Avoiding data security breaches
The Scotsman
March 2008
Recent high profile data security breaches have caused organisations all over the country to examine their data security measures. There have been a number of security lapses resulting in embarrassing publicity for the MoD, NHS boards, police forces and local councils – and for private sector businesses such as Carphone Warehouse, Marks and Spencer and logistics firms.
No one wants to join this list of those publicly named and shamed and no one wants to receive a compensation claim or an Enforcement Notice from the Information Commissioner's Office (ICO).
The Data Protection Act 1998 (the Act) is intended to ensure compliance with the data protection principles which aim to protect the security and privacy of individuals' personal data. It is the seventh data protection principle (that data must be kept secure) that has been the subject of recent breaches. These include the loss or theft of unencrypted laptops and USB memory sticks, sensitive documents lost in the post or left on public transport and websites where technical problems have left data exposed.
What are the consequences of breaches in security? Breaches can take many forms from computer viruses paralysing your systems to the theft or unintended release of confidential information. This is to say nothing about the embarrassing publicity such a breach may receive and the loss of public confidence that follows.
These are practical consequences, but what about legal consequences? If the data that is stolen or unintentionally released is either a third party's confidential information or contains someone's personal data then this may lead to a court action for damages or a breach of the Act. Such a breach of the Act can lead to the ICO making a public Enforcement Notice (an official warning and an instruction to remedy the breach) against your organisation. Failing to comply with the Enforcement Notice can lead to a prosecution and fines being imposed both on the organisation and on any manager, director or partner who consented to the breach or whose neglect led to the breach. In addition, where someone suffers financial loss as a result of the breach of the Act then they can claim damages in respect of that loss.
Now that you are concerned about data security how can you avoid damaging breaches of the rules? The ICO has a useful Good Practice Note on the Security of Personal Information (available from its website). Some steps you can take include:
- conducting a risk assessment of the security of your data and carrying out regular data security audits
- appointing someone to have responsibility for your data security
- considering your physical security (e.g. locking up files, laptops, discs and memory sticks)
- training your staff and ensuring they comply with a security policy, including controlling access to certain information
- regularly backing up your data and having an incident response plan
- putting in place technological measures
Some organisations are taking this further and seeking to comply with the ISO 27001 standard on information security management. This can be used not only to try and prevent data security breaches and to comply with the Act but also as a tool to demonstrate good working practices and maintain public confidence.
Data security is a topic stepping out of the shadows of the IT department and into the boardroom. You should take the time to think carefully about your organisation's data security and seek appropriate professional advice if you have any concerns.
Graeme Moffett is an Associate specialising in IP/IT law at UK law firm Shepherd and Wedderburn
0141-566 8575