The Network Box guide to avoiding the wrath of the Data Protection laws
In April of this year the Information Commissioner was given the ability to levy fines of up to £500,000 for failure to observe the Data Protection Act. Nobody thinks that this will be applied to the local newsagent who isn’t adequately protecting the stored information of existing and potential customers; but then again, nobody knows just who is likely to be fined for what. In tried and tested British legalese, it is difficult to pin down exactly what would be a breach of the DPA, and what would be a reasonable defence against any action brought under the DPA (see my comment here on “The Weasel Words Principle that underpins British law-making”).
Network Box rides to the rescue with a paper called: Information Commissioner’s Office Powers: A Guide to Compliant Security in the UK from Network Box. It attempts to combine the legal expertise of James Pickering, a commercial litigation barrister, with its own experience in and knowledge of information security. First, Pickering discusses the problem:
The basic purpose of the DPA 1998 is to regulate those who possess and control personal data relating to individuals. In general terms, it does this in 2 main ways. The first is to give individuals whose data is being held certain rights to obtain information about the nature and content of the relevant data being held in relation to themselves. The second is to create statutory obligations on the part of those holding the data to deal with such data in what can be broadly described as a “fair” way.
…a person who controls data is under a statutory obligation (note the use of the words “it shall be the duty of…”) pursuant to section 4(4) of the DPA 1998 to comply with the “data protection principles” including in particular the 7th principle which requires data controllers to take “appropriate technical and organisational measures” against, amongst other things, “accidental loss or destruction of…personal data”.
And that’s the problem. What on earth is “appropriate technical and organisational measures”? Network Box offers 11 steps to cover yourself:
- Avoid human error.
- Plan for a breach.
- Review any third-party suppliers that host data.
- Encrypt any data that has to be moved.
- Check all data leaving the building.
- Remember that security is about more than just email.
- Review what applications and systems are used across the organisation as part of your ISO9001 meetings or about once per quarter.
- Ensure that all data is routed through the appropriate channels and that nothing bypasses security systems.
- Educate employees.
- Use a secure VPN for home workers.
- Don’t allow employees to download anything that isn’t approved by the security team.
What is considered “appropriate” will depend on all the circumstances of the case, but there can be no doubt that the greater the level of commercial security application in place, the less chance that any particular business will be seen to have not taken sufficient or appropriate steps. Similarly, the greater the level of advice taken by a data controller from entities such as Network Box, the greater the prospects of that business being able to show that any contravention was neither deliberate nor reckless and therefore outside the ambit of section 55A of the DPA 1998.