
Data Security

Thursday, December 3rd, 2009

Compliance with the Data Protection Act 1998

Data controllers must comply with the provisions of the 1998 Act even if they are exempt from notification.

Ask yourself this question:  what might be the consequence if you or your employee lost personal data that you were holding in a client or customer database? It might be on a disk, in a folder, on a flash stick or on your phone.

It would largely depend on your Professional Indemnity Insurance cover – so it is just as well to check your cover, because not all policies will provide for the loss or theft of the data. If the policy doesn’t include this, you leave yourself open to a claim against you for negligence.


There are eight data protection principles.  In summary, they require that data shall be:

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept longer than necessary;
  6. processed in accordance with the data subject’s rights;
  7. secure; and
  8. not transferred to countries outside the European Economic Area without adequate protection.

I quote this list directly from the Information Commissioner’s Office.

This Act places obligations on all organisations and individuals who use personal information and gives individuals certain rights.  It clearly states that those who record and use personal information must be open and transparent about how that information is used and must follow the eight principles of ‘good information handling’ listed above.

There are hundreds of thousands of businesses that need to be aware of this legislation: the list would probably run the length of the UK two or three times. Accountants, solicitors, bankers, HR departments, secretaries, PAs and VAs are just some of those who need to complete a risk assessment. The mind boggles to think of all the different organisations, SMEs included, who are handling sensitive personal information that should never find its way into the public domain. What percentage of them have taken action to address the risk?

Under the Act every organisation (data controller) that processes personal information (personal data) must notify the Information Commissioner’s Office of the type of information they process.  Failure to notify is a criminal offence.

Data controllers are required to inform the ICO of certain details about their processing of personal information.  The Commissioner uses these details to make an entry describing the processing in the register, which is available to the public at www.ico.gov.uk.

What exactly is the purpose of the register? The main purpose is reported to be ‘notification to the public register to promote openness in the use of personal information’. I believe the emphasis is skewed. Openness is one thing, but more weight should be given to the notion of ‘protection’, and I have seen no reference made to this by the ICO. We all need to take on board the acute necessity to protect personal information from identity theft/crime.

In my opinion the ICO does not go far enough to emphasise the necessity to protect information. I guess it is from fear of being labelled a patronising ‘big brother’. Surely it is blatantly obvious to organisations what steps they need to take to protect data. If it isn’t clear, then why should people think it condescending to be told?

It ought to be obvious to high-ranking government officers that taking home a laptop which contains thousands of private personal records is a no-no, but still they are taken out of the office, and still they are left on trains, or on the back seats of cars, only to be stolen while the owner pops into a shop on the way home from work. When organisations have banned the practice of taking laptops home, people have taken paper records instead and left them on trains and on buses too!

So, down to the practicalities: if you hadn’t already thought it through, here’s a quick checklist.


Does your office, at home or within an organisation, have the following security in place:

  • Is there physical security of the room in which the computer/boxfiles etc live?
  • Are laptops allowed to leave the building? Why is this necessary when it is much more secure for people to login to the server remotely if they need to work from home?
  • If laptops leave the building routinely they need fail-safe protection in the form of a ‘remote destruct device’ in case they become lost or stolen [my preferred provider is Backstopp and Leakstopp].
  • Is there Antivirus protection and Firewall protection loaded onto the computer or laptop?
  • Have passwords been set?
  • If your children use your home computer for chatrooms and games do you have protection set for them [my preferred provider is CrispThinking]?
  • Are other users of the computer in the home environment as enlightened as you are? Perhaps you should spend some time briefing them.
  • Are all paper records containing personal information shredded before being disposed of?
  • If it is absolutely necessary to pass information via text, e.g. account numbers, DON’T send the complete number in one text; send it in two halves like this – 1st text contains 12345***, 2nd text contains *****678.
  • Don’t risk losing your data due to a lightning strike. There is nothing that you can do to stop lightning travelling down a BT cable and into your home computer. This will destroy your hard disk. So the answer is to make sure you have a back-up procedure in place. Back up your disk to a remote server [my preferred product is Carbonite, where I have unlimited storage space and the whole process happens automatically].
  • Check the cover on your Professional Indemnity Insurance.
  • Finally, if you take folders containing personal information out of the office environment there should be a reporting system which records the fact that that folder has left the filing cabinet, who has it in their possession, where it is being taken to and when it will be returned.

Does all of this sound rather ‘over the top’?  You won’t think so when you take a look at MobileBozos.

MobileBozos shows examples of data loss in the UK and USA. Look at the example of a woman working at her laptop while travelling by train, with a bunch of papers alongside her machine... she leaves the whole scene unprotected while she goes off to the buffet carriage.

Footnote:

Fees for Registration to ICO are currently set at:

  • For organisations with up to 250 employees £35.00
  • For organisations with over 250 employees £500.00
  • All Charity organisations pay £35.00

Contact by telephone: ICO 01625 545 745

http://www.ico.gov.uk