
Computer Law & Security Review 25 (2009) 51–58
Available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm

Data security: Past, present and future

Marcus Turle
Field Fisher Waterhouse LLP, CLSR Professional Board, London, UK

Keywords: Data protection; Data security; Privacy enhancing technologies

Abstract

The loss by Her Majesty’s Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.

© 2009 Field Fisher Waterhouse LLP. Published by Elsevier Ltd. All rights reserved.
0267-3649/$ – see front matter. doi:10.1016/j.clsr.2008.11.001

1. Background – a short history of data security

While HMRC was the largest and most high profile data security breach of last year, it was not the only significant one. In fact, there have been a series of significant breaches over the last 18 months. What started as a trickle has now become something approaching a torrent as the mainstream press has cottoned on to the political embarrassment of government shortcomings in data security and the fact that revelations about lost data directly affect millions of citizens.

The following is a summary of what might be termed the ‘key’ events over the last 18 months. Together, they present a clear picture of the enormity of the task which lies ahead for government and business in recognising the significance of, and identifying and managing, data security risks.

• In January 2007, Clive Goodman, royal editor of the News of the World, and accomplice Glenn Mulcaire, a private investigator, were convicted under the Regulation of Investigatory Powers Act 2000 for unlawfully hacking into mobile voicemail messages of royal employees and were jailed, Goodman for four months and Mulcaire for six. Stories were printed about a medical problem of the Prince of Wales, from information gleaned from tapping phones of members of staff of the Prince of Wales’ household.[1]

• In February 2007 the Financial Services Authority (FSA) fined the Nationwide Building Society £980,000 following the loss of a laptop which had created a risk of financial crime.[2] A Nationwide employee had put details of nearly 11 million customers onto his laptop which was later stolen from his home. The fine was a penalty for Nationwide failing to have effective systems and controls to manage its information security risks and because it had failed to start an investigation for three weeks after the theft occurred.

• In March 2007 the Information Commissioner named and shamed 12 banks and other financial institutions for failing to dispose of customer information properly. Each was found to have left personal customer information in dustbins outside their premises. HBOS, Alliance & Leicester, Royal Bank of Scotland, NatWest, Barclays, Nationwide and the Post Office (along with five others) were required to sign a formal undertaking to comply with the data protection principles.

• In August 2007 Forensic Telecommunications Services, a company that provides evidence on telephone use for police forces in connection with investigations, was the victim of a theft at its premises in Kent in which a server containing files of forensic evidence used by police in criminal investigations was stolen. The server contained details of who had made calls on mobiles, their exact location and when they were made.[3]

• In October 2007, following an attack on its customer database, the internet service provider Fasthosts warned users to change their main account control panel login password, all email passwords, all FTP passwords and all passwords for its hosted MySQL and Microsoft SQL Server databases. It even took the authoritarian step of unilaterally changing the passwords of customers who ignored the warning.[4]

• In December 2007, a government wide data security review revealed nine NHS trusts in England had lost the medical records of hundreds of thousands of patients.[5]

• Also in December 2007, the FSA fined Norwich Union Life (NUL) £1.3 million for not having effective systems in place to protect customers’ confidential information and failing to manage its financial crime risks. The failures had enabled criminals to impersonate customers by using publicly available information to target NUL policies, and through contact with NUL’s call centres criminals had obtained (and in some cases altered) confidential customer information, including customers’ contact addresses and full bank account details. Weaknesses in NUL’s customer ID procedures had allowed criminals to instruct the company to surrender 74 policies to criminals’ bank accounts, resulting in a loss to customers of £3.3m.[6]

• In June of this year, an unnamed Cabinet Office employee was suspended after top secret documents from the Joint Intelligence Committee were found on a Surrey-bound commuter train and handed to the BBC. Cabinet Minister Ed Miliband later admitted to “a clear breach of well established security rules which forbid the removal of documents of this kind outside secure government premises without clear authorisation and compliance with special security procedures.”

[1] http://news.bbc.co.uk/1/hi/uk/6301243.stm
[2] http://news.bbc.co.uk/1/hi/business/6360715.stm; http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml; http://www.fsa.gov.uk/pubs/final/nbs.pdf
[3] http://www.theregister.co.uk/2007/08/15/fts_forensic_data_theft/
[4] http://www.theregister.co.uk/2007/11/30/fasthost_hack_update/
[5] http://news.bbc.co.uk/1/hi/uk/7158019.stm
[6] http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/130.shtml; http://www.fsa.gov.uk/pubs/final/Norwich_Union_Life.pdf

These are just a sample of what has now become a litany of data security breaches involving both government and private sector organisations. The government has responded with a series of pivotal policy announcements, legislative developments and regulatory initiatives:

• In February 2007 the Lord Chancellor announced that, consequent upon What price privacy?[7] and a Department for Constitutional Affairs consultation,[8] legislation would be introduced to amend the Data Protection Act 1998 (DPA). This amending legislation was introduced in the House of Commons as part of the Criminal Justice and Immigration Bill and was passed in May this year, giving the ICO power to impose substantial fines on organisations which “deliberately or recklessly” breach the DPA. It also gives the Secretary of State power to introduce unlimited fines, or imprisonment for up to two years, for data theft offences under s.55 of the DPA.

• In August 2007, the Home Office published its Partial Regulatory Impact Assessment on the licensing of private investigators,[9] which resulted in part from What price privacy? Responses were published in May of this year[10] and a Full Impact Assessment is due to be published shortly.

• As part of the response to HMRC, the Prime Minister announced that the Information Commissioner would be given new powers of inspection within the public sector[11] and a consultation on this proposal was launched in July.[12]

• On the regulatory front, at the end of last year the Information Commissioner revealed his new strategy for laptop data security, saying that in cases of laptop loss the absence of encryption will result in enforcement action.[13] This announcement built upon his data security strategy contained in his July 2007 consultation paper.[14] Likewise, the Financial Services Authority made a number of important policy announcements about data security, as part of its fight against financial crime, with Independent Financial Advisors and appointed representatives[15] being identified in particular. The FSA issued a 100-page report and guidance document on Data Security in Financial Services in April this year.

• In July the Walport report, commissioned by the Prime Minister as an independent review of the data protection regime, recommended the introduction of a statutory right to carry out private sector audits and power for the ICO to be given entry by court order if businesses refuse. The report also recommended penalties for data protection breaches that reflect those available to the FSA.[16] Following publication of the Walport report, the government launched a consultation to examine Mark Walport’s proposals.[17]

[7] http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/what_price_privacy.pdf
[8] http://www.dca.gov.uk/consult/misuse_data/consultation0906.pdf; http://www.dca.gov.uk/consult/misuse_data/consultation0906resp.pdf
[9] http://www.the-sia.org.uk/NR/rdonlyres/1FCBCD2E-B3E0-4B61-A0A4-3C33FAB72C41/0/sia_pi_pa_ria.pdf
[10] http://www.the-sia.org.uk/NR/rdonlyres/8B3F8377-2994-4717-BF8F-3F00642E1508/0/pi_pa_response.pdf
[11] http://news.bbc.co.uk/1/hi/uk_politics/7106366.stm
[12] See: The Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998, available at http://www.justice.gov.uk/publications/cp1508.htm
[13] http://www.ico.gov.uk/about_us/news_and_views/current_topics/Our%20approach%20to%20encryption.aspx
[14] http://www.ico.gov.uk/upload/documents/library/corporate/notices/ico_dp_strategy_draft.pdf
[15] http://www.fsa.gov.uk/pubs/newsletters/fc_newsletter9.pdf

At EU level there was also significant activity. For example, in May 2007 the Commission issued a Communication about Privacy Enhancing Technologies, with specific reference to Article 17 of the Data Protection Directive (95/46/EC),[18] and in November last year it published proposals for the amendment of the electronic communications Directives, to introduce a compulsory ‘reporting of security breach’ requirement for operators of publicly available electronic communications networks and services.[19] In April this year Peter Hustinx, the European Data Protection Supervisor, adopted an Opinion on the new draft text of the Directive on Privacy and Electronic Communications as proposed by the European Commission. He largely supported the Commission’s proposal, but added that it did not go far enough. In particular, he recommended that the obligation to notify any breach of security should not only apply to providers of public electronic communication services on public networks but also to providers of information society services which process sensitive personal data (e.g. online banks and insurers and online providers of health services).[20] The Opinion was endorsed by the Article 29 Working Party in May.[21]

In June, the European Parliament’s Standing Committee on Civil Liberties, Justice and Home Affairs asked for measures to correct the Commission’s proposal to amend the Directive on Privacy and Electronic Communications. MEPs have proposed that companies should inform national telecommunications regulators or other “competent authorities” of “serious” security breaches involving personal data, and regulators should then decide if consumers need to be informed. Companies might also be asked to report the occurrence of security problems in their annual reports.[22]

[16] http://www.justice.gov.uk/reviews/datasharing-intro.htm
[17] http://www.justice.gov.uk/publications/cp1508.htm
[18] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52007DC0228:EN:NOT
[19] http://ec.europa.eu/information_society/policy/ecomm/doc/library/proposals/dir_citizens_rights_en.pdf
[20] http://www.statewatch.org/news/2008/apr/eu-edps-opinion-telecomm-directive.pdf
[21] http://www.statewatch.org/news/2008/may/wp-150-e-privacy.pdf
[22] See: http://www.edri.org/edrigram/number6.13/e-privacy-review-ep and http://www.heise.de/english/newsticker/news/110110

Two key points emerge from these developments. First, data security is now a priority for government and for regulators, and the legal and regulatory landscape is shifting as a result. This shift was slow at first, with minor tremors following some of the cases listed above during the first half of last year. The seismic events at HMRC have greatly accelerated the process, however. Secondly, the litany of data security breaches pre- and post-HMRC demonstrates that organisations are still failing to address this key area. We therefore need to understand why this is the case and, more importantly, how organisations can act to preserve the integrity of their data and their business reputations. Part of the answer to these questions lies within the lessons to be learned from HMRC.

2. What have we learned from HMRC?

There are two overriding lessons from HMRC. First, data security must be viewed and managed at an organisation-wide level, and treated as a priority by senior management. Secondly, while organisations generally understand that technology is a business enabler, they are still failing to recognise that it is also a risk. The HMRC experience is instructive because it reflects the approach of many organisations, both public and private sector, who continue to tackle data security from silos, exclusively at the micro level, rather than across the entire enterprise, as a management priority.

The Poynter Review, published in June, found “no visible management of data security at any level” at HMRC and, indeed, suggested that officials adopted a “muddle-through ethos” when dealing with customer data. The loss of two discs, which included the names, addresses and bank details of every person in the UK who claims child benefit, was not even reported for three weeks. At the time, Alistair Darling blamed junior officials for not following procedures, but Kieran Poynter’s investigation found no evidence of misconduct or criminality by any member of HMRC, instead blaming the loss on what he called “serious institutional deficiencies”.

It is now clear that while numerous policies for handling data did exist at HMRC, their existence was simply not communicated to staff. The policies were in any event described as inadequate, unduly complex and not translated into guidance or training for junior officials who needed them. Further, the Poynter Review found that even if adequate policies and training had been provided, there were no clear lines of data governance and no clearly assigned data guardians or owners. This meant that HMRC’s entire database of child benefit claimants could be sent outside the organisation, by non-secure courier, without any involvement from senior staff.

Commenting on HMRC’s IT systems, Kieran Poynter observed that the organisation was crippled by “fragmentation”, which was partly a legacy of the merging of the Inland Revenue and Customs & Excise, and partly the result of the sheer number and age of IT systems and applications in use: HMRC operated 650 different systems run from 900 sites, and had over 4500 other software applications of one sort or another. Some of its systems dated back to the 1970s and in many cases staff employed archaic media such as floppy discs to store and transport information. HMRC’s customer facing operations still operated a predominantly paper based process, sending out 300 million items of mail each year.

According to the review, the HMRC data loss was “entirely avoidable”. In the final analysis it was a result of inadequate organisational and management control.

3. Approaches to data security

One of the key lessons HMRC teaches is that it is not enough to have data protection and information security “policies” in place. A policy is worthless unless it is properly communicated to staff and effectively implemented through ongoing training and awareness. How then should enterprises approach data security to ensure that risk is managed appropriately and effectively?

All readers of this article should be able to rattle off the core elements of the seventh data protection principle (appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data). It is crucial to understand, however, that when assessing the operational issues within data security management, the seventh principle alone does not provide a complete and reliable framework. Indeed, the DPA itself, while important, is not the only legal framework of relevance. In setting out a framework for data security management we need to go much further.

3.1. The legal framework for data security management

The broad scope of the framework for data security management is neatly illustrated when we consider how the DPA applies to manual records. As we know, it refers to “relevant filing systems”, which means manual records which tick all of the boxes in the Court of Appeal’s judgment in Durant v. The Financial Services Authority.[23] But what about manual records which fall outside of this definition? Do such records fall outside the law altogether or will they be caught by something other than the DPA? Well, we know that the Human Rights Act will probably apply if an individual can argue that they have a reasonable expectation of privacy in the documents, in which case they will find their protections within the modified law of confidence.

In fact, we can even go further than this. Data security management is just as much about employment law, property law and contract law as it is about data protection law. Data security management requires a consideration of all these other legal frameworks, which, in turn, will give rise to a variety of operational steps necessary to the management of risk. The operational steps may, for example, require a formal process of consultation with trades unions and works councils, they may require consents for building improvements from commercial landlords, and they may require the obtaining of indemnities from suppliers of security devices.

[23] [2003] EWCA Civ 1746.

3.2. The holistic approach to data security management

The primary reason why organisations are failing to address data security management successfully is the tendency to adopt a silo approach. The silo approach is best illustrated as follows: an IT manager reads about the Information Commissioner’s new guidance on laptop encryption. He decides that the organisation’s laptops should be encrypted. He identifies a budget within the department and, having done so, purchases encryption software which is then rolled out across the company’s laptop inventory. This approach is reactive and may successfully address a specific and short-term weakness. But it is no more than that.

The data protection principles identify a range of quite specific issues which undoubtedly address the milestones in the information lifecycle. They do not define a starting point, however. In reality, when data security management is viewed from the operational perspective, they define the end point.

One of the things HMRC demonstrates is that it is necessary to tackle operational data security holistically. A holistic approach takes as its starting point the information lifecycle across the entire enterprise and the identification of data security risks.

4. Identification of security risks

A comprehensive analysis of the information lifecycle should clearly highlight an enterprise’s risk areas. Organisations which do this will generally group data risk into four key areas:

• information risk;
• people risk;
• physical risk; and
• technology risk.

4.1. Information risk

Considerable risk frequently arises from the intrinsic nature of data itself. Some data are attractive to criminals through the potential for identity fraud; some may be confidential or a trade secret and therefore attractive in the context of industrial espionage. Further, when risk is viewed from an informational perspective it often becomes clear that the vulnerability of non-personal data may lead to a secondary exposure for personal data.

4.2. People risk

People risk comprises a wide spectrum of issues, including the terms and enforceability of employment contracts, the reliability of staff, training and awareness, controls and processes. People risk is clearly addressed within the seventh data protection principle, but it is important to bear in mind that the DPA focuses only on “employees” and “processors”. The kind of people who may pose a threat to data security extends much further than these two categories, as consideration of the number of office cleaners who empty the bins each night will quickly reveal. There are numerous other categories of non-employee/non-processor people risk which do not readily fit into the narrow confines of the seventh data protection principle.

4.3. Physical risk

The seventh data protection principle addresses physical risk within the phrase “technical and organisational measures”. At one level this means locked rooms and filing cabinets, but it is clear that many organisations have not got to grips with some of the more high-level issues, particularly where high value IT equipment is held on office premises. To use a simple and real life example, in December last year robbers disguised as police officers convinced security personnel at Verizon’s data centre in Kings Cross to allow them access to ‘intercept intruders’, whereupon they stole £1 million worth of computer equipment.

4.4. Technology risk

Again, the seventh data protection principle refers to technology and it is fair to say that in the aftermath of HMRC and the Poynter Review awareness of technology risk is increasing. However, while organisations are waking up to the reality of technology risk, many have found it difficult to identify appropriate solutions, particularly at a commercially viable cost/benefit ratio.

We can draw all of these categories of risk together with one more simple example: the now ubiquitous ‘lost laptop’. These cases are not always about carelessness or recklessness on the part of the laptop owner. The reality is that to a heroin addict the value of a laptop is roughly equivalent to a single ‘hit’. In some reported cases laptops have been mugged out of the owner’s possession.[24] The information risk associated with such an event depends on the nature of what is stored on the laptop and there are numerous examples of laptops going missing which contained highly sensitive information about customers. The people risk in this case revolves around whether individuals are using laptops correctly, for example storing only information which they are permitted to store. The physical risk is similar to the people risk in this example: are laptop owners taking appropriate precautions to maintain their laptop’s integrity and security? Finally, the technology risk derives from how easily information on the laptop may be accessed without authorisation. Is it password protected and encrypted? A login password on its own is not a mitigation: the drive can simply be removed and read on another machine, so it is encryption of the data at rest (with the key not stored on the same device) that determines whether a stolen laptop is a lost asset or a data breach. Any organisation can lose a laptop. The question is not whether this could happen, but whether you have taken steps to mitigate the risks associated with it if and when it does.

Operationally, these core categories of risk pose many challenges. The key point is that effective data security management draws upon a much greater body of expertise than data protection compliance. The downstream consequences of data security breaches require a much wider approach – a holistic approach.

[24] http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=7088

5. The legal and regulatory landscape

The chronology of data security breaches at the beginning of this article demonstrates the ramping-up of data security as a political and commercial priority in the wake of HMRC. What may not be clear from the chronology is how close we are to getting new laws that will shape the regulatory landscape and, as a consequence, operational decisions taken in the workplace.

Two key milestones which were not mentioned in the

chronology are likely to shape the future to a significant

degree. The first is the publication of the House of Commons’

Justice Committee Report, Protection of Private Data.25 The

second is the legislative changes to the DPA dealing with s.55

offences and continuing lobbying for expansion of the Infor-

mation Commissioner’s powers. These point the way to

a fundamentally different legal landscape.

6. Breach notification

Users of the Privacy Rights Clearinghouse26 website will be

familiar with the ‘‘Chronology of Data Breaches’’ which lists

all reported security breaches occurring in the US since 2005.

This very lengthy list has been made possible by the torrent of

breach notification laws passed since 2003, when California

first legislated.

At the moment, EU data protection law does not contain

a specific breach notification provision so it is hard to judge

the scale of the security problem in Europe. However, if the

law were to be amended to include a breach notification

requirement then it would be reasonable to expect a deluge of

reporting. Since HMRC’s data breach last year there has in fact

been a mini US-style notification frenzy, as indicated by the

Information Commissioner in evidence to the House of

Commons Justice Committee in December 2007: ‘‘quite

a number of organisations, both public and private sector,

have come to us saying that they think they have found

a problem, to the extent we have almost said they are coming

on a confessional basis to bring to our attention problems they

have encountered with security inside their own

organisations’’.

This section of the article examines the state of UK data

protection laws on breach notification, highlighting proposals

for change.

6.1. Notification obligation

Although the DPA lacks a specific breach notification provi-

sion, it does contain components that are consistent with the

existence of such an obligation. These components exist

within the DPA’s transparency provisions.

The first transparency provision derives from the require-

ments for registration and notification, the legal framework

for which is contained in ss.16–21 of the DPA and within the

Data Protection (Notification and Notification Fees) Regula-

tions 2000 (SI 2000/188). The obligation within s.16(1)(d), which

requires as part of the registrable particulars a description ‘‘of

the purpose or purposes for which the data are being or are to

be processed’’, could be interpreted to include a breach noti-

fication obligation when read in conjunction with s.20, which

contains the duty to notify changes.

The essence of the argument is that following a security breach, the data controller’s processing operations will change, particularly in the sense of the processing purpose: prior to the security breach the processing purpose will be limited to that specified in accordance with the first and second data protection principles, whereas after a security breach the processing may expand to cover multiple new purposes. An illustration would be where processing was undertaken for the purposes of disciplining an employee whose actions had been causative of the breach.

[25] http://www.publications.parliament.uk/pa/cm200708/cmselect/cmjust/154/154.pdf

[26] http://www.privacyrights.org

[27] Proposal for a Directive of the European Parliament and of the Council amending Directives 2002/21/EC on a common regulatory framework for communications networks and services, 2002/19/EC on access to, and interconnection of electronic communications networks and services, and 2002/20/EC on the authorisation of electronic communications networks and services. COM(2007) 697 final, 13 November 2007.

[28] ‘Personal Internet Security’, House of Lords Science and Technology Committee, 5th Report of Session 2006–2007, HL Paper 165-I.

[29] ‘Protection of Private Data’, House of Commons Justice Committee, First Report of Session 2007–2008, HC 154, 3 January 2008.

A key feature of the registration and notification regime that is indicative of the existence of a breach notification obligation is the requirement to provide a general statement of security measures (see s.18(2)(b)). Section 20(2)(b) makes this subject to the updating provisions. The argument here is that in the aftermath of a security breach, new security measures will be introduced and notifying these might require an express reference to the breach which gave rise to the new measures.

The second transparency provision is contained in the fair processing requirements within the first data protection principle. These require the data controller to supply the data subject with information about the processing purposes and “any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair”. The interpretive provisions in Part II of Schedule 1 require this information to be supplied “before … or as soon as practicable after” the “relevant time”. In the aftermath of a security breach the relevant time will be the point at which a new processing purpose arises, in which case the fair processing requirements will be triggered at that point.

The third transparency provision is subject access. One of the obligations in s.7 of the DPA relates to the supply of information about the processing purpose, which brings us back to the same point made above.

The fourth transparency provision is the information notice power within s.43. This allows the Information Commissioner to serve an information notice requiring “such information relating to the request [for an assessment under s.42] or to compliance with the principles as is so specified.”

In the author’s view, the cumulative effect of these provisions is to open the way for a regulator or judge to hold that a breach notification obligation does exist within the data protection regime. Indeed, taken in the context of one of the core objectives of the DPA, namely the protection of privacy, and the obligations placed on regulators and judges as public authorities by the Human Rights Act, it becomes much easier to see how a judge might hold that a breach notification obligation already exists within the current legal framework. Furthermore, there is growing anecdotal evidence that regulators are assuming the existence of a breach notification obligation, in the sense that the failure to notify a breach may result in a harsher regulatory response. If this is indeed how regulators are interpreting the law then we must take it that they are in effect applying a purposive construction to the legislation in order to give full effect to the right to privacy.

The Data Protection Directive has been built upon a multi-faceted transparency framework that is designed to make processing fair. There is a cogent line of argument that fairness requires post-breach transparency rather than secrecy, particularly as this could enable data subjects to take steps to mitigate the consequences. Excluding breach notification from the framework would represent a major lacuna, which human rights legislation should not permit.

6.2. Proposals for change

The European Commission has recently addressed the question of breach notification in the context of the framework for publicly available electronic communications networks and services. It has proposed a new Directive, the adoption of which will see the introduction of breach notification.[27] Article 13(a) says: “Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the national regulatory authority of any breach of security or integrity that had a significant impact on the operation of networks or services.”

The Information Commissioner has been calling for the introduction of formal rules for quite some time. In his written evidence to the Home Affairs Committee inquiry into A Surveillance Society? the Commissioner said: “Allied to the call for a penalty to be introduced for breaches of the data protection principles, the Commissioner believes that consideration should be given to security breach notification obligations in the UK. These are used in other jurisdictions and involve the organisation which is the subject of a breach being obliged to tell those individuals affected by it such as those whose personal information is involved, as well as, in some cases, the regulator.”

The House of Lords Science and Technology Committee has also called for the introduction of a breach notification law,[28] saying: “We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.” The House of Commons Justice Committee has also called for the introduction of formal rules.[29]

At the moment the picture on breach notification remains unclear. HMRC may have brought the issue to the front of Ministers’ minds but the only formal government comment that we have pre-dates HMRC, being a response to the proposal of the House of Lords Science and Technology Committee, and is dismissive of the calls for new legislation: “The Government provided evidence to the Committee that recognised that the move towards breach notification laws in other jurisdictions was an interesting development. We are, however, clearly not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that it would have any significant impact on other elements of personal internet safety. The experience in the United States has yet to be fully analysed but there is a strong body of opinion that doubts whether there has been significant differences to corporate behaviour and may, in fact, have desensitised consumers to security issues and undermined confidence in the internet as a business medium.”

In an uncertain regulatory environment, organisations need to establish their positions on the reporting of security breaches, and strategies need to be both defensive and defensible. Currently, the prudent course may be to report any breach by default, subject to analysis of the facts in the case of a breach actually occurring.

7. Privacy enhancing technologies

Privacy Enhancing Technologies, or PETs, is a phrase known to many data protection practitioners, although the meaning, scope and effect of PETs, and their role within data protection compliance (and particularly security), are still somewhat mysterious. What is important is that lawmakers and opinion formers are formally embracing PETs and encouraging their development and adoption by technology companies, data controllers and consumers.

One of the clearest statements about PETs is provided by the European Commission, within Com(2007) 228, published in May 2007. This Communication, titled On Promoting Data Protection by Privacy Enhancing Technologies, represents a central commitment to PETs within the data protection framework at European level and could represent the first step towards formal legislation. Our own Information Commissioner has also been promoting PETs within guidance issued in 2006 and 2007. Another strong advocate of PETs is the Dutch Ministry of the Interior, which published a PETs ‘Whitebook’ in 2004.

8. PETs and their role in compliance

A consensus on the meaning of PETs has yet to be reached, but a working definition used by the writer is that a PET is any technology that can facilitate compliance with the data protection principles. Thus, there can be PETs for pure security, PETs for adequacy, PETs for data transfers and PETs for data retention. By reference to this formulation, an application that permits comprehensive search and retrieval of electronic files has as much a right to be called a PET as encryption technology, particularly when viewed from the perspective of the right of access to data enjoyed by data subjects. Similarly, access control technologies, perimeter security technologies and intelligent data storage technologies can reasonably be called PETs.

We should also, of course, take careful note of the definitions adopted by the European Commission, the Information Commissioner and the Dutch Ministry, which are, respectively:

8.1. Com(2007) 228

“There are a number of definitions of PETs used by the academic community and by pilot projects on this matter. For instance, according to the EC-funded PISA project, PET stands for a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system. The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules. The Commission in its First Report on the implementation of the Data Protection Directive considers that ‘the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection’. The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect them.”

8.2. Information Commissioner’s guidance note (2007)

The Information Commissioner considers that privacy enhancing technologies are not limited to tools that provide a degree of anonymity for individuals but they are also any technology that exists to protect or enhance an individual’s privacy, including facilitating individuals’ access to their rights under the Data Protection Act 1998.

8.3. Dutch Whitebook (2004)

Privacy Enhancing Technologies (PET) is a collection of information and communication technologies that strengthens the protection of individuals’ private lives in an information system by preventing unnecessary or unlawful processing of personal data or by offering tools and controls to enhance the individual’s control over his/her personal data.

It is very easy to tie PETs to Article 17 of the Data Protection Directive and the seventh data protection principle, particularly in light of recent security breach cases. For example, at the end of 2007, the Information Commissioner published a new enforcement strategy for unencrypted laptops, titled Our approach to encryption, which is the adoption of a PETs strategy for data security in all but name. By way of reminder, the Commissioner’s new strategy says: “There have been a number of reports recently of laptop computers, containing personal information which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued. The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.” Note the use of the word “will” in the penultimate sentence. This marks a distinct hardening of the Commissioner’s approach to the technology risk associated with mobile IT.

9. PETs within the emerging legal landscape

The importance of the PETs agenda becomes much clearer when viewed in the context of the emerging legal landscape for data security. In December 2007, in reaction to HMRC, the Information Commissioner published his case for the amendment of the DPA. His report outlined a shopping list of new powers and penalties which, if implemented, will elevate the UK to the top table of data protection enforcement. Perhaps the most interesting proposal was the call for the criminalisation of breaches of the data protection principles. In the event, the Criminal Justice and Immigration Act 2008[30] amends s.55 of the DPA to give the Commissioner power to impose fines for serious breaches of the data protection principles where the data controller failed to take reasonable steps to prevent the contravention. Further, the Secretary of State is given power[31] to impose custodial sentences for s.55 offences.

As far as data security is concerned, the statutory defence of “reasonable steps” could well be satisfied through the use of PETs.

10. How will the PETs market develop?

Until now, the PETs landscape has been dominated by small IT companies and groups of academics. While there is no doubt that they have done an incredible job in raising the profile of PETs (to the extent that they are now taken seriously at European Commissioner and national regulatory level), there is a growing appreciation that PETs will not become mainstream until they are supported and adopted by the big IT companies, which to a large extent means the US IT companies. Fortunately, these companies are starting to engage on PETs and important dialogues are opening. IT companies that have recently expressed interest in the PETs agenda include the likes of EMC, RSA, Symantec, Hitachi Data Systems, IBM and Microsoft. The big consulting firms and systems integrators are also now expressing their interest. The first tangible outcome of these new developments was a PETs conference in London hosted by RSA, at which Philippe Renaudiere (European Commission) and Jonathan Bamford (Office of the Information Commissioner) shared a platform with RSA’s head within EMEA, Richard Turner. The importance of this event should not be underestimated: it represented the start of a new form of engagement between the power players identified by the Commission in its Communication.

[30] Section 144.

[31] Section 77, Criminal Justice and Immigration Act 2008.

In light of the growing interest in PETs it is inevitable that a sustainable market for PETs will be created. Of course, data security scares will fuel the market, but the future for PETs does not rest on there being enhanced interest in just one component of data protection. As already indicated, PETs serve a much bigger purpose.

11. Reflections and looking forward

The litany of data security breaches in the last 18 months has raised data security to a level of significance hitherto unseen. It is nevertheless clear that organisations across the public and private sectors are still failing to heed the lessons of HMRC: namely, that data security must be addressed at an organisation-wide level and with the backing of senior management. Data security management can only truly be addressed using a holistic approach, starting with an assessment of the risks which flow from the information lifecycle. Data protection, whilst important, represents the end point of this assessment.

The reaction of government and regulators to the new world of data security has been twofold: first, to legislate and to explore ways of legislating further, and secondly, to harden their approach to enforcement. Organisations everywhere should be prioritising data security management in the light of this harsher environment.

Looking ahead, there are a number of developments underway. One of the most interesting is the emergence of privacy enhancing technologies which are set to become foundation stones in the construction of data security management programmes.

Marcus Turle ([email protected]) is a member of the Professional Board of CLSR and a Partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is a founder member of FFW’s Privacy and Information Law Group. He is also editor of Data Protection Laws of the World and a visiting lecturer on the Northumbria University Information Rights LLM.