Information Management in FSS: A Legal Perspective Paul Hinton Ian Mason Barlow Lyde & Gilbert LLP 17 September 2009
Information Management
- Information is a key asset of every business
- Technology has revolutionised our ability to access, create, store, search and communicate information
- Information Management is in its infancy and lagging behind technological development
- "The stone age was marked by man's clever use of crude tools; the information age, to date, has been marked by man's crude use of clever tools"
Storing up trouble… (chart of growing data volumes; axis values not recoverable)
Inside of an IT storage system
Why is this a problem?
"The acquisition of, and failure to discard, possessions that are useless or of limited value, due to a fear of losing things perceived to be important" = "PATHOLOGICAL HOARDING DISORDER"
Law and Information Management
- IPRs
- DPA
- Others, e.g. DDA, confidence etc.
Data Protection Act
- Data Protection Act 1998
- Implements an EC Directive – EEA-wide application
- Policed in the UK by the ICO
- Protects 'personal data' – mainly electronic (but also paper in some cases)
- 'Data controllers' must 'process' in accordance with the DPA
- 'Data subjects' get a number of rights under the DPA
- Establishes "Principles" to abide by
The Data Protection Principles (the eight principles in Schedule 1 of the Act, in order)
1. Fairly and lawfully processed
2. Obtained and processed only for specified purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the rights of data subjects under the Act
7. Appropriate technical and organisational measures against unauthorised or unlawful processing and against loss, destruction or damage
8. Not transferred outside the EEA unless adequate protection is ensured
Consequences of breaching the DPA
- Reputational damage
- Fines
- Criminal offences
- ICO increasing policing and enforcement and taking a harder line
5 Key Legal Impacts
1. Security/confidentiality obligations
2. What information can/must be stored
3. Exploitation of information
4. Who has a right to access information
5. Dealing with 3rd parties
1. Security/Confidentiality
- Common law confidentiality
- Contractual – agreed standards
- Data Protection Act – Principle 7: adequate technical and organisational (= security) measures, which must be kept up to date as technology changes
- Applicable IT standards, e.g. BS
- Practical measures and security standards
2. What Can/Must Be Stored
- 800+ specified retention periods fixed by statute/common law, e.g.:
  - VAT records: 6 years
  - Contractual claims: 6 years (12 years if a deed)
- Data Protection Act:
  - Processing fairly and lawfully
  - Adequate and not excessive
  - Accurate and up to date
  - Not kept for longer than necessary
- IPRs
3. Exploitation of Information
- Copyright
  - Arises automatically in original works
  - Lasts for a set number of years
  - Generally owned by the creator (or the employer, where the work is created in the course of employment)
- Database rights
  - Arise where there has been a "substantial investment" in obtaining, verifying or presenting the contents of the database
  - Owned by the maker
- Data Protection – processing must be "fair and lawful"
4. Who has a right to access?
- Confidentiality – who can it be given to?
- DPA:
  - Fairly and lawfully processed
  - EEA (transfer restrictions)
  - Subject Access Request
- Litigation – duty to provide, even if detrimental
- Regulatory investigation
5. Dealings with 3rd Parties
- See 1. to 4. above: security, storage, exploitation, access
- DPA issues need to be dealt with explicitly in contracts
- Liability/indemnity/insurance
- Right to audit/access and to have information returned
- Information management policies
FSA DOCUMENT RETENTION OBLIGATIONS
- Firms are required to take reasonable care to make and retain adequate records of matters and dealings which are the subject of requirements and standards under the regulatory system
- No prescribed time period – records "should be retained for as long as is relevant for the purposes they were made"
- No prescribed format, but records must be capable of being reproduced on paper
- Destruction of documents during an investigation is not a good idea!
- FSA Principle 3 – "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems"
FSA INFORMATION GATHERING AND INVESTIGATION POWERS
- Very broad powers to obtain documents and interview witnesses
- The FSA must use its powers proportionately
- The FSA Enforcement Division has a specialised computer forensic team
- Importance of co-operation – FSA Principle 11, relations with regulators
- Legal privilege may be maintained
- Use the FSA scoping visit to discuss the approach to disclosure of documents
FSA'S INCREASING EMPHASIS ON INFORMATION SECURITY
- HSBC companies fined over £3 million for inadequate systems and controls to protect customers' confidential data
- Nationwide Building Society fined £980,000 for information security lapses
- Norwich Union fined £1.26m for security breaches
Top Tips
- Have you undertaken a documented data security risk assessment?
- Have all points/red flags arising from the risk assessment, internal audit etc. been addressed?
- How accessible are procedures and guidance?
- Does staff practice in reality reflect these procedures?
- Is training adequate?
Information is your greatest asset, but also your biggest risk...
- Not just the Data Protection Act 1998
- There is no "magic bullet" solution
- A multi-faceted approach is needed:
  - Contractual and legal protections
  - IT security and solutions
  - Practical policies and procedures
Policies
Make it an employee issue, not a corporate problem:
- Written documents that explain practical day-to-day procedures and rules for use of the data (including communications, storage, passwords, access, home working etc.)
- Provided to all employees, who have to sign and comply with them (part of the employment/outsourcing contract)
- Will reduce the real risk of a leak occurring
- Will increase the chances of compliance with law and regulation
- Will reduce liability
- Will significantly limit PR damage if a leak does occur
Spot the difference if lost… (images A and B)
Questions?