The UK Information Commissioner’s Office (ICO) has been increasingly active over the past couple of years in levying fines on various organisations, both government and commercial, for breaches of the Data Protection Act (DPA) 1998 by failing to protect personal information adequately.
Why should I care?
Failure to protect personal information could result in a number of consequences for an organisation. Arguably the least of these is a fine from the ICO which can be up to £500,000. There is also the reputational damage of ‘naming and shaming’ on the ICO website and ‘the press’. In addition there is pressure from some legal quarters for fines against an organisation to be passed on to Third Party Suppliers if they were found to be directly responsible for a data breach.
The seventh principle of the Data Protection Act states:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
There have been a number of cases this year of fines levied against organisations; the most recent reported was a fine against Scottish Borders Council of £250,000 after paper records of employee pension details, salary and bank account information were found in a paper recycling bank. This shows that all forms of information, not just that stored digitally, require appropriate protection.
The ICO has quite considerable powers and in September 2012 SC Magazine reported that the ICO is considering custodial sentences for instance of proven malicious data loss. The ICO Deputy Commissioner stated in a presentation that the biggest risk was now the human factor, as all breaches had a human failing behind them and organisations were not protecting themselves. (See Ascentor’s recent research into the Human Face of Information Risk).
Most recently the ICO has given specific advice aimed at charitable organisations that hold personal information and advised them to be aware of their responsibilities ( read the SC article on this move here )and is also aiming advice at schools.
What can I do about it?
In April 2012 the ICO published its guide for Small and Medium Businesses (SMBs) on how to protect their IT systems to meet the requirements of the DPA and this comprised a number of steps:
- Assess the risk to your business
- Use a layered approach to security (physical, technical and procedural measures)
- Secure data on the move and in mobile devices
- Keep your system up to date
- Keep an eye out for problems
- Make sure that your organisation understand the procedures to protect data
- Minimise your data
- Make sure your IT contractor is doing what he/she should be
Read the ICO guide here Â» A Practical Guide to IT Security .
What shouldI do about it?
As the ICO’s guide points out each organisation’s information handling and business context is different and the principles need to be applied in a sensible and pragmatic manner.
What do I do next?
Decide if the DPA applies to your organisation. If it does, read the ICO guide and then conduct a self assessment to assess if changes need to be made to protect any personal information. If you are not sure if it applies to you or you are not clear about conducting a self assessment get qualified support.
Ascentor believes that protecting personal data is just one part of managing risks to an organisation’s information, whether that is company IPR, details of commercial strategies, customer data, protectively marked information or personal data. It’s about assessing the risks and developing a pragmatic and cost effective approach to managing those risks.
By Steve Maddison , Director and Principal Consultant at Ascentor.