Practical advice for clients is not easy. As Tarlo Lyons IT partner George Gardiner says: "There is no act to mandate for the level of security you should use for any system – so it all comes down to what is appropriate."
The Data Protection Act 1998 is the leading legislation in this area. Bill Jones, IT partner at Wragge & Co, says: "When the first data protection act came in it was like dragging a horse to water to get clients to look at it." But this time he believes there is much greater interest because of burgeoning e-business.
The legislation establishes a number of principles for businesses, including a requirement to put in place technological or organisational measures to address the risk of unauthorised and unlawful processing. They must also address the risk of accidental loss or the destruction or damage of data.
The law as to what employers can or cannot do to make sure that their employees take full regard of security is also far from clear. The Regulation of Investigatory Powers Act (RIPA) received Royal Assent this year and controls the interception of communication on telecommunication systems, on both public and private networks. The Government has just published its Lawful Business Practice regulations allowing employers to monitor the emails of employees for certain purposes, such as ensuring the security of systems. This protection potentially clashes with the new Human Rights Act 1998, which safeguards the right to privacy of correspondence. But it also conflicts with a new code of practice published by the Data Protection Commissioner this month. According to Jones, the new code adopts a far more prescriptive approach. "On almost every issue it goes further," he says. "If an email is on the face of it personal then you shouldn't open and read the contents because that is a private communication."