IT Focus – Privacy Act shockwaves.

The applications suite, based on SAP R3 technology, was intended to handle customer service billing, travel allowances and operational finance management. But, according to Shell, the company belatedly realised that the way the system dealt with personal data meant it was potentially in breach of the 1998 Data Protection Act.

The Act, which is based on new European legislation, came into force earlier this year, but led to Shell cancelling the worldwide rollout of its system just seven days before it was due to go live.

According to Phil Jones, an assistant commissioner at the Data Protection Registrar’s office, Shell is by no means the only organisation to experience this confusion, however. ‘There are some provisions that are difficult,’ he says.

‘One of the problems is that besides generally processing data fairly and lawfully, they have to process data in line with certain conditions, especially sensitive data. This is giving a significant number of companies difficulty as to whether they are satisfying these conditions,’ he adds.

While the 1998 Act is thousands of words long, it is based on only a few basic principles. Personal data should be processed fairly and lawfully, but it should only be processed if the individual concerned has given their consent or such processing is deemed necessary, for example, to comply with legal regulations, or to ensure the administration of justice.

Sensitive data such as racial origin, political opinions and so forth carries even tighter restrictions.

Personal data should only be obtained for specific purposes, and any additional use is in breach of the Act. It must be adequate, relevant and not excessive, as well as accurate and up to date, and must not be held for any longer than is required for the particular use that has been stipulated.

Once data has been collected, it must be made available to the individual on request within 40 days, and should not be used to cause damage or distress. Organisations must take appropriate organisational and technical action against the unauthorised use of data – in other words, they must protect it both from external hackers and unauthorised use by employees.

Finally, data must not be made available to countries outside the European Economic Area – the 15 European Union member states as well as Iceland, Liechtenstein and Norway – unless that country can guarantee similar levels of protection to the individual.

But Paul Vassidis, head of information security and risk at the National Computing Centre (NCC), says many companies are finding the new regulations something of a shock. ‘Their initial thoughts are that it’s not very difficult, but they find there are ramifications they haven’t foreseen,’ he explains.

‘The biggest issue that most people have is that the new act covers more than just electronic information. The next is mandatory issues on personal data. A lot of people have not really had to address that in a formal way before. The other issue is one of training and awareness.

‘Virtually all customer facing staff need some awareness of things like the fair processing code,’ he says.

But many apparently simple provisions are actually quite hard to comply with, Vassidis warns. ‘People are now realising that this business of responding in 40 days is quite a tall order. It affects things like e-mail, letters, half a dozen databases.

‘A council, for example, may have 20 or 30 different contact points with an individual – parking tickets, the local education authority, library card information and so on,’ he adds.

There are further complications if data is exported from one country to another, even within the EU. While the directive provides a basic level of protection, each country has its own national law. This national law may extend the level of protection in some cases, while other countries have not yet even enacted the directive. In the UK, for example, transitional provisions effectively give companies until October next year to comply fully with the new regulations.

This means, according to Freddie Dawkins, co-ordinator of the International Commerce eXchange (ICX), that even basic terms have to be clarified. ‘In English law, what is a derogation? What is it in Napoleonic law?’ he asks.

The ICX consortium is trying to solve these issues by coming up with a code of conduct to provide companies with confidence that they are satisfying the rules.

Dawkins explains that it was ignorance of such international regulations that had led Shell to make its mistake. ‘That was a system that was going to run in the US, and no one in the US was aware of the situation in Europe,’ he says. ‘If it had spoken to European colleagues, it could all have been planned in from the start.’

But there have been several well-publicised data privacy breaches over the past few months from companies such as PowerGen, Barclays, and most recently Credit Suisse.

The latter inadvertently enabled web surfers to access the personal account details of a number of customers, including several celebrities, on its website. But Dawkins acknowledges that most breaches lead to no more than a reprimand.

‘Some of the data commissioners are really good. The last thing they want to do is bring an action,’ he says. ‘If you ask, they’ll send in a team who will do an inspection and a full report, so they are giving free advice.’

Vassidis agrees current prosecution levels are low. ‘I think we’ll see a general increase in this with the rise of online shopping, but actually I don’t think most people are aware of their rights,’ he says.

‘At the moment, I don’t think the commissioner’s got the resources to cope with a high level of complaints anyway.’ But he warns the number of complaints is rising rapidly and that organisations cannot afford to be arrogant.

‘A lot of people object to the fact there is legislation covering what they perceive as their data,’ he says. ‘We have to make it clear to them that it’s not their data. It belongs to the subjects.’


Differing US perspectives on data protection and a lack of practical guidance are preventing businesses from complying with the European Union rules on data privacy, writes Andy McCue.

This was the warning from Nick Mansfield, principal consultant for Shell Services International, speaking at the Compsec 2000 security conference in London earlier this month.

Mansfield cites Shell’s own experience as a warning to other users. The company was forced to cancel the worldwide rollout of a $36m SAP finance system just seven days before going live.

The system was designed to run customer service billing, travel allowances and operational finance management, but ran too great a risk of contravening the EU directive.

‘We stopped dead because the system, containing personal information, was subject to the EU directive,’ says Mansfield.

Mansfield is also chairman of the International Commerce eXchange consortium, whose members include BT and Royal Mail subsidiary Viacode.

ICX has drawn up practical guidelines for businesses to comply with the EU Directive and the 1998 Data Protection Act, which was introduced in the UK as a result of the directive.

Legal experts say data protection is a minefield for businesses. ‘What I always say to companies is: “You are breaching the data protection legislation left, right and centre, so don’t make a target of yourself”,’ says Dai Davis, head of the IT group at law firm Nabarro Nathanson.

‘What the Data Protection Registrar can do is limited by her budget. It’s not in her interest to make waves.’

This article was first published in Computing magazine.
