UK Security Management Practice and Regulatory Acts - Essay Example

Running Header: UK Security Management Practice and Regulatory Acts Your Introduction In the United Kingdom, several national government agencies are entrusted with investigations including the ordinary police or the criminal investigation division (CID) or Scotland Yard and the secret intelligence agencies like the M15, SIS (M16) and the British Army. The intelligence agencies conduct investigations both within the country (M15) and outside the country (M16). Within private organisations and households, progressively more people and organisations are increasingly turning to private investigation companies to cater for their security needs hence not entirely relying on the public government sanctioned security forces for both their own safety concerns and also in personal investigations. Many insurance companies and financial firms are hiring their own team of investigators who are incorporated within their organisation to manage security and carry out investigations in case of fraud or theft in their organisations. Nevertheless both the public and private security agencies have been lately been hampered by many new regulations that frown upon the likelihood of investigators violating individual personal data even when the information is deemed crucial to future intelligence. Modern Security Operations Modern security operations are obliged to observe the several individual privacy laws that oblige organisations to adhere to human rights laws that do not violate citizen’s personal liberty. Security management with the United Kingdom therefore requires a keen observation of the assorted regulatory statutes and guidelines including the: The 1998 Human Rights Act. The Criminal Procedure and Investigations Act of 1996. The 1998 Data Protection Act. The 2001 Private Security Industry Act. The 2000 Regulation of Investigatory Powers Act – used as a procedural guide. The role of the private security companies (PSC) has within the recent past gained prominence as the private security industry expanded greatly in several nations. In many countries including the UK, the number of PSCs has surpassed those of the official government cadre as has their budgets. The Confederation of European Security Services in 1999 indicated that there were more private security guards within the EU than the number those of the public security forces (Richards and Smith, 2007). Modern security administration among leading western democracies has increasingly come under new threat in form of religious terrorist organisations like the Osama bin Laden led Al-Qaeda terrorist organisations that have fundamentally challenged security forces in many nations due to their manic obsession with mass suicide bombings that have proved almost impossible to guard against. This phenomenon has seen the relaxation of some of the privacy laws to enable access to personal information for those individuals termed as potential threats to public safety. Although the UK has over thirty years experience in terrorist acts mostly from the North Ireland’s Irish Republican Army (IRA) the Middle East, based Muslim groups constitute a more latent threat due to the indiscriminate fanatical disregard of human existence. The constant state of siege that has engulfed particularly in Britain and United States has however enhanced the importance of private security firms that are deployed to compliment government efforts in keeping vigil over these radical elements that have infiltrated their countries. The government’s has formed the Counter-Terrorism Strategy (CONTEST) unit whose stated objectives are the four Ps or the prevention, pursuit, protection and preparedness against the terrorist organisations. The private security agencies are increasingly playing a big role in managing security for all organisations that live under the constant threat of terrorist attacks as well as other criminals as the public authorities got overwhelmed by the demand of guarding all public utilities. Risk Management The main task entrusted to a security manager in several organisations is that of risk management. According to the CISA Review Manual (2006) risk management is’ the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization’(Pg.85). Risk management entails the security manager and organisation leadership applying various controls within the organisation including administrative, logical and physical controls. Administrative controls are merely procedural issues encompassing written strategies, principles and methods that form the basis of the security policy and strategy within the organisation. Logical controls are technical methods used to scrutinize and manage access to data and IT systems including passwords, network, firewalls and information encryption tools. By virtue of the principle of least privilege, employees are limited access to data that can lead to intrusion of personal information of other people or company’s confidential data. Physical control is the management or control of the organisation’s environment and IT systems. These encompass the physical buildings, fire, doors, barricades, guards among others. The security manager is therefore obligated to not only protect the organisation, its assets and workforce but also ensure access control over both personal and company information as outlined in the Data Protection Act 1998 while also acting on due diligence to not violate individual rights while dispensing security thus keep within the Human Rights Act of 1998. This prevents undue ligation suits that can enjoin the organisation from former employees or any other stakeholder that may feel aggrieved by overly application of security procedures. In modern organisations, the issue of safety has gained prominence as firms recognize the critical significance of the task of securing its assets and gaining the confidence of their shareholders. Security management has therefore gained evolved from mere guarding to gain a strategic management role that is a cornerstone of organisation structure. Organisations assets, including personnel, physical assets, research and development processes are entrusted to the security managers to safeguard as well as ensuring their sustenance for the organisations future development. The security manager must strife to earn the International Organization for Standardization (ISO) certifications for excellence in maintaining high standards. These include ISO-20000, IT - Service management, and ISO-27001, IT - Security techniques and Information security management systems In analysing the role effect of the various regulations and Acts enacted in the UK have on security manager’s ability to conduct investigations within the UK; we shall interrogate the role of these rules in organisations security management systems. The Data Protection Act 1998 The Data Protection Act 1998 was majorly a consequence to the European Directive 95/46/EC, European Union Data Protection Directive (EUDPD) on the processing of personal data held either in paper or in computers databanks (Strobl et al, 2000). The Data Protection Act 1998 requires individuals to be made aware of any envisioned personal information projected for processing but not necessary have their consent as ‘fair processing requirement’ based on a principle of ‘no surprises’ to reduce instances of personal damage or distress. Iversen et al (2006) therefore argue that, ‘the law allows personal information to be used and disclosed without explicit consent, subject to certain safeguards, when it is impractical to obtain consent and an important public interest is at stake’ (Pg.169). Nonetheless Jay (2004, Pg.1) observes that although The Data Protection Act 1998 (DPA) protects individual rights particularly in regards to personal information, the act must balance the need for public interest, research and security that sometimes overrides personal interest. The Data Protection Act has therefore legislated against maliciously use of private information by both individuals and organisations. The security management strategy is therefore designed to avoid conflicts with the Act while ensuring that an organisation has ample data on staff and other stakeholders that may compromise the security of the organisation. Security managers mostly rely on security software and other metrics that are construed to deter any potential leak or attacks both form own staff or outside elements. Due to the efforts of human rights activities and other lobbyists, a national security agency the Information Commissioners Office (ICO) was formed to regulate data security (Leigh- Pollitt and Mullock, 2001). The Data Protection Act has further been amended to incorporate the use of closed circuit cameras (CCTV) on how they collect, store and utilisation of the footage to avoid leakage of content to the wrong parties and avoid filming of private or personal moments that have n relation of security of the organisation. The Act has also instructions on how to conduct investigations particularly on the use of personal data thus an investigator is required to justify the utilisation of this information and persons who will access the processed data prior to admittance. The investigator must therefore comply with the eight stated principals of the Data Protection Act [see outline below Figure 1]. Other compliance measures include the right to object to direct marketing and observe fulfilment of notification or information protection registration to avoid violations of the Data Protection Act of 1998. Figure 1 Exceptions In instances when it is necessary to keep sensitive personal information, the Act requires the security investigator to seek additional permission from the concerned individual. These include information regarding race or ethnicity, political inclination, religion faith, industrial unions, physicality or psychosomatic state, sexual leanings and criminal record but exclude age, gender and financial data. Nevertheless, exploratory information by investigators may sidestep the additional confirmation by proving there was an initial consent and that the data is only for that investigative purpose. Security managers are guided in obtaining this data legitimately by the provisions of the Fair Processing Code which stipulates that the information controller must be identified to the individual under investigation as well as informing the subject of any other pertinent matters regarding the intrusion of personal information. This necessitates under Data Protection Act the application of any of the twenty six topics of which information may be requested or held by which the data controller rigorously assigns the relevant heading (Sorrell, 2000). Information Commissioners Office The DPA (section 47) instructs that the data controller notify the Information Commissioners Office (ICO) about all relevant information they hold to ensure conformity and transparency within the Act’s provisions. The data is then published in the inventory of data controllers for analytical purposes by any stakeholder hence ensuring there is no duplication by other agencies while according the subject the opportunity of discerning whether their personal data is available in other forums or agencies (Sorrell, 2000). In case the consent for information is sought under proxy whereby an investigator may approach an employer, medical practitioner or financial institution for personal data on a subject under investigation, the inquiring authority is confronted with impediments as most authorities deny them the right to scrutinize their client’s information unless substantial authorization has been accorded or mitigating circumstances are proofed by the investigator. Whereas the information sought by the investigator is covert, usually when there is evidence of illegal activities, consent requirements can be waived but the DPA has not specifically set guidelines on this area hence subjects under scrutiny may become aware of the intrusion. However, the PDA necessitates the acquired information is withheld before release to the reporting agency or third party until the subject is made aware of the probe (Jay, 2004). This has been cited as a source of hindrance to crime prevention sometimes leading to dire consequences when the information is either withheld or omitted from records due to PDA requirements on collection, privacy and storage. In the aftermath of the murder of schoolgirls Holly Wells and Jessica Chapman in August 2002 by Ian Huntley, the Humberside Police blamed the Data Protection Act for the failure in keeping records and poor data management that inadvertently enabled Huntley to be engaged as a school caretaker despite having nine prior charges against him. The Act directs deletion of records that do not lead to conviction hence Huntley records were not accessed prior to his employment. Nevertheless, an independent inquiry led by Sir Michael Bichard deferred with the allegations laying the blame on the police. Bichard asserted that the Data Protection Act need not be revised but still concurred that there was an urgent need for better methods of ‘collection, retention, deletion, use and sharing of information’ among intelligence officials and other stakeholders. IT, Networking and Internet Control Modern security management encompass the partial control of IT, network and internet usage and violations. Security agencies however are only mandated to intrude or regulate personal information within the confines of the PDA and Human Rights Act 1998. Privacy laws prohibit Internet Service Providers (ISP) from maintaining personal information regarding their clients. The authorised regulators are only allowed to intercept data transmission if there is consent of one the parties to the communication. The investigator must therefore obtain a court order or Secretary of State to allow access to the transmission between suspected criminals. The ISPs companies are then accordingly financially compensated for the use of their equipment in retaining such information. Criminals however can avoid detection by using small ISPs (less than 10,000 clients) who are not mandated to keep their records by the law due to financial expenditure involved. The Human Rights Act 1998 The 1998 Human Rights Act that is also derived from the European Convention on Human Rights (ECHR) enacted in October 2000. One of its most significant acts was the abolition of the death penalty in British law, which was in conformity with the EU law. The Act in effect made UK law compliant to the European Court of Human Rights in Strasbourg. The ECHR Article 8 states that: Everyone has the right to respect for his private and family life, his home and his correspondence. Also there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and that which is necessary in a democratic society, in the interests of national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals, or for the protection of the rights and freedoms of others (ECHR, Article 8) Role of the ECHR The Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) was adopted under the auspices of the Council of Europe in 1950 to protect human rights and fundamental freedoms with the European Union (EU). Nevertheless, the United Nations Universal Declaration of Human Rights (UDHR) of 1948 forms the basis of most of these human rights instruments, which have generated various international and regional instruments that guide the international laws on human rights. Human Rights have therefore been described as the inalienable moral entitlement to all persons equally, by virtue of their humanity, irrespective of race, nationality, or membership of any particular social group (UNHCHR, 2009). However, under the provisions of the Regulation of Investigatory Powers Act 2000 (RIP), the government can revoke existing regulations in case of national security when intending to investigate illegal activities, prevent crime, public safety or health or for economic purposes that have national implications. Due to the onset of terrorism, internet crime and paedophilia threats in cyberspace, the RIP Act was enacted to deal with individuals violating the worldwide web to impute public and personal attacks on unsuspecting individuals [see summary of the regulations in figure 2 below]. The information garnered under the RIP Act was initially only provided access to nine authorities including education, employment agencies and municipal councils but has now been substantially opened up to encompass 792 organisations or which 474 are municipalities. This RIP Act has drawn widespread criticism from civil rights groups who are dismayed by the continued allowance given to authorities to snoop at private individual data especially with the onset of terrorist threats (Rayner and Alleyne, 2008). Figure 2: Summary of RIP Act Regulations The Investigatory Powers Tribunal (IPT) In view of the numerous complaints against unauthorised privacy violations, the government formed the Investigatory Powers Tribunal (IPT) which was charged with conducting inquiry into the specific complaints. Nonetheless very few of these complaints have withstood the IPT scrutiny or been upheld by organisation (Thomas, 2007). [See summary report below, Table 1] The Human Rights Act 1998 nevertheless gives the right of litigation in case of violations of the RIP Act as provided in section 4 of its Act hence testing the legitimacy of the RIP interceptions Hansen (2003). Table 1: The Investigatory Powers Tribunal (IPT) Complaints vs. Complaints Upheld 2001-2008 Year Total Complaints Complaints Upheld 2000-2001 102 nil 2002 130 nil 2003 109 nil 2004 90 nil 2005 80 1 2006 86 nil 2007 66 nil 2008 136 2 Total 799 3 ( Read More