Data security should not be taken lightly. It is an issue that is increasingly being brought to the fore in the media, the latest high-profile example being last week’s Carphone Warehouse hacking incident, which involved over two million customers’ account details.
A report published this week by the pro-privacy group Big Brother Watch has highlighted that local authorities in the UK experienced over 4000 data protection breaches between April 2011 and April 2014 – an average of four per day. The report was compiled using information obtained through freedom of information requests.
Aside from negative publicity and the concomitant reputational damage, the Information Commissioner’s Office (ICO) has the power to impose a penalty of up to £500,000 on local authorities that breach the Data Protection Act 1998 (the DPA). Some of the most substantial penalties that the ICO has imposed to date have been in the data security context.
The value and importance of effective staff training and education cannot therefore be overemphasised.
What is a data protection breach?
Examples of the data protection breaches highlighted by Big Brother Watch included:
- letters and emails being sent to the wrong addresses or containing information not intended for or related to the recipient;
- unauthorised disclosures of personal data;
- data loss, including theft;
- lost or stolen flash drives, laptops and tablet devices, including a laptop containing school pupils’ reports;
- paper files containing sensitive information relating to children being left on public transport and a paper file being left on the roof of a car;
- unauthorised access to benefit claim records;
- use of CCTV systems to watch a private wedding reception; and
- employees sending local authority information to their personal e-mail accounts.
What does the law require?
The Data Protection Act 1998 (the DPA) requires local authorities, as data controllers of the personal data used by them in carrying out their functions, to put in place “appropriate technical and organisational measures” to protect against certain risks, such as loss of or damage to such personal data.
In implementing such measures, local authorities must consider:
- the state of the art and cost of security measures;
- the nature of the personal data to be protected, with information relating to children and health to be accorded higher standards of protection;
- the resulting harm which may arise from breach, such as significant emotional upset or financial loss;
- the effectiveness of existing measures and weaknesses identified; and
- the reliability of staff and the level of due diligence undertaken on staff and contractors relative to the roles they perform.
Top tips: what data security measures can local authorities take?
In order to reduce the risk of data security breaches, local authorities should:
- carry out a data security audit to identify areas for improvement and assess the data security measures that could be implemented;
- implement a data security policy so that staff are aware of the need to exercise caution when handling personal data;
- provide regular and refresher data protection and data security training to staff appropriate to their grade and involvement with personal data;
- enforce a clean desk policy and encourage staff to put files away in drawers and cabinets (which are capable of being locked) when they are not required;
- keep internet security software up to date so that the network is protected from the latest threats;
- enforce strict “bring your own device” policies;
- implement suitable security measures for mobile devices to protect personal data “on the move”; and
- minimise the personal data held. The more personal data that is held, the greater the risk of a data security breach occurring.
Get in touch
If your organisation requires advice or training on data protection or data security, please contact us to find out how we can help.