Less than a quarter of UK companies have policies in place to ensure compliance with key parts of the Human Rights Act that directly affect them, and less than half have documented procedures to ensure compliance with the Data Protection Act.
The research, contained in the Information Security Breaches Survey 2002, published in full today at the Infosec security conference in London, has found a wide lack of understanding of UK laws that protect employees and customers -- and in some cases the companies themselves.
While the same report pointed the finger at employees as a major threat to companies' security, it appears that employers are failing in their obligations too. Staff, say the report's authors, are unaware of their obligations, with one company reporting that it had about 100 disciplinary cases a year for staff misusing IT systems, mostly in respect of inappropriate emails or Internet surfing.
But companies trying to crack down on inappropriate email and Internet use risk running foul of the law themselves. "An example of an issue related to the Human Rights Act is the need for employers to identify when they can or cannot read an employee's email and if necessary get permission from their employees to do so," said the report's authors. "Many organisations consider their email system as a business tool and therefore automatically assume their right to monitor it; this assumption could be dangerous given recent developments in human rights and data protection legislation."
Only 48 percent of UK businesses reported having documented procedures to ensure compliance with the Data Protection Act, which affects employees and customers alike. "This indicates that a significant number of UK businesses are either unaware of their data protection duties or see compliance as a low business priority," said the authors. "If the Act is contravened, the data controller can be ordered to pay compensation to an individual if the controller has caused him or her to suffer any damage." The reason many companies do not see non-compliance as a threat, said the authors, is that the Information Commissioner "has so far publicly admonished only relatively few UK businesses, so the evidence is that most UK businesses do not yet perceive this as a real threat to them."
The problem is compounded, according to the report, by the fact that a significant number of transactional Web sites do not give consumers enough information to enable them to give informed consent to provide their personal data. Only 34 percent of UK transactional Web sites disclose their privacy or data protection policy on the Web site. Furthermore, only 46 percent disclose their security policy, just 52 percent encrypt transactions over the Internet, and 33 percent encrypt customer files on the Web server.
Overall, UK companies lacked documented procedures for many IT-related laws, including the Computer Misuse Act, the Copyright, Designs and Patents Act, the Electronic Communications Act and the Digital Signatures Directive. The research was prepared by PricewaterhouseCoopers and the Department of Trade and Industry.