Be Prepared
Dr Chris Pounder
Many readers will be aware that the Data Protection Directive was adopted by the European Community in October 1995: within three years, Member States must incorporate new legislation to conform with its provisions. At the time of going to press, most European countries are actively planning how the Directive will modify existing data protection law. In Finland, for instance, there is a Committee studying how Finnish law will need to be modified; in the UK, the Home Office (the British equivalent to a Ministry for the Interior) published a consultation document in March. In addition, national Data Protection Authorities are monitoring the situation in their respective country. They have a duty under the Directive to inform the Commission of Member States who introduce legislation which significantly diverges from the European norm.

Despite this activity, it is probably true to say that many organizations do not treat data protection as seriously as they do security. For instance, security policies and procedures are designed to protect an organization's assets from misuse, from failure and from exposure to identifiable risks; objectives which are readily understood by management. In contrast, data protection is mainly targeted at protecting the privacy of an organization's customers, and in many circumstances a new business initiative can only succeed by invading the privacy of the existing customer base (although the organization might prefer to describe this activity as exploiting its personal data assets!). In contrast to the understanding given to security, data protection barriers are unsympathetically received by management; hence the reluctance to provide resources.

With the Directive this will change, since new legislation will oblige organizations to give data protection a higher priority. The reason: individuals who are the subject of personal data will become empowered as to how an organization can lawfully use their data. This is a huge shift of power: organizations who do not take heed of data protection could be in for a shock. But what about auditors? What could they be doing now? Well, if they found out that their organization was currently paying lip-service to current legislation, it does not take an Einstein to deduce that it would be wholly unprepared for what's coming. So why not have a 'fireside chat' with the person responsible for data protection: that is, if you can find them!
International trade

Auditors working for organizations which increasingly profit from international trade should also check whether relevant managers are aware of the implications which can arise from the application of national (and divergent) privacy rules. For instance, currently:

- In the UK, if the contents and use of personal data are controlled from the UK, any data used in the UK are fully subject to the UK Data Protection Act. Similarly, the country where control over the data is exercised is an important consideration with respect to the application of the national data protection legislation of Austria, Eire, Guernsey, Isle of Man and the Channel Islands.
- In France, the application of the French data protection law is restricted to processing activities which take place, in whole or in part, on French territory. Danish and German data protection legislation takes a similar stance.
- In the Netherlands, the law comes into effect when a file of personal data is located in that country.

Thus, if a UK company processes personal data using the services of a French computer services company which arranges to have the backup files transmitted to the Netherlands, then three national legislations could become involved. Once the Directive becomes law in each Member State of the Union, some of these problems will be resolved; external transfers outside the Union (e.g. to Canada, Norway and Hong Kong) would, however, still be subject to multiple jurisdictions as described above.

In particular, there are four scenarios which are likely to be very important:

- personal data, even though they are not subject to legislation in the country of origin, become, on transfer, subject to the legislation of the recipient country (e.g. when personal information held in manual files is sent to Australia from the UK);
- personal data are transferred from a country which does not have data protection legislation or has not signed the Council of Europe Convention;
- personal data which are subject to legislation in the country of origin are not, on transfer, subject to the legislation of the recipient country (e.g. personal data, in manual files, sent from Australia and held in the UK in non-automated form);
- personal data are transferred from a country which has data protection legislation to another country which has no such legislation or has not signed the Council of Europe Convention (e.g. personal data transmitted from Europe to the USA).

If either of the first two conditions above applies, the transfer of data is likely to result in data protection controls as soon as they arrive in the recipient's country. To avoid privacy problems, therefore, Auditors might want to check that specific procedures are in place to meet the requirements of the recipient's national legislation. If either of the last two conditions applies, the transfer of data could well result in the reduction of privacy protection afforded to individuals. Consequently, before data are transferred abroad, Auditors might wish to assess whether procedures are in place to assess any circumstances that could result in a prohibition on the transmission of such data. It might be prudent to seek the views of the Data Protection Authority before effecting the transfer, as they may suggest procedural conditions or seek binding guarantees that the transferred data will be protected by equivalent safeguards. Strategic business decisions may also play a part in this process; for example, customers (if they learn about the transfer) might resent a reduction in privacy controls, or fear that the confidentiality of their personal data could not be maintained. Procedures which make customers aware of the extent of the transfers overseas could thus become an important consideration. This could not only help keep customers happy; it will also help satisfy the provisions of the Directive with respect to such transfers.

Computer Audit Update, May 1996. © 1996 Elsevier Science Ltd.