The Organisation As A System and Commissioning a Web Site Legals

The Organisation As A System
The Performance Organisers
Structured Coherent Design
Commissioning a Web Site
Part Two – Legals, a Changing
Environment
The introduction slide deck video can be downloaded here

http://www.jitsoftware.co.uk
Commissioning a Web Site - Legals

About the Author:
• Allen Woods, recently retired.
• Ex British Army (1971 – 1995) Taught Arctic Warfare, Several Years
On Operations, Funded Himself through College to Study IT
• Chartered Member of the British Computer Society for 20 years
• Member of the Chartered Status Interview Panel for BCS
• In 2010, Finalist of UK “Developer Of The Year” Competition for HSIS
• Primarily Employed in UK Defence Supply Chain and Logistics IT
since 1995 until 2019
• Credits: MoD Health and Safety Information System, Various Internal
to Defence P&G Portals, CATMIS, IQB Oversight to Defence Voyager
Programme IM Transformation
• Linkedin Profile

I am not a Lawyer…..
But…..
• Detailed and forensic review of licence terms of an
£800m outsourcing contract
• The MoD Health and Safety Information System
• US Arms Export Control Act
• Internal MoD Security and Data/Information
Management
• GDPR – I have read it – Several times – It’s a game
changer for us Geeks
• GDPR is not the be all and end all……
• This will take about an hour…….

Caveats
• Guide, not gospel
• Pathfinder
• Prove, validate and verify
• There are no “licensed” GDPR experts
• Brexit will change stuff
• When building a web site, you are extending your organisation
boundary.. But its YOUR boundary…
• Beware of geeks bearing gifts…

The Basic Problem(s)
• The bad guys don’t do compliance
• For much of the last 40 years IT has been largely
unregulated
• Scale of computer related crime is unsustainable
• IT as a consequence, is being “gripped”
• Privacy in particular is causing significant concerns
• Across the world, government is asserting control
• Internet of things (IOT) and Bring Your Own Device
(BYOD)
• The need for cultural change…

Focus on Privacy

Privacy Regulation and Legislation – Where Does it Come From
• The Data Protection Act 1998 (and before)
• Council of Europe Treaty 108
• European Charter of Fundamental Rights
• The Lisbon Treaty
• General Data Protection Regulation (GDPR)
• UK Data Protection Act 2018

Each incorporating EU regulation into national legislation

Not forgetting the rest of the world….
A guide….

Legal Context – Scope of UK Information
Commissioners Remit
• Privacy and Electronic Communications (EC
Directive) Regulations 2003 (PECR)
• Freedom of Information Act 2000 (FOIA)
• Environmental Information Regulations 2004 (EIR)
• Investigatory Powers Act 2016
• Re-use of Public Sector Information Regulations
2015
• Security of Network and Information Systems
Directive (NIS Directive)
• Electronic Identification, Authentication and Trust
Services Regulation (eIDAS)
• Data Protection Act 2018 (DPA)
• General Data Protection Regulation (GDPR)

Post Brexit
• “Third Country”
• Adequacy agreement - eventually
• Standard Contract Clauses
• Binding Corporate Rules
• Territorial Scope and Material Presence

For the individual, there are new rights..
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
But the rights are not absolute

For the site owner, the lawful basis for processing
personal data are:
• Consent - Opt In
• Contract – You must hold personal data for, say, a service
fulfilment purpose
• Legal Obligation – Health and Safety etc
• Vital Interest – Threat to life
• Public Task – Directed by the authorities
• Legitimate Interest
• Special Category Data – especially sensitive data
• Criminal Offence Data – CRB checks if your organisation is
obliged to carry them out
But:
• You must be able to justify data collection
• You must have the policy and auditable governance in place to
prove policy is being adhered to
• And not forgetting more mundane things like multiple
languages…

Commissioning a Web Site - Introduction
Person
Client 1
Client 3
Client 2
Server room
Internet Service Provider
External Client
Technical Legal
Consultancy
People
Staff
Personal Data
Personal Information Identifiers (PII)
Interaction “as a maturing conversation”
Stakeholders

Commissioning a Web Site - Introduction
Person
Client 1
Client 3
Client 2
Server room
Internet Service Provider
External Client
Technical Legal
Consultancy
People
Staff
For the site owner, the
most significant change
is that people now have
rights they can exercise
whenever and wherever
they like and the site
owner MUST respond to
the exercise of those
rights…….

Some Basic Operating Principles:
• Liability – Joint, Vicarious and Fiduciary (at least)
• “Privacy by design” means what it says
• The concept of “Ownership” of data has been reversed.
• Those collecting personal data in particular are its custodians
• The minimum data for the minimum time consistent with lawful
processing standards
• Validation, verification are key
• Data means “structured” and “unstructured” data
• Get it wrong and there are penalties
• GDPR and Privacy regulation provides a means to focus on your
legal situation…
• Compliance is a quality assurance matter.
• Unless agreed and properly contracted, no data crosses your
organisation boundary such that third parties “do stuff” with it.
You WILL need legal advice in due course…..

Other considerations:
• Controller/Processor – whose code and data does what
• Data Protection Officer – Do you need one
• The Information Commissioner – Policeman and Registration
• Brexit – Adequacy, transfer of data into the EU and vice versa
• Marketing and Cookies - PECR
• Policy and Governance
• Management of Location
• Understanding Ownership
• Risk Management
• Increasingly, data management is architectural in nature

But Privacy Is Not The Only Legal Concern

Primary Legislation
• Companies Act
• Health and Safety Regulations
• International Law
• EU Regulation and Directives
• Accessibility
• And more besides……

Standards and Compliance
• IFRS
• ISO 27001
• ISO 9000
• Cyber Essentials
• Professional standards
• Business Sector Standards

But there is no legally sanctioned
accreditation scheme….. Yet…..

7P’s – A simple preparatory exercise..

Plan and Prepare Compliance Effort:
• Download, read and study the regulations
• Download and read this guide
• The “Nightmare Letter”
• The nightmare letter first exercise
• The nightmare letter second exercise
• The nightmare letter third exercise
• Review all three exercises
• Develop policy and governance
• Prepare web site requirements
• Then decide on external expertise. If you need it.
• Start compliance effort… Register, or take registration test.

Exercise Deliverables:
• Data Dictionary
• Document Librarian
• DPIA Audit Tool
• Records of Processing Activity
• Risk Register
• Asset Register
• Understanding of Location of “stuff”
• Positioning of Data Protection as an activity
• Understanding of data protection roles
• Training Needs Analysis
• And more…..

People who can help………
Tara Taubman-Bassarian
Paul Gillingwater
Dave Dickson
Daniel Suciu
Humperdinck Chapman
Rosario Murga Ruiz
Kris Long
Philipa Jane Farley
Graeme McGowan
Anthony Rocha
Rowenna Fielding
In the US
Jason Sarfati
Diana Candela
Oxebridge
Debbie Reynolds
Chris Roberts

On Expertise…… Caveat Emptor…..

Reading List
• The Legal Environment of Computing
• Transatlantic Data Protection In Practice
• Privacy Impact Assessment
• IT Governance
• Regulatory IT Policies
• Build a Better Privacy Policy
• Managing Cyber Security Risk
• Big Data Governance
• The Mythical Man Month
• The Art of Software Testing

• Useful Organisations
• The Law Society
• The UK Information Commissioners Office
• The UK National Cyber Security Centre
• Irish Data Protection Commission
• CNIL
• The US National Institute of Standards in Technology
• The Open Web Application Security Project
• The British Computer Society
• The International Association of Privacy Professionals
• The British Standards Institute
• The Centre for Information Technology and Law

The Portal
Its all about the Architecture…..

Summary
The world of compliance for IT has changed and will continue to
change (amongst other things case law and technological pace f
change will drive a need to amend and update legislation)
7P’s. Compliance is not a simple matter
This slide deck explains, as a starter for 10, some of the legal
considerations that will need to be given when commissioning a web
site.
The key principle is that the controller is responsible for the
guardianship of personal data (and other data come to that). You no
longer “own” personal data…
While privacy is significant, it is not the only legislation you may need
to consider
You will need three kinds of expertise.. Legal, Security and Technical
but depending on your circumstances there may be a need to involve
other professional disciplines
The next slide deck in the series.. Developing Policy and Governance

http://www.jitsoftware.co.uk
Tel: +44 07780 568449
Email: allenwoods@jit-software.com
Skype: apw808

The Organisation As A System and Commissioning a Web Site Legals

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Organisation As A System and Commissioning a Web Site Legals

Similar to The Organisation As A System and Commissioning a Web Site Legals (20)

More from Allen Woods

More from Allen Woods (9)

Recently uploaded

Recently uploaded (20)

The Organisation As A System and Commissioning a Web Site Legals