Avoiding the gaze of the Information Commissioner

This is the first of a short series of articles on data protection and data security, writes Matt Howgate.

Well, after a slow start, the Information Commissioner seems to have found his teeth.  The Information Commissioner’s Office has now handed out some pretty hefty fines to companies breaching the Data Protection Act (‘DPA’) through losing or inadvertently disclosing confidential personal information.

These fines have included £60,000 to A4e for losing a laptop containing the personal details of clients from the Leicester and Hull CLACs, £100,000 to Croydon Council after a bag containing papers relating to a child sex abuse victim was stolen from a pub, and £80,000 to Norfolk County Council for disclosing information about allegations against a parent to the wrong recipient.

In 2011 the owner of a defunct solicitors’ firm was fined £1,000 for data security lapses, but the Information Commissioner made clear that the fine could have been closer to £200,000 had the firm still been trading.

I get the distinct impression, during the data security training I deliver to firms and advice agencies of all sizes, that more often than not they are at serious risk of breaching the Data Protection Act.

Often, as I describe some of the riskier data processing activities, I see people squirming in their seats – knowing that they probably did the very same thing just a day or so ago.  So this is the first of a short series of articles intended to help you avoid falling foul of the law and experiencing the sharper end of the Information Commissioner’s stick.

Tip 1: Password protect all computers (especially laptops) and stop using memory sticks.  If you are using laptops and memory sticks, make sure the data is encrypted.
Many of the most high-profile data losses have been the result of unsecured laptops being lost, or left in cars or bars and stolen.  Remember, we often carry all sorts of confidential client information on laptops (as well as commercially sensitive data).

We leave work and go to the pub for a drink, leaving the laptop in a bag near our coats, only to find that it has gone missing by the end of the evening – or we stop at the supermarket on the way home, leaving the laptop bag on the back seat or in the boot of the car, only to find the car stolen when we get back with the shopping. If either of these things happens, better the laptop is password protected, and better still encrypted, than easily accessible to anyone.

Memory sticks are even easier to lose.  They’re small and light and insignificant and can easily fall out of pockets or get left around.

The additional problem with both laptops and memory sticks is that we rarely keep track of what data is actually saved on them – so not only are they at risk of loss but, once lost, we can rarely work out what data was actually lost with them and therefore which clients to warn and how to approach the task of mitigation.  None of this goes down particularly well with the Information Commissioner.

If you can avoid using memory sticks, and for the most part the new cloud technologies seem to make memory sticks obsolete, then do so.  If you have to use them then make sure that the data on them is password protected and encrypted.

Tip 2:  Have clear data security provisions in your working from home policy.
So you have password protected your laptops; smashed all of the memory sticks; installed a high end firewall and password protected your office computer network and then one of your staff gets to 5.40pm on a Friday afternoon and hasn’t finished the statement and pleadings needed for Monday morning.

Intending to work on them over the weekend, they email the documents to their personal email address and, as intended, they work on them on the Sunday so that everything is ready for Monday – saving the various drafts directly to their home PC’s hard drive.

That PC isn’t password protected.  It is not in a locked office and doesn’t have a decent firewall.  It has viruses and worms and trojans and for 70% of the time is used by your staff member’s teenage children and their friends.

You don’t know what client data is saved on it and you won’t likely know if it is stolen.   You won’t be able to ensure that the hard drive is professionally wiped when it is thrown away or taken to the charity shop.  You’ve lost control of that data and are already potentially in breach of your obligations under the Data Protection Act.

Staff shouldn’t be allowed to store client data on their home PCs.  The use of a secure cloud-type server could ensure that client data is always stored somewhere within your control.  If you are relying on staff to use their own computers, then ensure that they are secure, that you know what data is stored on them and that only your staff member can access that data – as you would with any computer in your office.

Implementing these two simple tips over the next couple of weeks could significantly reduce the risk of data loss, and thus your risk of one day being fined by the Information Commissioner.
