The Digital Economy Bill & Age Verification: a reminder of information security
Dec 12, 2016
Author: Louisa Duffield-Harding
Earlier this year, Parliament passed Part 3 of the Digital Economy Bill, which introduces age verification checks for access to all websites and apps containing pornographic material and is due to come into force in 2017. The objective is to safeguard children from accessing online content that is either unsuitable or could be harmful. It also introduces a framework with sanctions to monitor, notify and enforce compliance, including a new regulator. Surely this can only be a good thing?
Some may disagree. MindGeek estimates there are 20 to 25 million adults in the UK who regularly access adult content. The proposed age verification system could mean all of those adults being required to share their identity (and/or other personal details) with a pornography website or even a third-party company; that’s potentially a lot of sensitive data. It is arguable that the Bill fails to address the information security risks that this presents – for example, data leaks similar to the Ashley Madison hack – and relies solely on the provisions of the Data Protection Act 1998 (“DPA”).
So what does the DPA require in terms of security? The seventh data protection principle, as it is known, requires: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” So if your business holds personal data, according to the ICO, this principle also requires you to: (i) design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; (ii) be clear about who in your organisation is responsible for ensuring information security; (iii) make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and (iv) be ready to respond to any breach of security swiftly and effectively. In summary, there is no ‘one size fits all’ security policy.
It remains to be seen exactly how the security risks introduced by the age verification checks will be addressed. It will likely be the market that provides the tools, via social media or even payment providers (which present their own issues). What is clear is that non-compliance with the checks will result in fairly significant financial penalties.
Senior Associate, Commercial Contracts