IT is urged to form Y2K-style teams to tackle privacy
Computer Weekly / 29 April 1999 / David Bicknell
IT directors could lose their firms millions of pounds if they fail to deal with European data privacy legislation. And many are unaware of the scale of the compliance task.
Although the European directive harmonising data privacy legislation across the European Union (EU) was introduced at the start of the year, many national governments have yet to enforce it. In the UK the 1998 Data Protection Act will not come into force until 2001. Details of the Act should be finalised by the end of June.
Legal action
From January 2000, by which time some countries should have begun to enforce the directive, users operating in the EU could find themselves caught up in legal action from employees over privacy.
In addition, the variations in privacy rights between the US (which has no law protecting employees' privacy rights) and the EU have led to fears that users could find their international data traffic being trapped "in transit".
There have been suggestions that Y2K teams should start monitoring privacy issues as their work comes to an end, so urgent is the need to ensure firms are compliant with the harmonisation of privacy laws across Europe.
Such teams would also audit what data is held on staff by organisations - including US-based operations. Y2K teams are best-placed for this because they already have the best knowledge of what is currently held on firms' systems.
The problems of knowing what data is being held on employees, in which European country (or the US), and whether the company is legally covered to hold such sensitive data, have galvanised the International Commerce Exchange (ICX), a user group focusing on electronic commerce issues.
ICX (www.icx.org), which includes multinational companies such as Shell, is planning to create a code of conduct for privacy within six months, which organisations across the Continent can use as a checklist to ensure they are not going to face privacy restrictions.
The organisation hopes to make significant progress on the code of conduct at its annual conference in Dublin on 24-26 May (www.icx.org/icx/events.html).
The privacy issue is a major one for IT directors even if they do not yet realise it. They are likely to be the target for queries from their boards over whether their systems comply with the European directive. In addition, the wrangle between Europe and the US over privacy could have a knock-on effect for users.
For example, Nick Mansfield, principal consultant at Shell, who is the driving force behind the code of conduct, has had to consider switching human resources data on Shell's US-based staff to European servers.
Personal data
"We have had to re-assess where we locate servers holding personal data. Much of this material is highly personal, and we do not want to fall foul of the law. This could be a nightmare for IT directors if they do not get to grips with it," said Mansfield.
One of the difficulties is that the privacy issue has been driven from the bottom up. Individuals and advocacy groups, rather than governments, have been the most dynamic players. The problem for users is that they have been seen to have ridden roughshod over privacy rights. Users' images are vulnerable as a result.
IT directors' stance until now has not been encouraging for privacy advocates. A recent poll of nearly 350 chief information officers in the US revealed that 60% believed the ability to track customers' preferences for their companies' data outweighed individuals' privacy rights.
This time next year the issue may not be whether your software is "Y2K compliant", but whether your systems are "privacy-proof".