Date: 2017-07-04
Earlier this year, parliament passed Part 3 of the Digital Economy Bill,
which introduces age verification checks for access
to all websites and apps containing pornographic material and is due to
come into force in 2017. The objective is to safeguard children
from accessing content online that is either not suitable or could
be harmful. It also introduces a framework with sanctions to
monitor, notify and enforce compliance, including a new regulator.
Surely this can only be a good thing?
Some may disagree. MindGeek estimates there are 20 to 25 million
adults in the UK who regularly access adult content. And the
proposed age verification system could mean all of those adults
being required to share their identity (and/or other personal
details) with a pornography website or even a third-party company;
that's potentially a lot of sensitive data. It is arguable that
the Bill fails to address the information security risks that this
presents – for example, data leaks similar to the Ashley
Madison hack – and relies solely on the provisions of the
Data Protection Act 1998 ("DPA").
So what does the DPA require in terms of security? The seventh
data protection principle, as it is known, requires:
"Appropriate technical and organisational measures shall
be taken against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or damage to,
personal data." So if your business holds personal data,
according to the ICO, this principle also requires you to: (i)
design and organise your security to fit the nature of the personal
data you hold and the harm that may result from a security breach;
(ii) be clear about who in your organisation is responsible for
ensuring information security; (iii) make sure you have the right
physical and technical security, backed up by robust policies and
procedures and reliable, well-trained staff; and (iv) be ready to
respond to any breach of security swiftly and effectively. In
summary, there is no 'one size fits all' security
policy.
It remains to be seen exactly how the security risks that are
introduced by the age verification checks will be addressed; it
will likely be the market that will provide the tools via social
media or even payment providers (which present their own issues),
although it is clear that non-compliance with the checks will
result in fairly significant financial penalties.
Originally published December 12, 2016
