This story was written when it was discovered that there seems there is insufficient evidence to prosecute Boris Johnson for misconduct in a public office; the police had been investigating him as a result of his alleged relationship with Jennifer Arcuri in the light of decisions taken by the Mayor’s Officer to support her business. It should be noted that he did not declare his relationship as a potential conflict of interest. His day-time visits to her home, so presumably during working hours, were, it seems, for ‘technology lessons’; it reminds me of the Private Eye euphemism of “Ugandan discussions”. One disturbing part of the affair is that many of the emails seem to be unavailable., possible in contravention of the GLA’s & Mayor’s statutory record keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating if wrong doing has occurred; it highlights the role of ISO 27001 in specifying good IT Management and Security practices and that compliance/certification may be seen as part of a legal defence against liability for a security breach. Without good IT Security controls, essential audit questions cannot be answered.
In order to help consider how that might have happened, I have just written a short note on how ISO 27001 deals with deletion. It is clear that the rules and means of making data deletions need to be specified and controlled. ISO guidance on “Asset Management” specifies good practice for data management and the section on “Logging & Monitoring” details how business actions need to be, well …, logged and monitored. Without these tools, we cannot know who took any actions, and who instructed that these actions occur. I talk about the well known exception to the storage principle, that data needed for disputes or compliance must not be deleted until these needs aee no longer in place. If these tools, are not available, perhaps we should be asking, why not? Who said that these controls were too expensive? The GDPR establishes that using a certified code is an important indicator that the organisation has “adequate technical and organisational protection”.
While Johnson’s relationship with Arcuri is not what led me to look at the Bribery Act, I wrote a short note on that and discovered that a bribe is
[any] act designed to obtain or having the effect of obtaining advantage through the ‘improper performance’ of another person.
Originally published at https://davelevy.info on May 24, 2020.