Thursday, September 19, 2013

Is the Data Protection Act harming children?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.

Last week, the Data Protection Act came under fire following an article published by Secretary of State for Education Michael Gove in The Telegraph, regarding the safeguarding of children in care homes.

Gove’s article was published in response to a review after serious failings put vulnerable children and young people at risk of abuse. While much of the Education Secretary’s criticism is to be welcomed, his censure also extended to so-called ‘data protection rules’, and thereby called into question the effectiveness of the Data Protection Act. In response, Information Commissioner Christopher Graham issued a written statement and appeared on BBC Radio 4’s World at One programme in defence of the Data Protection Act, labelling it an “enabler” rather than a barrier to safeguarding children.

As the Commissioner declared, “there shouldn’t be room for confusion on anything as serious as child protection” – yet, clearly, there is. Gove detailed that the government body Ofsted was ‘prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing data’. Thus even when it matters most, some people evidently feel unable to share confidential information.

What does the Data Protection Act say?

The Data Protection Act states that information can be processed when this is ‘necessary for compliance with any legal obligation to which the data controller is subject’. The Information Commissioner’s Office (ICO), moreover, goes further in its Data sharing code of practice: ‘You will need to judge whether it is still appropriate [to share data] and confirm that the safeguards still match the risk.’

Thus the Data Protection Act explicitly states that data can be shared when there is a legal obligation to do so, for example in the case of children at risk of abuse. However, it also, and rightly so, calls for appropriate risk assessments to be carried out and measures taken to protect that data – because a breach of personally identifiable information brings with it a different type of threat.

Why, then, do some public sector employees feel that they cannot share confidential information, even when doing so will protect vulnerable children? Clearly there is a chronic misunderstanding of data protection law that urgently needs to be resolved. In particular, it is imperative that organisations put in place mechanisms to protect confidential information when it is shared with third parties. Employees must feel empowered to share sensitive data when necessary and confident that they can remain in control of it at all times – not afraid that they risk exposing that information to unintended recipients, which can ultimately threaten the subject’s safety, the organisation’s reputation and potentially the employee’s livelihood as well.

Unfortunately for the ICO, so long as these myths about the Data Protection Act persist, and despite its best efforts to dispel them, it faces an uphill battle against ignorance and bad publicity.

Thursday, September 12, 2013

How legislation introduced by the SRA is affecting law firms

Jonathan Jongkind
Customer Service Manager
Egress Software Technologies Ltd.

Law firm risk management. If that phrase was thrown around in a conversation, you would presume the person talking knows exactly what they’re going on about – but what does ‘law firm risk management’ actually mean?

In general, risk management can be defined as evaluating, and preparing for, potential risks, making sure you have all of the bases covered should the worst come to the worst. This could mean anything from assessing risks in regard to natural disasters, to large investment projects, to data breaches – which is what I would like to primarily focus on.

Having worked in a small law firm in the past, I have an idea of how risk management works for the legal sector. The risks can be anything from losing a major case that a lot of time and resources had been invested in, to sending out a court bundle to the wrong address (the legal world still loves its paperwork; the printer in that office was always chugging away).

Setting the standards

Luckily, law firms are not left entirely in the dark with regards to risk management. Launched in 2007, the Solicitors Regulation Authority (SRA) is the regulatory body for all solicitors in England and Wales. Although the SRA also focuses on other areas, such as setting behavioural standards for entry and ensuring these are constantly complied with, making sure that data is handled appropriately is another of its goals.

This is where it gets interesting for me, being both a techie and a law graduate. Recently, courts have started to accept summons sent via email, whereas before, evidence and summons were only accepted via paper. In fact, UK court summons can now even be served via Facebook! But imagine if those summons were sent to the wrong person… Although this could also happen via normal post, at least technology provides the power to prevent mistakes like these from happening in the first place.

Ensuring compliance

Introduced in July 2012, section 8.5 of the SRA practice notes requires all of its licensed bodies to appoint a Compliance Officer for Legal Practice (handily shortened to COLP). These individuals must take reasonable steps to ensure compliance with statutory obligations, in addition to any terms or conditions. COLPs are also the bearers of bad news, as they are obliged to take reasonable steps to record all failures to comply (classed as either a ‘material breach’ or a ‘non-material breach’) and to report these failures to the SRA.

Although the SRA imposes these regulations on law practices, COLPs are left with a certain degree of leniency and flexibility, allowing them to interpret and implement the regulations in a way that will work best for their practice. I have no doubt that regulations will be tightened and definitions made clearer over time, but I suppose, much like the law, the SRA is keen to move away from being a tightly regulated body to a more efficiently regulated one. The challenge for the SRA is to relay this information in a way that will not cause confusion.

Staying on top

The introduction of new technology and improved forms of communication with clients and courts is a major opportunity for law firms – if taken advantage of, it will lead to improved information security, enhanced efficiency and cost savings.

Obviously, the SRA has a key role to play in this, and their introduction of greater accountability and regulation can only be a good thing for consumers. Part of this involves creating codes of practice and regulations that increase awareness of potential risks and material breaches, drawing attention to the repercussions that can occur when due care isn’t taken. The challenge for law firms is ensuring they stay on top of these changes.

So, now you should have more of an idea of how risk management works in law firms – enjoy that after-dinner conversation with your local COLP!

Is the Cloud still white and fluffy? Examining the role of cloud computing for today’s businesses

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.

When I first glanced at the IT Cloud landscape, it was a wonderfully picturesque scene offering fluffy, white services that promised massive benefits to any business that wanted to realise cost savings and efficiency gains.

Is this the same landscape I see today? Put simply, no.

While Cloud continues to dominate boardroom agendas, creating panic amongst senior execs, who fear that without a Cloud strategy their business is somehow falling behind the times (and their competitors), I’m sure those ‘technology laggers’ that pinned their colours to traditional on-premise models are feeling rather smug in light of the recent negative press.

Does this mean that over time Cloud services will become less popular with businesses in the Public and Private sectors? Absolutely not, to those cynics out there! It’s all part of the adoption and maturity lifecycle that every new and innovative technology must face.

The fact is, the future delivery of IT service architecture remains unchanged; however, professionals and ‘prosumers’ are now increasingly aware that a risk-managed approach to consuming services must be applied to both software vendors and their underlying infrastructure providers before today’s grey clouds become white and fluffy again.

Be proactive and informed - not left behind

My team spends every day speaking to customers about data security, promoting UK Government certified encryption services with roots firmly placed in the Cloud. We are fortunate to be able to map trends as they start to emerge, and what’s currently coming across loud and clear is the overwhelming shift towards the use of Active Directory Federation Services (ADFS).

For those of you who don’t know, ADFS is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organisational boundaries. It uses a claims-based access control authorisation model to maintain application security and implement federated identity.

In short, ADFS is designed to use on-premise Active Directory as an identity provider, enabling users to interact with other web services and SAML 2.0 compliant federation services (used by Cloud providers) using their existing business username and password.
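As an added example (not Egress or Microsoft code), these are the checks a relying party such as a cloud service should apply to an ADFS-issued SAML 2.0 assertion before trusting any of its claims: expected issuer, validity window and audience. The issuer, audience and claim values below are constructed, and verification of the XML signature is assumed to have been done already by the caller.

```python
"""Added example (not Egress or Microsoft code): a relying party checking an
ADFS-issued SAML 2.0 assertion before trusting its claims. XML signature
verification is assumed to have been done already by the caller."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and claim values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" IssueInstant="2013-09-05T10:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2013-09-05T10:00:00Z" NotOnOrAfter="2013-09-05T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloud-app.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.local</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, expected_issuer, our_entity_id, now):
    """Return (accepted, reason, claims); claims is empty unless accepted."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", {}
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None or now < saml_time(nb) or now >= saml_time(na):
        return False, "validity window check failed", {}
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        return False, "not addressed to this service", {}
    claims = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
              for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", claims
```

Only once all three checks pass are the attribute values handed on as claims; a production relying party would additionally parse with a hardened XML parser and verify the signature against the IdP's published federation metadata.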

This tells me one thing: Cloud, and integration with Cloud services, is actually in the ascendancy. On-premise and hosted worlds will become more aligned to the point where soon we won’t be able to clearly define what’s inside our corporate boundary and what’s fully hosted.

Laggers be warned: Your number is almost up!