/v3-uk/news/1940984/back-basics-retention
13 Jun 2002, Lisa Kelly, V3
Businesses trying to get their head around 'snooping' legislation affecting data retention are being advised to get back to basics and not become too distracted by the numerous legislative acts and codes.
This week it emerged that Europol, the police and intelligence arm of the European Union (EU), is proposing that telephone and internet service providers (ISPs) retain data including personal email and telephone records for access by police and intelligence services.
The EU common code on data retention is the latest piece of snooping legislation aimed at combating terrorism and major crime by forcing companies to keep information.
Speculation is growing that companies running internet sites may be obliged to keep data covering passwords, website addresses visited and web pages looked at for up to five years.
Meanwhile, the government is pushing for new data retention measures under the Regulation of Investigatory Powers Act to gain parliamentary approval before the summer recess.
Under anti-terrorism legislation drawn up in response to 11 September, the Act would permit telcos and ISPs to hold phone, email and website traffic data for a year, overriding data protection procedures which ensure that information is not kept longer than necessary.
There are also proposals in the pipeline under the Enterprise Bill to give the Office of Fair Trading powers to force companies to produce a broad range of business documents on demand.
Unsurprisingly, companies are becoming increasingly concerned about what exactly the plethora of rules, regulations and conflicting legislation, not to mention the cost, means for them.
Confusion is rife. A survey published by the Information Commissioner shows that most UK websites fail to comply with current data protection legislation.
Even the Home Office admits that, with so much legislation, things are not simple. "It is confusing and a bit of a minefield," said a spokeswoman.
Outlining the current state of play, she said: "There is a voluntary code of practice over data retention still under discussion with the industry, which will go to public consultation later this month or shortly after."
But Mark Smith, an information security expert from UK law firm Morgan Cole, said that legislation can become an unnecessary distraction and that businesses must focus on "the basic need to store data".
"Most businesses are corresponding by email, but many are failing on basic storage and management of data," he explained. "There is a real need for evidence of contract. We can do ebusiness but we are struggling to integrate the transaction processing with retention and recording."
A common mistake is "data being kept in someone's private mailbox rather than a central file", said Smith.
He explained that the pressure is being piled on businesses to get a grip on data retention in response to a global terrorist threat.
"There is an increased government expectation about retaining transactional and traffic flow data which has been heightened since 11 September," he said.
The problem is that Downing Street is also groping in the dark. "The government is saying to business 'show me what you've got' in a crude sense. That is why both sides are keen to retain a voluntary code. It is still a time for understanding about what can realistically be done," said Smith.
But he pointed out that, in practical terms, a considerable chunk of the legislation only applies to ISPs and telcos.
"There are special rules regarding data retention for the telecoms operators and ISPs," he said. "What businesses need to do is keep records. They must ask: what have I got, where is it, how long should I keep it for and how secure is it?"
By building on these basics, businesses can meet legislative requirements. "The debate must be about taking ownership, control and management of the corporate network. It is about policies, education and training," explained Smith.
Software products exist to help businesses take control of their network. "Companies should look at products that deal with content filtering and monitoring web usage," he said. "They will provide the raw data to help enforce policies which the company puts in place."
But he added that "there is a need for a sophisticated balance between monitoring and privacy".
The best way to achieve this is by "getting board support for a joined-up information security policy", advised Smith. "It is most successfully achieved when human resources and IT work together. The result is a more coherent internal message."
But Smith warned against complacency. "Policy is not static," he maintained. "There needs to be continuous training and informed IT teams keeping up to date with obligations.
"For example, with PDAs and wireless the IT department may know what its technology capabilities are, but they must ask whether policies should be changed."
Alyn Hockey, director of future products at email monitoring company Clearswift, insisted that the right policies must be in place before enforcement through software is enacted.
"We can take conceptual policy into software practice, but the business must be educated about their obligations," he said. "The software is only as good as the rules the company deploys."
Cost needn't be too burdensome, according to Hockey. "Many companies find that an outsource model can be relatively cheap," he explained. "But with email becoming the biggest medium in which to do business, investment is essential.
"Businesses must manage the intellectual property risk of information getting to the wrong recipient and ensure that the network is being used as it should be or they will be blown out of the water."
The Information Commissioner has some sympathy with industry fears that it will collapse under the weight of data retention.
Phil Jones, an assistant Information Commissioner, said: "The government needs good reasons for imposing retention obligations over and above companies' business requirements. We will seek to ensure that any measures taken are appropriate and justified.
"If you impose massive retention obligations on businesses, you must ask how easy will it be to retain and obtain vast amounts of data. At some stage the direct cost to businesses will have to be assessed if the obligation is beyond business needs. Where does altruism begin?"
Jones encapsulated what many businesses feel. "We recognise the need to take action against crime and terrorism, but it should be thought out how much of what must be retained will be genuinely useful," he concluded.