
Managing regulatory compliance




  1. Managing regulatory compliance Stephen Mason, Barrister Director, Data Protection Research & Policy Group

  2. Outline
  • Overview
  • The business - legal interaction
  • Governance
  • Records management

  3. 1. Overview

  4. The business perspective
  • Dependence on IT infrastructure in running the business of the organization across jurisdictions
  • Virtually all correspondence, papers, contracts and such like are now created by computers
  • Varying degrees of confidentiality and privacy attributed to documents means they must be protected
  • Data must remain available
  • The integrity of documents should be considered
  • Balance the costs of security and storage against the value of information and the risks

  5. The liability
  • Vicarious liability
  • Falls at the highest levels
  • There is a need to take appropriate measures to:
    • Manage the infrastructure safely and securely
    • Prevent or detect improper or illegal activities taking place
    • Comply with legal and regulatory requirements
  • The issue is how we adapt to and control the use of the technology

  6. 2. The business - legal interaction
  • Control of data
  • Value of e-mail correspondence: contract
  • Employees
  • Data protection
  • Retention of documents
  • Evidence
  • Litigation

  7. Controlling access to data
  • Basis of control
  • The organization owns and controls the communications infrastructure
  • Various legal duties are imposed by judges, politicians and regulatory authorities
  • Private use increases the risk to the organization
  • Where private use is not permitted, the prohibition must still be enforced by the organization

  8. Contracts and e-signatures
  England and Wales
  • Hall v Cognos Limited
  • Pretty Pictures Sarl v Quixote Films Ltd
  United States of America
  • Roger Edwards LLC v Fiddes & Son Ltd
  Singapore
  • SM Integrated Transware Pte Ltd v Schenker Singapore (Pte) Ltd

  9. E-mail and employees
  • Defamation
    • Western Provident v Norwich Union
  • Sexual discrimination (e.g. of retaining e-mails for defensive reasons)
    • Carina Coleman v Lansdowne Capital Limited & Alan Dargan
  • Forwarding inappropriate images
    • Sangster v Lehman Brothers Limited
  • Criminal offences
    • Miseroy v Barclays Bank plc

  10. Data protection: EU
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (23.11.95 OJ L281/31)
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (12.1.2001 OJ L8/1)

  11. General global guidance
  • Protection of workers’ personal data (International Labour Office, Geneva, 1997)
  • Code of Practice for e-Work across Borders (Ethical Guidelines for World Wide Work, 2000, http://www.unomondo.org)

  12. Human rights: comparisons
  United Kingdom
  • Halford v United Kingdom (1977) EHRR 523
  France
  • Onof v Nikon France, Decision no 4164, October 2, 2001 (99-42.942)
  United States of America
  • Fraser v Nationwide Mutual Assurance 135 F Supp 2d 623 (E D Pa 2001) [amongst others] - no interception

  13. Retention of documents
  • Organizations need to keep certain types of document or record for both commercial and legal reasons
  • There is no need to retain every document for ever
  • Document retention periods are set against different criteria:
    • Retention periods prescribed by law
    • Rules issued by regulatory bodies
    • Best practice
  • IT may be the custodians of the documents, but must be advised by legal, company secretary, compliance, HR, data protection
  • The policy should:
    • Provide for the extension of time limits and the suspension of the disposal of documents where legal action is anticipated or has begun
    • Be reasonable, measured and appropriate

  14. Evidence
  • Digital documents are adduced in evidence in all types of forum
  • There is a practical problem: many digital documents remain in an unstructured medium
  • The content determines the nature of the document
  • Some digital documents must be retained, whilst others can be legitimately deleted

  15. E-documents in litigation
  • Litigation is expensive (legal fees, court fees, directors’ time, IT time, media interest, reputation issues)
  • The Fulbright & Jaworski 2nd annual ‘Litigation Trends Survey’ (2005) illustrated an increasing problem:
    • Electronic disclosure is a serious issue
    • Most numerous types of dispute: employment, contract, product liability, IPR, personal injury
  • What documents have you got to prove your case? How do you find them?
  • All documents are admissible in legal proceedings, although judges have the discretion to exclude evidence
  • Once a document is admissible, the next question is the weight of the evidence
  • In deciding weight, the question is: how reliable is the evidence?

  16. 3. Governance
  The law and governance interweave

  17. United States of America
  Legislation
  • Sarbanes-Oxley Act of 2002 (Public Law 107-204 of the 107th Congress)
  Regulation
  • US Securities and Exchange Commission
  • Financial Accounting Standards Board (http://www.fasb.org/)

  18. European Union
  • Report of the high level group of company law experts on a modern regulatory framework for company law in Europe (2002)
  • Commission Recommendation of 16 May 2002, Statutory Auditors’ Independence in the EU: A Set of Fundamental Principles (OJ 19.7.2002 L 191/22)
  • Communication from the Commission to the Council and the European Parliament reinforcing the statutory audit in the EU (OJ 2.10.2003 C 236/02)
  • Report on European Governance (2003 - 2004)
  • Modernising company law and enhancing corporate governance in the EU (http://europa.eu.int/comm/internal_market/smn/smn32/a17_en.htm)
  • Proposal for a Directive of the European Parliament and of the Council on Statutory Audit of Annual and Consolidated Accounts

  19. United Kingdom: legislation
  • Companies Act 1985 (International Accounting Standards & other Accounting Amendments) Regulations 2004, SI 2004/2947
  • Companies Act 1985 (Operating & Financial Review and Directors’ Report etc) Regulations 2005, SI 2005/1011
  • Companies (Audit, Investigations and Community Enterprise) Act 2004

  20. United Kingdom: guidance
  • Cadbury Report on the Financial Aspects of Corporate Governance (1992)
  • Greenbury Recommendations for best practice in determining and accounting for Directors’ remuneration (1995)
  • Turnbull Report on Internal Control: Guidance for Directors on the Combined Code (1999) (reviewed by Douglas Flint, 2004)
  • Combined Code on Corporate Governance (2003) [supersedes and replaces the Combined Code issued by the Hampel Committee on Corporate Governance in 1998]
  • Higgs Review of the role and effectiveness of non-executive directors (2003)
  • Tyson Report on the Recruitment and Development of Non-Executive Directors (2003)

  21. Global and regional
  • OECD
    • Principles of Corporate Governance (1999)
  • Commonwealth Association for Corporate Governance
    • Guidelines (1999)

  22. 4. Records management
  Some issues to consider

  23. Some considerations
  • Litigation
  • Freedom of Information requests
  • Protection of data (personal and corporate)
    • Internally
    • From outside attacks
  • Legal privilege
  • Issues of confidentiality as between jurisdictions
  • Balancing:
    • Internal audit and risk
    • Ease of use of IT system
    • Development of the technical architecture
    • Limitations of the technology
    • Human behaviour

  24. The response
  • Priorities need to be agreed:
    • IT needs to be higher on the agenda
    • Revenue and growth are not incompatible with security and privacy
    • In the commercial field, the Logica-CMG (2004) survey demonstrated that shareholders rate IT security as a high priority
  • The pressure to do something to take control of digital data is coming from the need to comply with laws and the regulatory framework
  • The balancing act:
    • the cost of retaining documents + security + storage + retrieval + business continuity + disaster recovery
    against
    • the value of information and the risks: especially regulatory and legal

  25. Concluding remarks

  26. A networked world
  • Business processes and the law are inextricably intertwined
  • Whatever your business, your data is central
    • Employees’ data
    • Customers’ data
    • Intellectual property
  • End user security is sloppy
  • Data and communications tend to be handled recklessly
  • Attitudes must change
  • IT are only the custodians of the data

  27. The eternal triangle
  • Politicians pass laws
  • Best practice and good governance
  • Judges interpret laws
  These closely interrelate: somebody has to balance them

  28. Stephen Mason
  Director, Digital Evidence Research Programme
  British Institute of International and Comparative Law
  Charles Clore House
  17 Russell Square
  LONDON
  WC1B 5JP
  Direct telephone number: + 44 (0)20 7862 5436
  Telephone number: + 44 (0)20 7862 5159
  Facsimile number: + 44 (0)20 7862 5152
  http://www.biicl.org
  Main publications:
  • Electronic Signatures in Law (LexisNexis Butterworths, 2003)
  • Networked communications and compliance with the law (xpl publishing, 5th edn, 2005)
  • General Editor of the e-Signature Law Journal, www.e-signaturelawjournal.co.uk