You might have seen recent headlines about organisations who keep data on employees and customers being scolded by the Information Commissioner’s Office (ICO) for having insufficient protections in place to ensure data they hold is kept secure, for example, when laptops containing personal information have been stolen.
These cases have concerned breaches of the data protection principle governing security , which requires appropriate technical and organisational measures to be taken to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data (Security Principle).
In some cases, such measures will require encryption or some other form of protection to keep the data safe, particularly where personal data is stored on a laptop or home PC or sent to a third party electronically or via removable electronic media.
These are some of the recent reports of activities which might sound very familiar:
- Theft of contractor’s laptop containing personal data – Amicus Legal Ltd has been held to be in breach of the Security Principle following the theft of an unencrypted laptop privately owned by an Amicus consultant but which contained personal information about 100,000 Amicus customers.
- Loss of USB sticks containing sensitive patient information – Ashford and St Peter’s Hospitals NHS Trust was found to have breached the Security Principle after unencrypted USB sticks containing sensitive cancer patient information were lost. The information was in Word format, leaving the material easily accessible to anyone with a computer.
- Transfer of personal data to home computer – The Mid Staffordshire NHS Foundation Trust was held to be in breach of the Security Principle when someone in its HR department transferred personal information about a Trust employee to a home PC that was not password or encryption protected.
Failure by the above organisations to meet the remedial activities required is likely to lead to enforcement action by the ICO.
You can find some useful guidance on how to handle, and responsibilities in relation to, personal data in the Personal Data Guardianship Code .
So what security measures should you implement to protect personal information on laptops or other portable devices?
The ICO advises that where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical details, you should encrypt it.
You should periodically review and update the level of protection provided by the encryption to ensure that it is sufficient if the device was lost or stolen – you may need to seek specialist technical advice. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff are properly trained in these.
If it is brought to the ICO’s attention that portable devices that have been lost or stolen have not been protected with suitable encryption, it will consider using its enforcement powers.
What happens if there is a breach of the Data Protection Act (DPA) requirements?
The ICO has extensive powers where there is a breach – for example, it can conduct assessments and audits to check compliance with the DPA, serve enforcement notices requiring organisations to take specified steps to ensure compliance and prosecute those who commit criminal offences under the DPA.
Certain breaches of the DPA can result in prosecution with a fine of up to £5,000 in the magistrates’ court and an unlimited fine in the Crown Court. In addition, if you are an employer, scrutiny by the media or otherwise being known for breaching data protection regulations can be very damaging in monetary terms as well as for your brand and reputation.
The adverse publicity and harm caused not just by the actual loss of important data but from losing or abusing data, or even just taking a wrong step regarding protecting data, should not be underestimated.
Angela Cornelius, TRG law.
This article is intended as general information only. If you wish to seek legal advice, please telephone 0118 9422385 or email a.cornelius@TRGlaw.com. TRG law advises on technology, outsourcing and general commercial contracts, e-commerce, data protection and use of IT. For more details see www.TRGlaw.com.
back to January 2010 techbytes...