Enshrined in its seventh principle, the data security provisions of the Data Protection Act 1998 (DPA) are by far its most newsworthy. Until recently, they have been the exclusive source of regulatory fines for breach of the DPA. Furthermore, most organisations appreciate that data security is important, so tend to sit up and take notice. We continue our series of posts on the DPA by looking at this most fundamental of areas.
Before we dive in, we should state at the outset that this article just addresses the core security obligations under the DPA.
It does not address the appointment of suppliers directly, or the supplemental regulatory guidance which has been published relatively recently on data security. Have a look for later posts on these topics.
What does the DPA actually say?
The DPA's seventh principle reads as follows:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
This basic principle is then supplemented by the following clarificatory language set out in the DPA:
"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected."
So what are the implications for organisations?
Firstly, it is important to recognise (at the risk of stating the obvious) that the law does not set absolute minimum security measures. This position can be frustrating for organisations as it makes compliance a matter of careful thought and judgement rather than a box-ticking exercise.
Secondly, and more positively, it is also important to recognise that the DPA does not require an organisation to prevent any data security issue from ever occurring. In adopting this approach, the DPA recognises that absolute security is arguably unachievable, and would certainly be disproportionate in most cases. It does require a sensible, proportionate, and savvy approach though.
Thirdly, the DPA focuses on data security risk mitigation; actual harm does not have to occur for its provisions to be breached. The mere potential for harm is all that is required. This position in turn means that the DPA mandates conscious, positive action. Absent a risk assessment, and at least minimal security being in place, an organisation cannot say it has taken any "technical and organisational measures" worthy of the name.
So what should we actually be doing?
Specifically, an organisation:
- Must consider the specific nature of the data being used and the harm that might result in each case before deciding what to do. In practice this obviously means doing a risk assessment. This assessment should then be used in choosing the security measures for that data.
- Must guard against "unauthorised or unlawful processing". This requirement covers the classic situation where someone, whether an employee or an external third party, abuses data. Note that the use does not have to be unlawful per se (e.g. used for fraud); organisations should also be covering against use of the data which is simply beyond that which was originally intended and which is not otherwise exempted under the DPA.
- Must also guard against "accidental loss, destruction or damage" to data. This requirement is largely self-explanatory, but is worth noting as it gives legal weight to the need for appropriate data integrity, cleansing, resilience, continuity and recovery practices, amongst other things.
- Has to cover every route by which any of the above outcomes might occur. The DPA does not distinguish between the means of access to or damage to data. The breadth of this position is a real challenge, as it means organisations should think of and then cover against all eventualities, from technologically advanced means such as hacking, down to the data being simply plucked in paper form out of a skip.
- Must deploy "technical" measures. These can range from technical security measures such as firewalls, encryption, anti-virus software, intrusion detection and action logging, through to more basic electronic access, copying and printing restrictions.
- Must also deploy "organisational" measures such as process and data maps, controls and policies e.g. around risk assessment criteria, risk reporting, risk escalation, audit checks, supplier engagement and secure data destruction.
- Can take into account the cost of potential measures. If the cost of a particular measure would be disproportionate to the risk profile for the relevant data, an organisation is not required to use that measure.
- Must consider the current level of technology. Cutting edge technologies are not necessarily required (especially if they are disproportionately expensive), but readily available and cost-effective technologies should be considered and deployed.
- Must review and revise the measures being adopted periodically. Organisations need to reflect the "state of technological development" on an ongoing basis, and this state is not constant. It is also possible for the risk profile of data to evolve over time, downwards as well as upwards.
- Has to do far more than just pay lip service to data security. This statement may seem obvious given the above comments, but we regularly see information security policies which are not being followed on the ground. In regulatory terms, having a policy is a start, but if it is not followed it is tantamount to lip service. Hence (as alluded to above) a rolling programme of audits to check policies are being followed, training to ensure awareness remains high, and real action to rectify issues are all required.