Data security

When HM Revenue and Customs (HMRC) recently admitted to losing discs containing details of 25 million child benefit claimants, there was a public outcry. It was said that in the wrong hands, the records could provide sophisticated criminals with a valuable tool to steal the identity of millions of people – to open bank accounts, get credit cards and loans, claim state benefits and generate passports and driving licences.

In an age where face-to-face transactions are no longer the norm and paper records are increasingly obsolete, maintaining confidence in the way personal information is handled is essential best practice in business. Organisations must not take good security for granted - the stakes are simply too high to get it wrong. HMRC found this out to its cost. Within hours of the announcement that it had lost the discs, the Chairman resigned, questions were asked in Parliament and the Information Commissioner’s Office (ICO) commenced formal investigations under the Data Protection Act 1998.

Here we explore the importance of managing personal information properly, outlining organisations' legal responsibilities to protect personal information, the consequences of failing to do so and practical steps that can avoid some of the most damaging pitfalls.

High-profile security blunders

The problems suffered by HMRC highlight the risks of failing to properly protect personal information. Sadly, the case is not unique. Earlier this year, Nationwide Building Society was fined a record £1m when a laptop containing 11 million customer records was stolen from an employee’s car and a further 11 banks and building societies were ‘named and shamed’ for the reckless way in which they discarded customer records on the high street.

These incidents damage customer confidence, erode reputations and ultimately lose businesses money. High-profile security blunders in the US and continental Europe have seen companies lose millions of dollars off stock market values and make massive payouts to blighted consumers and vexed regulators.

Complying with the Data Protection Act

Protecting personal information is not just sound commercial practice, it is a legal requirement. Any organisation responsible for the collection and use of personal information must comply with the Data Protection Act (DPA).

The DPA requires organisations to keep personal information secure against unauthorised or unlawful use and to manage personal information in a 'fair and lawful' manner. This means:

  • Holding personal information on secure IT systems;
  • Ensuring personnel remain aware of the importance of keeping data secure and confidential;
  • Notifying the ICO and the individuals (staff, customers, etc) whose personal information is held about how their personal details are collected and used;
  • Ensuring personal information is only used for 'fair' purposes - for example, to fulfil a legitimate business need or a statutory duty, or where the individual has given their express consent;
  • Keeping records up-to-date and cleansed from systems when no longer required;
  • Allowing individuals the right to obtain a copy of their records on demand; and
  • Taking extra care when transferring data to third parties outside the UK.

Enforcement under the DPA

The ICO regulates compliance with the DPA. It investigates alleged breaches of the legislation and wields significant power to carry out investigations and take enforcement action.

The ICO has a deliberate policy of raising awareness of data protection through publicising poor working practices. Organisations under investigation are likely to be exposed to adverse publicity and, if systemic failures are identified, fines. If individual members of staff make unauthorised disclosures of personal information, they face the additional prospect of a custodial sentence.

Take steps to ensure compliance

Establishing a clear regime of information governance will ensure compliance with the rules and limit the risk of problems occurring. As a basic checkpoint, make sure the following are in place:

  • There is a clear understanding of the personal information collected and used within the organisation.
  • The use of personal information remains consistent with the expectation of the individuals concerned.
  • Records are regularly updated and (when obsolete) deleted.
  • Policies, procedures and IT systems are designed to maintain the integrity of data, prevent unauthorised access and effectively identify and manage breaches.
  • Regular data protection compliance audits are carried out.
  • A senior officer (directly accountable to board level) is in place with overall responsibility for management of data protection and security compliance.
  • Specific approval is required before personal information can be passed outside the business or overseas, or used for any 'new' purposes.

What to do if things go wrong

If an information security breach occurs, avoid the temptation to keep quiet and hope the problem passes by unnoticed. This is usually a recipe for more trouble. Rather, take immediate steps to protect the individuals concerned:

  • Notify the ICO;
  • Communicate what has happened to the individuals affected;
  • Explain any risks they may be exposed to and steps they can take to preserve their privacy; and
  • Start an investigation to understand the cause of the problem and implement appropriate remedial action to prevent any recurrence.

For the future

The ICO has just been given the power to audit and inspect those government organisations that hold and process personal information without first having to gain permission. Similar powers are being sought for businesses.

Further, section 55 of the DPA relates to the illegal buying and selling of personal information. Presently it carries a criminal penalty of up to £5,000 in a magistrate's court or an unlimited fine in a crown court. But going through Parliament as part of the Criminal Justice and Immigration Bill is a proposal to add a two-year prison sentence. Also, the ICO wants reckless breaches of the Act to become a criminal offence. Only section 55 breaches and breaches of enforcement notices are criminal offences under the present law.

Conclusions

People expect their personal information to be properly protected at all times. Organisations that fail to put in place appropriate measures to keep information secure risk alienating their customers, upsetting regulators and undermining their commercial viability. These risks are real and substantive. If not already in place, commit now the appropriate resources and attention needed to ensure effective information governance for the future.

Andrew Dyson

Andrew Dyson is a Partner in DLA Piper. He specialises in information law and data protection issues. For more information contact Andrew.Dyson@dlapiper.com.