Register to become a member

IT is urged to form Y2K-style teams to tackle privacy

Computer Weekly / 29 April 1999 / David Bicknell

IT directors could lose their firms millions of pounds if they fail to deal with European data privacy legislation. And many are unaware of the scale of the compliance task.

Although the European directive harmonising data privacy legislation across the European Union (EU) was introduced at the start of the year, many national governments have yet to enforce it. In the UK the 1998 Data Protection Act will not come into force until 2001. Details of the Act should be finalised by the end of June.

Legal action
From January 2000, by which time some countries should have begun to enforce the directive, users operating in the EU could find themselves caught up in legal action from employees over privacy.

In addition, the variations in privacy rights between the US (which has no law protecting employees' privacy rights)and the EU has led to fears that users could find their international data traffic being trapped "in transit".

There have been suggestions that Y2K teams should start monitoring privacy issues as their work comes to an end, so urgent is the need to ensure firms are compliant with the harmonisation of privacy laws across Europe.

Such teams would also audit what data is held on staff by organisations - including US-based operations. Y2K teams are best-placed for this because they already have the best knowledge of what is currently held on firms' systems.

The problems of knowing what data is being held on employees, in which European country (or the US), and whether the company is legally covered to hold such sensitive data, has galvanised the International Commerce Exchange (ICX), a user group focusing on electronic commerce issues.

ICX (, which includes multinational companies such as Shell, is planning to create a code of conduct for privacy within six months, which organisations across the Continent can use as a checklist to ensure they are not going to face privacy restrictions.

The organisation hopes to make significant progress on the code of conduct at its annual conference in Dublin on 24-26 May

The privacy issue is a major one for IT directors even if they do not yet realise it. They are likely to be the target for queries from their boards .over whether their systems comply with the European directive. In addition, the wrangle between the Europe and the US over privacy could have a knock-on effect for users.

For example, Nick Mansfield, principal consultant at Shell, who is the driving force behind the code of conduct, has had to consider switching human resources data on Shell's US-based staff to European servers.

Personal data
"We have had to re-assess where we locate servers holding personal data. Much of this material is highly personal, and we do not want to fall foul of the law. This could be a nightmare for IT directors if they do not get to grips with it," said Mansfield.

One of the difficulties is that the privacy issue has been driven from the bottom up. Individuals and advocacy groups, rather than governments, have been the most dynamic players. The problem for users is that they have been seen to have ridden roughshod over privacy rights. Users' images are vulnerable as a result.

IT directors' stance until now has not been encouraging for privacy advocates. A recent poll of nearly 350 chief information officers in the US revealed that 60% believed the ability to track customers' preferences for their companies' data outweighed individuals' privacy rights.

This time next year the issue may not be whether your software is "Y2K compliant", but whether your systems are "privacy-proof".



ICX News

ICX in the News

Newsletter Archive (members only)