Recently it was reported, that government employees are still able to copy unencrypted information from internal databases, while policies in government departments are criticised as not going far enough to prevent data loss.
Paula Barrett, head of the data protection group at international law firm Eversheds comments:
“This is not a case of new laws being required here. The existing legislation for data protection already covers the need for encryption, however the implementation of that legislation and existing guidelines is the most challenging aspect for government and the wider business community. That USB sticks can still be used and unencrypted data downloaded is not surprising in itself. The questions this raises are more along the lines of what data can be accessed and who by? If USB ports haven’t been disabled, what training and other awareness raising activities have been undertaken to deter inappropriate copying? Are encrypted USB sticks being used and are there any restrictions on what can be copied?”
Charlotte Walker-Osborn, a partner in the technology team at Eversheds and committee member of the British Computer Society-Information Security Specialist Group, adds:
“A good example of this is the recent case when the Information Commissioner’s Office (ICO) spoke with a major high street retailer when a laptop which held over 25,000 employees’ details, without encryption protection, was stolen from one of its contractors. The ICO stated that the retailer might be subject to criminal charges if it did not encrypt all of its hard drives by a certain date last year. The retailer initially appealed the enforcement notice. According to the ICO, laptops must have adequate security protection in place, such as password protection or encryption if they leave employer premises and have personal data on them. In the end, the ICO and the retailer reached an agreement whereby the ICO accepted undertakings from the retailer to comply with the Data Protection Act (DPA). This demonstrates that the law is there to deal with security issues like data loss. However, until a significant fine or criminal charge is given, companies may not have the impetus to spend the money on ‘adequate security protection’.”
Paula continues:
“In the wake of the Data Handling Review and the Walport and Thomas report, there is still much work to be done to implement the recommendations made. Accountability was a key thread of both reports. Inevitably attention to that factor is likely to increase further once the Ministry of Justice determines the level of fines which the ICO can levy under its new powers.”
