Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing regulatory compliance Stephen Mason, Barrister Director, Data Protection Research & Policy Group.

Similar presentations

Presentation on theme: "Managing regulatory compliance Stephen Mason, Barrister Director, Data Protection Research & Policy Group."— Presentation transcript:

1 Managing regulatory compliance Stephen Mason, Barrister Director, Data Protection Research & Policy Group

2 Outline 1.Overview 2.The business - legal interaction 3.Governance 4.Records management

3 1. Overview

4 The business perspective Dependence on IT infrastructure in running the business of the organization across jurisdictions Virtually all correspondence, papers, contracts and such like are now created by computers Varying degrees of confidentiality and privacy attributed to documents means they must be protected Data must remain available The integrity of documents should be considered Balance the costs of security and storage against the value of information and the risks

5 The liability Vicarious liability Falls at the highest levels There is a need to take appropriate measures to –Manage the infrastructure safely and securely –Prevent or detect improper or illegal activities taking place –Comply with legal and regulatory requirements The issue is how we adapt to and control the use of the technology

6 2. The business - legal interaction Control of data Value of e-mail correspondence: contract Employees Data protection Retention of documents Evidence Litigation

7 Controlling access to data Basis of control –The organization owns and controls the communications infrastructure –Various legal duties are imposed by judges, politicians and regulatory authorities Private use increases the risk to the organization Where private use not permitted, it must still be enforced by the organization

8 Contracts and e-signatures England and Wales Hall v Cognos Limited Pretty Pictures Sarl v Quixote Films Ltd United States of America Roger Edwards LLC v Fiddes & Son Ltd Singapore SM Integrated Transware Pte Ltd v Schenker Singapore (Pte) Ltd

9 E-mail and employees Defamation –Western Provident v Norwich Union Sexual discrimination (e.g of retaining e-mails for defensive reasons) –Carina Coleman v Lansdowne Capital Limited & Alan Dargan Forwarding inappropriate images –Sangster v Lehman Brothers Limited Criminal offences –Miseroy v Barclays Bank plc

10 Data protection: EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (23.11.95 OJ I281/31) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (12.1.2001 OPJ L8/1)

11 General global guidance Protection of workers’ personal data (International Labour Office, Geneva, 1997) Code of Practice for e-Work across Borders (Ethical Guidelines for World Wide Work, 2000

12 Human rights: comparisons United Kingdom Halford v United Kingdom (1977) EHRR 523 France Onof v Nikon France Decision no 4164, October 2, 2001 (99-42.942) United States of America Fraser v Nationwide Mutual Assurance 135 F Supp 2d 623 (E D Pa 2001) [amongst others] - no interception

13 Retention of documents Organizations need to keep certain types of document or record for both commercial and legal reasons There is no need to retain every document for ever Document retention periods are set against different criteria: –Retention periods prescribed by law –Rules issued by regulatory bodies –Best practice IT may be the custodians of the documents, but must be advised by legal, company secretary, compliance, HR, data protection The policy should: –Provide for the extension of time limits and the suspension of the disposal of documents where legal action is anticipated or has begun –Be reasonable, measured and appropriate

14 Evidence Digital documents are adduced in evidence in all types of forum There is a practical problem: many digital documents remain in an unstructured medium The content determines the nature of the document Some digital documents must be retained, whilst others can be legitimately deleted

15 E-documents in litigation Litigation is expensive (legal fees, court fees, directors time, IT time, media interest, reputation issues) The Fulbrights & Jaworski 2nd annual ‘Litigation Trends Survey’ (2005) illustrated an increasing problem: –Electronic disclosure is a serious issue –Most numerous types of dispute: employment, contract, product liability, IPR, personal injury What documents have you got to prove your case? How do you find them? All documents are admissible in legal proceedings, although judges have the discretion to exclude evidence Once a document is admissible, the next question is the weight of the evidence In deciding weight, the question is: how reliable is the evidence?

16 3. Governance The law and governance interweave

17 United States of America Legislation Sarbanes-Oxley Act of 2002 (Public Law 107-204 of the 107th Congress) Regulation US Securities and Exchange Commission Financial Accounting Standards Board (

18 European Union Report of the high level group of company law experts on a modern regulatory framework for company law in Europe (2002) Commission Recommendation of 16 May 2002 Statutory Auditors’ Independence in the EU: A Set of Fundamental Principles (OJ 19.7.2002 L 191/22) Communication from the Commission to the Council and the European Parliament reinforcing the statutory audit in the EU (OJ 2.10.2003 C 236/02) Report on European Governance (2003 - 2004) Modernising company law and enhancing corporate governance in the EU ( Proposal for a Directive of the European Parliament and of the Council on Statutory Audit of Annual and Consolidated Accounts

19 United Kingdom: legislation Companies Act 1985 (International Accounting Standards & other Accounting Amendments) Regulations 2004 SI 2004/2947 Companies Act 1985 (Operating & Financial Review and Directors’ Report etc) Regulations 2005 SI 2005/1011 Companies (Audit Investigations and Community Enterprise) Act 2004

20 United Kingdom: guidance Cadbury Report on the Financial Aspects of Corporate Governance (1992) Greenbury Recommendations for best practice in determining and accounting for Directors’ remuneration (1995) Turnbull Report on Internal Control Guidance for Directors on the Combined Code (1999) (Reviewed by Douglas Flint, 2004) Combined Code on Corporate Governance (2003) [supersedes and replaces the Combined Code issued by the Hampel Committee on Corporate Governance in1998] Higgs Review of the role and effectiveness of non-executive directors (2003) Tyson Report on the Recruitment and Development of Non-Executive Directors (2003)

21 Global and regional OCED –Principles of Corporate Governance (1999) Commonwealth Association for Corporate Governance –Guidelines (1999)

22 4. Records management Some issues to consider

23 Some considerations Litigation Freedom of Information requests Protection of data (personal and corporate) –Internally –From outside attacks –Legal privilege Issues of confidentiality as between jurisdictions Balancing: –Internal audit and risk –Ease of use of IT system –Development of the technical architecture –Limitations of the technology –Human behaviour

24 The response Priorities need to be agreed: –IT needs to be higher on the agenda –Revenue and growth are not incompatible with security and privacy –In the commercial field, the Logica-CMG (2004) survey demonstrated that shareholders rate IT security as a high priority The pressure to do something to take control of digital data is coming from the need to comply with laws and the regulatory framework The balancing act: –the cost of retaining documents + security + storage + retrieval + business continuity + disaster recovery against –the value of information and the risks: especially regulatory and legal

25 Concluding remarks

26 A networked world Business processes and the law are inextricably intertwined Whatever your business, your data is central –Employees data –Customers data –Intellectual property End user security is sloppy Data and communications tend to be handled recklessly Attitudes must change IT are only the custodians of the data

27 The eternal triangle 1.Politicians pass laws 2.Best practice and good governance 3.Judges interpret laws These closely interrelate: somebody has to balance them

28 Stephen Mason Director, Digital Evidence Research Programme British Institute of International and Comparative Law Charles Clore House 17 Russell Square LONDON WC1B 5JP Direct telephone number: + 44 (0)20 7862 5436 Telephone number: + 44 (0)20 7862 5159 Facsimile number: + 44 (0)20 7862 5152 Main publications: Electronic Signatures in Law (LexisNexis Butterworths, 2003) Networked communications and compliance with the law (xpl publishing, 5th edn, 2005) General Editor of the e-Signature Law Journal

Download ppt "Managing regulatory compliance Stephen Mason, Barrister Director, Data Protection Research & Policy Group."

Similar presentations

Ads by Google