Post on 17-Dec-2015
transcript
Legal Issues in Smart Card Projects
Shelagh Gaskill, Partner and Jon Fell, Partner
Introduction
- What is a smart card?
- Who owns a smart card?
- Who are the key players?
- What are the key contractual relationships?
- Typical contracts
- Information security
- Entitlement Cards Consultation Paper
- Biometrics
What is a smart card?
- Credit card sized card with integrated chip
- Memory only
- EEPROM (Electrically Erasable Programmable Read Only Memory)
- Contact or contactless
- Single function -v- multiple function
- One card or many
- Interoperability of systems
Examples of Smart Cards
- ID cards and medical cards
- Phone cards
- Transport cards
- Building access cards
- Technology access cards
- E-Money cards, e.g. Mondex
Who owns a smart card?
- Who has an interest in the card? Card issuer, secondary service provider, card user
- Card issuer: owner and controller, but who is the card issuer?
- Card user has little or no interest
Who are the key players?
- Smart card suppliers
- IT suppliers
- Card issuers
- Card users
Main contractual relationships
- Card issuer and card supplier
- Card issuer and IT suppliers
- Card issuer and secondary service providers
- Card issuer and card user
- Card user and secondary service providers
Main contractual relationships (diagram): Card Issuer at the centre, linked to Card Supplier, IT Suppliers, Secondary Service Provider and Card User
Typical contracts
- Card Issuer and Card Supplier: Development Agreement for design of card; Supply Agreement; Data Processing Agreement
- Card Issuer and IT Suppliers: Data Processing Agreement; Hosting Agreement; Outsourcing Agreement; Maintenance Agreement; Systems Supply and Integration Agreements
- Card Issuer and Secondary Service Providers: "Rental" Agreement; Data Processing Agreement
- Card Issuer and Card User: Terms and Conditions of Use; Data Protection Notice
- Card User and Secondary Service Providers: Terms and Conditions of Use; Data Protection Notice
Main contractual issues
- Warranties: quality of the card; technical specification - interoperability; intellectual property
- Security: processes and procedures; maintain and enhance
- Data management: data processing; data sharing - access protocols
- Scheme management: issue and renewal of cards; revocation of cards; alteration of card functionality; maintenance of central database; availability of card readers and infrastructure; password and PIN control
- Service levels: response and fix times; availability
- Limitation of liability: who is liable for what? Does one party take overall responsibility?
- Ownership of card: who has power to revoke? What is the principal object of the card?
- Term and termination
CITU - Smart Cards Framework Paper
Information security
ISO 17799: Code of Practice for Information Security
- Confidentiality: accessible only to authorised personnel
- Integrity: safeguarding accuracy and completeness
- Availability: authorised users able to access when required
PIU Privacy and Data Sharing Report, April 2002, recommends that ISO 17799 be adopted across the Public Sector (Recommendation 13).
ISO 17799 covers:
- Asset classification and control
- Risk assessment and management
- Security policy
- Security responsibility
- Technical and organisational measures
www.humanfirewall.org
Entitlement Cards and Identity Fraud
Consultation Paper issued 3 July 2002; closes 10 January 2003.
Entitlement Card Scheme:
- Central database of all UK residents
- Secure procedures for entering and maintaining data
- Links between central register and other systems
- Issue of cards to everyone on the central register
Three possible models: voluntary, universal, compulsory.
Uses:
- Provision of better services
- Tackling identity fraud
- Tackling illegal immigration and illegal working
- Convenient travel document
- Proof of age
- Reducing crime
- Electoral registration and voting
- Emergency medical information
Legal Basis for Scheme
- Primary legislation: all residents, not just citizens
- Power to make regulations on: how cards will be issued; information sharing
- New criminal offences: fraudulent application for or use of a card; counterfeiting; identity fraud
- Statutory powers: does the card issuer have the necessary powers?
Biometrics
Physiological measurements:
- DNA: best identifier, but analysis is expensive and slow
- Fingerprints: not unique; can be difficult to collect electronically
- Iris recognition: need to focus on a fixed point; does not work well with blind or partially sighted people
- Facial recognition: our faces change over time
Issues with Biometrics
- Live subjects only
- Constant need for renewal: as we get older we change; susceptible to accidents
- Electronic files can be copied, hacked or corrupted
- No fall back position
- Biometric database: safeguards
30 Aylesbury Street, London EC1R 0ER
Tel: 020 7490 6377
Fax: 020 7490 2545
www.masons.com
www.out-law.com
jon.fell@masons.com
Legal Issues in Smart Card Projects
Shelagh Gaskill, Partner
Trends
- Move towards interoperability or multi-application use
- Renting of spare capacity
- Integrated Government services and e-Government
What Are the Main Privacy Concerns?
- Identity theft
- Modification or duplication of data
- Data matching
- Access to data and security
- Location data and location technologies
Data controller
- Old definition: data user controlled the "contents and use" of the data
- New definition: data controller determines the "purposes for which and the manner in which personal data are processed"
- Compare the position of data processors: front-end collectors of data
Data
- Data means information which is automatically processed, recorded with the intention … recorded as part of a relevant filing system
- What is a relevant filing system?
Personal data
- Must relate to and identify a living individual
- Includes data which are "likely to come into the possession" of the controller (encrypted data)
- Distinction between opinion and intention is removed
Processing
- Definition of "processing" is very wide: obtaining, recording, using, holding, erasure, destruction, "any operation" on the data
- Used to be processing by "reference to the data subject"
- Business to business lists now caught
Data processor
- Anyone instructed by the data controller to do any operation on personal data, excluding employees of the data controller
- New requirements: contract in writing; adequate security measures; must only act on controller's instructions; imposes obligations similar to the 7th principle; data controllers must audit the data processor's compliance with the contract
- Seventh principle: security measures against the unauthorised or unlawful processing of personal data and accidental loss or destruction of personal data
Four Golden Rules for Smart Card Processing
- Schedule 2 - for all personal data, AND
- Schedule 3 - but only for sensitive personal data, AND
- Article 10 notice - for everybody, AND
- Article 11 notice - for all third parties, unless recording the information by law or disproportionate effort
Lawful processing
Schedule 2 conditions:
- the data subject has consented
- processing is necessary for the performance of a contract or pre-contract steps
- legal obligation of the data controller (other than contract)
- vital interests of the data subject
- administration of justice, by or under any enactment, government department etc.
- legitimate interests of the data controller, so long as the rights and freedoms or legitimate interests of the data subject are not prejudiced
Sensitive data are:
- Racial or ethnic origin
- Political opinions
- Religious or other beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life
- Criminal offences or criminal convictions
Schedule 3 conditions:
- the data subject has given his explicit consent
- the processing is necessary for rights or obligations in connection with employment
- necessary to protect the vital interests of the data subject or another person
- non-profit making bodies
- where the personal data have been made public by the data subject
- the processing is necessary for legal proceedings, legal advice or defending legal rights
- administration of justice, by or under any enactment, government department
- medical purposes by a health professional
- racial or ethnic origin, equality of opportunity
Subordinate legislation provides further conditions where processing can take place without explicit consent, for preventing or detecting unlawful acts or confidential counselling.
Consent
- Difference between consent and explicit consent is governed by the amount of information the data controller gives to the data subject in the Article 10 or Article 11 notice
How to obtain consent:
- a positive action on the part of the data subject is required
- silence or inaction can never equal consent
- consent can be oral, it does not have to be in writing
- consent does not last forever
Fair processing
- In addition to lawful processing you must process fairly.
- Processing will not be fair unless you also give a data protection notice, or the Act excuses you from giving a notice, or all your processing activities are obvious.
Data protection notice
The data subject must be told:
- the identity of the data controller;
- the purposes of the processing, especially any non-obvious uses: cross-mailing by group companies or third parties; marketing by telephone, fax or e-mail; credit scoring or credit searching; and use of transactional data;
- the identity of any third parties to whom the data may be disclosed and their purposes;
- any other information that is necessary to make the processing fair: right of access to personal data; right to rectify any inaccuracies in the data.
How to position notice on website
- Position the notice so that it cannot be avoided by links
- Make the notice a mandatory screen presentation with accept or reject button - Netscape case
- Granularity - multiple opt-outs
- Ensure IT systems can cope
Automated decisions
An individual may demand that no decision significantly affecting him is made solely by automatic means for the purpose of evaluating matters relating to him, for example his performance at work, his credit worthiness, his conduct.
Exemptions: the right does not apply if the decision was:
- taken in the course of entering into or performing a contract; and the effect of the decision is to grant a request of the data subject; or
- steps have been taken to safeguard the legitimate interests of the data subject, for example he has been given an immediate right of appeal.
Second principle
- Personal data must be obtained for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes
- Data protection notices
Third principle
- Personal data must be adequate, relevant and not excessive
- How often do you check your data? Do you spring clean?
Fourth principle
- Personal data must be accurate and kept up to date
- Controller must take steps to check accuracy of data
- Have a procedure to flag inaccuracies in the data which are notified to the controller by the data subject
Fifth principle
- Personal data must not be kept for longer than necessary
- Do you have procedures in place to ensure that data are not kept longer than necessary?
Sixth principle
- Personal data must be processed in accordance with the rights of data subjects
- This is limited to provisions regarding: access to personal data; processing causing damage or distress; direct marketing; automated decision-taking
Seventh principle
- Technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of personal data
- Consider the harm that might result and the nature of the data
- Data processors - contracts
- Consider access controls, audit trails, reliability of staff, training and awareness
- BS7799 / ISO 17799
Data processors
Seventh data protection principle:
- Data controller must put a contract in writing with all data processors
- Organisational and technical measures to keep the personal data safe
- Right of audit
What is a data processor? Any service provider who comes into contact with personal data:
- website developers
- statutory auditors
- IT outsourcing companies
- organisations who take away and destroy confidential computer printouts
Eighth principle
- Personal data must not be transferred to a country outside the EEA unless it ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Data controller
- Assumes all the obligations, liabilities and costs - e.g. 45 IT systems implications of the 1998 Act
- Has to take reasonable steps to ensure the accuracy of the information
- But gets to use the data for any purposes specified in the data protection notice
Data processor
- The Act does not apply to data processors
- The law which applies is the contract imposed by the data controller
- But gets no rights to use the data
Cost benefit analysis
- Analyse the business requirement
- Calculate costs of compliance
- Calculate the value of the data
- Reach a reasoned conclusion
- Negotiation
Information sent to UK from abroad
- Data controller established in UK
- Data controller established outside EEA but uses equipment in UK for processing otherwise than for transit
Transfers of personal data to third countries
- Eighth data protection principle: transfers outside the EEA prohibited unless that country ensures an adequate level of protection
- Adequacy findings - Switzerland, Hungary and Canada
- Analyse the nature of the transfer: if from data controller to mere data processor then adequacy can be ensured by the data processor contract
- International groups of companies; banking or travel industries; professional services; transfers governed by IP rights; sale by data controller to data controller
Schedule 4 - The Derogations
- Data subject has consented
- Transfer is necessary for the performance of a contract with the data subject or pre-contract steps
- Transfer is necessary for a contract with a third party at the request of, or in the interests of, the data subject
- Substantial public interest
- Legal proceedings, legal advice or establishing, exercising or defending legal rights
- Vital interests of the data subject
- Public register data
- Terms approved by the Commissioner
- Transfer authorised by the Commissioner
Model Contracts
EU Commission Decisions:
- Data controller to data controller - 18 June 2001
- Data controller to data processor - 27 December 2001
- ICC clauses - 17 September 2001
Transfers to third countries
If the transfer is from data controller to data controller then the other adequacy tests must be satisfied:
- Data protection law with independent data protection commissioner
- No data protection law, but general law satisfactory to uphold contract rights
Safe Harbor
- Data controller to data controller (so not US websites)
- US entity must be subject to a statutory body, e.g. Federal Trade Commission
- US entity must sign up by developing its own compliant policy, or TRUSTe, or US sector regulations
- Self-certifying to US Department of Commerce; requirement for specified information, e.g. published privacy policy
- List opened in November: www.ita.doc.gov/econ
- Annual review
- Complaints from individuals must be dealt with by an independent body
- FTC - unfair trade practices - for breach
Rights of data subjects
Data subject rights have been extended, for example:
- access to manual data
- access to the logic of any computerised decision making process
- right to prevent certain processing
- rights in relation to automated decision taking
Access to personal data
Request in writing and payment of fee. Right to be informed:
- whether personal data are being processed and, if so, to be given a description of the personal data
- to be told in an intelligible form the purposes for the processing
- the sources of those data
- the recipients of those data (which includes employees and data processors)
- the logic of a decision (if taken by solely automatic means)
Preventing processing
An individual can require the controller to cease processing his personal data if:
- the processing is likely to cause substantial damage or distress, and
- such damage or distress is unwarranted
The right does not apply:
- if the individual has consented
- if performing or entering into a contract
- if complying with a legal obligation
- in order to protect the vital interests of the individual
Direct marketing
The Act introduces a more rigorous regime in respect of direct marketing:
- absolute right to prevent processing
- no reasons need be given
- no exemptions
Compensation
- Compensation for damage
- Compensation for distress plus damage
- Defence: such care as was reasonably required to comply with the requirement concerned
E-Government
Problems with data sharing and data matching, particularly in local government.
PIU Report on Privacy and Data Sharing:
- Published on 12 April 2002, www.piu.gov.uk
- Two years in the writing
- Aim: "New strategic approach to the use of personal data held by public sector"
Why are the issues of privacy and data sharing important?
- Public expect "joined-up" and "personalised" services
- New technologies
- New legal framework: DPA and HRA
- Public concern about privacy is on the rise
Twin Objectives
- Enhancing privacy - public trust is key
- Better use of personal data to deliver public services
- Not mutually exclusive
- PM endorsed view
Key Recommendations
- Twenty-five main recommendations
- Three recommendations for consultation
- Pick out key points
- Many general best practice recommendations - consistent with DPA; for example, clear principles for collection, use, access, management and correction of data
Themes:
- Building public trust
- Improving accuracy and reliability
- More secure and joined up data use
- Modernising management of public sector data
- Legal framework
Building Public Trust
- Clear and consistent principles across the public sector - a Public Services Trust Charter - Recommendation one
- Consultation set out in report
- Codes of practice, information sharing protocols, management guidance
- Recommendation two - FOI bodies publish data sets held and data-sharing practices as part of publication scheme, a supplement to subject access
- Recommendations three and four - improve and set targets for subject access; produce guidance on rights
- Recommendation seven - all public sector organisations to have a Chief Knowledge Officer with expert deputies for DP, HR and FOIA
Accuracy and Reliability
- Data field standardisation - Office of the e-Envoy
- Standards in data labelling
- LC and PRO to publish model codes of practice and protocols
- The use of data protection audits is recommended
- Development of data quality audit tool
Secure and joined up data use
- Secure use - identification, authentication and entitlement
- Privacy enhancing technologies - P3P and hardcoding
- Recommendation thirteen - ISO 17799 should be adopted across public sector
- Recommendation sixteen - programme of smart card pilots / interoperability - page 88
Managing information
- Information management is a core function of service delivery
- Chief Knowledge Officer - board level
- Better training for information management professionals
Legal framework
- Lord Chancellor to develop guidance on data sharing in current legal framework
- Government to consult on legislation to enable public bodies to share personal data with consent
- Government to consult on legislation to allow sharing without consent by SI
Points to Consider When Considering Smart Card Projects
- Data processor or data controller: who owns the data?
- Data processor contracts in place
- Proper security standards - 7th Principle
- If government - statutory grounds for processing
- Adequate data protection notices
- Access and disclosure procedures
30 Aylesbury Street, London EC1R 0ER
Tel: 020 7490 6591
Fax: 020 7490 2545
www.masons.com
www.out-law.com
shelagh.gaskill@masons.com