Leaving Data

Tomas Nielsen, IT Systems Magazine

Once a company starts to store its data in electronic form, the question of security soon arises. It becomes more urgent when the company does not keep its data on its own computers but uses external (outsourced) services. So what approach should a company take when it hands the administration of its data over to a third party?

The risk of data being lost always exists. That is why the part of the IT industry specialising in data storage outsourcing has flourished in recent years: many companies entrust their data to the (hopefully) better-protected storage facilities of specialised providers. Transferring data to an outsourcing company may, however, raise psychological barriers ("will my data be safe outside the building?"). There are legal barriers as well, and companies should be prepared to deal with them.

Giving up full control over the company's own data, whether by leasing remote storage or by using remote information systems whose databases are administered outside the company's own servers, is a step that needs to be considered very carefully. There are many arguments in favour of such a decision: business and marketing arguments ("leave data protection to the experts and focus on your core business"), technical arguments (specialised data protection companies usually offer affordable and sophisticated preventive measures as well as subsequent forensic capabilities) and legal arguments.

The most important legal consequence is that liability for data loss shifts from the labour-law regime to the commercial-law regime. Apart from loss of data caused by professional attackers, the main risk lies in leaks caused by the negligence of the company's own personnel. If the person responsible is the company's own employee, then, under the statutory rules on employee liability for negligence, the company can claim damages only up to 4.5 times the employee's average monthly earnings. If the misconduct is on the part of an external service provider, however, liability is governed exclusively by the contract concluded between the parties. Besides damages, contractual penalties may be agreed; a penalty is payable without the injured party having to prove the amount of the damage, which is a great advantage, because the extent of damage caused by data loss or leakage is hard to prove.

Before transferring data to a third party for administration, a company should analyse which data are to be transferred and what level of protection they require. For the company's own data, such as its know-how, these questions are for management alone to assess. Know-how, business procedures and the like are usually protected only as so-called trade secrets. To qualify for that protection they must meet the conditions set out in Section 17 of the Czech Commercial Code, and one condition at the end of that provision is crucial yet often underestimated: a trade secret consists only of facts that "are to be kept confidential at the discretion of the entrepreneur, who ensures their protection in a suitable manner". In other words, the company's authorised representatives must choose carefully whom they entrust with the company's data and must ensure those data are protected (in particular by contract) so that they keep their status as trade secrets. Failure to do so may, in extreme cases, make the members of the governing body liable for damage caused by the disclosure of a trade secret, or even criminally liable for breach of duty in administering another person's property.

Personal data are subject to specific protection. If the data being processed (stored) are personal data, the company must know where they will be stored. If the administrator is located in the EU, there should be no fundamental problem. The one thing to bear in mind is that, when data are placed abroad, the legislation of the state concerned may apply: personal data protection rules often cover not only companies with their registered seat in that country but also data processed in systems located there. Companies should therefore pay attention to local legislation and make sure they do not commit an administrative or other offence, even unknowingly. If the data are to be stored outside the EU, the company must take into account the legislation based on Directive 95/46/EC of the European Parliament and of the Council (since replaced by the GDPR, Regulation (EU) 2016/679, which carries the same adequacy mechanism forward). The Directive requires member states to restrict transfers of personal data to countries whose level of protection does not match that applied in the European Union. The European Commission publishes a list of non-member states in which personal data protection is considered adequate. If the country in which the company wishes to store its data is not on that list, the company is advised to seek the Commission's position before transferring the data.

There are also other types of data requiring special protection, for example in banking, the legal profession, energy, electronic communications and similar fields. Companies wishing to use modern data processing technologies should first clearly define the type of data they intend to transfer and analyse the legal consequences of the transfer. IT service providers offering models such as outsourcing, SaaS or the increasingly popular cloud computing should respond to these requirements and approach their customers with offers that are fully transparent. One can hope that the European Union will gradually accept the new IT business models and adapt its rather strict and broad regulation to the new market conditions.