UK – Data

The UK 2016 Updated NAP

2. The State Duty to Protect Human Rights

The existing UK legal and policy framework

  1. Examples of wide ranging legislation protecting human rights in the business context include… the Data Protection Act 1998 which applies to companies and ensures respect for the privacy of individuals.

Actions taken [page 9]

  1. To give effect to the UN Guiding Principles, the Government has:

(ix) strengthened international rules relating to digital surveillance, including leading work in the Wassenaar Arrangement to adopt new controls on specific technologies of concern. Specifically new controls were agreed on:

  • equipment and software for creating and delivering “intrusion software” designed to be covertly installed on devices to extract data.
  • “internet surveillance systems” which can monitor and analyse internet traffic and extract information about individuals and their communications.

3. Government expectations on business

Actions taken to support business implementation of the UNGPs [page 15]

  1. To help businesses to fulfil their responsibility to respect human rights the Government has:

(iii) partnered with the Cyber Growth Partnership industry guidance on assessing human rights risks relating to cyber security exports, with techUK and input from civil society. https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Export_Risks_website_FINAL_3.pdf

Government commitments

Box – Cyber Export Guidance [page 17]

The expansion of ‘cyber space’ has brought huge economic and social benefits. However, it also poses risks and new opportunities for hackers, criminals and terrorists. To help mitigate these risks, companies have developed security products and services which defend networks from malicious activity. In many countries, such as the UK, these products are used legitimately, including by law enforcement authorities, in accordance with domestic and international law obligations. However, in some countries which do not adhere to their international human rights obligations, there is a risk that the same products are used in ways that could breach state’s legal obligations, e.g. to restrict freedom of expression or to contribute to internal repression.

Normally, exports that could cause harm, such as arms, are covered by the export-licensing regime. However, many cyber capabilities, products and services are not listed. This problem was recognized by the Cyber Growth Partnership, a joint body representing industry, academia and government. The FCO worked with techUK, a technology trade association, and the Institute for Human Rights and Business to produce practical guidance for companies on managing human rights risks.

“Assessing Cyber Security Export Risks: Human Rights and National Security” was published in November 2014. It is the first guidance for this sector in the world, and sets out:

  • the different sorts of potential harm associated with particular cyber capabilities;
  • a process to help companies assess country specific risks and to evaluate business partners and re-sellers; and
  • potential mitigation options for avoiding or reducing risks.