12 Jun 2002
Businesses are being advised to get back to basics as they struggle to understand a minefield of European and national data retention legislation.
This week it emerged that Europol, the police and intelligence arm of the European Union, is proposing that telephone and internet service providers (ISPs) retain data including personal emails and telephone records for access by police and intelligence services.
This came on top of the news that the Government plans to put through an Executive Order today that will allow an unprecedented number of organisations access to data records.
The EU common code on data retention is just the latest piece of snooping legislation aimed at combating terrorism and major crime by forcing companies to keep information.
Speculation is growing that companies that run Internet sites may be obliged to keep data covering passwords, website addresses visited and web pages looked at for up to five years.
Meanwhile, under the Regulation of Investigatory Powers Act drawn up in response to 11 September and due to be extended today, telecoms and ISPs are required to hold phone, email and website traffic data for a year, despite Data Protection implications.
There are also proposals in the pipeline under the Enterprise Bill to give the Office of Fair Trading powers to force companies to produce a broad range of business documents on demand.
Companies are increasingly concerned about the plethora of rules, regulations and conflicting legislation, not to mention the cost implications.
Confusion is rife. As Computing revealed (18 April), a survey by the Information Commissioner shows most UK web sites fail to comply with current data protection legislation.
Even the Home Office admits that with so much legislation, things are not simple. 'It is confusing and a bit of a minefield,' said a spokeswoman.
'There is a voluntary code of practice over data retention still under discussion with the industry, which will go to public consultation later this month or shortly after,' she said.
But Mark Smith, an information security expert from UK law firm Morgan Cole, said that legislation is an unnecessary distraction and that businesses must focus on 'the basic need to store data'.
'Most businesses are failing on basic storage and management of data,' he said. A common mistake is 'data being kept in someone's private mailbox rather than a central file.'
Smith said the pressure from Government is being piled on. 'There is an increased government expectation about retaining transactional and traffic flow data. This has been heightened since 11 September.'
Most of the legislation will only apply to ISPs and telcos but other businesses need to keep records. 'They must ask, what have I got, where is it, how long should I keep it for and how secure is it,' says Smith.
By building on these basics, businesses can meet legislative requirements, he said. 'The debate must be about taking ownership, control and management of the corporate network. It is about policies, education and training.'
The best way to achieve this is by 'getting board support for a joined-up information security policy,' advised Smith.
Alyn Hockey, director of future products at email monitoring company Clearswift, said the right policies must be in place before enforcement through software is enacted.
'We can take conceptual policy into software practice, but the business must be educated about their obligations. The software is only as good as the rules the company deploys,' he said.
'Businesses must manage the intellectual property risk of information getting to the wrong recipient and ensure the network is being used as it should be or they will be blown out of the water,' he said.
There is some sympathy towards industry fears from the Information Commissioner.
'The government needs good reasons for imposing retention obligations over and above companies' business requirements,' said Phil Jones, an Assistant Information Commissioner. 'We will seek to ensure that any measures taken are appropriate and justified.'
'You must ask how easy will it be to retain and obtain vast amounts of data,' Jones added.
'At some stage the direct cost to businesses will have to be assessed if the obligation is beyond business needs. Where does altruism begin?'