach is likely to lead to problems, as the employer may be unable to take disciplinary action against the employee in the event of an information security breach. In contrast, a properly drafted BYOD policy will put the employer in a far better position – in terms of setting expectations with its employees (and managing misconduct) and compliance with its obligations under data protection laws.

You can read the article on the Supply Management website.

Martin Sloan

European Commission considers reform of laws protecting business/research knowhow

The European Commission has announced a consultation on the effectiveness of laws protecting business and research knowhow.

Knowhow and trade secrets
The Commission notes that in many instances the protections offered by many forms of intellectual property rights are only available in certain circumstances, or are costly to apply for and/or maintain.

An inventor of a patentable invention will also need to keep the invention secret until the patent application is made (because inventions that form part of the prior art (i.e. they are in the public domain) cannot be patented). A failure to do this is likely to mean that the invention is not patentable, in which case the commercial value of the invention may be lost.

For this reason, many organisations protect their intellectual assets by keeping them secret, and rely upon contractual and common law confidentiality undertakings, and other legal remedies (such as the laws against espionage and theft). Confidentiality undertakings can be enforced by obtaining a court order to stop the recipient of confidential information from using that information, and by claiming compensation for damages.

The limits of confidentiality undertakings
However, these remedies are of limited use. For example, no exclusive rights to use the information are granted, and it is not possible to stop someone else creating the same knowhow (for example, by independent research or reverse engineering) and marketing it in parallel.

This means, for example, that there would be nothing to stop me independently coming up with the recipe for Irn Bru (a trade secret) and marketing the product myself (as long as my branding of the product did not infringe AG Barr’s trade marks).

In addition, the way in which trade secrets or knowhow are protected varies between different member states. This means that such information is not always properly protected in cross-border business, and the law may not act as a sufficient deterrent against misappropriation.

The Commission is concerned that this could dissuade organisations from sharing confidential business information with business partners in other member states, who might otherwise be able to help develop innovative products.

The consultation
The Commission is therefore looking for views on how the law currently operates and how trade secrets and knowhow are used by organisations, with a view to considering reform of the law in this area.

The consultation closes on 8 March 2013.

Martin Sloan

European Commission proposes new laws on accessibility of public sector websites

As I reported on Twitter earlier this week, the European Commission has proposed a new directive governing the accessibility of websites operated by organisations in the public sector.

If passed, the directive would set out requirements in relation to how many public sector bodies ensure that their websites are accessible to users with disabilities. The European Commission estimates that there are over 700,000 public sector websites in the EU.

Determining what is “accessible”
One of the big issues with legislating on website accessibility is the need to have an objective set of criteria for determining what an accessible website looks like. Accessibility, by its nature, is a subjective issue, as accessibility problems will vary depending on an individual’s disabilities and the device/browser software that the user is using. This makes it difficult to have a law that sets out clearly what organisations have to do.

The UK Equality Act deals with this by setting out objective criteria for determining discrimination (which apply regardless of the type of discrimination that is alleged to be taking place), but translating this into the specific steps an organisation should be taking in relation to its website has always been difficult, as the law simply refers to policies or practices that have the effect of discriminating against the individual concerned.

The proposed directive addresses this issue by presuming that the website meets the accessibility requirements where it complies with a number of external standards.

These are:

  • initially, the recently approved international standard on website accessibility (ISO/IEC 40500), which in turn references Level AA conformance under version 2.0 of the W3C’s long-established and recognised Web Content Accessibility Guidelines (WCAG);
  • any European standard on website accessibility, which may include any standard produced under the Commission’s ongoing Mandate M/376 project (which is also likely to be based on WCAG Level AA conformance); and
  • ultimately, the harmonised standards for accessibility drawn up and approved by the EU institutions, which in turn will be based on the European standard produced under M/376.

Disappointingly, the presumption of “accessibility” appears to be based only on compliance with tick-box criteria (rather than, say, user testing, as recommended by the British Standard BS 8878). However, as I note above, it is difficult to legislate for subjective assessment.

The proposed directive is intended to sit alongside the proposed European Disability Act, which will address the accessibility of goods and services, including ICT.

As a directive, the new laws will need to be locally implemented in each member state. The Commission’s current timetable envisages these laws coming into force on 30 June 2014.

Whilst the transitional arrangements are not yet clear, public sector bodies looking to update their websites over the coming year should bear in mind the likely new laws and accessibility requirements when developing their technical requirements specifications.

For many, this should not require a huge change in approach, as WCAG Level AA conformance has been a UK Government recommended standard for several years now. However, if the directive is passed then that obligation will become part of a clear legal framework.

Martin Sloan
