Computer Law & Security Review 25 (2009) 51–58
Available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Data security: Past, present and future
Marcus Turle
Field Fisher Waterhouse LLP, CLSR Professional Board, London, UK
Keywords: Data protection; Data security; Privacy enhancing technologies

Abstract

The loss by Her Majesty’s Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.

© 2009 Field Fisher Waterhouse LLP. Published by Elsevier Ltd. All rights reserved.
0267-3649/$ – see front matter. doi:10.1016/j.clsr.2008.11.001

1 http://news.bbc.co.uk/1/hi/uk/6301243.stm.
2 http://news.bbc.co.uk/1/hi/business/6360715.stm, http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml, http://www.fsa.gov.uk/pubs/final/nbs.pdf.
1. Background – a short history of data security

While HMRC was the largest and most high profile data security breach of last year, it was not the only significant one. In fact, there have been a series of significant breaches over the last 18 months. What started as a trickle has now become something approaching a torrent as the mainstream press has cottoned on to the political embarrassment of government shortcomings in data security and the fact that revelations about lost data directly affect millions of citizens.

The following is a summary of what might be termed the ‘key’ events over the last 18 months. Together, they present a clear picture of the enormity of the task which lies ahead for government and business in recognising the significance of, and identifying and managing, data security risks.

• In January 2007, Clive Goodman, royal editor of the News of the World, and accomplice Glenn Mulcaire, a private investigator, were convicted under the Regulation of Investigatory Powers Act 2000 for unlawfully hacking into mobile voicemail messages of royal employees and were jailed, Goodman for four months and Mulcaire for six. Stories were printed about a medical problem of the Prince of Wales, from information gleaned from tapping phones of members of staff of the Prince of Wales’ household.1
• In February 2007 the Financial Services Authority (FSA) fined the Nationwide Building Society £980,000 following the loss of a laptop which had created a risk of financial crime.2 A Nationwide employee had put details of nearly 11 million customers onto his laptop, which was later stolen from his home. The fine was a penalty for Nationwide failing to have effective systems and controls to manage its information security risks and because it had failed to start an investigation for three weeks after the theft occurred.

7 http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/what_price_privacy.pdf.
8 http://www.dca.gov.uk/consult/misuse_data/consultation0906.pdf, http://www.dca.gov.uk/consult/misuse_data/consultation0906resp.pdf.
9 http://www.the-sia.org.uk/NR/rdonlyres/1FCBCD2E-B3E0-4B61-A0A4-3C33FAB72C41/0/sia_pi_pa_ria.pdf.
10 http://www.the-sia.org.uk/NR/rdonlyres/8B3F8377-2994-4717-BF8F-3F00642E1508/0/pi_pa_response.pdf.
• In March 2007 the Information Commissioner named and shamed 12 banks and other financial institutions for failing to dispose of customer information properly. Each was found to have left personal customer information in dustbins outside their premises. HBOS, Alliance & Leicester, Royal Bank of Scotland, Natwest, Barclays, Nationwide and the Post Office (along with five others) were required to sign a formal undertaking to comply with the data protection principles.
• In August 2007 Forensic Telecommunications Services, a company that provides evidence on telephone use for police forces in connection with investigations, was the victim of a theft at its premises in Kent in which a server containing files of forensic evidence used by police in criminal investigations was stolen. The server contained details of who had made calls on mobiles, their exact location and when they were made.3
• In October, following an attack on its customer database, the internet service provider FastHosts warned users to change their main account control panel login password, all email passwords, all FTP passwords and all passwords for its hosted MySQL and Microsoft SQL Server databases. It even took the authoritarian step of unilaterally changing passwords of customers who ignored the warning.4
• In December, a government-wide data security review revealed nine NHS trusts in England had lost the medical records of hundreds of thousands of patients.5
• Also in December, the FSA fined Norwich Union Life (NUL) £1.3 million for not having effective systems in place to protect customers’ confidential information and failing to manage its financial crime risks. The failures had enabled criminals to impersonate customers by using publicly available information to target NUL policies, and through contact with NUL’s call centres criminals had obtained (and in some cases altered) confidential customer information, including customers’ contact addresses and full bank account details. Weaknesses in NUL’s customer ID procedures had allowed criminals to instruct the company to surrender 74 policies to criminals’ bank accounts, resulting in a loss to customers of £3.3m.6
• In June of this year, an unnamed Cabinet Office employee was suspended after top secret documents from the Joint Intelligence Committee were found on a Surrey-bound commuter train and handed to the BBC. Cabinet Minister Ed Miliband later admitted to ‘‘a clear breach of well established security rules which forbid the removal of documents of this kind outside secure government premises without clear authorisation and compliance with special security procedures.’’

3 http://www.theregister.co.uk/2007/08/15/fts_forensic_data_theft/.
4 http://www.theregister.co.uk/2007/11/30/fasthost_hack_update/.
5 http://news.bbc.co.uk/1/hi/uk/7158019.stm.
6 http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/130.shtml, http://www.fsa.gov.uk/pubs/final/Norwich_Union_Life.pdf.
These are just a sample of what has now become a litany of
data security breaches involving both government and private
sector organisations. The government has responded with
a series of pivotal policy announcements, legislative devel-
opments and regulatory initiatives:
• In February 2007 the Lord Chancellor announced that consequent upon What price privacy?7 and a Department for Constitutional Affairs consultation,8 legislation would be introduced to amend the Data Protection Act 1998 (DPA). This amending legislation was introduced in the House of Commons as part of the Criminal Justice and Immigration Bill and was passed in May this year, giving the ICO power to impose substantial fines on organisations which ‘‘deliberately or recklessly’’ breach the DPA. It also gives the Secretary of State power to introduce unlimited fines, or imprisonment for up to two years, for data theft offences under s.55 of the DPA.
• In August 2007, the Home Office published its Partial Regulatory Impact Assessment on the licensing of private investigators,9 which resulted in part from What price privacy? Responses were published in May of this year10 and a Full Impact Assessment is due to be published shortly.
• As part of the response to HMRC, the Prime Minister announced that the Information Commissioner would be given new powers of inspection within the public sector11 and a consultation on this proposal was launched in July.12
• On the regulatory front, at the end of last year the Information Commissioner revealed his new strategy for laptop data security saying that in cases of laptop loss, the absence of encryption will result in enforcement action.13 This announcement built upon his data security strategy contained in his July 2007 consultation paper.14 Likewise, the Financial Services Authority made a number of important policy announcements about data security, as part of its fight against financial crime, with Independent Financial Advisors and appointed representatives15 being identified in particular. The FSA issued a 100-page report and guidance document on Data Security in Financial Services in April this year.
• In July the Walport report, commissioned by the Prime Minister as an independent review of the data protection regime, recommended the introduction of a statutory right to carry out private sector audits and power for the ICO to be given entry by court order if businesses refuse. The report also recommended penalties for data protection breaches that reflect those available to the FSA.16 Following publication of the Walport report, the government launched a consultation to examine Mark Walport’s proposals.17

11 http://news.bbc.co.uk/1/hi/uk_politics/7106366.stm.
12 See: The Information Commissioner’s inspection powers and funding arrangements under the Data Protection Act 1998, available at http://www.justice.gov.uk/publications/cp1508.htm.
13 http://www.ico.gov.uk/about_us/news_and_views/current_topics/Our%20approach%20to%20encryption.aspx.
14 http://www.ico.gov.uk/upload/documents/library/corporate/notices/ico_dp_strategy_draft.pdf.
15 http://www.fsa.gov.uk/pubs/newsletters/fc_newsletter9.pdf.
At EU level there was also significant activity. For example,
in May 2007 the Commission issued a Communication about
Privacy Enhancing Technologies, with specific reference to
Article 17 of the Directive,18 and in November last year it
published proposals for the amendment of the electronic
communications Directives, to introduce a compulsory
‘reporting of security breach’ requirement for operators of
publicly available electronic communications networks and
services.19 In April this year Peter Hustinx, the European Data
Protection Supervisor, adopted an Opinion on the new draft
text of the Directive on Privacy and Electronic Communica-
tions as proposed by the European Commission. He largely
supported the Commission’s proposal, but added that it did
not go far enough. In particular, he recommended that the
obligation to notify any breach of security should not only
apply to providers of public electronic communication
services on public networks but also to providers of informa-
tion society services which process sensitive personal data
(e.g. online banks and insurers and online providers of health
services).20 The Opinion was endorsed by the Article 29
Working Party in May.21
In June, the European Parliament’s Standing Committee
on Civil Liberties, Justice and Home Affairs asked for
measures to correct the Commission’s proposal to amend
the Directive on Privacy and Electronic Communications.
MEPs have proposed that companies should inform national
telecommunications regulators or other ‘‘competent
authorities’’ of ‘‘serious’’ security breaches involving
personal data, and regulators should then decide if
consumers need to be informed. Companies might also be
asked to report the occurrence of security problems in their
annual reports.22
Two key points emerge from these developments. First, data security is now a priority for government and for regulators, and the legal and regulatory landscape is shifting as a result. This shift was slow at first, with minor tremors following some of the cases listed above during the first half of last year. The seismic events at HMRC have greatly accelerated the process, however. Secondly, the litany of data security breaches pre- and post-HMRC demonstrates that organisations are still failing to address this key area. We therefore need to understand why this is the case and, more importantly, how organisations can act to preserve the integrity of their data and their business reputations. Part of the answer to these questions lies within the lessons to be learned from HMRC.

16 http://www.justice.gov.uk/reviews/datasharing-intro.htm.
17 http://www.justice.gov.uk/publications/cp1508.htm.
18 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52007DC0228:EN:NOT.
19 http://ec.europa.eu/information_society/policy/ecomm/doc/library/proposals/dir_citizens_rights_en.pdf.
20 http://www.statewatch.org/news/2008/apr/eu-edps-opinion-telecomm-directive.pdf.
21 http://www.statewatch.org/news/2008/may/wp-150-e-privacy.pdf.
22 See: http://www.edri.org/edrigram/number6.13/e-privacy-review-ep and http://www.heise.de/english/newsticker/news/110110.
2. What have we learned from HMRC?
There are two overriding lessons from HMRC. First, data
security must be viewed and managed at an organisation-
wide level, and treated as a priority by senior management.
Secondly, while organisations generally understand that
technology is a business enabler, they are still failing to
recognise that it is also a risk. The HMRC experience is
instructive because it reflects the approach of many organi-
sations, both public and private sector, who continue to tackle
data security from silos, exclusively at the micro level, rather
than across the entire enterprise, as a management priority.
The Poynter Review, published in June, found ‘‘no visible
management of data security at any level’’ at HMRC and,
indeed, suggested that officials adopted a ‘‘muddle-through
ethos’’ when dealing with customer data. The loss of two
discs, which included the names, addresses and bank details
of every person in the UK who claims child benefit, was not
even reported for three weeks. At the time, Alastair Darling
blamed junior officials for not following procedures, but
Kieran Poynter’s investigation found no evidence of miscon-
duct or criminality by any member of HMRC, instead blaming
the loss on what he called ‘‘serious institutional deficiencies’’.
It is now clear that while numerous policies for handling
data did exist at HMRC, their existence was simply not
communicated to staff. The policies were in any event
described as inadequate, unduly complex and not translated
into guidance or training for junior officials who needed them.
Further, the Poynter Review found that even if adequate
policies and training had been provided, there were no clear
lines of data governance and no clearly assigned data guard-
ians or owners. This meant that HMRC’s entire database of
child benefit claimants could be sent outside the organisation,
by non-secure courier, without any involvement from senior
staff.
Commenting on HMRC’s IT systems, Kieran Poynter
observed that the organisation was heavily crippled by
‘‘fragmentation’’, which was partly a legacy of the merging of
the Inland Revenue and Customs & Excise, and partly the
result of the sheer number and age of IT systems and appli-
cations in use: HMRC operated 650 different systems run from
900 sites, and had over 4500 other software applications of one
sort or another. Some of its systems dated back to the 1970s
and in many cases staff employed archaic media such as
floppy discs to store and transport information. HMRC’s
customer facing operations still operated a predominantly
paper based process, sending out 300 million items of mail
each year.
According to the review, the HMRC data loss was ‘‘entirely
avoidable’’. In the final analysis it was a result of inadequate
organisational and management control.
3. Approaches to data security
One of the key lessons HMRC teaches is that it is not enough to
have data protection and information security ‘‘policies’’ in
place. A policy is worthless unless it is properly communi-
cated to staff and effectively implemented through ongoing
training and awareness. How then should enterprises
approach data security to ensure that risk is managed
appropriately and effectively?
All readers of this article should be able to rattle off the core
elements of the seventh data protection principle. It is crucial
to understand, however, that when assessing the operational
issues within data security management, the seventh prin-
ciple alone does not provide a complete and reliable frame-
work. Indeed, the DPA itself, while important, is not the only
legal framework of relevance. In setting out a framework for
data security management we need to go much further.
3.1. The legal framework for data security management
The broad scope of the framework for data security manage-
ment is neatly illustrated when we consider how the DPA
applies to manual records. As we know, it refers to ‘‘relevant
filing systems’’ which means manual records which tick all of
the boxes in Lord Buxton’s judgment in Durant v. The Financial
Services Authority.23 But what about manual records which fall
outside of this definition? Do such records fall outside the law
altogether or will they be caught by something other than the
DPA? Well, we know that the Human Rights Act will probably
apply if an individual can argue that they have a reasonable
expectation of privacy in the documents, in which case they
will find their protections within the modified law of
confidence.
In fact, we can even go further than this. Data security
management is just as much about employment law, property
law and contract law as it is about data protection law. Data
security management requires a consideration of all these
other legal frameworks, which, in turn, will give rise to
a variety of operational steps necessary to the management of
risk. The operational steps may, for example, require a formal
process of consultation with trades unions and works coun-
cils, they may require consents for building improvements
from commercial landlords, and they may require the
obtaining of indemnities from suppliers of security devices.
3.2. The holistic approach to data security management
The primary reason why organisations are failing to address
data security management successfully is the tendency to
adopt a silo approach. The silo approach is best illustrated as
follows: an IT manager reads about the Information Com-
missioner’s new guidance on laptop encryption. He decides
that the organisation’s laptops should be encrypted. He
identifies a budget within the department and, having done
so, purchases encryption software which is then rolled out
across the company’s laptop inventory. This approach is reactive and may successfully address a specific and short-term weakness. But it is no more than that.

23 [2003] EWCA Civ 1746.
The data protection principles identify a range of quite
specific issues which undoubtedly address the milestones in
the information lifecycle. They do not define a starting point,
however. In reality, when data security management is
viewed from the operational perspective, they define the end
point.
One of the things HMRC demonstrates is that it is neces-
sary to tackle operational data security holistically. A holistic
approach takes as its starting point the information lifecycle
across the entire enterprise and the identification of data
security risks.
4. Identification of security risks
A comprehensive analysis of the information lifecycle should
clearly highlight an enterprise’s risk areas. Organisations
which do this will generally group data risk into four key
areas:
• information risk;
• people risk;
• physical risk; and
• technology risk.
4.1. Information risk
Considerable risk frequently arises from the intrinsic nature
of data itself. Some data are attractive to criminals through
the potential for identity fraud; some may be confidential or
a trade secret and therefore attractive in the context of
industrial espionage. Further, when risk is viewed from an
informational perspective it often becomes clear that the
vulnerability of non-personal data may lead to a secondary
exposure for personal data.
4.2. People risk
People risk comprises a wide spectrum of issues, including the
terms and enforceability of employment contracts, the reli-
ability of staff, training and awareness, controls and
processes. People risk is clearly addressed within the seventh
data protection principle, but it is important to bear in mind
that the DPA focuses only on ‘‘employees’’ and ‘‘processors’’.
The kind of people who may pose a threat to data security
extends much further than these two categories, as consid-
eration of the number of office cleaners who empty the bins
each night will quickly reveal. There are numerous other
categories of non-employee/non-processor people risk which
do not readily fit into the narrow confines of the seventh data
protection principle.
4.3. Physical risk
The seventh data protection principle addresses physical risk
within the phrase ‘‘technical and organisational measures’’.
At one level this means locked rooms and filing cabinets, but it is clear that many organisations have not got to grips with
some of the more high-level issues, particularly where high
value IT equipment is held on office premises. To use a simple
and real life example, in December last year robbers disguised
as police officers convinced security personnel at Verizon’s
data centre in Kings Cross to allow them access to ‘intercept
intruders’, whereupon they stole £1 million worth of
computer equipment.
4.4. Technology risk
Again, the seventh data protection principle refers to tech-
nology and it is fair to say that in the aftermath of HMRC and
the Poynter Review awareness of technology risk is
increasing. However, while organisations are waking up to the
reality of technology risk, many have found it difficult to
identify appropriate solutions, particularly at a commercially
viable cost/benefit ratio.
We can draw all of these categories of risk together with
one more simple example: the now ubiquitous ‘lost laptop’.
These cases are not always about carelessness or recklessness
on the part of the laptop owner. The reality is that to a heroin
addict the value of a laptop is roughly equivalent to a single
‘hit’. In some reported cases laptops have been mugged out of
the owner’s possession.24 The information risk associated
with such an event depends on the nature of what is stored on
the laptop and there are numerous examples of laptops going
missing which contained highly sensitive information about
customers. The people risk in this case revolves around
whether individuals are using laptops correctly, for example
storing only information which they are permitted to store.
The physical risk is similar to the people risk in this example:
are laptop owners taking appropriate precautions to maintain
their laptop’s integrity and security? Finally, the technology
risk derives from how easily information on the laptop may be
accessed without authorisation. Is it password protected and
encrypted? Any organisation can lose a laptop. The question is
not whether this could happen, but whether you have taken
steps to mitigate the risks associated with it if and when it
does.
Operationally, these core categories of risk pose many
challenges. The key point is that effective data security
management draws upon a much greater body of expertise
than data protection compliance. The downstream conse-
quences of data security breaches require a much wider
approach – a holistic approach.
5. The legal and regulatory landscape
The chronology of data security breaches at the beginning of
this article demonstrates the ramping-up of data security as
a political and commercial priority in the wake of HMRC. What
may not be clear from the chronology is how close we are to
getting new laws that will shape the regulatory landscape and,
as a consequence, operational decisions taken in the
workplace.
24 http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=7088.
Two key milestones which were not mentioned in the
chronology are likely to shape the future to a significant
degree. The first is the publication of the House of Commons’
Justice Committee Report, Protection of Private Data.25 The
second is the legislative changes to the DPA dealing with s.55
offences and continuing lobbying for expansion of the Infor-
mation Commissioner’s powers. These point the way to
a fundamentally different legal landscape.
6. Breach notification
Users of the Privacy Rights Clearinghouse26 website will be
familiar with the ‘‘Chronology of Data Breaches’’ which lists
all reported security breaches occurring in the US since 2005.
This very lengthy list has been made possible by the torrent of
breach notification laws passed since 2003, when California
first legislated.
At the moment, EU data protection law does not contain
a specific breach notification provision so it is hard to judge
the scale of the security problem in Europe. However, if the
law were to be amended to include a breach notification
requirement then it would be reasonable to expect a deluge of
reporting. Since HMRC’s data breach last year there has in fact
been a mini US-style notification frenzy, as indicated by the
Information Commissioner in evidence to the House of
Commons Justice Committee in December 2007: ‘‘quite
a number of organisations, both public and private sector,
have come to us saying that they think they have found
a problem, to the extent we have almost said they are coming
on a confessional basis to bring to our attention problems they
have encountered with security inside their own
organisations’’.
This section of the article examines the state of UK data
protection laws on breach notification, highlighting proposals
for change.
6.1. Notification obligation
Although the DPA lacks a specific breach notification provi-
sion, it does contain components that are consistent with the
existence of such an obligation. These components exist
within the DPA’s transparency provisions.
The first transparency provision derives from the require-
ments for registration and notification, the legal framework
for which is contained in ss.16–21 of the DPA and within the
Data Protection (Notification and Notification Fees) Regula-
tions 2000 (SI 2000/188). The obligation within s.16(1)(d), which
requires as part of the registrable particulars a description ‘‘of
the purpose or purposes for which the data are being or are to
be processed’’, could be interpreted to include a breach noti-
fication obligation when read in conjunction with s.20, which
contains the duty to notify changes.
The essence of the argument is that following a security breach, the data controller’s processing operations will change, particularly in the sense of the processing purpose: prior to the security breach the processing purpose will be limited to that specified in accordance with the first and second data protection principles, whereas after a security breach the processing may expand to cover multiple new purposes. An illustration would be where processing was undertaken for the purposes of disciplining an employee whose actions had been causative of the breach.

25 http://www.publications.parliament.uk/pa/cm200708/cmselect/cmjust/154/154.pdf.
26 http://www.privacyrights.org.
27 Proposal for a Directive of the European Parliament and of the Council amending Directives 2002/21/EC on a common regulatory framework for communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and services, and 2002/20/EC on the authorisation of electronic communications networks and services. COM(2007) 697 final, 13 November 2007.
28 ‘Personal Internet Security’, House of Lords Science and Technology Committee, 5th Report of Session 2006–2007, HL Paper 165-I.
29 ‘Protection of Private Data’, House of Commons Justice Committee, First Report of Session 2007–2008, HC 154, 3 January 2008.
A key feature of the registration and notification regime
that is indicative of the existence of a breach notification
obligation is the requirement to provide a general statement
of security measures (see s.18(2)(b)). Section 20(2)(b) makes
this subject to the updating provisions. The argument here is
that in the aftermath of a security breach, new security
measures will be introduced and notifying these might require
an express reference to the breach which gave rise to the new
measures.
The second transparency provision is contained in the fair
processing requirements within the first data protection
principle. These require the data controller to supply the data
subject with information about the processing purposes and
‘‘any further information which is necessary, having regard to
the specific circumstances in which the data are or are to be
processed, to enable processing in respect of the data subject
to be fair’’. The interpretive provisions in Part II of Schedule 1
require this information to be supplied ‘‘before … or as soon as
practicable after’’ the ‘‘relevant time’’. In the aftermath of
a security breach the relevant time will be the point at which
a new processing purpose arises, in which case the fair pro-
cessing requirements will be triggered at that point.
The third transparency provision is subject access. One of
the obligations in s.7 of the DPA relates to the supply of
information about the processing purpose, which brings us
back to the same point made above.
The fourth transparency provision is the information
notice power within s.43. This allows the Information
Commissioner to serve an information notice requiring ‘‘such
information relating to the request [for an assessment under
s.42] or to compliance with the principles as is so specified.’’
In the author’s view, the cumulative effect of these provi-
sions is to open the way for a regulator or judge to hold that
a breach notification obligation does exist within the data
protection regime. Indeed, taken in the context of one of the
core objectives of the DPA, namely the protection of privacy,
and the obligations placed on regulators and judges as public
authorities by the Human Rights Act, it becomes much easier
to see how a judge might hold that a breach notification
obligation already exists within the current legal framework.
Furthermore, there is growing anecdotal evidence that regu-
lators are assuming the existence of a breach notification
obligation, in the sense that the failure to notify a breach may
result in a harsher regulatory response. If this is indeed how
regulators are interpreting the law then we must take it that
they are in effect applying a purposive construction to the
legislation in order to give full effect to the right to privacy.
The Data Protection Directive has been built upon a multi-
faceted transparency framework that is designed to make
processing fair. There is a cogent line of argument that fair-
ness requires post-breach transparency rather than secrecy,
particularly as this could enable data subjects to take steps to
mitigate the consequences. Excluding breach notification
from the framework would represent a major lacuna, which
human rights legislation should not permit.
6.2. Proposals for change
The European Commission has recently addressed the
question of breach notification in the context of the framework for
publicly available electronic communications networks and
services. It has proposed a new Directive, the adoption of
which will see the introduction of breach notification.[27]
Article 13(a) says: "Member States shall ensure that
undertakings providing public communications networks or
publicly available electronic communications services notify
the national regulatory authority of any breach of security or
integrity that had a significant impact on the operation of
networks or services."
The Information Commissioner has been calling for the
introduction of formal rules for quite some time. In his written
evidence to the Home Affairs Committee inquiry into
A Surveillance Society? the Commissioner said: "Allied to the
call for a penalty to be introduced for breaches of the data
protection principles, the Commissioner believes that
consideration should be given to security breach notification
obligations in the UK. These are used in other jurisdictions
and involve the organisation which is the subject of a breach
being obliged to tell those individuals affected by it such as
those whose personal information is involved, as well as, in
some cases, the regulator."
The House of Lords Science and Technology Committee
has also called for the introduction of a breach notification
law,[28] saying: "We recommend that the Government, without
waiting for action at European Commission level, accept the
principle of such a law, and begin consultation on its scope as
a matter of urgency." The House of Commons Justice
Committee has also called for the introduction of formal
rules.[29]
At the moment the picture on breach notification remains
unclear. HMRC may have brought the issue to the front of
Ministers’ minds but the only formal government comment
that we have pre-dates HMRC, being a response to the
proposal of the House of Lords Science and Technology
Committee, and is dismissive of the calls for new legislation:
"The Government provided evidence to the Committee that
recognised that the move towards breach notification laws in
other jurisdictions was an interesting development. We are,
however, clearly not so convinced as the Committee that this
would immediately lead to an improvement in performance
by business in regard to protecting personal information and
we do not see that it would have any significant impact on
other elements of personal internet safety. The experience in
the United States has yet to be fully analysed but there is
a strong body of opinion that doubts whether there have been
significant differences to corporate behaviour and may, in
fact, have desensitised consumers to security issues and
undermined confidence in the internet as a business
medium."
In an uncertain regulatory environment, organisations
need to establish their positions on the reporting of security
breaches, and strategies need to be both defensive and
defensible. Currently, the prudent course may be to report any
breach by default, subject to analysis of the facts in the case of
a breach actually occurring.
7. Privacy enhancing technologies
Privacy Enhancing Technologies, or PETs, is a phrase known to
many data protection practitioners, although their meaning,
scope and effect, and their role within data protection
compliance (and particularly security), are still somewhat
mysterious. What is important is that lawmakers and opinion
formers are formally embracing PETs and encouraging their
development and adoption by technology companies, data
controllers and consumers.
One of the clearest statements about PETs is provided by
the European Commission, within Com(2007) 228, published
in May 2007. This Communication, titled On Promoting Data
Protection by Privacy Enhancing Technologies, represents
a central commitment to PETs within the data protection
framework at European level and could represent the first
step towards formal legislation. Our own Information
Commissioner has also been promoting PETs within
guidance issued in 2006 and 2007. Another strong advocate of
PETs is the Dutch Ministry of the Interior, which published
a PETs ‘Whitebook’ in 2004.
8. PETs and their role in compliance
A consensus on the meaning of PETs has yet to be reached, but
a working definition used by the writer is that a PET is any
technology that can facilitate compliance with the data
protection principles. Thus, there can be PETs for pure
security, PETs for adequacy, PETs for data transfers and PETs for
data retention. By reference to this formulation, an
application that permits comprehensive search and retrieval of
electronic files has as much a right to be called a PET as
encryption technology, particularly when viewed from the
perspective of the right of access to data enjoyed by data
subjects. Similarly, access control technologies, perimeter
security technologies and intelligent data storage
technologies can reasonably be called PETs.
We should also, of course, take careful note of the
definitions adopted by the European Commission, the Information
Commissioner and the Dutch Ministry, which are,
respectively:
8.1. Com(2007) 228
"There are a number of definitions of PETs used by the
academic community and by pilot projects on this matter. For
instance, according to the EC-funded PISA project, PET stands
for a coherent system of ICT measures that protects privacy by
eliminating or reducing personal data or by preventing
unnecessary and/or undesired processing of personal data, all
without losing the functionality of the information system.
The use of PETs can help to design information and
communication systems and services in a way that minimises the
collection and use of personal data and facilitates compliance
with data protection rules. The Commission in its First Report
on the implementation of the Data Protection Directive
considers that 'the use of appropriate technological measures is an
essential complement to legal means and should be an integral part
in any efforts to achieve a sufficient level of privacy protection.'
The use of PETs should result in making breaches of certain
data protection rules more difficult and/or helping to detect
them."
8.2. Information Commissioner’s guidance note (2007)
The Information Commissioner considers that privacy
enhancing technologies are not limited to tools that provide
a degree of anonymity for individuals but they are also any
technology that exists to protect or enhance an individual’s
privacy, including facilitating individuals’ access to their
rights under the Data Protection Act 1998.
8.3. Dutch Whitebook (2004)
Privacy Enhancing Technologies (PET) is a collection of
information and communication technologies that strengthens the
protection of individuals’ private lives in an information
system by preventing unnecessary or unlawful processing of
personal data or by offering tools and controls to enhance the
individual’s control over his/her personal data.
It is very easy to tie PETs to Article 17 of the Data Protection
Directive and the seventh data protection principle,
particularly in light of recent security breach cases. For example, at
the end of 2007, the Information Commissioner published
a new enforcement strategy for unencrypted laptops, titled
Our approach to encryption, which is the adoption of a PETs
strategy for data security in all but name. By way of reminder,
the Commissioner's new strategy says: "There have been
a number of reports recently of laptop computers, containing
personal information which have been stolen from vehicles,
dwellings or left in inappropriate places without being
protected adequately. The Information Commissioner has
formed the view that in future, where such losses occur and
where encryption software has not been used to protect the
data, enforcement action will be pursued. The ICO
recommends that portable and mobile devices including magnetic
media, used to store and transmit personal information, the
loss of which could cause damage or distress to individuals,
should be protected using approved encryption software
which is designed to guard against the compromise of
information." Note the use of the word "will" in the
penultimate sentence. This marks a distinct hardening of the
Commissioner's approach to the technology risk associated
with mobile IT.
9. PETs within the emerging legal landscape
The importance of the PETs agenda becomes much clearer
when viewed in the context of the emerging legal landscape
for data security. In December 2007, in reaction to HMRC, the
Information Commissioner published his case for the
amendment of the DPA. His report outlined a shopping list of
new powers and penalties which, if implemented, will elevate
the UK to the top table of data protection enforcement.
Perhaps the most interesting proposal was the call for the
criminalisation of breaches of the data protection principles.
In the event, the Criminal Justice and Immigration Act 2008[30]
amends s.55 of the DPA to give the Commissioner power to
impose fines for serious breaches of the data protection
principles where the data controller failed to take reasonable
steps to prevent the contravention. Further, the Secretary of
State is given power[31] to impose custodial sentences for s.55
offences.
As far as data security is concerned, the statutory defence
of ‘‘reasonable steps’’ could well be satisfied through the use
of PETs.
10. How will the PETs market develop?
Until now, the PETs landscape has been dominated by
small IT companies and groups of academics. While there is
no doubt that they have done an incredible job in raising
the profile of PETs (to the extent that they are now taken
seriously at European Commission and national
regulatory level), there is a growing appreciation that PETs will not
become mainstream until they are supported and adopted
by the big IT companies, which to a large extent means the
US IT companies. Fortunately, these companies are starting
to engage on PETs and important dialogues are opening. IT
companies that have recently expressed interest in the PETs
agenda include the likes of EMC, RSA, Symantec, Hitachi
Data Systems, IBM and Microsoft. The big consulting firms
and systems integrators are also now expressing their
interest. The first tangible outcome of these new
developments was a PETs conference in London hosted by RSA, at
which Philippe Renaudiere (European Commission) and
Jonathan Bamford (Office of the Information Commissioner)
shared a platform with RSA's head within EMEA, Richard
Turner. The importance of this event should not be
underestimated: it represented the start of a new form of
engagement between the power players identified by the
Commission in its Communication.
[30] Section 144, Criminal Justice and Immigration Act 2008. [31] Section 77, Criminal Justice and Immigration Act 2008.
In light of the growing interest in PETs it is inevitable that
a sustainable market for PETs will be created. Of course, data
security scares will fuel the market, but the future for PETs
does not rest on there being enhanced interest in just one
component of data protection. As already indicated, PETs
serve a much bigger purpose.
11. Reflections and looking forward
The litany of data security breaches in the last 18 months has
raised data security to a level of significance hitherto unseen.
It is nevertheless clear that organisations across the public
and private sectors are still failing to heed the lessons of
HMRC: namely, that data security must be addressed at an
organisation-wide level and with the backing of senior
management. Data security management can only truly be
addressed using a holistic approach, starting with an
assessment of the risks which flow from the information lifecycle.
Data protection, whilst important, represents the end point of
this assessment.
The reaction of government and regulators to the new
world of data security has been twofold: first, to legislate and
to explore ways of legislating further, and secondly, to harden
their approach to enforcement. Organisations everywhere
should be prioritising data security management in the light
of this harsher environment.
Looking ahead, there are a number of developments
underway. One of the most interesting is the emergence of
privacy enhancing technologies which are set to become
foundation stones in the construction of data security
management programmes.
Marcus Turle ([email protected]) is a member of the
Professional Board of CLSR and a Partner in the Technology Law Group at
Field Fisher Waterhouse LLP. He is a founder member of FFW’s
Privacy and Information Law Group. He is also editor of
Data Protection Laws of the World and a visiting lecturer on the
Northumbria University Information Rights LLM.