JILT 1997 (3) - Pounder & Kosten
YEAR 2000: A Date with Destiny?
Dr. Chris Pounder and Freddy Kosten
Cap Gemini UK Ltd
dp.news@capgemini.co.uk
Abstract
According to the pundits, the failure of software and hardware to deal with the change of year at the end of the millennium, is a disaster waiting to happen. Yet Government still maintains that legislation is not needed to force organisations to resolve any problems they might have.
The article shows that, with respect to the processing of personal data, the Data Protection Directive (EC/95/46), which must be implemented as part of UK law before November 1998, and the current UK Act already provide such a statutory obligation.
The article, in particular, considers:
- the general relationship between Year 2000 and data protection legislation
- the penalties likely to arise in cases where non Year 2000 compliance is proven
- the need to choose a Processor offering Year 2000 guarantees, once the Data Protection Directive is implemented
- the implications of arranging a Year 2000 solution by transferring personal data to a supplier based outside the UK.
This is a Commentary Article published on 17 July 1997
Citation: Pounder C et al, 'Year 2000: A date with destiny?', Commentary, 1997 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/dp/97_3poun/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/pounder/>
1. Introduction
Although it seems obvious that failure to resolve the 'Year 2000 problem' could result in breaches of the Data Protection Act, we still see commentary and articles in the press which claim that legislation is needed to stop an impending catastrophe; for instance, the Financial Times published a long editorial ('Do countries need a law to force computers to remember the date correctly?') on 26th February. Often this is met by the counter claim that legislation is not needed, and that the correct approach is via self regulation; for instance, Ian Taylor MP, the Minister for Science and Technology in the last Government, told Parliament, during the Committee stage of the Companies (Millennium Computer Compliance) Bill, that the legislation was unacceptable because "we believe that the best way forward is for companies to take voluntary action". Whatever the pros and cons of this debate, many pundits have clearly overlooked that the Data Protection Act and the two Data Protection Directives contain statutory obligations which impinge on the resolution of the Year 2000 problem; in this Section we identify these obligations. The message derived from our analysis is simple: there is an urgent need for Data Users:
- to consider, from a data protection perspective, Year 2000 problems and their potential solutions
- to act in a reasonable and timely fashion to resolve these problems, and to establish proof to this effect in order to take advantage of the defence offered by the legislation
- to identify who is responsible for implementing Year 2000 solutions, especially if Computer Bureau services are used. Note: a two page paper entitled 'The Millennium Bomb' is now available from the Registrar's office.
2. Year 2000: Basic Data Protection Issues
Most readers will (we hope) be familiar with the end-of-the-millennium problems likely to afflict software and hardware in the run-up to January 1st, 2000 and beyond. According to the Registrar there are two problems: whenever a two-digit year 99 changes to year 00, personal data 'may be interpreted as (relating to) 1900 rather than 2000' (ie the date is out by 100 years); also 'year 2000 is a leap year, which is not usually the case for a centenary year'. Six basic data protection issues emerge; Year 2000 problems:
- can result in the processing of inaccurate personal data. Obviously, therefore, the provisions in the Act which relate to accuracy, namely the Fifth Principle and Section 22 (compensation for damage caused through the use of inaccurate personal data), come into play
- can result in unfair processing. The Registrar provides two examples: that 'personal data could be processed unfairly if the processing is date dependent' (eg 'age dependent calculations may give incorrect results'), and that the deletion of personal data 'before the expected retention time had expired' could also be unfair processing. Such eventualities, in our view, would also lead to breaches of the Fourth Principle
- can result in the loss of personal data. In the context of Year 2000, 'loss', as used in the Eighth Principle and Section 23, should be interpreted as including circumstances where personal data have been irretrievably lost (eg destroyed prematurely), as well as circumstances in which personal data are lost temporarily (eg personal data which are unavailable for processing whilst a software bug is fixed). The Registrar, in her paper, refers to the unavailability of personal data 'at worst, ... through catastrophic failure of a system'
- can impact on the choice of Computer Bureau. This is a consequence of Section 2(2) of the Act which limits the obligations of a Computer Bureau to the Eighth Principle, but defines the obligations of Data Users in terms of all Principles. Thus, if a Year 2000 problem impacts on the Eighth Principle (ie through the loss of personal data), then two 'persons' could be responsible; no doubt, if the worst happened, each side would try to pin the blame on the other. To avoid this, Data Users and Bureaux need to ask each other one essential question: 'Who has ultimate responsibility for resolving any Year 2000 problem, and who has the capability to implement the solutions?'
- are already being encountered and will merely become more high-profile closer to the millennium. Data Subjects could be affected now if personal data involve time-scales which extend into the next century (eg long-term contracts have already involved remedial action on the Year 2000 front)
- could tax the Registrar's increasingly limited resources. She notes in her paper that she will 'expect organisations holding personal data to have made an assessment of the risk from the year change from 1999 to 2000 and to have taken action to avert any problem before any personal data are affected' (Registrar's emphasis). She will 'consider using her powers of enforcement to require appropriate remedial action to be taken'.
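The two defects the Registrar describes, and the accuracy and premature-deletion consequences listed above, can be made concrete in a few lines of code. The following is an added example written for this page, not code from the authors or from any system the article refers to: it processes a constructed sample of personal-data records held in a legacy DDMMYY layout, first with the legacy assumption that every two-digit year means 19yy, then with a 'sliding window' repair (the pivot value of 30 is an assumption of the example). It also shows a simple pre-2000 scan that flags two-digit year fields, the kind of risk assessment the Registrar says she expects to have been carried out before any personal data are affected.

```python
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed sample records (not real data); field names are assumptions
# made for this example.  Dates are stored as DDMMYY, the legacy layout
# that gives rise to the Year 2000 problem.
RECORDS = [
    {"id": 1, "dob": "150575", "retain_until": "310102"},  # born 1975, keep to 31 Jan 2002
    {"id": 2, "dob": "010100", "retain_until": "010118"},  # born 1 Jan 2000
    {"id": 3, "dob": "290200", "retain_until": "280205"},  # born 29 Feb 2000 (leap day)
]


def naive_year(yy: int) -> int:
    """Legacy behaviour: a two-digit year is always read as 19yy."""
    return 1900 + yy


def windowed_year(yy: int, pivot: int = 30) -> int:
    """Sliding-window repair (assumed pivot): yy below the pivot is 20yy, else 19yy."""
    return 2000 + yy if yy < pivot else 1900 + yy


def is_leap(year: int) -> bool:
    """Gregorian rule: every fourth year, except centuries unless divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def parse_ddmmyy(text: str, year_fn: Callable[[int], int]) -> date:
    """Turn a DDMMYY string into a date using the given two-digit-year rule.

    date() itself applies the leap-year rule, so 29 Feb 2000 read as 1900
    raises ValueError: a valid date is rejected as invalid.
    """
    day, month, yy = int(text[0:2]), int(text[2:4]), int(text[4:6])
    return date(year_fn(yy), month, day)


def age_in_years(born: date, on: date) -> int:
    """Whole years between two dates, the kind of age-dependent calculation at risk."""
    years = on.year - born.year
    if (on.month, on.day) < (born.month, born.day):
        years -= 1
    return years


def audit_record(rec: Dict, today: date, year_fn: Callable[[int], int]) -> Dict[str, object]:
    """Compute age and retention status for one record under a given year rule."""
    result: Dict[str, object] = {"id": rec["id"]}
    try:
        result["age"] = age_in_years(parse_ddmmyy(rec["dob"], year_fn), today)
    except ValueError:
        result["age"] = None  # the leap-day defect: date of birth rejected
    try:
        keep_until = parse_ddmmyy(rec["retain_until"], year_fn)
        # True means the record would be deleted, possibly before its retention expires
        result["scheduled_for_deletion"] = today > keep_until
    except ValueError:
        result["scheduled_for_deletion"] = None
    return result


def audit_all(records: List[Dict], today: date, year_fn: Callable[[int], int]) -> List[Dict]:
    return [audit_record(r, today, year_fn) for r in records]


def flag_two_digit_years(records: List[Dict], fields=("dob", "retain_until")) -> List[Tuple[int, str]]:
    """Pre-2000 risk scan: list (id, field) pairs still held as a two-digit year."""
    return [(rec["id"], f) for rec in records for f in fields
            if len(rec[f]) == 6 and rec[f].isdigit()]


if __name__ == "__main__":
    run_date = date(2000, 3, 1)  # shortly after the rollover and after 29 Feb 2000
    print("leap years:", {y: is_leap(y) for y in (1900, 1996, 2000)})
    print("fields at risk:", flag_two_digit_years(RECORDS))
    for label, rule in (("legacy 19yy", naive_year), ("windowed", windowed_year)):
        print(label, audit_all(RECORDS, run_date, rule))
```

Run as a script, the legacy rule reports a newborn as 100 years old, rejects the leap-day birth date, and marks every record for deletion because their retention dates are read as 1902, 1918 and 1905; the windowed rule gives the expected ages and keeps the records. The scan is deliberately crude (any six-digit field), which is what one wants from a first pass over a holding whose layout is known.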
3. Accuracy of Personal Data
The Fifth Principle states that 'Personal data shall be accurate and, where necessary, kept up to date'; clearly, any dated personal data which are out by a hundred years are inaccurate (and therefore in breach of the Principle). Similarly, where compensation arising from the processing of inaccurate personal data is in question, Section 22(3) posits a simple test with respect to accuracy: 'data are inaccurate ...if incorrect ...as to any matter of fact' and, obviously, dated data are likely to be factually wrong if a Year 2000 problem is involved. In the data protection context, therefore, analysis must focus on the relevant defences in the Act that are available to a Data User. Pertinent scenarios include:
- an investigation by the Registrar. When the Registrar investigates a Data User, one key query is certain to arise: are the data protection issues with respect to Year 2000 being managed responsibly? Note that such an investigation can arise well before the dreaded date change. For instance, it is open to the Registrar to send Data Users a questionnaire asking them what they are doing to resolve Year 2000; those who choose not to respond could perhaps be investigated, whilst any response sent to the Registrar could be filed just in case there is a complaint. Similarly, a concerned Data Subject might write to a Data User seeking assurance about an account as Year 2000 approaches; an incomplete or evasive response could trigger a complaint. In other words, since the Registrar has powers now to investigate a potential Year 2000 problem, it is clear that Data Users need evidence now that they are coping with the problem
- resisting claims for compensation. Compensation can only be awarded when damage has actually arisen, and such damage will not usually reveal itself until after the Year 2000 dawns. If the Data User wishes to resist compensation claims, the main defence provided by Section 22 of the Act must be established: namely that the User 'had taken such care as in all the circumstances was reasonably required to ensure the accuracy of the data at the material time'. Note that the burden is on the User to prove 'reasonable care'; damaged Data Subjects do not have to prove that the User acted 'unreasonably'
- obtaining proof of action. Evidence that a Data User acted 'reasonably' includes keeping records of: details of all Year 2000 audits of software; plans, schedules and specifications associated with the review and the testing of resultant software modifications; details of the management of Year 2000 projects, including the financial and personnel resources committed at each stage. If other organisations are involved, records should be kept of instructions given to providers of services, and of the agreed levels of expected services. If problems are identified in minutes of meetings, for instance, care must be taken to ensure that subsequent minutes identify how and when each such problem is 'ticked off'; otherwise that proof might remain elusive. Finally, it is essential to keep track of what other Users in the same line of business, or with similar software problems, are doing; in this way it may become possible to demonstrate 'reasonableness' through comparison with the activities of others
- unfair processing. A Data User would be vulnerable to claims of unfair processing of personal data if the system used for that processing, either now or sometime in the future, could not vouchsafe the accuracy of personal data, and whose continued use was, therefore, likely to cause damage or distress to Data Subjects.
4. Security of Personal Data
The Eighth Principle differs from the Fifth in that the former applies to the measures taken by Data Users and Computer Bureaux, whilst the latter establishes obligations faced only by Data Users. With respect to Year 2000, the Interpretation of the Eighth Principle describes certain measures that should be taken by Users and Bureaux to prevent the 'loss' of personal data: 'Regard shall be had to the nature of the personal data and the harm that would result from ... loss ... as ... mentioned in this principle ... and to security measures programmed into the relevant equipment...'. In the Year 2000 context, the phrase 'would result' makes it clear that anticipatory action to identify potential causes of loss of data is essential; similarly, the reference to 'security measures programmed into the relevant equipment' can be related to the software modifications needed to ensure Year 2000 compliance. Failure to take such action in advance of the new millennium can, therefore, constitute a potential breach of this Principle. Thus Data Users and Computer Bureaux need to:
- demonstrate compliance with the Eighth Principle (eg carry out a risk assessment with respect to the impact of Year 2000 on all relevant processing of personal data). In the case of Bureau services, this assessment would include any such processing undertaken on behalf of clients, and the services, contractual arrangements, service level agreements and software specifications developed in anticipation of Year 2000. If particular contract conditions or limitations seem likely to impede such an assessment, the Bureau would be well advised to alert the clients involved to Year 2000 issues
- establish defences against claims for compensation. Section 23 provides Data Subjects with the right to seek compensation should damage be caused through 'the loss of data'; as in Section 22, the main defence would rest on proof that 'reasonable care' had been taken. Hence, as with the accuracy provisions in the Act, documentary evidence associated with Year 2000 initiatives needs to be retained (see 'obtaining proof of action' above for details). However, in this case, matters can be complicated by the joint Data User / Computer Bureau responsibility for security matters. Our advice is that any confusion should be removed as soon as possible, as it is in the interests of both parties to know which of the two 'persons' involved would be potentially liable if a security breach occurred. This could, of course, involve delicate negotiations to identify who is responsible for implementing Year 2000 solutions. However, the bullet has to be bitten; there must be no doubt as to who owns the problem
- unfair processing. A Data User would be vulnerable to claims of unfair processing of personal data if the system used, either now or sometime in the future, was one which could not guarantee the availability of these data, and where this was likely to cause damage or distress to Data Subjects.
5. Overseas Transfers of Personal Data
Many organisations, alarmed at the cost of Year 2000 compliance, are looking at the most cost-effective way of checking their software. Some are turning to the emerging software industries, based outside Europe, as offering the most advantageous solution; personal data might thus be transferred to such a supplier. If so, the following points would need to be considered:
- registration. The Data User would be well advised to register P074 ('Software Development, Test and Demonstration') if that has not been done already. The Overseas Transfer and associated disclosure of personal data would also require registration (eg appropriate 'T0xx' code and D206). Once a Transfer is registered it can proceed unless and until the Registrar intervenes, or unless the Transfer would breach other legislation
- security. Even though the personal data are transferred overseas, the Registrar still has powers of enforcement; these arise because control of the contents and use of the personal data resides with a Data User based in the UK, and the data are intended for use in the UK (Section 39 of the Act). Thus, the Data User would still be ultimately responsible for compliance with the Eighth Principle (ie for security of the personal data) in the relevant overseas country. Consequently, the Data User would be strongly advised to specify, in the contract or service level agreement with the contractor, security standards at least as rigorous as those that would apply in the UK, and to identify any audit requirements; full records must be kept in case proof is needed. Note: in the Ninth Report, in relation to the back-record conversion of criminal records not held on computer, the Registrar noted that, in order to reduce cost, these records might be keyed-in overseas before entry on the Police National Computer. The Registrar had 'drawn the Home Office Police Department's attention to the Eighth Data Protection Principle which requires appropriate security for personal data'
- fairness and customer relations. Consideration would need to be given to the customer base and to whether the transfer of personal data would cause other problems, especially if the personal data are of a confidential nature. For instance, could Data Subjects object to a particular overseas transfer (eg on political, cultural or religious grounds)? If so, could this cause future difficulties for the business in general? Could the transfer, in data protection terms, generate complaints of 'unfair processing' (eg on the basis that it caused distress to Data Subjects)?
- redress. Suppose Data Subjects sue the Data User, under the terms of the Data Protection Act, because the Year 2000 conversions caused damage through the loss or inaccuracy of the personal data. Could the User then take action against the contractor given that a foreign jurisdiction is involved? This, of course, is the nightmare scenario which one hopes will never happen; but since nightmares occasionally occur, we advise that somebody thinks through the 'impossible' and establishes the appropriate contract terms
- subcontracting. All the problems identified above could also arise if a UK contractor, who provides Year 2000 solutions, transfers the Data User's holding of personal data to a subcontractor based overseas (eg to a subsidiary organisation). Consequently, the contractor should be placed under an obligation to seek the Data User's prior approval for any likely overseas transfer to a subcontractor (eg so that the User's registration can be amended in good time).
6. The Main Data Protection Directive
The Data Protection Directive (EC/95/46) must be implemented as part of UK law before November 1998, some fourteen months in advance of the new millennium. Article 32 of that Directive provides for derogations, but these relate to 'processing already under way' at the time the legislation comes into effect. The conclusion reached is that any processing of personal data collected after October 1998 has to comply with the Directive's provisions. Clearly, therefore, the additional obligations arising from these provisions are relevant to any Year 2000 solutions. The main issues arising from the Directive are:
- no diminution of protection for Data Subjects. Recital 10 states that the convergence of European data protection laws 'must not result in any lessening of the protection they afford'; thus the protection afforded to Data Subjects by the current Data Protection Act with respect to Year 2000 should remain, once personal data become subject to the legislation implementing the Directive
- extra-territoriality. Article 4 establishes that each Member State shall apply the Directive to the processing carried out, in a Member State, on behalf of a Controller who is not established in the European Union. This Controller would be required to appoint 'a representative established in ... that Member State', who would be available to the Data Protection Authority to account for compliance with the Directive's provisions (as incorporated into national law). Suppose, for example, that a USA company processes personal data in the UK; since compliance with this Directive includes Year 2000 solutions (see below), the USA company might find itself in breach of UK legislation if it failed to appoint a representative charged to implement any required Year 2000 solution. In this way, suppliers of processing services based in Europe, who have customers outside the European Union, would be obliged to offer services which are Year 2000 compliant
- unlawful processing. Chapter II of the Directive confines lawful processing of personal data to that processing which accords with national data protection law based on the Directive. Thus any processing which is in contravention of Chapter II (and failure to implement a Year 2000 solution can result in processing which falls into that category) can be equated with unlawful processing. This is important, because in any litigation, or compliance investigation, the Data Subject's side of an argument will inevitably prevail if a Controller has demonstrably processed personal data unlawfully
- Principles. Article 6 introduces a duty on Member States to ensure that Controllers comply with five 'principles relating to data quality'. Two principles are relevant to the Year 2000 problem; these state that personal data must be 'processed fairly and lawfully' (thereby introducing the unfair processing points previously analysed with respect to the current UK Act) and be 'accurate and, where necessary, kept up to date' (thereby introducing the accuracy points). With respect to inaccurate personal data, the Principle states that 'every reasonable step must be taken (by Controllers) to ensure that data which are inaccurate ... are ... rectified' (our emphasis); a provision which can clearly be interpreted as a statutory duty to address Year 2000. Finally, it is noteworthy that Article 12(c) provides Data Subjects with the right to have third parties notified of any inaccuracy in personal data previously disclosed to them; an inability to satisfy this basic right would rub salt into any Year 2000 wound!
- security. Article 17 requires Controllers and Processors to take 'appropriate technical and organisational measures to protect personal data against .... accidental loss ... and against all other unlawful forms of processing'. The Article also requires that 'such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected'. In other words, the relationship between Year 2000 and the security provisions of the current UK Act, as outlined above, is maintained. There is one difference: breach of any Article can directly be equated with 'unlawful forms of processing'
- choice of processor. Article 17 also relates to circumstances in which a Controller uses another organisation to provide any service with respect to the personal data; such organisations are defined as 'Processors'. Examples include Computer Bureaux (as defined in the UK Act) and any service provider who processes the Controller's personal data (eg collects, discloses, or destroys personal data on behalf of the Controller). The Article places the Controller under an obligation to 'choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out', and to 'ensure compliance with those measures' (eg hold meetings to discuss the issue and, where appropriate, carry out audits to satisfy the Controller that compliance is likely to occur). The impact of this provision is to oblige Controllers to choose Processors who can provide guarantees with respect to Year 2000 problems, and to monitor, and record, compliance with regard to such guarantees
- claims for compensation. Article 23 requires Member States to ensure that 'any person who has suffered damage as a result of an unlawful processing operation... is entitled to receive compensation from the controller for the damage suffered'. Note that this is far wider than the UK provision since it is linked to 'unlawful processing' (eg breach of any of the provisions in Chapter II); if unlawful processing is proved, one can expect that a claim for compensation would be difficult to resist
- Overseas Transfers. If a Controller wishes to solve Year 2000 problems by transferring personal data to a Processor based outside the European Union, then the provisions concerning Transfers to Third Countries need to be taken into account. These might not be as straightforward as the current arrangements in the UK Act (see Section 5 above), particularly if the laws of the 'third country' involved do 'not ensure' the 'adequate level of protection' cited in Article 25. It might be necessary to make special arrangements (eg to seek the consent of each Data Subject, or to identify the transfer as being necessary for the performance or conclusion of a contract; Article 26) as well as to 'choose a processor providing sufficient (security) guarantees' (Article 17)
- Data Protection Authority. The Authority is to be endowed with 'investigative powers, such as powers of access to data forming the subject-matter of processing operations', 'powers to collect all the information necessary for the performance of its supervisory duties', and 'effective powers of intervention'. Thus if the Authority was worried by the Year 2000 threat, it could carry out spot audits to assess its nature and order Controllers to take any necessary remedial action (always assuming it had the necessary resources at its disposal)
- Data Protection Act standards could apply until November 2001. If the Government takes advantage of the maximum three year period, as specified in Article 32 of the Directive, in order to phase in the application of the Directive to that 'processing (of personal data) already under way', those personal data affected will not be left in a data protection vacuum. Such data will remain subject to the obligations set out by the UK Act. In other words, our analysis as outlined in the first half of this Section would apply to these data during the phasing-in period.
7. The Telecommunications Directive
It's early days yet to assess the degree to which the Telecommunications Directive is relevant to Year 2000 since the final text is not yet ready; however, as we explained in the last issue, this Directive will also be incorporated in national law before November 1998. Two additional requirements can be identified now; these are:
- the duty to talk. Article 4 imposes a duty on all publicly available Telecommunications Services to 'take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the Public Telecommunications Network with respect to network security'. In other words, Year 2000 issues should constitute a vital part of the wider security discussions between such bodies; formal records should be made of such discussions.
- specific security risks have to be publicised. Where there is 'a particular risk of a breach of the security of the network, the provider of a publicly available Telecommunications Service must inform the Subscribers concerning such risk and any possible remedies, including the costs involved' (our emphasis). This plainly includes any obvious Year 2000 problems!
8. Conclusion
We end with a warning: Data Protection is not the only consideration should a Data User awake to a Year 2000 nightmare. For instance, those affected by software problems might raise arguments that these goods were not a 'fit and proper product' (eg through Consumer Protection or Sale of Goods legislation); no doubt, too, teams of lawyers are currently beavering away looking for other legal avenues of redress. Despite this, our analysis shows that those with data protection responsibilities must play their part in ensuring that personal data can be reliably processed despite the advent of the new millennium, and that the Data User's and/or the Computer Bureau's defences cover data protection aspects. So, if you haven't yet played your part in resolving your Year 2000 problems, act now; there is not much time left.
9. Finale
This article was first published in Data Protection News (Spring 1997, Issue No. 29); the views expressed in this are those of the authors (Dr. Chris Pounder and Freddy Kosten). Details of Data Protection News are available from Chris Pounder, Data Protection News, Cap Gemini UK ltd, 95 Wandsworth Road, London SW8 2HG or by email: <dp.news@capgemini.co.uk>.
10. Links
- Common position (EC) No 57/96 (ISDN Directive) http://www2.echo.lu/legal/en/dataprot/isdn/isdn.html
- European Directive on Data Protection http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/special/directive/
- UK Data Protection Act 1984 http://www.hmso.gov.uk/acts/acts1984/1984035.htm