Protect your data

It pays to know the difference between data protection and the protection of data.

In business today, the phrase 'dataprotection' has a different meaning and purpose than 'protection of data' - but bringing together the right technology and processes for the two missions individually can have overlapping benefits, according to IT and legal experts.

On the other hand, failing to take a 21st century approach to either task can have a devastating impact on a company in this data-sensitive age.

"If you have a records retention policy, for instance, that is based on a paper environment, and you're operating in a real-time, online environment with e-mail and messaging, your policy is simply outdated," says Alan Brill, senior managing director of Kroll Ontrack, the technical services group of global risk consultancy Kroll. "Companies have a responsibility to make sure their HR policies keep up with technology."

'Data protection' refers to implementing regulations that involve primarily personal data. 'Protection of data', on the other hand, has more commercial implications, focusing on easily identifiable information and proprietary data, such as intellectual property. But both are getting their share - and more - of corporate attention.

"The issues of protection of data, confidentiality and personal data protection are rising up the agenda of importance within companies," says Justin Ellis, partner in the innovation and media group of UK law firm, DMH.

HR may be more immediately concerned with data protection (see box), but its attention is likely to be increasingly drawn to issues involving the protection of data in the development and implementation of corporate policies surrounding employee computer usage.

Such policies must focus on keeping corporate proprietary information safe, as well as on maintaining company IT systems' security and meeting regulatory compliance, particularly within the financial services industry.

And it's not just IT's problem. HR is widely seen as the critical element in ensuring the effective use of such policies. "These policies can't be left just to IT because in many cases, the distribution and enforcement mechanisms go through HR," says Brill. "HR are the professionals within the company who know the most about drafting effective policies that will be understandable to the users and will pass legal muster."

To help business protect its proprietary data and guard against inappropriate - or even illegal - internet activity in the workplace, advanced software tools have been developed to scrutinise e-mail and voice communications for clues to possible wrong-doing. Some even operate in real time. They are not cheap, but as Brill says, "It's a matter of becoming sufficiently secure to get a real cost benefit, and I think that time is coming".

Factors prompting the development of and interest in such sophisticated tools include global terrorism, malicious computer attacks, heightened regulatory environments and legal pressures. But fortunately, the benefits of investing in highly sophisticated software that can detect slips in confidentiality or the ill-intended sharing of information for personal gain, actually can be spread throughout an organisation's different operations - even for HR management practices, according to Ian Black, managing director of Cambridge's Aungate, a division of Autonomy, a leader in the field of intelligent software.

Black says that several major consultancies are looking at such tools for potential use in HR management practices.

"Businesses are approaching this as another way of measuring their processes, to measure the soft parts of their business," Black says. "It's the beginning of a new era - exciting and nerve-racking."

• The CIPD's Software Show 2004 takes place on 23 and 24 June at Olympia, London. For further information, call 020 8263 3434

Data protection for HR

A collective sigh of relief could be heard throughout the UK's HR community last December when the Court of Appeal issued findings in the case of Durant v Financial Services Authority.

As interpreted by the court, the most crucial points involved limiting the scope of what could be defined 'personal' data under the Data Protection Act 1998, and determining what comprised 'a relevant filing system' - both points being key factors with 'subject access requests' or requests from employees for information held about themselves.

"I think that case was very helpful as far as employers are concerned," says DMH's Justin Ellis.

Subject access requests, Ellis says, are "used quite often as a tool for disgruntled employees to try to get information about themselves or just to cause inconvenience to their former employer. I think that's one area where HR managers are finding the Data Protection Act challenging".

A subsequent High Court case in February, Johnson v Medical Defence Union Ltd, followed Durant in taking a narrow approach to what counts as personal data, says Christopher Mordue of law firm Pinsents, confirming that the mere mention of an individual in an e-mail or letter is not enough. The document must focus on the individual in a personal sense, affect their privacy or be essentially biographical in nature. Johnson also stresses that many manual filing systems fall outside the scope of a subject access request and supports the withholding of data to respect the rights of third parties whose own data is included.

"On the other hand, Johnson shows that a set of documents can amount to personal data when considered as a whole," Mordue says.

Mordue warns that it's too early to consider the Durant findings to be the ultimate solution, adding that practitioners involved in responding to data requests "still face an onerous and uncertain task".

www.informationcommissioner.gov.uk