NEWS // Looking After Personal Data

The loss of personal data has been a hot topic of late. The public has been bombarded with news reports of data loss, starting with the loss of CDs relating to Child Benefit claimants, followed by the theft of a laptop belonging to the Ministry of Defence and the more recent loss by the NHS of data including details of patients. Millions of people’s personal information has been exposed to the possibility of unknown persons exploiting it for their personal gain.

These events have raised concerns as to what security measures are in place to protect such sensitive information and what sanctions apply when organisations holding such personal information lose it.

What is the Relevant Law?
The relevant legislation governing this area is the Data Protection Act 1998 (the “Act”). The Act is concerned with the way in which personal information is processed and stored. It gives rights to individuals and imposes duties on the holders of such information. The Act is enforced by the Information Commissioner, who will take action against organisations that breach its terms. The Act applies to personal data, and this term is defined widely as ‘information about living, identifiable individuals’. It therefore covers everything from very basic information held about people, such as their name, address, date of birth, email address and phone number, to much more sensitive information such as their sexual orientation or ethnic background.

Is there a duty under the Act to keep personal data secure?
Yes, there is a clear duty under the Act to keep personal data safe and secure. The Act also makes it clear that, to comply with this duty, you must have regard to the technologies available on the market, the costs of implementing such measures, the nature of the personal data to be protected and the harm that might result from unauthorised or unlawful access to and use of such personal data.

Some degree of common sense is to be exercised in this regard. The loss of CDs containing personal data relating to 25 million claimants of Child Benefit, which included extremely sensitive information such as bank details, was a clear breach of the duty under the Act to keep such information secure. Had an adequate data management policy been in place, such embarrassment might easily have been avoided. A data management policy need not even be overly complicated - simple encryption, use of passwords or restricting the number of employees that have access to the information held could help prevent such losses.

What is clear from the Act, however, is that you must keep your IT systems under review in light of technological developments and you cannot assume that a ‘top of the range’ system implemented 5 years ago is still adequate today.
