Legal Issues in Smart Card Projects Shelagh Gaskill, Partner and Jon Fell, Partner


Page 1

Legal Issues in Smart Card Projects

Shelagh Gaskill, Partner and Jon Fell, Partner

Page 2

Introduction

What is a smart card?
Who owns a smart card?
Who are the key players?
What are the key contractual relationships?
Typical contracts
Information security
Entitlement Cards Consultation Paper
Biometrics

Page 3

What is a smart card?

Credit card sized card with integrated chip
Memory only EEPROM (Electrically Erasable Programmable Read Only Memory)
Contact or contactless
Single Function -v- Multiple Function
One card or many
Interoperability of systems

Page 4

Examples of Smart Cards

ID cards and medical cards
Phone cards
Transport cards
Building access cards
Technology access cards
E-Money cards, e.g. Mondex

Page 5

Who owns a smart card?

Who has an interest in the card?
  Card issuer
  Secondary service provider
  Card user
Card issuer owner and controller
  but who is the card issuer?
Card user has little or no interest

Page 6

Who are the key players?

Smart card suppliers

IT suppliers

Card issuers

Card users

Page 7

Main contractual relationships

Card issuer and card supplier

Card issuer and IT suppliers

Card issuer and secondary service providers

Card issuer and card user

Card user and secondary service providers

Page 8

Main contractual relationships

Card Issuer

Card Supplier IT Suppliers

Secondary Service Provider

Card User

Page 9

Typical contracts

Card Issuer and Card Supplier:
  Development Agreement for design of card
  Supply Agreement
  Data Processing Agreement
Card Issuer and IT Suppliers:
  Data Processing Agreement
  Hosting Agreement
  Outsourcing Agreement
  Maintenance Agreement
  Systems Supply and Integration Agreements

Page 10

Typical contracts

Card Issuer and Secondary Service Providers:
  “Rental” Agreement
  Data Processing Agreement
Card Issuer and Card User:
  Terms and Conditions of Use
  Data Protection Notice
Card User and Secondary Service Providers:
  Terms and Conditions of Use
  Data Protection Notice

Page 11

Main contractual issues

Warranties
  Quality of the card
  Technical specification - interoperability
  Intellectual property
Security
  Processes and procedures
  Maintain and enhance
Data Management
  Data processing
  Data sharing - access protocols

Page 12

Main contractual issues

Scheme Management
  Issue and renewal of cards
  Revocation of cards
  Alteration of card functionality
  Maintenance of central database
  Availability of card readers and infrastructure
  Password and PIN control
Service Levels
  Response and fix times
  Availability

Page 13

Main contractual issues

Limitation of Liability
  Who is liable for what?
  Does one party take overall responsibility?
Ownership of Card
  Who has power to revoke?
  What is the principal object of the card?
Term and termination
CITU - Smart Cards Framework Paper

Page 14

Information security

ISO 17799: Code of Practice for Information Security

Confidentiality: Accessible only to authorised personnel

Integrity: Safeguarding accuracy and completeness

Availability: Authorised users able to access when required

Page 15

ISO 17799

PIU Privacy and Data Sharing Report April 2002
  Recommend that ISO 17799 be adopted across the Public Sector (Recommendation 13)
ISO 17799
  Asset classification and control
  Risk assessment and management
  Security policy
  Security responsibility
Technical and organisational
www.humanfirewall.org

Page 16

Entitlement Cards and Identity Fraud

Consultation Paper
  Issued 3 July 2002
  Closes 10 January 2003
Entitlement Card Scheme
  Central database of all UK residents
  Secure procedures for entering and maintaining data
  Links between central register and other systems
  Issue of cards to everyone on the central register

Page 17

Entitlement Cards and Identity Fraud

Three possible models:
  Voluntary
  Universal
  Compulsory
Uses:
  Provision of better services
  Tackling identity fraud
  Tackling illegal immigration and illegal working
  Convenient travel document
  Proof of age
  Reducing crime
  Electoral registration and voting
  Emergency medical information

Page 18

Legal Basis for Scheme

Primary legislation
All residents not just citizens
Power to make regulations on:
  How cards will be issued
  Information sharing
New criminal offences:
  Fraudulent application/use of card
  Counterfeiting
  Identity Fraud
Statutory powers: Does the card issuer have the necessary powers?

Page 19

Biometrics

Physiological measurements
DNA
  Best identifier but analysis is expensive and slow
Fingerprints
  Not unique
  Can be difficult to collect electronically
Iris Recognition
  Need to focus on fixed point
  Does not work well with blind/partially sighted
Facial Recognition
  Our faces change over time

Page 20

Issues with Biometrics

Live subjects only
Constant need for renewal
As we get older we change
Susceptible to accidents
Electronic files can be:
  Copied
  Hacked
  Corrupted
No fall back position
Biometric Database
Safeguards

Page 21

30 Aylesbury Street
London EC1R 0ER
Tel: 020 7490 6377
Fax: 020 7490 2545
www.masons.com
www.out-law.com

[email protected]

Page 22

Legal Issues in Smart Card Projects

Shelagh Gaskill, Partner

Page 23

Trends

Move towards interoperability or multi-application use
Renting of spare capacity
Integrated Government services and e-Government

Page 24

What Are the Main Privacy Concerns?

Identity theft
Modification or duplication of data
Data matching
Access to data and security
Location data and location technologies

Page 25

Data controller

Old Definition
  Data user controlled the “contents and use” of the data
New Definition
  Data controller determines the “purposes for which and the manner in which personal data are processed”
Compare the position of data processors
Front-end collectors of data

Page 26

Data

Data means information which is
  automatically processed
  recorded with the intention …
  recorded as part of a relevant filing system
What is a relevant filing system?

Page 27

Personal data

Must relate to and identify a living individual
Includes data which are “likely to come into the possession” of the controller (encrypted data)
Distinction between opinion and intention is removed

Page 28

Processing

Definition of “processing” is very wide:
  obtaining
  recording
  using
  holding
  erasure
  destruction
  “any operation” on the data

Page 29

Processing

Used to be processing by “reference to the data subject”
Business to business lists now caught

Page 30

Data processor

Anyone instructed by the data controller to do any operation on personal data
Excluding employees of the data controller
New requirements:
  contract in writing
  adequate security measures
  must only act on controller’s instructions
  imposes obligations similar to 7th principle
  data controllers must audit the data processor’s compliance with the contract

Page 31

Data processor

Seventh principle:
  security measures against the unauthorised or unlawful processing of personal data
  and accidental loss or destruction of personal data

Page 32

Four Golden Rules for Smart Card Processing

Schedule 2 - for all personal data AND
Schedule 3 - but only for sensitive personal data AND
Article 10 notice - for everybody AND
Article 11 notice - for all third parties unless recording the information by law or disproportionate effort

Page 33

Lawful processing

Schedule 2 conditions:
  the data subject has consented
  processing is necessary for the performance of a contract or pre-contract steps
  legal obligation of the data controller (other than contract)
  vital interests of the data subject
  administration of justice, by or under any enactment, government department etc
  legitimate interests of the data controller so long as the rights and freedoms or legitimate interests of the data subject are not prejudiced

Page 34

Lawful processing

Sensitive data are:
  Racial or ethnic origin
  Political opinions
  Religious or other beliefs
  Trade union membership
  Physical or mental health or condition
  Sexual life
  Criminal offences or Criminal convictions

Page 35

Lawful processing

Schedule 3 conditions:
  the data subject has given his explicit consent
  the processing is necessary for rights or obligation in connection with employment
  necessary to protect the vital interests of the data subject or another person
  non-profit making bodies
  where the personal data have been made public by the data subject

Page 36

Lawful processing

Schedule 3 conditions continued:
  the processing is necessary for legal proceedings, legal advice or defending legal rights
  administration of justice, by or under any enactment, government department
  medical purposes by a health professional
  racial or ethnic origin, equality of opportunity

Page 37

Lawful processing

Subordinate legislation provides further conditions where processing can take place without explicit consent for preventing or detecting unlawful acts or confidential counselling

Page 38

Consent

Difference between consent and explicit consent is governed by the amount of information the data controller gives to the data subject in the Article 10 or Article 11 notice

Page 39

Consent

How to obtain consent:
  a positive action on the part of the data subject is required
  silence or inaction can never equal consent
  consent can be oral, it does not have to be in writing
  consent does not last forever

Page 40

Fair processing

In addition to lawful processing you must process fairly.
Processing will not be fair unless you also give a data protection notice
  or the Act excuses you from giving a notice
  or all your processing activities are obvious

Page 41

Data protection notice

The data subject must be told:
  the identity of the data controller;
  the purposes of the processing especially any non-obvious uses;
  cross-mailing by group companies or third parties;
  marketing by telephone, fax or e-mail;
  credit scoring or credit searching; and
  use of transactional data.

Page 42

Data protection notice

The identity of any third parties to whom the data may be disclosed and their purposes
Any other information that is necessary to make the processing fair:
  right of access to personal data
  right to rectify any inaccuracies in the data

Page 43

How to position notice on website

Position the notice so that it cannot be avoided by links
Make the notice a mandatory screen presentation with accept or reject button - Netscape case
Granularity - multiple opt-outs
Ensure IT systems can cope

Page 44

Automated decisions

An individual may demand that no decision significantly affecting him is made solely by automatic means for the purpose of evaluating matters relating to him, for example his performance at work, his credit worthiness, his conduct

Page 45

Exemptions

The right does not apply if the decision was:
  taken in the course of entering into or performing a contract; and
  the effect of the decision is to grant a request of the data subject; or
  steps have been taken to safeguard the legitimate interests of the data subject, for example he has been given an immediate right of appeal.

Page 46

Second principle

Personal data must be obtained for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes
Data protection notices

Page 47

Third principle

Personal data must be adequate, relevant and not excessive
How often do you check your data?
Do you spring clean?

Page 48

Fourth principle

Personal data must be accurate and kept up to date
Controller must take steps to check accuracy of data
Have procedure to flag inaccuracies in the data which are notified to the controller by the data subject

Page 49

Fifth principle

Personal data must not be kept for longer than necessary
Do you have procedures in place to ensure that data are not kept longer than necessary?

Page 50

Sixth principle

Personal data must be processed in accordance with rights of data subjects
This is limited to provisions regarding:
  access to personal data
  processing causing damage/distress
  direct marketing
  automated decision-taking

Page 51

Seventh principle

Technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of personal data

Page 52

Seventh principle

Consider the harm that might result and the nature of the data
Data processors - contracts
Consider access controls, audit trails, reliability of staff, training and awareness
BS7799 ISO 17799

Page 53

Data processors

Seventh data protection principle
Data controller must put contract in writing with all data processors
Organisational and technical measures to keep the personal data safe
Right of audit

Page 54

What is a data processor?

Any service provider who comes into contact with personal data:
  website developers
  statutory auditors
  IT outsourcing companies
  organisations who take away and destroy confidential computer printouts

Page 55

Eighth principle

Personal data must not be transferred to a country outside the EEA unless it ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Page 56

Data controller

Assumes all the obligation, liabilities and costs - e.g. 45 IT systems implications of the 1998 Act

Has to take reasonable steps to ensure the accuracy of the information

But gets to use the data for any purposes specified in the data protection notice

Page 57

Data processor

The Act does not apply to data processors
The law which applies is the contract imposed by the data controller
But gets no rights to use the data

Page 58

Cost benefit analysis

Analyse the business requirement
Calculate costs of compliance
Calculate the value of the data
Reach reasoned conclusion
Negotiation

Page 59

Information sent to UK from abroad

Data controller established in UK
Data controller established outside EEA but uses equipment in UK for processing otherwise than for transit

Page 60

Transfers of personal data to third countries

Eighth data protection principle
Transfers outside the EEA prohibited unless that country ensures an adequate level of protection
Adequacy findings - Switzerland, Hungary and Canada

Page 61

Transfers to third countries

Analyse nature of transfer
If from data controller to mere data processor then adequacy can be ensured by the data processor contract
International groups of companies
Banking or travel industries
Professional services
Transfers governed by IP rights
Sale by data controller to data controller

Page 62

Schedule 4 - The Derogations

Data subject has consented
Transfer is necessary for the performance of a contract with the data subject or pre-contract steps
Transfer is necessary for a contract with a third party at the request of, or in the interests of, the data subject
Substantial public interest

Page 63

Schedule 4 - The Derogations continued

Legal proceedings, legal advice or establishing, exercising or defending legal rights
Vital interests of the data subject
Public Register data
Terms approved by the Commissioner
Transfer authorised by the Commissioner

Page 64

Model Contracts

EU Commission Decisions
Data controller to data controller - 18 June 2001
Data controller to data processor - 27 December 2001
ICC clauses - 17 September 2001

Page 65

Transfers to third countries

If the transfer is from data controller to data controller then the other adequacy tests must be satisfied

Data protection law with independent data protection commissioner

No data protection law but general law satisfactory to uphold contract rights

Page 66

Safe Harbor

Data controller to data controller (so not US websites)

US entity must be subject to a statutory body e.g. Federal Trade Commission

Page 67

Safe Harbor

US entity must sign-up by developing its own compliant policy or TrustE or US sector regulations

Page 68

Safe Harbor

Self-certifying to US Department of Commerce
Requirement for specified information e.g. published privacy policy
List opened in November
www.ita.doc.gov/econ
Annual review

Page 69

Safe Harbor

Complaints from individuals must be dealt with by an independent body

FTC - unfair trade practices - for breach

Page 70

Rights of data subjects

Data subject rights have been extended
For example:
  access to manual data
  access to the logic of any computerised decision making process
  right to prevent certain processing
  rights in relation to automated decision taking

Page 71

Access to personal data

Request in writing and payment of fee
Right to be informed:
  whether personal data are being processed and
  if so, to be given a description of the personal data

Page 72

Access to personal data

to be told in an intelligible form
  the purposes for the processing
  the sources of those data
  the recipients of those data (which includes employees and data processors)
  the logic of a decision (if taken by solely automatic means)

Page 73

Preventing processing

An individual can require the controller to cease processing his personal data if
  the processing is likely to cause substantial damage or distress and
  such damage or distress is unwarranted

Page 74

Preventing processing

The right does not apply:
  if individual has consented
  if performing or entering into a contract
  if complying with a legal obligation
  in order to protect the vital interests of the individual

Page 75

Direct marketing

The Act introduces a more rigorous regime in respect of direct marketing
  absolute right to prevent processing
  no reasons need be given
  no exemptions

Page 76

Compensation

Compensation for damage
Compensation for distress plus damage
Defence: such care as was reasonably required to comply with the requirement concerned

Page 77

E-Government

Problems with Data Sharing and Data Matching

Particularly in local government
PIU Report on Privacy and Data Sharing
Published on 12 April 2002
www.piu.gov.uk
Two years in the writing
Aim: “New strategic approach to the use of personal data held by public sector”

Page 78

Why are the issues of privacy & data sharing important?

Public expect “joined-up” and “personalised” services
New technologies
New legal framework: DPA and HRA
Public concern about privacy is on the rise

Page 79

Twin Objectives

Enhancing privacy - Public trust is key
Better use of personal data to deliver public services
Not mutually exclusive
PM endorsed view

Page 80

Key Recommendations

Twenty-five main recommendations
Three recommendations for consultation
Pick out key points
Many general best practice recommendations - consistent with DPA
For example, clear principles collection, use, access, management and correction of data

Page 81

Key Recommendations

Building public trust
Improving accuracy and reliability
More secure and joined up data use
Modernising management of public sector data
Legal framework

Page 82

Building Public Trust

Clear and consistent principles across the public sector - A Public Services Trust Charter - Recommendation One
Consultation set out in report
Codes of practice/information sharing protocols/management guidance

Page 83

Building Public Trust

Recommendation - two FOI bodies publish data sets held and data-sharing practices as part of publication scheme
  supplement to subject access
Recommendation three and four - Improve and set targets for subject access/Produce guidance on rights
Recommendation seven - All public sector organisations to have Chief Knowledge Officer with expert deputies for DP, HR and FOIA.

Page 84

Accuracy & Reliability

Data field standardisation - office of e-envoy
Standards in data labelling
LC and PRO to publish model codes of practice and protocols
The use of data protection audits is recommended
Development of data quality audit tool

Page 85

Secure & joined up data use

Secure Use-Identification, authentication and entitlement

Privacy enhancing technologies- P3P and hardcoding

Recommendation thirteen - ISO 17799 should be adopted across public sector

Recommendation sixteen - Programme of smart card pilots/interoperability -Page 88

Page 86

Managing information

Information management core function of service delivery
Chief knowledge officer - Board level
Better training for information management professionals

Page 87

Legal framework

Lord chancellor to develop guidance on data sharing in current legal framework

Government to consult on legislation to enable public bodies to share personal data with consent

Government to consult on legislation to allow sharing without consent by SI

Page 88

Points to Consider When Considering Smart Card Projects

Data processor or data controller: who owns the data?
Data processor contracts in place
Proper security standards - 7th Principle
If government - statutory grounds for processing
Adequate data protection notices
Access and disclosure procedures

Page 89

30 Aylesbury Street
London EC1R 0ER
Tel: 020 7490 6591
Fax: 020 7490 2545
www.masons.com
www.out-law.com

[email protected]