Management Toolkit

IT industry: Data retention mess needs fixing

Colin Barker ZDNet.co.uk

Published: 20 Oct 2006 12:50 BST

Most government regulation of the storage of sensitive customer information is "based on ignorance", and is largely irrelevant at best and harmful at worst, according IT industry association Eurim.

Speaking at the Storage Expo conference on Wednesday, Eurim boss, Philip Virgo argued that there were some 17 different legal requirements in UK law alone over data retention. Companies are forced to retain data for anything from four days, for ISP Web logs to 25 years for company building records, he said.

Virgo added that IT departments are under an increasing legislative burden when it comes to data retention. Seven data specific acts have been introduced in Europe in the last seven years and two more waiting in the wings, he said.

"Nowhere are the politics more confused than when it comes to the triangle of demands for information to be retained for law enforcement and regulators to have access, supposedly to protect citizens and consumers from abuse," Virgo claimed. "Unnecessary retention puts customers at more risk of abuse, not less."

The legislation was often contradictory, Virgo pointed out, making it difficult for companies to comply. But he added that there was a clear need "to distinguish between demands for information from government, regulators and law enforcement and what they actually need to do their jobs".

Virgo pointed out examples of data required and retained and then left unused, such as Form 42 covering share issues which the Inland Revenue demanded financial institutions complete and, some years later, "no-one had done anything with the forms".

What is needed, Virgo argued, was for users and businesses to work with peers and suppliers, and trade associations to ensure that government and regulators produce more relevant regulations.

The second requirement, he argued, was to produce business procedures that can be follows "by ordinary human beings".