It is fair to say that until very recently, data security issues have not generally been regarded as a mainstream issue for business. But the major breaches of data security at the end of last year, most notably the loss of 25 million child benefit records by HM Revenue and Customs, have changed this almost overnight. Technology has been advancing at breakneck speed, with data security lagging behind. A few years ago, mislaying a file of personal details would have affected a relatively small number of people. Now the loss of a single disc can result in millions of individual records going missing. So far, the majority of the high profile incidents have involved the loss of personal information by government departments and businesses with a large customer base, but the issue is equally significant for other employers, albeit that the number of individual records involved may not be as great. Organisations now have a responsibility to customers and employees alike to keep their personal information secure.

Changes

These events have given added momentum to the campaign already being mounted by the Information Commissioner's Office (ICO), the body responsible for overseeing data protection law, for greater sanctions for breaches of data protection law. It now seems a distinct possibility that some or all of the measures the ICO has been lobbying for will be introduced, for example: the power to fine for breaches; serious breaches to be criminal offences; the ICO to be able to conduct spot check audits; notification of breaches to be mandatory; and even a duty on senior management to certify that they are satisfied that personal data is adequately protected in their organisation.

Anyone who processes personal data has to abide by a set of data protection principles, contained in the Data Protection Act 1998. Processing is very widely defined and includes, in effect, any activity involving personal data. Personal data is information relating to particular individuals and includes computerised material and also manual records if they are held in a filing system. It includes information such as names, addresses, telephone numbers and dates of birth and does not have to be confidential. The data protection principles are concerned with fair and lawful processing. One principle deals specifically with security. It says that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and to prevent accidental loss. Another stops data from being transferred outside the European Economic Area unless the recipient country has an adequate level of data protection.

At the moment, the ICO is limited to serving improvement and enforcement notices on data controllers (those who decide how data is processed), requiring them to make changes to comply with the law. Breach of an enforcement notice is a criminal offence. It may also have commercial implications; the recipient of the notice can be prevented from using the personal data.
Individuals can apply for compensation from data controllers for a breach of the law. But aside from legal sanctions, as recent events have shown, failure to comply with data protection law can result in damaging adverse publicity. The ICO now routinely publishes details of enforcement action taken against organisations. Recent examples are a prohibition on a company from allowing employees to share computer passwords and an order for the encryption of laptop hard drives (following the theft of an unencrypted laptop, containing details of personal data of employees, from the house of a contractor).

Action to consider

Now is a good time to conduct a review of data security in your organisation. This might include:

  • checking who has access to personal records; it should be based on genuine need not seniority
  • ensuring that access controls and passwords are in place for computer material (and that secure cabinets are used for manual documents)
  • making sure that there are audit trails and regular checks for unauthorised/suspicious use
  • ensuring that induction and refresher training for staff includes data security; it can be a criminal offence for employees to disclose personal data without their employer's authority
  • controlling the taking of records off site; making sure everyone knows what can be taken and the rules for security
  • checking that data is transmitted between organisations by email or fax only if there is a secure network
  • making sure that any third parties (such as IT contractors) who have access to personal data have appropriate security in place; the primary responsibility for compliance is on data controllers. If you use others to process data, you must have a written contract which obliges them to comply with the data security requirements.

Clearly, it is always worth ensuring that there is a record of this sort of review and of the compliance procedures that are in place. In most cases where the ICO has taken action, it is not that anyone has deliberately failed to comply with the law, but more that individuals in the organisation have not been made aware of their responsibilities.