Data Advice

by msecadm4921

There are simple steps to take to minimise your risk of data protection breaches, writes Grant Campbell, pictured, the head of the Technology, Information and Outsourcing Group at Brodies LLP.

Recently the Information Commissioner’s Office (ICO) announced that the Commissioner, Chris Graham, was exercising for the first time his new powers to serve monetary penalty notices, on Hertfordshire County Council and community legal advice centre operator A4e, for serious data protection breaches. The fines of £100,000 and £60,000 respectively were substantial, and although both organisations have issued apologies for what happened, that probably hasn’t spared them the substantial reputational damage from the press coverage that ensued.

It’s a timely reminder, if one were needed, of the importance of taking data protection obligations seriously. But, as the facts of each case show, it is also a reminder that much of what is required is common-sense processes and procedures that stop very basic things going wrong.

What is very interesting in the Commissioner’s penalty notices is the importance he places on data controllers’ security policies and procedures being robust, adequate and actually implemented. It is not enough to roll out a policy or process if it is not being adhered to. Data controllers therefore need to give careful thought to how they actually implement the policies and processes they put in place. They also need to think about how they would demonstrate to the Commissioner both that the steps taken to ensure those policies and procedures were implemented had in fact been taken, and that those steps were themselves adequate.
So, if a particular process required training, had training been provided, and had all affected employees undertaken it?

When thinking about data security, the following basic principles should serve as a good starting point.

- The basic data security requirement for personal data is that controllers take "appropriate technical and organisational measures" to ensure a level of security appropriate to the nature of the data to be protected and the harm that would result if its security were compromised.
- As a result, you will be expected to ensure that the level of security you provide for data is proportionate to its sensitivity, or to the harm that might be caused were it compromised. Sensitive data requires a higher level of security.
- Remember that data security is best tackled holistically. It is not just an IT issue. Implementing simple operational processes to minimise the danger of data compromise is also necessary. Control of access to data, physical security, and basic operational and office procedures are all necessary planks of a data security plan. In the case of Hertfordshire, basic safeguards around faxing procedures would have prevented the data being compromised. Standards such as ISO 27001 and BS 10012:2009 are good source material on good practice.
- Think data security at all times, and ensure that all policies and procedures within your organisation have been developed in a way that is consistent with sound data security principles.
- Make sure your policies and procedures are properly implemented. If the implementation of a policy needs to be phased, for example the encryption of laptops in the case of A4e, then how will that phasing be handled? For instance, what restrictions should be placed on the use of laptops that have still to be encrypted, and how will that be policed?
- Make sure you can demonstrate that your policies and procedures have been properly implemented, if called on to do so. This is important not only if you have a data security incident and the Commissioner becomes involved, but also because (increasingly) those you deal with, customers included, may ask to see evidence that you take the security of their data seriously.
- Finally, recognise that no matter how good your data security is, there is always the possibility of an incident. Be prepared, and make sure you know what to do to deal with it promptly, effectively and in a way that mitigates any harm that has been caused. Further guidance can be found on the ICO’s website – www.ico.gov.uk.

Remember: if a data security incident occurs, this does not automatically amount to a breach of the Data Protection Act. An incident will only result in a DPA breach where the data controller cannot demonstrate that it had taken appropriate measures to keep the data safe. If the controller can show that it had met the relevant standard but the data was still compromised, then it won’t have breached the DPA. Ultimately, though, the value in taking data security seriously runs much wider than the DPA. It reduces the risk of the incident happening in the first place, and that helps the organisation maintain the trust on which its reputation depends, which becomes more and more important as the public becomes increasingly savvy about these things.

Two case studies

Hertfordshire County Council – there were two serious incidents in which the Council’s childcare litigation unit sent two faxes to the wrong recipients. The first fax contained sensitive information about a child abuse case; the second contained information relating to the care proceedings of three children, as well as details of previous convictions and domestic violence records of other individuals. The fact that the second incident happened at all was seen as an aggravating factor, since it suggested that the measures the Council had adopted to prevent a recurrence of the first incident were inadequate. In the Commissioner’s view, the sensitive nature of the information was such that if it was to be faxed at all, the Council should at the very least have had a ‘phone ahead’ and ‘confirmation of receipt of fax’ process in place.

A4e – the company issued one of its employees with a laptop for home working. The laptop was stolen from the employee’s home. It contained personal data and sensitive personal data relating to 24,000 legal advice centre clients, including the case type (for example debt, welfare or employment), the name, postcode, date of birth and gender of the data subject, and whether or not the client was a lone parent, care leaver, carer, victim of violence, ex-offender, young offender or gypsy traveller. While the laptop was password protected, it was unencrypted, and the Commissioner also noted that the company had not provided the employee with a cable lock or other security device to secure it. A login password on an unencrypted laptop is no protection against theft: the drive can simply be removed and read in another machine, which is why only encryption of the stored data addresses that risk. Furthermore, the fact that the company had policies in place requiring data stored on laptops to be encrypted showed that it was aware of the risk of a data security breach, but had not actually ensured that it was addressed.


© 2024 Professional Security Magazine. All rights reserved.
