In this series of articles I will be covering many of the challenges that face IT departments with regard to the management of business information. Although the series is not focused on any specific industry, and therefore not on industry-specific uses of information in the day-to-day running of an organisation, I hope to provide insight into key areas of data management, demystify jargon and offer some simple techniques for understanding what data is being stored and why.
Following on from the announcements that the maximum fine for data privacy breaches is to rise from £5,000 to £500,000, this first article covers the eight guiding principles of the Data Protection Act.
History of the Data Protection Act
The Data Protection Act (1998) is the United Kingdom’s legal implementation of the European Union Data Protection Directive (1995) and defines the obligations and control of personal and sensitive personal data by an organisation and the responsibilities of that organisation’s data controller.
In the Act the following is defined as “sensitive personal data”:
- the racial or ethnic origin of the data subject,
- his political opinions,
- his religious beliefs or other beliefs of a similar nature,
- whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),
- his physical or mental health or condition,
- his sexual life,
- the commission or alleged commission by him of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The control and security of this information is the responsibility of any organisation (the data controller) that
- is established in the United Kingdom and processes the data in the context of that establishment, or
- is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
(Additional obligations have to be complied with in the second case.)
Enforcement of the Data Protection Act rests with the Office of the Information Commissioner, which is responsible for investigating breaches and bringing cases to tribunal.
For the latest information on breach enforcements see: http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
The second main element of the act is to provide individuals with entitlement to understand what personal information an organisation may hold on them, how that information is being processed and the purpose of its retention.
The 8 Guiding Principles and their Impact on Information Management
The fundamentals of the act are based on eight guiding principles:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
  - at least one of the conditions in Schedule 2 is met, and
  - in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
These principles raise a number of challenges for IT departments and for their support of the business. The following are just some examples of where organisations may be in breach.
Breaches of the Act
The most common breach currently reported concerns “end point security”. Misplaced memory sticks and stolen laptops are by far the most prevalent failures in an organisation. Firewalls and similar perimeter controls provide necessary protection from external attack but, with the rising number of incidents originating inside the organisation, data officers should also review technologies that lock down either the devices or the information itself.
One area that is particularly susceptible is an organisation's test, development and training environments. This is for two reasons: the first is that the data is very unlikely to be used for the purpose for which it was provided, in breach of principle 2; the second is that the security and visibility of data in these environments are generally less well monitored.
Deletion of data in accordance with principle 5 is rare amongst the majority of organisations, many of which continue to run legacy systems. Data controllers need to establish with the relevant departments the long-term retention needs of this historic data and set in motion processes to delete the pertinent records. Controllers should take particular care when reviewing unstructured data such as Word documents and spreadsheets, which are susceptible to copying and renaming. Modern classification and search tools may assist those organisations with widespread unstructured data stores. For those companies that are unsure of their current unstructured estate, the next article in this series will show how to interrogate the file system metadata to better understand the types of data being stored.
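As an added illustration (not the author's code, and not the metadata walk promised for the next article), the Python script below shows the kind of check principle 5 calls for over an unstructured store: it walks a share, flags files whose last modification falls outside an assumed retention window, and groups files with identical content so that copied-and-renamed documents are not missed. The sample share and the six-year retention window are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict

# Assumed retention window (hypothetical policy): files not modified within
# this many days are flagged for retention review under principle 5.
RETENTION_DAYS = 365 * 6

def file_digest(path, chunk=65536):
    """SHA-256 of a file's content, so renamed copies hash identically."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def survey(root, retention_days=RETENTION_DAYS, now=None):
    """Return (stale, duplicates): stale is a sorted list of files older than
    the retention window; duplicates maps a content hash to the paths sharing it."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    stale, by_hash = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime < cutoff:
                stale.append(path)
            by_hash[file_digest(path)].append(path)
    duplicates = {h: p for h, p in by_hash.items() if len(p) > 1}
    return sorted(stale), duplicates

def build_sample_share(base=None):
    """Constructed sample share: one current file, one ten-year-old file,
    and a renamed copy of the old file (also backdated)."""
    base = tempfile.mkdtemp() if base is None else base
    os.makedirs(os.path.join(base, "hr", "archive"), exist_ok=True)
    current = os.path.join(base, "hr", "staff_list_2010.csv")
    old = os.path.join(base, "hr", "archive", "staff_list_2001.csv")
    copy = os.path.join(base, "hr", "archive", "Copy of staff_list_2001.csv")
    for path, content in ((current, b"name,dept\nA Smith,Sales\n"),
                          (old, b"name,dept\nJ Bloggs,Ops\n"),
                          (copy, b"name,dept\nJ Bloggs,Ops\n")):
        with open(path, "wb") as f:
            f.write(content)
    ten_years_ago = time.time() - 10 * 365 * 86400
    for path in (old, copy):
        os.utime(path, (ten_years_ago, ten_years_ago))
    return base

if __name__ == "__main__":
    stale, dupes = survey(build_sample_share())
    print("Beyond retention window:", stale)
    for paths in dupes.values():
        print("Identical content (possible renamed copy):", paths)
```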
Best Practice Guidelines
The Data Protection Act doesn't guarantee personal privacy at all costs, but aims to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information. It applies to some paper records as well as computer records.
This short checklist will help you comply with the Data Protection Act. Being able to answer 'yes' to every question does not guarantee compliance, and you may need more advice in particular areas, but it should mean that you are heading in the right direction.
- Do I really need this information about an individual? Do I know what I'm going to use it for?
- Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
- Do I need to notify the Information Commissioner and if so is my notification up to date?
To help determine how well you comply with the data protection principles, the Information Commissioner's Office (ICO) provides an audit guide.
Additionally, the British Standards Institute (BSI) has released standard BS10012:2009 to provide a framework that enables organisations to use information effectively within the confines of the Act by introducing a Personal Information Management System (PIMS).
References
If you have questions regarding an individual organisation's implementation of the Act and its legal standing, we recommend referring to an industry-specific lawyer.