7062664 Information Management in Retail: A Legal Perspective Chris Hill Barlow Lyde & Gilbert LLP 17 September 2009

Jan 19, 2016

Piers Cox

Information Management in Retail: A Legal Perspective

Chris Hill, Barlow Lyde & Gilbert LLP

17 September 2009

Information Management

Information is a key asset of every business

Technology has revolutionised our ability to access, create, store, search and communicate information

Information Management is in its infancy and lagging behind technological development

“the stone age was marked by man's clever use of crude tools; the information age, to date, has been marked by man's crude use of clever tools”

Storing up trouble…

[Chart: x-axis years 2006 to 2015; plotted values not recoverable]

Inside of an IT storage system

Why is this a problem?

The acquisition of, and failure to discard, possessions that are useless or of limited value due to a fear of losing things perceived to be important.

= “PATHOLOGICAL HOARDING DISORDER”

Law and Information Management

IPRs

DPA

Others, e.g. DDA, Confidence etc.

Data Protection Act

Data Protection Act 1998

EC Directive – EEA wide application

Policed in the UK by the ICO

Protects ‘personal data’ – electronic mainly (but also paper in some cases)

‘data controllers’ must ‘process’ in accordance with the DPA

‘data subjects’ get a number of rights under the DPA

Establishes “Principles” to abide by

The Data Protection Principles

Adequate, relevant and not excessive

Accurate and up to date

Rights for Data Subjects under the Act

Specific purpose

Not kept longer than necessary

Technical and organisational measures

EEA

“fairly and lawfully processed”

Consequences of breaching DPA

Reputational damage

Fines

Criminal offences

ICO increasing policing and enforcement and taking a harder line

5 Key Legal Impacts

1. Security/confidentiality obligations

2. What information can/must be stored

3. Exploitation of information

4. Who has a right to access information

5. Dealing with 3rd parties

1. Security/Confidentiality

Common law confidentiality

Contractual – agreed standards

Data Protection Act – Principle 7

Applicable IT standards “keeping up to date” - adequate technical and organisational (= security) measures – e.g. BS 10012

Practical measures and security standards

2. What Can/Must Be Stored

800+ specified retention periods fixed by statute/common law

VAT records 6 years

Contractual claims 6 years (12 years if a deed)

Data Protection Act

Processing fairly and lawfully

Adequate and not excessive

Accurate and up to date

Not for longer than necessary

IPRs

3. Exploitation of Information

Copyright

Arising automatically in original works

Lasts for a set number of years

Generally owned by creator – (including ‘employer’)

Database rights

Arises where "substantial investment" in obtaining, verifying or presenting the contents of the database

Owned by the maker

Data Protection

“fairly and lawfully”

4. Who has a right to access?

Confidentiality – who can it be given to?

DPA

Fairly and lawfully processed

EEA

Subject Access Request

Litigation – duty to provide even if detrimental

Regulatory investigation

5. Dealings with 3rd Parties

See 1. to 4. above:

Security

Storage

Exploitation

Access

DPA issues need to be dealt with explicitly in contracts

Liability/Indemnity/Insurance

Right to audit/access and have information returned

Information management policies

Specific retail issues (1)

Customer lists

Marketing

Credit card details

Dealing with consumers – “UCTA” and B2C contracts

Customer retention / media - e.g. TK Maxx

Specific retail issues (2)

Online retailing – data in transit, Distance Selling Regs

Standards – ISO, PCI, “good industry practice”

Levels of encryption and security procedures

Good for your business – marketing and practical risk reduction

Do your suppliers comply with these standards?

Information is your greatest asset, but also your biggest risk...

Not just the Data Protection Act 1998

There is no “magic bullet” solution

A multi-faceted approach is needed:

Contractual and legal protections

IT security and solutions

Practical policies and procedures

Policies

Make it an employee issue not a corporate problem:

Written documents that explain practical day-to-day procedures and rules for use of the data (including communications, storage, passwords, access, home working etc.)

Provided to all employees who have to sign and comply with them (part of employment / outsourcing contract)

Will reduce the real risk of a leak occurring

Will increase chances of compliance with law and regulation

Will reduce liability

Significantly reduces PR damage

Spot the difference if lost…

[Figure: two images labelled A and B]

Questions?