Continuing this series of blogs on data protection compliance, we’ve been exploring the eight Data Protection Principles (DPPs) established under the Data Protection Act 1998 (DPA). This week’s blog is solely devoted to the seventh DPP on security because it’s the most breached out of all eight! The seventh DPP requires that appropriate ‘technical’ and ‘organisational measures’ are taken against unauthorised or unlawful use of Personal Information and against accidental loss, destruction or damage.

What’s ‘appropriate’?

The DPA takes account of technological advances as well as the cost of implementation when assessing what is appropriate. For example, if the current software version is v20 and you’re still on v10, you leave yourself and your systems vulnerable! Upgrades seek to address those vulnerabilities, so you need to ensure that you or your IT provider are running the software’s latest version. However, the DPA does not require you to spend a king’s ransom on the next new thing if your current set-up provides adequately for all your needs. Also take into account the nature of the data and the level of harm or detriment that could result from any loss or damage: the more sensitive the data, the more robust the system needs to be.

What do ‘organisational measures’ entail?

This is about physical security as well as good staff training. Do a walk-through with security-aware eyes: from the approach to the premises to the last man out, map the key security issues. For example, if it’s a keypad entry, when was the last time the PIN was changed? What can be seen/heard from the entry? What about staff training: what, when, how, and how often is it refreshed? What about policies and procedures: are they adequate and up to date so that staff understand what they can and must not do? Is there a clear desk policy? Are filing cabinets locked and what happens to the keys at the end of the day?

What do ‘technological measures’ entail?

Well, it’s the usual suspects: ID authentication, firewalls, spy guards, virus checkers and software upgrades, to name but a few! It’s about ensuring complex passwords that must be renewed regularly and are not shared between staff, because the computer doesn’t record who’s sitting in front of it, only who’s logged on! It’s about making sure your IT is fit for purpose and staff have adequate training before being let loose on your systems! It’s about access to data on a need-to-know basis only, and it’s about good resilience planning so that if something goes wrong, backups are in place to provide business continuity. It’s also about how you dispose of your hardware when you renew.

If your IT (or any other activity) is outsourced, the seventh DPP also requires this to be under written contract, obliging the contractor to have a level of compliance equivalent to the duties placed on you as a data controller under the DPA.

Next time – where is ‘the cloud’?

Maureen H Falconer is Regional Manager – Scotland for the Information Commissioner’s Office.