In pure financial terms, falling into line with the security requirements of the Data Protection Act 1998 (DPA) is by far and away the most important element of privacy compliance. Yet organisations continually fail to put appropriate measures in place, as a series of recent headlines demonstrates.
Do the basics, and do them well
The most blatant and widely reported incident concerns Stoke on Trent City Council (SoTCC). They were fined £120,000 by the Information Commissioner’s Office (ICO) on 23 October.
The fine resulted from a solicitor sending an email to an incorrect address on no less than 11 separate occasions. The emails contained highly sensitive information relating to a child protection legal case and affected not only the child in question but two other children and two adults as well.
The case reinforces some very basic security messages.
- Policies and guidance are only part of the picture. Whilst the law recognises that absolute security is not possible, the ICO’s focus is on what happens on the ground. So if you have policies and guidance, but they are long, impenetrable, out of date, buried away in some corner of your intranet, and hardly ever (or never) accessed by, or otherwise communicated to, your staff, they will not help you if the ICO comes knocking on your door. Chances are they will not help you much if you want to discipline your staff either. In the case of SoTCC, the relevant lawyer had not complied with internal security guidance, but the council admitted that its policy on information protection “was not widely known to staff”.
- Training, training, training. The ICO continually talks about the importance of training. It is explicitly mentioned as a factor in many of the fines it levies. Yet organisations continually fail to have it in place. Training not only serves to keep your policies and guidance at the forefront of people’s minds; it helps people put them into practice in their day-to-day work. It is also vital in building a true “call to action”. If people don’t understand at a basic level why policies and guidance exist, they tend not to implement them, even if they know of them and know what to do. This educational process does not have to be vastly complex or expensive. In the case of SoTCC, the council admitted that no relevant training had been provided, and has since rolled out e-learning.
- You need to give people the tools to comply. This may seem obvious, but in larger organisations it is frequently easier to write policies and guidance than to actually roll out the practical means of compliance. In the case of SoTCC, the legal team was meant to use a secure network when distributing personal data, or to encrypt the data itself. SoTCC knew email was being used, yet never provided any encryption software to the legal team, so they could not have complied with the internal policies even if they had known about them.
- Encryption should be the basic building block of your information security policy around personal data. It should be deployed on all removable media, mobile devices, and means of data exchange. If you haven’t deployed it and you have a security breach, chances are you will be fined by the ICO. SoTCC had previously been investigated by the ICO following the loss of an unencrypted USB stick, and had signed an undertaking to roll out encryption to all mobile devices. The ICO took this into account.
- If you send an email to an incorrect address, do something about it. At the very least, approach the actual recipient, make sure they realise they have received something in error, assess whether or not they are trustworthy, and get some assurance, in writing if possible, that the recipient has deleted the email. Doing nothing just risks making a bad position worse. SoTCC tried to make contact, but received no response from the recipient.
These messages are easy to talk about, but far harder to implement in practice. We have seen a great many clients in a similar position to SoTCC.
Perhaps the key point is the fact that SoTCC found itself in hot water because of human error.
In this sense, its experience is very similar to many (if not most) of the cases in which the ICO has levied fines.
In a climate of increasing cyber security risks, a lot of attention is justifiably placed on perimeter security measures against hacking and similar threats, and increasingly on ensuring that layered counter-measures (defence in depth) are in place. We would not advocate any relaxation of this approach.
It is just worth remembering that the DPA enforcement record to date points to an organisation’s own staff as the most likely source of a quasi-negligent data security breach.
Think end to end from customer to the last of your suppliers
In an article posted on 22 October, the BBC highlighted further research work undertaken by German academics on the security of mobile applications.
The research work focussed on Google’s Android platform, and found that significant numbers of applications left highly sensitive personal data unprotected, including bank account details and social media logins, and exposed it to “man in the middle” attacks.
It should come as no surprise that such security gaps are heavily frowned upon by data protection regulators. As stated above, the law recognises that absolute security is not possible, but it does require the security techniques that are deployed to keep pace with prevailing industry norms. The prevailing view is that modern technology readily allows sophisticated encryption to be used end to end in data transfer arrangements.
Furthermore, to cite the BBC’s report, the researchers found that “standard” encryption techniques had not been used.
On this basis, if a data breach resulted, the organisations responsible for the apps could expect to be investigated under EU data protection laws if they have a place of business or servers based in the EU.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.