Issue No. 307

7 - 13 September 2000

Information Technology - avoid it, embrace it or manage it

by Alan Alden, ERS, Practice, Deloitte & Touche

This is the first of a series of articles aimed at giving easy-to-understand insight into the challenges facing businesses today in the constantly changing world of information technology.

The articles serve as a run-up to a one-day conference being organised by Deloitte & Touche, which will be held at the Malta Hilton on 27 September. The focus of the conference, "Technology, Avoid IT, Embrace IT or Manage IT?", is the ever-growing proliferation of Information Technology and the new risks and opportunities emerging from it.

The aim of every business is to increase or maintain its market share and the resulting profitability. However, the Internet has brought about a revolution in the way business is carried out, both with other businesses and with consumers, and this is bringing about new challenges.

Privacy - what privacy?

Information is money (and power). Consequently, at every opportunity someone somewhere is attempting to gather information about you. They want to know where you live, where you work, how many children you have, what your hobbies are, what you buy, what insurance policies you have, your tastes, and so on. Furthermore, we constantly give away information to enterprises and government entities so that we may receive a service or to satisfy local legislation, for example, tax regulations. Therefore, there is a lot of information about you held on different systems (manual and automated) over which you have no control.

Why do people gather information about individuals?

There are businesses with products and/or services to sell, and they want to know who has the money and who will be interested in buying them. Therefore, either by buying information from third parties or by gathering information about individuals themselves, they can target the right persons more easily and more cheaply. This is called direct marketing, and it is proving to be a highly cost-effective method of selling.

In the new Maltese Data Protection Law White Paper there is a special section which states that whoever is collecting the data must allow the data subject the option to opt out from direct marketing.

Another acronym you may hear is CRM, which stands for Customer Relationship Management. Databases are being designed to give management access to customer information in a form that lets them make specific marketing decisions or design products and services. Then there is data which is gathered and used in the day-to-day running of the business. For example, most enterprises have a company payroll system which contains information about present and past employees.

These systems may contain health, financial and other personal information about employees. The company will be expected to keep this information as private as possible no matter where it is stored.

Is it legal to do this?

At the moment, in Malta it is not illegal to collect information or to pass information to third parties, unless that information is covered by the Professional Secrecy Act 1994, where the penalty for breaking the law is a maximum fine of Lm20,000 and/or a maximum of two years imprisonment. This act covers information held by banks, lawyers, doctors, insurance companies, stockbrokers, fund managers, government employees and other professionals about their customers, and lays down strict requirements on the holders of the data and those with access to it. Apart from this act there are also the MFSC Act, the Banking Act, the Investment Services Act, the Insurance Business Act and other similar ones which offer protection to more specific customers and/or data.

However, protection for all consumers will be forthcoming as we prepare for accession to the EU and embrace the Internet age and e-business. White Papers have already been published for the Data Protection Law, the e-Commerce Law and the Computer Misuse Law, and they should soon be enacted. They should offer Maltese citizens, and other citizens carrying out business in Malta, the same level of protection offered in EU countries.

The Data Protection Law, which is the main subject of this discussion, covers all entities holding any data pertaining to an individual (natural person). So far, it seems that data relating to companies has been excluded from the Act. Another major improvement to consumer protection is that this act imposes upon holders of data the responsibility of implementing adequate security measures, "technical and organisational", to protect the data.

It also gives rights to the individual over his personal data held. The White Paper defines this individual as a "Data Subject" and the holder of such data as being a "Controller of Data".

The act gives a holder of data the right to use data belonging to a natural person, but ownership of the data is never actually transferred from the data subject to the controller of the data.

The Data Protection Act broadly states that personal data shall only be collected and used for the purposes intended by persons authorised to do so. This purpose must also be a legitimate one. The data processed must be accurate and up to date and removed from the organisation's system when no longer required.

The consumer also has the right to oppose further processing of his data and to revoke at any time consent that had previously been given. While this is protection for the consumer, it may cause problems for the controller of the data, who must be able to find and stop every use of that data once consent is withdrawn.

There is also special protection afforded to sensitive data, such as race and political belief, and on how the Identity Card Number can and cannot be used.

The law gives the competent authority the power to stop processing of data if a controller of data does not comply with the requirements of the act.

What sort of security does the Data Protection Act require?

Most of the principles should not be too complex to comply with by implementing appropriate controls and procedures.

On the other hand, the security issue, especially in computerised environments, will be harder to comply with. The act states "The controller of personal data shall implement appropriate technical and organisational measures to protect the personal data."

It is not clear what is meant by "appropriate". The company may have to demonstrate that it is committed to security and has introduced the necessary processes to ensure the continued security of its systems. Other countries have adopted control frameworks such as COSO (United States), CoCo (Canada), Cadbury (UK) and COBIT (ISACA) which can serve as guidelines to determine whether the controls are appropriate or not. What will Malta adopt?

How do we go about securing all the data we hold?

First of all, it is essential to carry out a risk assessment to determine whether the law affects your company and to what extent:

In order to secure data cost-effectively, the first step is to identify all the data and where it is held (both electronically and in paper format).

The next step is to classify the data you hold on your systems. Some data may be readable by all, for example, name and address; other data, such as salary or health details, must be restricted.

The next step is to identify who requires access to each of the various data components.

The next step is to implement the controls necessary to restrict access to authorised personnel.

And finally, monitor that controls are being adhered to.

The last two steps would be the most difficult to implement, as granting specific users access to specific data components (rather than to whole records) requires a flexible and carefully designed database and application. However, who is going to do this? Who will monitor that these controls are being adhered to?
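To make the five steps above concrete, here is an added example (not from the article, and not any particular product): a small Python store of personal data in which every field is inventoried and classified, each role is granted access to named fields rather than whole records, every read is logged, the direct-marketing opt-out from the White Paper is honoured, and a review function goes over the log afterwards to show whether the controls are being respected. The field names, roles, users and records are constructed for illustration.

```python
"""Field-level access control over personal data with a classification
inventory, per-role grants, an audit trail and a post-hoc review.

Added example, not code from the article. All names and records are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Classification levels used for the field inventory (constructed labels).
PUBLIC, INTERNAL, CONFIDENTIAL, SENSITIVE = 0, 1, 2, 3

# Steps 1 and 2: every personal-data field the system holds and its class.
FIELD_CLASS: Dict[str, int] = {
    "name": PUBLIC,
    "address": PUBLIC,
    "marketing_opt_out": INTERNAL,
    "id_card": CONFIDENTIAL,
    "salary": CONFIDENTIAL,
    "health": SENSITIVE,
}

# Step 3: which role needs which fields. Grants are per field, not per
# level, so clearance for one confidential field does not imply another.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"name", "address"}),
    "payroll": frozenset({"name", "id_card", "salary"}),
    "medical_officer": frozenset({"name", "health"}),
    "marketing": frozenset({"name", "address", "marketing_opt_out"}),
}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    subject_id: str
    granted: FrozenSet[str]
    denied: FrozenSet[str]


class PersonalDataStore:
    """Step 4: records are only reachable through read(), which returns
    just the fields the caller's role is granted and logs every request."""

    def __init__(self, records: Dict[str, Dict[str, object]]):
        # Refuse to hold any field that was never inventoried (step 1).
        unknown = {f for r in records.values() for f in r} - set(FIELD_CLASS)
        if unknown:
            raise ValueError(f"unclassified fields: {sorted(unknown)}")
        self._records = {sid: dict(r) for sid, r in records.items()}
        self.audit: List[AuditEvent] = []

    def read(self, user: str, role: str, subject_id: str,
             fields: Iterable[str]) -> Dict[str, object]:
        requested = frozenset(fields)
        allowed = ROLE_FIELDS.get(role, frozenset())  # unknown role: nothing
        granted, denied = requested & allowed, requested - allowed
        self.audit.append(AuditEvent(user, role, subject_id, granted, denied))
        record = self._records[subject_id]  # KeyError once erased
        return {f: record[f] for f in granted if f in record}

    def marketing_targets(self, user: str) -> List[Tuple[object, object]]:
        """Direct-marketing list that skips anyone who has opted out."""
        targets = []
        for sid in list(self._records):
            view = self.read(user, "marketing", sid,
                             ["name", "address", "marketing_opt_out"])
            if not view.get("marketing_opt_out", True):  # missing flag: skip
                targets.append((view["name"], view["address"]))
        return targets

    def erase(self, subject_id: str) -> None:
        """Consent revoked or data no longer required: drop the record so
        later reads fail instead of returning stale data."""
        del self._records[subject_id]


def review_audit(audit: Iterable[AuditEvent], max_denials: int = 1) -> Dict[str, dict]:
    """Step 5: flag users whose denied requests touched a sensitive field
    or who were refused more than max_denials times."""
    report: Dict[str, dict] = {}
    for ev in audit:
        if not ev.denied:
            continue
        entry = report.setdefault(ev.user, {"denials": 0, "sensitive": set()})
        entry["denials"] += 1
        entry["sensitive"] |= {f for f in ev.denied if FIELD_CLASS[f] >= SENSITIVE}
    return {u: e for u, e in report.items()
            if e["denials"] > max_denials or e["sensitive"]}


# Constructed sample data.
RECORDS = {
    "S001": {"name": "A. Borg", "address": "Valletta", "marketing_opt_out": False,
             "id_card": "ID-0001", "salary": 18000, "health": "none recorded"},
    "S002": {"name": "C. Vella", "address": "Sliema", "marketing_opt_out": True,
             "id_card": "ID-0002", "salary": 21000, "health": "asthma"},
}


def demo():
    store = PersonalDataStore(RECORDS)
    payroll_view = store.read("anna", "payroll", "S002", ["name", "salary", "health"])
    targets = store.marketing_targets("mark")          # S002 opted out
    store.read("bob", "receptionist", "S001", ["health"])
    store.read("bob", "receptionist", "S002", ["salary"])
    flagged = review_audit(store.audit)
    store.erase("S002")                                # consent revoked
    return payroll_view, targets, flagged


if __name__ == "__main__":
    print(demo())
```

The point of granting fields rather than records is that the payroll user gets the salary but never sees the health entry, even though both sit in the same row; the audit log then gives the monitoring step something to check, and the review reports the receptionist who probed fields outside his role.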

The answers to these questions are not that straightforward, especially for smaller companies. However, the Data Protection Act does take cost into account when talking about the implementation of security.

For the bigger organisations, the answer would be the creation of an Information Security Department, an Internal Audit Department, an Audit Committee and a Compliance Unit. These departments are part of the corporate governance recommendations outlined in the control frameworks mentioned above.

For more information on this one day conference contact Deloitte & Touche on tel: 335323, fax: 332606 or conferences@deloitte.com.mt.

© Standard Publications Limited 1999