By Kenneth Muhangi Esq.
LLB(HONS) UCU LLM(WALES)
Dip.Lp(LDC)
Defining “computer security” or data security is not as trivial as it makes its self out to be. The difficulty is enshrined in developing a broad definition that encompasses all the areas of data security, which cuts across what data, is and whether it can actually be secured in either a physical way or a “technological” way. Physical data security may require restricted access to rooms where computers are held and using data encryption to transfer or transport data safely. In a generic sense, security is “freedom from risk or danger.” In the context of computer science, security is the prevention of, or protection against,
- access to information by unauthorized recipients, and
- intentional but unauthorized destruction or alteration of that information
Data is defined as information which is being processed by means of equipment operating automatically in response to instructions given for that purpose[1]. Hence, data security involves various measures to ensure data is stored in a safe, non evasive way. The nature of online retail businesses requires it to collect and keep customer data. So, while companies themselves through due diligence might take steps to control and secure this data, legislation has also been enacted in countries like the UK to try and ensure data is handled properly. However, this has not been the case in Uganda notwithstanding the nature of information technology which is dynamic and constantly changing[2].
In Europe, the first steps taken towards regulating data protection were taken through the council of Europe convention 1981[3]. This opened the floodgates to countries specifically within the European Union to enact specific laws to address the issues of data security. In 1995, the UK, thus eventually adopted directive 95/46/EEC[4]. This directive, required through article three, for all member states to protect the fundamental rights and freedoms of natural persons and in particular the right to privacy with respect to the processing of personal data. The gist of this article was to compel member states, to enact or supplement on already existing legislation recognizing the right to privacy in regard to personal data. In the UK for example, although the Data protection act, 1984, was existent, it had failed to address new issues that had evolved and as such needed to be strengthened. It had been designed, to control the storage and use of data in a computer. The road leading to the 1984 Act was paved with Parliamentary Bills, Reports and White Papers concerning privacy and data protection.[5] It finally came into force on 11 November 1987.[6]
Uganda is yet to enact a data protection law. Once enacted, it will most likely mirror the UK Data Protection Act 1998[7] which implements Directive 95/46/EC[8].The act[9]. However, Legislators must be wary of the ambiguities which have placed the act under scrutiny.
One such ambiguity is in the definition of the term “personal data”. The act defines it as data:-
“Which relate to a living individual who can be identified–
(a) From those data, or
(b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Firstly, the effect of this seems to be that data security/protection only deals with the “living”. Also, it seems to indicate that as long as data relates to a person then that data is subject to the law. So, even if a data base contains only a number identifying someone, (like a national insurance number) then that is classified as personal data.
Another aspect is the term “data controller”. The Act states:-
“Data controller’ means . . . a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In the case of DURANT V FINANCIAL SERVICES AUTHORITY[10]the discussion revolved around what constituted “personal data” and who a “data controller was”. It was concluded that data will relate to an individual if it is information that affects a person’s privacy, whether in his personal or family life, business or professional capacity.
What is the Data Protection Act 1998 ?
The Data Protection act 1998 revolves around eight principles concerning data protection and these are the gist of this act. They propose that data should be collected in a lawful and fair manner; it should be adequate, and not excessive, accurate, shouldn’t be kept longer than necessary, should be secure and shouldn’t be transferred outside the EU.
A number of cases have come up concerning the principles like in Rhondda BC v Data Protection Registrar[11], where the Tribunal upheld the Registrar’s interpretation of the fourth Principle (third Principle under the 1998 Act) and confirmed the enforcement notice issued against the officers in charge of collecting information.
However, when it comes to data security, the seventh principle will be our main area of interest. It states that all personal data shall have appropriate security measures in place. However, the DPA 1998 falls short in defining what “appropriate” measures are. It is not disputed that a data controller should be always vigilant, and ensuring data is secure to the best of his ability. Also, it seems like the DPA 1998, places a lot of obligation on the data controller. In fact, in 1998, the European Commission forwarded a paper[12] on the implementation of Platform for Privacy Preferences (P3P) that tried to reduce this liability by proposing that data protection be between the internet user whose data is being collected and the data controller. If this were implemented it would reduce the influx of cases involving security breaches reported daily. In November 2007 for example, two CD-ROMs containing 25 million records of child benefit recipients, including names, addresses and bank details, were lost by Her Majesty’s Revenue and Customs (HMRC) when sent by courier.
In December 2007, sensitive data, including religious beliefs and sexual orientation, relating to junior doctors were accessible to anyone accessing a website of the Department of Health. In the same month, the Driving Agency’s US contractor lost a computer hard drive containing contact details of three million candidates for the driving theory test. In January 2008, the Ministry of Defense lost a computer containing 600,000 staff records[13].The information commissioner’s office, which has the mandate to handle data security, claims in the UK, has fined companies in the hundreds. In march2007 alone, 11 banks were fined for security breaches[14]. Data controllers have had sleepless nights over the seventh principle and how to come up with appropriate security systems.
Over the years, more and more ways are introduced to handle data security. And because change is inevitable, as a business grows, the risks also grow. The law, time and memorial has always held the employer vicariously liable for the acts of his employees. And, most often than none, it is the employees/contractors of a company that lose data even when state of the art security systems are in place.
The interpretative provisions set out in the data protection act 1998, Schedule 1, Pt II specify that where processing of personal data is carried out by a data processor on behalf of a data controller, compliance with the Seventh Principle requires the data controller to:
- choose an organization that offers guarantees about the security of the processing it is undertaking on the organization’s behalf;
- put in place a written contract setting out the requirement for appropriate technical and organizational security measures and restricting processing to carrying out the data controller’s instructions; and
- Take reasonable steps to ensure compliance with the security measures.
Hence, the data controller must take reasonable steps to ensure the reliability of any employees with access to personal data.
Cloud computing is another area that is affecting the application of principle 7. It has no specific definition but it can be defined as the process of storing, accessing and sharing company data and processes remotely on the Internet.
Most cloud services are offered on a shared server basis, that is, the IT resources on a given server are shared between multiple organizations. Some companies are going down the route of signing up for non-shared cloud services that are offered on a secure basis by the likes of IBM and Unisys.[15]
The promise of cloud computing even with its short comings is slowly being embraced not only in Uganda and the United Kingdom but worldwide, for example, the United States Of America Air Force has adopted a new project to design and demonstrate a mission oriented private cloud environment.
Cloud computing is also being used to combat malaria in Tanzania where by a cloud collaboration service is used to apply smart technologies including mobile phones and text messaging. In Canada, the McGill University Health Centre is implementing a private storage cloud to securely house patient Data. Over 800,000 patient cases at multiple sites are then provided to clinics around the clock, providing a strategic and single view of data, including clinical images[16]. But, cloud computing raises various concerns like where the data collected is stored and who can access that data. Directive 95/46/EEC in article 18 (1)[17] talks about cloud computing and states that if data is to be transmitted over a network,
“The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.”
But, it would be rather difficult to control data that is in a network like the ones above. Especially, if it goes to a “third country” as provided for in Article 25 of the Directive[18]. However, it is imperative to note that although this area is relatively new, the current law needs to be reviewed to specifically define what cloud computing is and how it can managed.
Data security, in its entirety is one that many find to enforce. The problems with it lie in various factors. One of them is ignorance. Most companies fail to sensitize their employees about Data Protection laws and how to be vigilant .they view it as costly to introduce training workshops yet these would have saved them thousand s of pounds in the end. Sadly, ignorance of the law is not a defense and thus breaches by ignorant employees find the employers in breach of laws governing data security.
Poor password management is another problem. Weak passwords, shared passwords and unchanged passwords still plague most businesses. With current password cracking software able to decipher 10 alpha-numeric character passwords in a matter of minutes, poor password management practices can lead to a system being compromised in a matter of seconds. Account sharing is another problem as it makes a database an easy target for unauthorized access. Also, data access restriction is not looked at as well as it should. The more people with access to personal data, the more likely there will be for a security breach. Laptops and PDA’S like and the more recent introduction of the I Pad, encourage employees to take work home or to work from anywhere. But, these can be easily lost or stolen and with them personal data can be lost at the expense of an organization[19].
The biggest challenge in data security comes down to interpretation. Principal seven of The Data Protection Act 1998, as already shown concerns data security. But, the problem manifests in the interpretation of what “appropriate “means. The act does not help show what would be appropriate and what would not fit that criterion. But, over the years, various practices have been developed and these can be considered to be appropriate when it comes to data security. I recommend Hayes international adopt some security measures like,
Firstly, only essential data should be collected. Principle three of the DPA 1998, in fact provides that personal data should be adequate and not excessive. The effect of this principle is that a company collects data that is manageable. In turn, this would minimize the risk involved with personal data.
Data should also not be retained for longer than necessary. Principle five of the DPA 1998 makes it mandatory for data not to be kept longer than necessary. Data controllers should not collect data with the hope that it may be useful one day. Hence, a data retention policy should be enacted within the organization to ensure data is not kept for long because the longer data is kept the more prone it is to security breaches.
Employees should also be well screened before they are hired. Those hired should be sensitized about data security and a policy enacted in that respect detailing what data security is and how it can be enforced and the repercussions for its breach. Care should also be taken when outsourcing. Firms should be properly vetted and appraised.
Data should be backed up regularly, and passwords changed as often as possible. It would be prudent, to review any security measures as often as possible. These measures can be in the form of anti viruses, malware, spyware, firewalls among others. And, in the event of a security breach, containing the breach should be the first priority. And in compliance with the breach notification law, all breaches should be reported in order to minimize losses.
The organization should also regularly monitor the Information Commissioner’s website[20] for guidance and watch for relevant codes of practice for data protection in relevant forms of business or other activity published, for example, by trade associations.
In conclusion, there is still much to explore before a conclusive data protection law can be enacted in Uganda. There is need for review particularly when it comes to the understanding of what personal data is and areas that have been introduced like cloud computing.
Outsourcing which is a new phenomenon in Uganda has also not been given its due recognition under the law. There is need for policies/ directives that outline what appropriate measures are and how they can be enforced.
In more developed jurisdictions, a lot of pressure is put on organizations to do all they can to ensure data security and even when all possible care has been taken and a breach occurs, they are punished severely. In the UK for instance, there was a public outcry in 2007 when Richard Thomas, the Information Commissioner, to the Justice Committee of the House of Commons suggested that breaches to the eight data protection principles be criminalized[21].
Such radical changes to the law would not help. Rather, a more proactive approach should be introduced where the law is implemented bearing in mind that it works better in practice, giving individuals an improved set of rights and protections whilst providing greater clarity and reducing unwarranted burdens for data controllers.
END NOTES.
[1] Data Protection Act 1998, Interpretation section
[2]This was observed in the Poynter report, 2007,where Poynter was quoted,” the speed with which IT has developed in recent years makes it imperative that security policies are regularly reviewed to ensure that they deal with all the types of IT processes undertaken within the organization.”
[3]convention 108 for the protection of individuals with regard to the automatic processing of tracts
[4] OJ L 281, 23.11.1995, p.31
[5]The Lindop Report Report of the Committee on Data Protection, Cmnd 7341, HMSO, 1978, was one of the key papers that influenced the need for a change.
[6]Bainbridge, David. Introduction to Computer Law, 2004, at 431.
[7]The Data Protection Act 1998,Came into force on 1st March 2000
[8] Ibid 4
[9] Ibid 8
[10]Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division) decision of Lord Justices Auld, Mummery and Buxton dated 8thDecember 2003.
[11](Unreported) 11 October 1991.
[12]Working Party on the protection of individuals with regard to the processing of personal data, European Commission, XV D/5032/98
[13]Journal of the European lawyer 2008.
[14] http://www.ico.gov.uk
[15]Tolley’s Practical Audit &Accounting The Monthly Key To Practical Audit And Accounting Solutions 21 PAA 1, 11 October 2009.
[16]The Economist. Is Cloud Computing secure computing ?, April 23rd-29th 2011, page 26
[17] Ibid 4
[18] Ibid 4
[19] Richard Hollis , Data security Part 1 — five factors leading to data compromise .Privacy and Data Protection Volume 10 Issue 2,2009
[20]www.dataprotection.gov.uk
[21]Article in The Sunday times, December 7 2007
BIBLIOGRAPHY
TEXTBOOKS
- Bainbridge, David. Introduction to Computer Law, 5th Edition, Pearson Education, UK, 2004.
- Dickie, John. Internet and Electronic Commerce Law in the European Union, Hart Publishing, 1999.
ARTICLES
- Adam, Bosnian. ‘Cloud Computing’, Tolley’s practical Audit & Accounting ( 1st October ,2009)
- Mark, Turner & Nick Pantlin. ‘Financial services in the cloud’, Journal of International Banking & Financial Law Volume 26/Issue 2, February 2011.
- Encyclopedia of Forms and Precedents, ‘Data Protection and Freedom of Information Volume’ 12(2)
- Stewart, Room. ‘The changing face of data security law’, Journal of Privacy and Data Protection, Volume 8, Issue 7, August, 2008.
- Halsbury’s Laws of England, ‘The Data Protection Principles, The seventh Data Protection Principle. Confidence and Data protection’ volume 8(1)(2003)
- Mandy, p. Webster. ‘Data Security and Outsourcing’, Company Secretary’s Review, Issue 21, February 2009.
- Richard, Hollis. ‘Data security Part 1 — five factors leading to Data Compromise Privacy and Data Protection’, Volume 10,Issue 2,December 2009
- Richard, Hollis. ‘Data security Part 2 — five factors leading to Data Compromise Privacy and Data Protection’, Volume 10, Issue 3, February, 2010.
- Tim, Wright & Dominic, Hodgkinson. ‘Government response to House of Lords Science and Technology Committee Report on Personal Internet Security’ , Computer and Telecommunications Law Review2008
- The Economist. ‘Is Cloud Computing secure computing?’ April 23rd-29th 2011.
- The Sunday times, December 7 2007.
WEBSITES
- http://www.pdpjournals.com
- http://www.ico.gov.uk
- http://www.data-archive.ac.uk
- http://www.dataprotection.gov.uk
LEGISLATION
- Data Protection Act, 1998
- Data Protection Act, 1984
- Directive 95/46/EEC
CASE LAW
- Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division)
- Rhondda BC v Data Protection Registrar (Unreported) 11 October 1991