Does your data let you down?
Data protection legislation is a source of anxiety and insecurity for many organizations - and it's not hard to understand why. It is an unfortunate irony that advances in technology that permit increasingly fluid connectivity between the systems of different organizations should coincide with a proliferation of laws that seem designed to inhibit such exchanges.

First there was 1998's Data Protection Act, safeguarding the individual against misuse of data held on them. Then there was the Freedom of Information Act in 2000, intended to foster a culture of openness among public sector bodies by enhancing the public's right of access. Next up was the Sarbanes-Oxley Act of 2002, which requires businesses to comply with tough rules on the storage and reuse of data. Then last December came the Privacy and Electronic Communications Regulations, an EC directive aimed at protecting individuals from electronic annoyances such as spam and cookies. In all, some 18 different pieces of legislation now pertain in one way or another to how data is handled.

Each successive legislative hurdle, far from clarifying where data-holding organizations stand, seems to raise fresh questions of its own. For example, anyone trying to get to grips with the new Privacy and Electronic Communications Regulations might query the effectiveness and purpose of laws with a purely European scope in dealing with a multinational problem like spam.

The Office of the Information Commissioner has promised to review its guidance on data protection and produce clear and unambiguous advice on how to comply with the law. It has already kicked this off with a new and improved Data Protection Helpline. Companies can now call 01625 545745 for advice on compliance.

But UK Information Commissioner Richard Thomas has made it clear that failure to heed this guidance will come at a price. He says that ignorance of data legislation will not protect any organization from the full force of the law if it is caught in serious breach of it.

The onus is now on corporate management to act on this warning. And it is a board-level matter, not just something that should be left to fester in the IT director's in-tray. Managing directors and financial directors would do well to take a degree of personal responsibility for a review of how data is collected and used by their organization.

They would also be well advised to remember that legislation like the DPA is not just about the use of data. It concerns itself with the accuracy of data too. The Act outlines eight so-called 'principles', which are not simply useful guidelines. They are mandatory legal obligations. The fourth principle specifies that corporate data be as accurate as possible.

This means that any organization considering a fundamental review of its data policies in the light of the Act can't afford to limit the scope of its revised policies simply to the processing, storage and use of that data.

There are always likely to be grey areas when it comes to data and the law. Companies whose business is centred around data will have to resign themselves to sometimes treading a fine line between effective use of that data and the law. But there's no excuse for data that's just plain inaccurate.
Guy Matthews, Editor, IT Magazine