The Digital Economy Bill & Age Verification: a reminder of information security

Dec 12, 2016

Author: Louisa Duffield-Harding

Earlier this year, parliament passed Part 3 of the Digital Economy Bill, which introduces age verification checks for access to all websites and apps containing pornographic material; the checks are due to come into force in 2017. The objective is to safeguard children from accessing content online that is either not suitable or could be harmful. It also introduces a framework with sanctions to monitor, notify and enforce compliance, including a new regulator. Surely this can only be a good thing?

Some may disagree. MindGeek estimates there are 20 to 25 million adults in the UK who regularly access adult content. The proposed age verification system could mean all of those adults being required to share their identity (and/or other personal details) with a pornography website or even a third party company; that’s potentially a lot of sensitive data. It is arguable that the Bill fails to address the information security risks that this presents – for example, data leaks similar to the Ashley Madison hack – and relies solely on the provisions of the Data Protection Act 1998 (“DPA”).

 

So what does the DPA require in terms of security? The seventh data protection principle, as it is known, requires: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” So if your business holds personal data, according to the ICO, this principle also requires you to: (i) design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; (ii) be clear about who in your organisation is responsible for ensuring information security; (iii) make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and (iv) be ready to respond to any breach of security swiftly and effectively. In summary, there is no ‘one size fits all’ security policy.

It remains to be seen exactly how the security risks that are introduced by the age verification checks will be addressed; it will likely be the market that will provide the tools via social media or even payment providers (which present their own issues), although it is clear that non-compliance with the checks will result in fairly significant financial penalties.


Would you like further advice on information security for your business? Call and speak with someone in the Commercial & IT team on 0207 234 0200 or email contact@waterfront.law.

 Louisa Duffield-Harding

 Senior Associate, Commercial Contracts

 Louisa has a wide range of experience in commercial deals, such as supply of goods and services, with a focus on technology clients. She advises on online and technology services and licensing; from IT outsourcing and software development to app terms of use and related IP and data protection issues. Her clients include businesses in a number of sectors, such as TMT, retail, healthcare and financial services.