TELECOM FIRMS and Internet service providers (ISPs) are getting ready for important changes in UK data protection laws concerning privacy and electronic communications next month.
Speaking at London's Infosecurity conference, the Information Commissioner's Office (ICO) director of data protection David Smith said the new rules will only apply, for the moment, to telcos, such as British Telecom (BT), mobile phone companies and ISPs.
For ISPs, notification of data breaches to the ICO and customers who have been affected will become a legal requirement for the first time in the UK. They will also be legally obliged to have a security policy.
The ICO's legal powers will also be extended: it will gain a compulsory power of audit to check that service providers have made the data breach notifications they were supposed to, and the ability to impose monetary penalties if they haven't.
One of the most important new laws concerns "consent to cookies". Cookies are small pieces of data that a website stores in the user's web browser, and they can often hold information the user does not want to share.
Smith said, "The directive behind the new law essentially says that any storage of information on the user which is not strictly necessary for the provision of a service (such as a cookie on a browser) can only take place with the consent of the individual."
"That is a substantial change in the current law where essentially it is kept unless the user or individual objects," he stated.
For example, this might be information left behind in an Amazon shopping basket but also used in the delivery of marketing messages.
He added, "There will be an easing-in period where we suspend enforcement action, but these regulations and changes do need to be taken seriously."
"There are activities going on to change how web browsers work, but at the end of the day it is the operator of the website who is responsible for ensuring compliance."
Smith said that the new legal provisions will clearly place requirements on service providers like BT to get clear consent from individuals before they take part in anything that uses their data. In the infamous Phorm case, BT didn't do that.