This article looks at what has been the most significant of data protection themes to date, security, by digesting the Information Commissioner's Office's (ICO) guidance on data security, and outlining our top 10 tips to meet their suggestions.
Scope of the ICO guidance
Before we dive in, it is worth pausing to note that the ICO guidance on data security was specifically targeted at SME's; the implication being that larger organisations should already be familar with the following principles, implementing them day to day, and potentially going further.
The ICO has issued separate guidance around cloud computing, which addresses its specific security challenges. Look out for a future post from us on these Cloud-specific issues.
What status does the guidance have?
The guidance is not technically binding on the ICO, but in our view it is fair to say your organisation could expect to find itself in hotter regulatory water if a data security incident occurred and the following practices were not in place.
Conversely, if an incident occurred and your organisation had adopted the following practices, this would not rule out a DPA breach, but would help in mitigation.
Top 10 tips
These tips will be familiar to most people who deal in data security and governance best practice.
What may be surprising is the fact the ICO advise all organisations, however small, to adopt them. Whilst unquestionably good practice, this message belies the expense involved in practical, day-to-day data protection compliance.
The detail of each bullet, as well as its headline theme, is included in the ICO guidance.
- Do a risk assessment of the data you have to establish how much security is appropriate given the harm that might result to individuals about whom you hold personal data.
- Electronic and physical security are of equal importance. It is no good having the best firewall if printed copies of your data are routinely being left outside your offices. Specifically the ICO encourage locking up server rooms and all back-ups, and keeping anti-malware software and firewalls up to date and properly configured.
- Access controls are very important. These should cover individual users, but also be system (and even data)-specific where appropriate. Unique usernames and passwords for all users are a must. Passwords should be strong, regularly changed, subject to re-authentication after repeat failed login and managed closely so that leavers and absentees are cut out of your systems promptly.
- Staff knowledge and training provides a very valuable line of defence. All staff should understand what is an acceptable standard of behaviour regarding your systems and applications, what are their specific roles and responsibilities and have a basic understanding of their obligations under the DPA including what to do if there is data breach. Technical members of staff also need to ensure their knowledge of threats remains up to date, so appropriate steps can be taken in mitigation.
- Data in transit should be guarded closely. File encryption should be adopted, and any related passwords should be sophisticated. Mobile devices need to have remote wipe functionality. Most importantly, data on mobile devices should be kept to the minimum needed and removed once no longer required so ensure risks are not compounded over time.
- Maintenance and monitoring needs to be undertaken regularly and be effective, in particular to make sure anti-malware measures cover all devices and applications, applications themselves are kept up to date with the latest security patches, security scans and tests (e.g. penetration tests) are performed reasonably regularly and any resulting messages or identified vulnerabilities are reviewed and actioned.
- Good processes and controls are vital. This point should be self-evident already from those set out above, but the issue goes further. You should know what personal data you hold and how it is used (this is key to point 1 above, but hard to achieve in practice), not to mention the controls you have and have documented them to demonstrate compliance. In particular, you should have a written security policy which meshes with your existing processes. These policies and controls should be kept under continual review. You should consider using external experts if you feel you do not have the necessary expertise in house to address such issues.
- You should be keeping the level of personal data you hold to the minimum necessary. This point technically falls under different provisions of the DPA from security, but security and data minimisation are mutually supportive concepts. You should only collect data you geniunely need for your purposes at the outset. Thereafter, data should be archived separately once not needed for live use and deleted (securely of course) in line with an establised data retention and disposal policy.
- Treat suppliers with care. If you are acting as a "data controller" (i.e the person who controls the purposes for and manner in which data is used), you are likely to responsible for your supplier's acts as a "data processor" under the Data Protection Act 1998, so need to make sure your procurement process takes into account data protection issues, and in particular security issues from the very start so you can demonstrate compliance. A security audit should be performed up front on a risk-assessed basis, and before you actually start work with a supplier, an appropriate written contract must be in place (this is an absolute requirement of the DPA, and certain provisions must also be included). If a supplier is performing particularly sensitive services e.g. data destruction, these points obviously take on added importance.
- Back it up! Technically, data security is as much about data loss through corruption as it is about data ending up in the wrong hands, so make sure you keep regular, secure back-ups and (to continue the a theme already touched upon above) securely delete the back-ups once they are no longer required.
Point to take away.
If you think your organisation has gaps in its security approach, in particualar around any of the issues discussed above, you should prioritise action to remedy the position. Whilst compliance with the overall DPA is important, until recently data security was the only area in which regulatory fines had been levied.
We would expect this trend to continue.