Security of personal data is a key principle of the Data Protection Act and breaches can be dealt with quite severely by the courts or by the Information Commissioner’s Office (ICO).
A lapse can be inadvertent – not securing your site or files well enough to prevent unauthorised access – or simply plain stupid, such as when staff leave information in unencrypted form, either as hard-copy pages or, more usually, on a computer or data stick that is simply left behind on a train or at a restaurant, or stolen from an employee’s house.
Annoyingly, so many of the breaches fall into the latter category; they are ‘stupid’ as they could have been prevented with just a moment’s careful thought.
Think about it – do you leave a stack of gold coins unattended on the restaurant table, or your expensive Rolex watch lying loose on the dashboard of your car? Or do you keep a close eye on them at all times, usually securing them with some form of burglar alarm when you leave the house? It’s only when we can persuade staff – and management – that data is just as valuable that we will get anywhere.
So what are the steps?
Does the data need to be encrypted or, at the very least, password protected? Invariably, it should. Simple password protection should be at the heart of any operation holding any data. It is by no means infallible, but it prevents the casual inspection of data that should be locked away. Encryption is hardly a complicated process, but it ensures that your data is meaningless to all but the most determined individual.
But let’s go back a stage. What is that data doing on a laptop or a memory stick anyway? And out of the office? Is there a proven need for your personnel to carry loose memory sticks around? Can’t the data be kept on high-security servers, accessed with a combination of password and encryption? That way it is always available (and, as there is only one copy, always up to date, with no problems of differing versions) and always secure. Your policies should not allow any sensitive data to be downloaded without a degree of encryption.
Manchester Police are the latest culprit of this sort of stupidity, which became public when they were fined around £120,000 following the theft of a memory stick from a detective’s private residential accommodation. The data was, wait for it, both unencrypted and not password protected. There had been a similar breach a couple of years earlier, but the lessons had not been learnt, so the force was fined the equivalent of at least a couple of police officers’ pay for a year. For more on this story see:
If you want to refresh your memory on what data security is all about, you could do worse than spend a few minutes casting your eye over this item from the Information Commissioner’s Office: