The Data Protection Act 1998 (DPA) regulates how your personal information is used and protects you from its misuse. The Act’s framework is based around eight key principles, which require that your personal information is:
• Processed fairly and lawfully
• Processed for specific purposes
• Adequate, relevant and not excessive
• Accurate and, where necessary, up to date
• Not kept for longer than is necessary
• Processed in accordance with your rights
• Kept secure
• Not transferred overseas without adequate safeguards in place.
Recently, alleged data security breaches have been highlighted in the media. This is a sobering reminder for “data controllers” (those who decide how and why personal data is processed) in all sectors about both their data security obligations under the DPA and the possible damage that can occur if things go wrong. With the Information Commissioner’s Office’s increased focus on areas it perceives to be of highest risk, particularly security and poor housekeeping of data, institutions should review their practices.
Under the Seventh Principle of the DPA, data controllers are required to take appropriate technical and organisational measures to ensure the security and integrity of personal information. In practice, this means having in place robust security management structures, technical and operational security arrangements and staff training and monitoring to ensure that data security procedures are adhered to.
The potential consequences
The need to comply with the Seventh Principle has taken on particular significance in light of the Information Commissioner’s annual report, which highlights examples of action it has taken.
There is a clear message emerging from the ICO that it will take a robust stance in relation to security breaches. The ICO has significant powers available to it when investigating breaches of the DPA. These include powers of entry and inspection upon warrant, and the service of information notices, breach of which is potentially a criminal offence. In addition, organisations risk being sued by affected individuals for any damage or distress they suffer as a result of a breach.
Claims could be very costly, particularly if financial information is abused through identity fraud, or if severe distress is caused through the loss of sensitive personal information such as health details.
What can be done?
The DPA does not specifically prescribe what an organisation has to do to comply with the Seventh Principle, but some examples of possible measures are:
• Carrying out a review of existing administrative, physical and technical safeguards for protecting personal information, held in both paper and computerised form, including a review of the security of buildings and mobile devices such as laptops and personal digital assistants (PDAs)
• Ensuring that all workers who have access to personal information, whether computerised or paper based, are suitably trained and aware of the requirements imposed by the DPA, what they need to do to ensure the organisation’s compliance, and what the consequences may be for the organisation and individuals personally if they do not follow procedures
• Avoiding capturing sensitive personal data in unsecured environments without protections such as encryption, or avoiding altogether the processing of data in an identifiable form where this is not necessary.
Finally, organisations should consider formulating a response policy for use in the unfortunate event of an information security breach. This might include, for example, notifying the ICO and working with it to find ways of avoiding a repeat incident, and informing affected data subjects so that they can take measures to minimise the risk of damage (and in turn compensation claims) from identity theft.