Archive Page 3

Happy birthday BS8878 – some thoughts on the first year

Jon Hassell, the lead author of BS 8878, contacted me last week asking me to provide some thoughts towards a blog he was pulling together with views from industry experts on its first year. BS 8878 is the British standard that provides a code of practice for commissioning accessible websites and web products. You can read more about it in this blog.

Jon kindly included some of my comments in his blog, which was published earlier today. Here is the long form version of what I said:

BS 8878 is undoubtedly a useful tool for providing organisations with a framework to follow when commissioning new websites and apps. In turn, this makes it an important tool in assisting organisations with complying with their obligations under the Equality Act 2010.

BS 8878 is unusual in that it is a British standard that has been driven primarily to help promote and improve equality and compliance by service providers, employers and educational institutions with their legal obligations under equality law. Often standards come into existence to codify/bring together good practice, and provide an objective way of comparing organisations or easily referencing a requirement in a contract, but it is less common for them to emerge to assist with complying with law. From a lawyer’s perspective, BS 8878 exists because, unlike the building of physical premises, the law does not mandate specific accessibility requirements when building a website. It is true to say that BS 8878 does not do that either, but it does at least provide website operators with a process to follow, issues to consider, questions to ask, and pointers to external technical guidelines like the W3C’s WCAG.

BS 8878’s current standing
But BS 8878 currently sits in an awkward place.

The development of its predecessor, PAS 78, was funded and led by the Disability Rights Commission (DRC), giving endorsement from the organisation mandated with promoting compliance with the Disability Discrimination Act (and therefore implicitly saying “follow this and you’ll be ok”). However, the successor body to the DRC, the Equalities and Human Rights Commission (EHRC), did not appear to formally participate in the development of the successor standard. So, whilst BS 8878 is mentioned (here and here) on the EHRC website, it is not formally referenced in any of the codes of practice issued by the EHRC. This is despite the EHRC’s code of practice for service providers being published three months after the launch of BS 8878. I look forward to the EHRC updating its statutory codes of practice to include a reference to BS 8878 and provide organisations with clear guidance on what it expects.

The need for education
It is clear that there is still work to be done on educating people on the use of BS 8878. When referring to it in a recent blog, I was asked why I hadn’t referred to the W3C’s WCAG instead. My answer was that whilst that particular blog may have had a techie slant to it, the majority of people involved in procuring web and app design services (or responsible for internal legislative compliance) will find BS 8878 a far more accessible (no pun intended) document than the W3C’s technical guidelines, and provides a framework that goes beyond a list of technical design requirements. BS 8878 emphasises, and this is important, that simply complying with the WCAG guidelines is unlikely to meet the requirements of the Equality Act. As BS 8878 explains, organisations can’t simply carry out an automated tick box check of the HTML, but instead need to user test the site or app itself to ensure that it actually is accessible.

So happy birthday BS 8878. It’s been a good first year, but there is still much work to do to explain to the world how you fit into the legislative framework and to educate people on your true purpose.

IT upgrades and the Christmas change freeze

The BBC is today reporting that a number of glitches with the Royal Mail’s website are causing disruption to customers in the run up to the pre-Christmas posting cut-off dates.

The problems are affecting apps on the website that allow customers to calculate the prices of letters and packages. The problems also appear to be affecting services that allow customers to pay for postage online and print out smart stamps.

Here’s what the Royal Mail says about it:

A Royal Mail spokesman said that the shutdown had been caused by a shift of online services to a new server – a process that had been ongoing for 18 months…He said the migration problems had not been anticipated before Christmas.

I can imagine the Royal Mail has a lot of unhappy customers at the moment. It seems that online retailers and mail order businesses are being particularly hit, as they use the systems when fulfilling orders. They are presumably having to use the Royal Mail’s competitors to fulfil those orders, which won’t be good for the Royal Mail’s business.

It is for this reason that most businesses operate a “change freeze” on their IT systems around their busiest times of the year (for example the run up to Christmas for any retailer, Valentine’s Day for online florists, bank holidays for banks providing ATMs and transaction processing). No matter how much planning is done, IT projects often encounter unanticipated problems, and once the damage is done it is very difficult to roll back to the previous release.

It is therefore just sensible practice to ensure that no system upgrades or modifications take place during or in the run up to those key periods.

Note that this doesn’t just apply to your internal IT systems, but also those of your key contractors and suppliers. Do your contracts make sure that your contractors don’t implement major changes at the time when you are most reliant upon them?

Independent Commission on Banking – contractual consequences of the ICB’s recommendations

This is an abridged version of an article that I have written for the Society for Computers and Law.

The Independent Commission on Banking (“ICB”) published its Final Report on 12 September, setting out recommendations on structural and non-structural reforms to improve stability and competition in UK banking. 

The recommendations broadly suggest that:

  • Banks need to improve their loss absorbency, by achieving more equity relative to their assets;
  • Competition needs to be encouraged; and
  • Retail banks should be ring-fenced from any wider corporate group and/or financial organisation of which they form part.

Earlier this month my Banking colleague Derek Arnott and I delivered presentations in Brodies’ Glasgow, Edinburgh and Aberdeen offices discussing the recommendations. 

Derek (a lawyer of formidable experience in this field, and a former Head of Group Legal Services at The Royal Bank of Scotland Group) discussed the recommendations from the perspective of a banking solicitor, while I focused on the implications of the retail ring-fence from the perspective of an IT/outsourcing/commercial contracts lawyer.

Recommendations of most significance to the IT/outsourcing/commercial contracts lawyer

I believe that the retail ring-fencing recommendations will have a direct impact on any lawyer who advises on corporate governance or commercial contracts.

The particular recommendations which are of most direct significance to the IT/IP/commercial contracts lawyer are broadly summarised in the following list:

  • Ring-fenced banks should be separate legal entities.
  • Ring-fenced banks should be prohibited from offering certain services and/or carrying out certain activities.
  • Any financial organisation owned or partly owned by a ring-fenced bank should conduct only activities permitted within a ring-fenced bank. Such a financial organisation’s balance sheet should also contain only assets and liabilities arising from these services and activities.
  • The wider corporate group should be required to put in place arrangements to ensure that the ring-fenced bank has continuous access to the entire infrastructure required to continue provision of its services and activities, irrespective of the financial health of the rest of the group.
  • All transactions (including secured lending and asset sales) between a ring-fenced bank and all other entities forming part of a wider corporate group should be conducted on a commercial arm’s-length basis.

Far-reaching consequences

These recommendations, and the overall concept of a ring-fence, are directly at odds with the present day corporate structures of many large banks and financial institutions.

Most financial institutions operate some form of shared service model, with one group entity contracting with suppliers on a basis that allows other group members to benefit from that contract.

The ring-fenced bank will either have to possess its own infrastructure or, if it is shared, then such infrastructure will have to be identified (which may be by no means a straightforward task) and then made available formally to the ring-fenced bank, via:

  • direct agreement with the supplier;
  • direct agreement with another member of the group; and/or
  • a member of the wider group, which contracts with suppliers, but is “bankruptcy-remote”.

Infrastructure separation of the type that is likely to be required by the ICB recommendations may feasibly involve:

  • drafting agreements to formalise supply of infrastructure services to the ring-fenced bank;
  • renegotiation of existing agreements to separate provision of infrastructure services;
  • novation or assignation of agreements to a well-capitalised, bankruptcy-remote shared service subsidiary (without assets or liabilities) to provide infrastructure services on behalf of the separated entities; and/or
  • partial or wholesale outsourcing of infrastructure provision.

Implementation

There are many questions still to be answered regarding the ICB recommendations.

The deadline that the ICB has set for implementation of its recommendations is 2019. George Osborne, the Chancellor of the Exchequer, has indicated that he intends to implement the recommendations and will “seek a legislative slot” in the 2012-13 parliamentary session.

What seems certain is that some sort of separation or segregation of retail banks is inevitable and, in this context, the deadline of 2019 is not that far away. Whether acting for financial institutions or their suppliers, from now on the IT/IP/commercial contracts lawyer should keep in mind what is on the horizon when negotiating or renegotiating agreements.

Embedding accessible design skills in the next generation of web developers

Last Monday I was in Dundee, speaking to final year students at the University of Dundee’s School of Computing.

The School of Computing takes quite a holistic view of teaching computing, and one of the modules covers the “real world”. The School asks external experts to come in and talk to the students about things like identity theft and security standards (such as PCI-DSS), and other laws and regulations that may impact upon what they do when they get out into the working world.

The area that I talk to students about each November is disability discrimination laws and accessible design for websites and mobile apps, an area I’ve been involved with for a number of years (my honours dissertation was on this). This particular talk dovetails with the School’s technical expertise in relation to accessible and usable design.

Rather than bore the students with a dry lecture on The Law, I try to show them how it is relevant to their future careers, and why having a good understanding of the relevant laws will make them more employable, and give their future employers a competitive advantage.

There are a number of key messages that I try to get across:

  • if a website or app is not designed properly, it may be inaccessible to users with disabilities;
  • operators of websites and providers of mobile apps have, in their capacity as service providers, educators and employers, legal obligations not to discriminate on the grounds of disability;
  • failure to do this may lead to that organisation being sued and, perhaps more importantly for a big organisation, suffer damage to its reputation;
  • web and software designers will be responsible for designing and delivering those websites/apps;
  • even if you are working for an independent design company, that company will have contractual liability to the client, and if a site is poorly designed the client may have the right to sue;
  • public sector organisations have a legal obligation to ensure that their ITTs set out requirements in relation to accessibility – if the designer doesn’t have the skills, then it may not get the work;
  • therefore understanding accessible and usable design and the legal obligations applying to your employer/clients will give you a competitive edge – whether in the job market or in winning business.

If we are doing things right, then hopefully accessible and usable design will become second nature to the web and app designers of tomorrow.

If you are involved in commissioning a new website, or a mobile app, then I recommend that you read BS 8878, a new(ish) British standard on commissioning accessible websites. It’s not a technical document, but instead a process that organisations can follow to assist with appointing a designer with appropriate accessibility expertise, and to help ensure the final output is accessible to users with disabilities.

News International and hard drive shredding – why it’s good information security practice

I read in the papers at the weekend that, following an office move, News International last year “shredded” most of the computers used by a large number of News of the World staff.

Leaving aside whether this was a prudent thing to do given the phone hacking allegations and court cases, shredding a hard drive is one of the best ways of securely destroying information. (I love the photos on that website – you really can shred metal).

I blogged about this last year. The problem with erasing data from a drive is that the data recovery people are becoming ever cleverer at reconstructing data. It’s essentially an arms race between data destruction and data reconstruction.

So if you want to make sure data definitely has been deleted then you need to either shred the drive or follow something like the US Department of Defense erase/rewrite standard.
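As an added illustration (not code from the original post), the overwrite-and-verify idea behind erase/rewrite standards applied to a single file. The pass schedule is an assumption for illustration, not a transcription of the DoD standard, and the caveat in the docstring is why the post’s shredding conclusion holds for drives that matter.

```python
"""Multi-pass overwrite of a single file before deletion.

Added example, not from the original post. Pass patterns are an
assumption for illustration and do not reproduce any named standard.

Caveat: overwriting in place only reaches the blocks the file currently
occupies. Journaling filesystems, wear-levelled SSDs, snapshots and
backups keep copies elsewhere, which is why physical destruction (or
full-disk encryption with key destruction) is preferred for real drives.
"""
import hashlib
import os
import secrets

# Constructed pass schedule: zeros, ones, then random data (None = random).
PASS_PATTERNS = (b"\x00", b"\xff", None)


def _pattern_block(pattern, size):
    """Return `size` bytes of `pattern`, or random bytes when pattern is None."""
    if pattern is None:
        return secrets.token_bytes(size)
    return (pattern * size)[:size]


def overwrite_and_delete(path, patterns=PASS_PATTERNS, chunk=64 * 1024):
    """Overwrite `path` once per pattern, verify the final pass, then unlink.

    Returns the number of passes written. Raises RuntimeError if the data
    read back after the last pass differs from what was written.
    """
    size = os.path.getsize(path)
    written_digest = None
    for pattern in patterns:
        digest = hashlib.sha256()
        with open(path, "r+b", buffering=0) as fh:
            remaining = size
            while remaining > 0:
                block = _pattern_block(pattern, min(chunk, remaining))
                fh.write(block)
                digest.update(block)
                remaining -= len(block)
            fh.flush()
            # Push the pass to the device rather than leaving it in the page cache.
            os.fsync(fh.fileno())
        written_digest = digest.hexdigest()

    # Verify: hash what is actually on disk after the final pass.
    readback = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            readback.update(block)
    if readback.hexdigest() != written_digest:
        raise RuntimeError("verification of final overwrite pass failed")

    # Rename to a random name so the original filename leaves the directory
    # entry too, then remove it.
    directory = os.path.dirname(path) or "."
    scrubbed_name = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, scrubbed_name)
    os.unlink(scrubbed_name)
    return len(patterns)


def demo():
    """Create a constructed sample file, destroy it, and report the outcome."""
    import tempfile
    fd, sample = tempfile.mkstemp(prefix="case-notes-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"Client: constructed sample record\n" * 2000)
    passes = overwrite_and_delete(sample)
    return {"passes": passes, "still_exists": os.path.exists(sample)}


if __name__ == "__main__":
    print(demo())
```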

Destruction of disks is something that should be addressed in an organisation’s information security policy, and appropriate requirements specified (or referenced) in any outsourcing or services agreement under which a supplier is processing personal or confidential information.

So whatever the News of the World’s other failings might have been over the years, it’s good to see that their information security policy is robust and ensures that data is properly and completely destroyed, such that it cannot ever be reconstituted.

When is it reasonable to withhold consent under a contract?

Contracts often state that a party must not unreasonably withhold its consent. Clients often ask us when it might be unreasonable to withhold consent…here’s a recent case that confirms the existing law and sets out some factors to consider.

In the case of Porton Capital Technology Funds and others v 3M UK Holdings Limited and 3M Company [2011] EWHC 2895 (Comm) the High Court applied existing law to determine whether or not consent had been unreasonably held by a party in a commercial situation.

In brief, the background to this particular case was a purchase by 3MUK of the entire shareholding of Acolyte by way of a share purchase agreement with Acolyte’s shareholders (Porton holding 60.4% of shares). Acolyte’s key, and indeed only, commercial product was ‘BacLite MRSA’ which is used to detect the hospital super-bug MRSA. The purchase price was an initial figure of £10.4 million coupled with a second payment based on net sales, with a (not inconsiderable) potential value of £41 million.

The share purchase agreement had a clause to the effect that Acolyte could only cease to develop and market the BacLite MRSA product if the vendors consented, such consent “not to be unreasonably withheld”. Acolyte did request consent to discontinue the product, but unsurprisingly – considering the potential £41 million payment – the vendors refused to consent. Or at least they said they would only consent if they received the £41 million. They were offered a payment of £1 million instead: deadlock, termination of the BacLite business and a breach of contract claim ensued.

The case considered the issue of whether or not it was reasonable for the vendors to have withheld consent, and made the following key findings:

  • the burden was upon 3M to show that the vendors’ refusal to consent to the closing of the BacLite business was unreasonable;
  • it was not for the vendors to show that their refusal of consent was right or justified, simply that it was reasonable in the circumstances;
  • in determining what is reasonable, the vendors were entitled to have regard to their own interests in earning as large a payment as possible;
  • the vendors were not required to balance their own interest with those of 3M, or to have any regard to the costs that 3M might be incurring in connection with the ongoing business of Acolyte.

The issue of reasonableness will always turn on the particular facts in question, however, the findings in this case do offer useful guidance when considering whether to accept an obligation not to act unreasonably, or when trying to assess your exposure before refusing consent. If there are specific circumstances that the parties think are unreasonable (or reasonable), then the parties should consider expressly setting these out in the contract.

Leigh Kirktpatrick

Legal responsibility for a robot’s actions

On Tuesday night I attended the launch of the Strathclyde Centre for Internet Law and Policy. The launch of the centre is in tandem with Strathclyde University’s rebranding of its renowned LLM in Information Technology Law and Telecoms (which yours truly completed in 2003), which is now known as the LLM in Internet Law and Policy.

Marking the launch was a lecture on “Regulating Robots: Re-Writing Asimov’s Three Laws in the Real World?” by Professor Alan Winfield, Director of the University of West of England Science Communication Unit, EPSRC Senior Media Fellow and Lilian Edwards, Professor of E-Governance at Strathclyde University.

The lecture sought to address legal responsibility for a robot’s actions, and whether, given the rapid advances in robotics, we need to legislate for Asimov’s Three Laws:
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

I found the topic particularly interesting because I had just read an article called “Towards new recognition of liability in the digital world: should we be more creative?” in the International Journal of Law and Information Technology, which discussed the attribution of liability for “intelligent software”. I felt that the article raised a lot of interesting issues, but its conclusion – that we need some collective form of liability taking into account the role every party plays in producing the liability in question – was perhaps impractical.

I was therefore hoping that Professor Winfield and Professor Edwards might reach a different conclusion, and they didn’t disappoint.

It’s impossible to neatly summarise an hour-long lecture, but I think they were proposing that liability for robots should arguably mirror liability for software. This would mean that the party best placed to manage risk assumes it (and insures against it), and if a robot is subsequently hacked and causes damage, then the hacker should probably be liable for any damage caused.

As for Asimov’s three laws, the Professors acknowledged that the laws were instructive, but proposed that they should be replaced with a new five-part ethical code.

Alan Winfield was very effective at making everybody in the room think differently about “robots”. I appreciate you have probably read to this point and found the confident way I’m talking about “robots” a bit silly. Well, it turns out that robots are already all around us! Alan pointed out, quite rightly, that nobody speaks about the “dish washer robot” – it’s just the dishwasher! (Disappointingly the montage of sci-fi robots in Alan’s introductory powerpoint slide didn’t include Optimus Prime, but since Alan bears more than a passing resemblance to the stately Patrick Stewart, I lacked the courage to complain!) The serious point here is that as society increases its use of (and reliance upon) robots, liability for their actions is something that lawyers will increasingly need to consider.

Overall it was a very enjoyable and thought provoking lecture, and I look forward to hearing more from these speakers on this subject in the future.

ICO personal undertaking from advocate highlights importance of data protection compliance by individual data controllers

The Office of the Information Commissioner (ICO) has this morning announced a third personal undertaking to be given by an individual. This follows hot on the heels of yesterday’s announcement in relation to the Oliver Letwin MP “park bins” incident.

Why is this significant?
In many instances, the data controller will be a company, body corporate or other body (for example, a public authority). However, where an individual acts as a sole trader, or trades/carries out processing in an individual capacity (for example, an MP, barrister, or an accountant trading as a sole practitioner), that individual will be the data controller.

This means that it is the individual who is responsible for the processing that he carries out (or that his employees or contractors may carry out on his behalf), and therefore that the individual is also personally liable for any breach of data protection laws. Scary stuff.

What happened in the latest case?
The latest undertaking has been given by an advocate (the Scottish equivalent of a barrister), whose unencrypted laptop was stolen from her house whilst she was on holiday in September 2009.

As I noted in my blog on the Oliver Letwin incident, the Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The circumstances surrounding the theft are largely academic (the advocate had tradesmen in the house whilst she was away, but it’s not clear when or how the theft took place). What is important is that the laptop, which contained details of various cases that she was working on, was not encrypted. In particular, notwithstanding that the theft took place, the ICO appears to be satisfied with the physical security measures that the advocate had in place. However, the failure to put in place adequate security measures in respect of the laptop itself has led to the advocate being required to give a personal undertaking. A breach of an undertaking could lead to a fine, or an enforcement notice and ultimately prosecution.

What does the ICO require in respect of security measures?
It’s worth recounting the key parts of the undertaking in full, to re-emphasise what the ICO expects data controllers to be doing in relation to device encryption and security:

  • Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;
  • If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;
  • The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable [Scottish equivalent of a set of Chambers], and take all appropriate steps to comply with these at all times;
  • The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I suspect that many individuals who act as data controllers have, to date, generally taken a laxer approach to information security than bodies corporate and public bodies (where information security is a key reputational issue). This undertaking (and yesterday’s undertaking from Oliver Letwin) highlights that there is no difference in the standard that the ICO expects. In instances where individual data controllers are processing personal data (as an advocate, barrister, MP or sole trader will do), it is essential that appropriate steps are taken to ensure that data is kept secure.

Creating a successful online business

Last month I attended a Glasgow Chamber of Commerce “Glasgow Talks” presentation by the former managing director of amazon.com in the UK, Glaswegian Brian McBride. I’ve finally found time to look at the notes I made.

Brian reflected on his career in business, and offered thoughts on leadership.

During the Q & A following Brian’s fascinating talk, debate amongst attendees inevitably turned to the decline of the High Street, and how to create a successful online business.

Some great tips emerged:

  • Don’t be scared of playing with pricing to attract customers, even if it means offering a loss leader.
  • Make available as wide a selection as possible, at as competitive a price as possible.
  • Your website has to be transactional, and ideally should support transactions made via mobile devices.
  • “Classic” kinds of products may yield greater sales/higher margins than you think.
  • Your website has to be search engine optimised. If your site isn’t on the first page of a Google search result for the name of your business, or one of your principal products – then you’re in trouble.
  • If you haven’t yet read The Long Tail by Chris Anderson – then read it.
  • Don’t forget your legal obligations, not least the E-Commerce Regulations.

PS a short video about the event is here. It’s worth watching, if only to check out the really hunky guy who appears around 2:27.

Targeted online advertising – are you aware of how it works?

A couple of weeks ago, I was looking at flights and hotels for a trip to Reykjavik this January. One of the websites that I visited was hotels.com, following a link from the Tripadvisor website.

This morning, I read an article on the Guardian website about the recent overhaul of the Independent website. At the foot of that article was the following advert:

[Screenshot on Guardian website of hotels.com advert for hotels in Reykjavik]

Is it simply a coincidence that the advert the ad server served up (perhaps based on my Google search history) happened to be for hotels in Reykjavik from one of the websites that I visited when booking that trip?

Or does behavioural advertising now go deeper than I thought, and was this served up by hotels.com based upon my recent searches on the hotels.com website?

How does the system work?
Delving into the Guardian’s privacy policy, it appears that it is the latter.

The Guardian is a member of an online behavioural advertising system provided by a company called Audience Science. Audience Science appears to have many partners – from media/news sites to retailers (although hotels.com doesn’t appear to be on the list of advertisers, it is mentioned in a recent press release), each of whom share information on your use of their websites to allow the others to provide targeted advertising.

What I hadn’t previously considered, and find slightly disturbing about this is that the (very wide-ranging) list of partners in Audience Science’s network will continue to expand. However, once you’ve opted in to the system and accepted the cookie, you are unlikely to be aware of subsequent changes (or really have much idea about what information is being shared and with whom). This means that you could be using one website unaware that your browsing habits could subsequently influence advertisements served up on another site. There is no “Audience Science member” flag.

Retargeted advertising
But I don’t think that the advert I saw this morning was served up through the Audience Science system. I think it was another system used on the Guardian website called “retargeted advertising”, provided by an organisation called Criteo. Here is what the Guardian’s privacy policy says about it:

For example, if you have visited the website of an online clothes shop you may start seeing ads from that same shopping site displaying special offers or showing you the products that you were browsing. This allows companies to advertise to website visitors who leave their website without making a purchase.

Again, I don’t ever remember consciously opting in to this system. Clearly, I must have accepted a cookie at some point (or passively accepted hotels.com’s privacy policy), but wasn’t aware that by doing so hotels.com was going to chase me around the Internet.

Interestingly, according to Criteo’s privacy policy, the only way of opting out of the Criteo program is to accept a permanent cookie. So if you don’t like cookies, but also don’t like your Internet usage being tracked, then tough.

Maybe the European Commission is right about the lack of transparent information for users and the recent change to laws governing the use of cookies isn’t so crazy after all?

What do you think? Is behavioural advertising A Bad Thing? Do you think it intrudes on your privacy? Is it ok provided that you understand how it is being used?

PS I got the Hotel Thingholt much cheaper on Expedia.

PPS Luckily, the trip wasn’t intended to be a surprise.

PPPS The Internet Advertising Bureau allows you to centrally control your behavioural advertising preferences for services provided by its members here.
