Data Protection: A Necessity, Not An Option

Posted on June 15, 2012 by Ellie Hurst

We are delighted to have a guest post from Peter Harthan of Riverview Solicitors

The news that the Information Commissioners Office (ICO) has served its highest-ever civil monetary penalty (CMP) is the starkest warning yet of how severely it will punish businesses who fail to take their data protection responsibilities seriously. The ICOs penalty of 325,000 on Brighton and Sussex University Hospitals NHS Trust for what it describes as a serious breach of the Data Protection Act follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff including some relating to HIV on hard drives sold on an internet auction site in 2010. The Trust plans to appeal the decision but it is a timely reminder that complying with the Data Protection Act is not optional. If youre ever unsure of your responsibilities then consult your solicitor or even seek advice from the ICO. Believe it or not, the ICO arent here just to investigate and punish businesses when things go wrong. They also offer invaluable ways to help businesses improve their processing of personal data with audits aimed at larger businesses that are likely to have a basic understanding of the Act but would benefit from some assistance in meeting their obligations. While for small to medium sized businesses who may be struggling to understand what they need to do about data protection and need some practical advice, they offer advisory visits. Both audits and advisory visits are free and more information is available on the ICO website. In the meantime, remember these six best practice tips for handling personal data: Carry out a risk assessment

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

Treating Risk Raising Security Carry out a risk assessment to identify the areas where the data held by the business may be at risk. Youll need to think about issues such as:
Physical risks, for example, damage to data or systems caused by fire, theft or

vandalism; and The potential impact of human error, such as the careless disposal of data by your staff. Consider not only information which is held on the business premises, but also any that is taken off-site, such as on staff laptops. Dont overlook data which is handled elsewhere by a third party, for example outsourced to a payroll administrator. Draw up a data handling policy Ensure that you have a written policy for staff regarding data handling, so that they are aware of the Data Protection Act 1998 (the Act) and how its requirements affect their daily working practices. Staff awareness and training are key to ensuring compliance with the Act. Your data handling policy should cover issues such as:
which staff members have access to particular kinds of information; whether that information is password-protected, or in the case of physical data

such as files, whether they are kept in a locked cabinet; whether data held on your systems is encrypted or protected by other means such as a firewall or anti-virus software; and the way in which data is securely disposed of. Put in place a business continuity plan You should put in place a business continuity or contingency plan that your staff can follow if disaster strikes and you suffer a serious loss of data. This should be reviewed and updated on a regular basis to ensure that it remains adequate to meet the changing requirements of the business and its operations, and the evolving risks to which it is exposed.

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

The contingency plan should identify the business functions and assets (including personal information) that would need to be maintained in the event of a disaster, and set out the procedures for protecting and restoring them if necessary. Keep up-to-date The BS ISO/IEC 27001 Standard is the defacto international Standard on information security and a useful source of information on good practice for data security, although its not in itself a legal requirement. It offers a business-led approach to best security practice and provides a framework to implement and maintain effective security within a business. The Information Commissioners Office (ICO) has also published guidance on good practice in relation to data security, and a note on encryption which you can find on their website. In relation to encryption, the ICO recommends that any portable and mobile devices including magnetic media, which are used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. Monitor external data processors The Act requires businesses or data controllers to ensure that there are adequate safeguards in place regarding any processing that is carried out on their behalf by external, third party, data processors for example, outsourced functions such as HR administration. As a business you should take care when selecting a third party processor:
choose a data processor which provides sufficient guarantees with regard to its

technical and organisational security measures; take reasonable steps to ensure that the data processor complies with these measures; and ensure that the processing takes place under a written contract which stipulates that the processor will act only on your instructions, and that they will have security measures in place that ensure compliance with the seventh data protection principle and the Act generally. Review your security arrangements
Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

You must notify the ICO if you process personal data of any kind, unless you are exempt from doing so. Failure to notify is a criminal offence. When completing a notification form, you will be asked to give a general description of the measures you are taking to protect the personal information the business deals with. Use this as an opportunity to review the adequacy of the safeguards you have in place and consider whether more needs to be done in order to comply with your obligations under the Act. If you would like further information about data protection and other legal matters, register for free on the Riverview Law website for access to over 650 plain English advice pages and over 450 documents, letters and templates.

UKs leading Independent Holisitc Security Consultancy

Ellie www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
www.adventim.wordpress.com www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

www.adventimforgambling.wordpress.com

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM