About Us  |  Search  | FAQ  | Contact Us
Data protection
Risk Management
Human Resources
Smarts Cards
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
BPM & Workflow
Capital Markets
Global Custody

Page last updated
February 16, 2003

ISSN No:1470-5494 All rights reserved. No part or portion of this publication may be reproduced or transmitted in any form without the express, prior and written permission of the publisher. Whilst every effort has been made to ensure accuracy, the publisher accepts no responsibility for any person acting as a result of the content herein.



Data protection Bosses unaware or are they studiously avoiding the issue?


The USA and Europe were facing a global trade war over the new Data Protection measures during 1999. No privacy - no trade we said ... and for the Americans, who have very loose privacy laws, there's was a risk of losing billions of dollars worth of business.

The new European Directive obliged every country to conform to a set of common standards and an ultimatum was issued to Washington. Firms exporting personal data had to protect privacy. But instead of the US tightening up - and UK bosses seem to be trying to ignore the issue ... Julie McCreadie suggests that ignorance will not always be bliss.

In early 1999 Elizabeth France, now Data Protection Commissioner, issued a warning against the introduction of 'look-up' services in the UK. These services, already well established in the USA, bring together extensive collections of personal data about ordinary citizens and make them available to anyone on the payment of a fee.

One way they can be developed is through routinely scanning newspapers to extract information and create, at least a partial, register of criminal convictions outside official control.

"We must take care to ensure that 'look up' type services do not develop in the UK unless they comply fully with the new Data Protection laws."She also warned our trading partners that personal data must be protected or there will be no trade.

The new Data Protection Bill received Royal Assent in 1988 and became official law in March this year.But what has been the reaction...?
Over half of Britain's directors (55%) are unaware, or are not admitting to, the impact of the 1998 Data Protection Act on their business. Also 52% claim to be unaware that the Act came into force officially in March 2000.

These disturbing findings emerged from research by The Stationery Office (TSO), which has been responsible for publishing UK legislation and standards for 200 years. The research was carried to find out the level of UK company directors' awareness of the Information Security Compliance (iSC) Standard and the Continuous Compliance Programme (CCP).

In addition to data protection, the independent iSC Standard covers UK laws on software copyright, computer misuse and the Companies Act. The programme enables all UK organisations to manage their IT legally and securely.

The Continuous Compliance Programme, encompassing the iSC Standard, is the first comprehensive programme for legal IT management. It provides a set of legal risk management procedures - health check, financial and business risk assessment, project plan, compliance resolution and independent certification and offers clear value for money, balanced against the penalties for non-compliance and the risks to the business.

The CCP ensures that subscribers comply with the iSC Standard, by re-certifying annually.

TSO's confidential research amongst directors of companies with over 100 employee, also revealed that 45% of companies questioned had not nominated a Data Protection Officer; 27% had no-one who specifically dealt with IT legal compliance issues - one of the key aspects of the 1998 Data Protection Act - and only 3% planned to have someone in the near future.

When the iSC Standard and the CCP were explained to them, 79% of the sample said they believed both would be important to their business. Some 64% also said they were likely to plan a consultation about the CCP in the next 12 months ... the actual uptake is yet to be published

IT compliance - The knowledge gap
A previous Stationery Office research survey revealed that UK directors' knowledge of IT legal compliance is very limited, and one in five of Britain's bosses believe their staff are breaking the law on IT .

TSO's survey also showed:

n Over one third of directors polled admitted not auditing their company's IT to check legalities blaming lack of guidance from governing bodies, constant changes in legislation and the rapid pace of developments in IT.

n Computer viruses are of major concern to three quarters of directors. Over half are also concerned about data loss, and one third about data protection in terms of both potential legal and financial hazards for any business.

n 96% of those polled had access to e-mail or the internet, but 19% had no clear policy for using either of these essential business tools.

IT auditing and the law
Seventy percent of directors said they had carried out IT audits. But a surprising 78% believed their staff were operating within the law, having admitted having had no relevant IT audit!

Those interviewed who admitted not auditing their company's legal position on IT (18%) blamed constant changes in legislation.

Two other surprising and possibly costly findings were that 48% of the directors surveyed did not have a policy in place which complied with the Companies Act, despite being personally liable for the consequences of legal breaches. And on one in three companies had no internal policy regarding the Computer Misuse Act

The iSC Standard is continually updated to comply with latest legislation, addressing one of the main reasons given by directors for non-compliance.

Public concern over personal data processing
Companies and individuals are concerned about their private data. The Data Protection Commissioner and the National Consumer Council are working on a joint initiative to improve public awareness of data protection issues relating to the collection and processing of individuals' personal data

Central to the campaign is a new graphic signpost called the 'Information Padlock', unveiled to the general public by GMTV's Fiona Philips at London's Data 2000 conference.

The signpost has been devised for use by organisations requesting personal information and must only be used in conjunction with an explanation of why the information is being requested and for what purpose(s) it will be used.

At the conference Elizabeth France, the Data Protection Commissioner said, "This is another important step towards ensuring people and companies have the information they need about how their personal information is being processed by both the private and public sector."

The move is in line with the new Data Protection laws, introducing tighter controls over the use of individuals' records, requiring organisations to be more open about the intended use of information, following the 'eight principles of good information handling'.

Mrs France continued, "Responsibility for good information handling lies with the Data Controllers and the introduction of this signpost device is to make it easier for them to be open at the point of data collection. In turn, this will help individuals to see, at a glance, that their information is to be processed and for what purpose.

"With the benefit of this knowledge, they can go on to make choices about what information to provide and take steps to prevent any mishandling of it."

All organisations whose activities involve the collection of personal data are being asked to use the new signpost at any point where information is requested - this includes application forms, advertising coupons, websites etc.

Marlene Winfield of the National Consumer Council said "We are delighted to be working with the Data Protection Commissioner to introduce this important measure to help give consumers greater control over how their information is used.

"People giving personal information should look for and expect to see the Information Padlock. We hope it will quickly become established as the symbol of organisations with an open and fair approach to data handling. When it's not there, consumers should demand to know why."

Do people really care?
Results of a survey commissioned by The Data Protection Commissioner in revealed that the British public places great importance on their personal privacy

n 73% state that personal privacy isvery important.

n 77% are concerned about the amount of information held (year on year +11%).

n 72% are concerned about the lack of openness from organisations on the information they process.

So what's The size of the problem ... and what is a database?
Each year, it is estimated that in excess of $100 billion changes hands for the use of commercial electronic databases. They constitute the second largest area of the information technology sales market, and form the sixth largest part of the information industry. And we haven't even touched on non-electronic databases!

In today's environment of client server networks, wide area networks, corporate intranets and extranets, databases are becoming widely accessible to a growing number of users.

The concern for those who create, manage and update databases is to protect their investment in producing and marketing their databases through the use of intellectual property rights.

On the other hand, database users want to be able to access database information, while being confident that they are not infringing any third party rights when they use databases.

So what is a database?
We have everyday examples of databases such as the Yellow Pages, employment records, client or customer lists, research results, Encarta, card index, or a collection of short plays. Databases can be in both electronic and non-electronic form, utilising publicly available information such as names and telephone numbers, or using highly researched and commercially valuable information.

What changes in how we treat databases?
The Database Regulation has changed the nature of copyright protection for databases and introduced a new right called the 'database right'. This is an entirely new intellectual property right which lasts for 15 years in addition to the existing copyright protection.

The Database Regulation has not changed the application of copyright law to the contents of a database. Separate copyright will still subsist in the individual items of data making up the database. For example, each of the plays in the collection of short plays is protected by copyright itself, and each of the items of information used in the Encarta encyclopaedia cannot be used without the consent of the copyright owner.

Were databases protected before?
The principle of copyright protection in the UK was established many years ago in cases, involving amongst other things, railway timetables. It is based on the notion that the production of such works, often involving many hours of painstaking labour, deserved protection.

Under English law, copyright protection extends to databases as original literary works and not copied from an existing work, and the author has expended some effort in compiling the work. The contents may be entirely commonplace, and not subject to copyright in themselves (eg. telephone numbers, share prices etc) , but if the compilation required much effort, or 'sweat of the brow' to put it together it qualifies for copyright protection.

This is a very low standard of originality, and one not shared by many other jurisdictions, particularly Europe. Finally, UK copyright protection extends for the life of the author plus 70 years, which is a considerable amount of protection for a work which requires no creativity.

Elsewhere in the world, databases have been protected under copyright law if they are works of 'intellectual creativity'; a difficult criterion for databases to meet so most databases do not quality for copyright protection. This is in contrast to UK databases, which have enjoyed protection.

The purpose of the EC Directive on the legal protection of databases is to harmonise the copyright regime in the EU, and introduce a new, lesser right, the database right, which gives databases protection without extending to databases the full term of copyright protection.

While this is good news for most European countries, it has brought a mixed response in the UK where we already provide very generous protection for databases.

What is not covered?
There is some debate over the status of computer generated databases. A computer generated database, such as an Internet search engine and other computer-generated listings fail the new test of 'intellectual creativity'.

Computer generated works currently enjoy copyright protection under the provision of the CDPA 1988, but they appear to lose that protection under the Database Regulations.

Who owns the database?
The owner invests in obtaining, verifying or presenting the contents of a database.

Where a database is made by an employee in the course of his employment, his employer is the maker of the database, subject to any agreement to the contrary.

Further information
Posters and a leaflet explaining how the Information Padlock should be used are available from the Office of the Data Protection Commissioner and electronic copies of the signpost and leaflet can be downloaded from the website at: www.dataprotection.gov.uk

Information on the iSC Standard on its dedicated website at

Details on the Technology means Business initiative on

Written and compiled by Julie McCreadie, a journalist and publisher for over 20 years. Now also advises companies on IT, new media and changes in the law - particularly regarding publishing, copyright and intellectual property. She is involved in the Technology means Business programme, managed by the Institute of Management and supported by the DTi to promote UK competition with better use of information and communications technology (ICT).

Julie McCreadie





Licence to live
Tackling stress
Truth is Spoken
IT Intergration
Data protection
Islamic Banking
Belgium - Euronext?
Office ailments
Spectrum healing
Colour Therapy
Forget 9/11
Securities Brokers
Bentley Motors




Home  |  About Us  |  Search  | FAQ  | Contact Us