Data Protection made easy

In the News

New! Fines for data handling blunders.  From the 6th April 2010 the Information Commissioner will be able to impose monetary penalties (i.e. fines) of up to £500K (half a million pounds) on data controllers (that means any organisation or individual responsible for looking after personal information).  This will be for deliberate or negligent breaches of data protection that cause substantial damage or distress to the individuals whose information is lost or otherwise endangered.  All sectors – public, private and voluntary – are affected.  The only area not affected is where people are handling personal information for purely private domestic purposes, e.g. a database of your family and friends kept at home.
 

Here are some examples where a penalty might be imposed:

- if financial details like credit card numbers are lost leading to identity fraud and financial loss

- if medical records go astray causing distress to the individuals who worry that other people might see their private medical details even if no one does actually see them (see the recent news stories below)
 

When deciding whether to impose a penalty the Information Commissioner will check to see if the data controller has done the following things:

  • Carried out a risk assessment
  • Set up clear lines of responsibility for looking after personal information
  • Trained staff and rolled out appropriate policies and procedures
  • Followed relevant codes of practice on data protection and security including advice published by the Information Commissioner
  • Implemented appropriate protection such as encrypting laptops and all other portable media; blocking the use of USB ports and strictly controlling data downloads and transfers
  • Regularly monitored and audited data handling processes including those of any service providers used
  • Addressed risks as quickly as possible after they have been identified

 

And if the worst comes to the worst and there is a breach, it might help avoid a fine if the data controller has:

  • Voluntarily reported it to the Information Commissioner and cooperated with his office
  • Acted swiftly to minimise the impact
  • Offered compensation to individuals affected
  • Fixed the root causes

But if the data controller has ignored advice and the breach is a repeat of one that happened before, it is unlikely to look good! 

So it is definitely a good idea to get data protection in order now – one, to avoid a blunder happening, and two, to mitigate the potentially serious financial impact if something does go wrong despite all your efforts.
 

Data losses already reported in 2010:

Southampton University Hospitals NHS Trust – an unencrypted laptop holding 33,000 patient records was stolen from a retinal screening van. The laptop was attached by a cable but this was cut by the thief.  Organisations should avoid transporting large amounts of personal data unless absolutely necessary, and laptops should have full disk encryption.

Lancashire County Council left social work records containing an extensive amount of personal information in a filing cabinet that was bought second-hand by a member of the public.  Great care needs to be taken when disposing of equipment to make sure that information, whether held electronically or in paper format, is not left behind.

 

HMRC loses personal data of 25 million people in post.  Details included names, dates of birth, National Insurance numbers and in some cases bank details.   This happened after a request from the National Audit Office to HM Revenue and Customs for data on child benefit recipients.  Apparently a relatively junior member of staff downloaded the data onto two CDs and sent them by the internal mail operated by a courier firm.  The discs were lost and there are fears that the information could get into the wrong hands leading to ID theft on an unprecedented scale.
The first question is how could a junior member of staff (or anyone, however senior) download the data with such ease?  It’s not enough simply to have procedures to protect data – human beings are fallible and mistakes happen – data storage systems need to be designed to prevent downloads like this unless a whole series of checks and authorisations have been made on the system first.
The NAO claim they didn’t even request or need all this data anyway.  As far as data protection goes, less is always more and only information that is absolutely necessary should ever be collected or used.  It also helps to store different items of information separately and only join them up when this is essential. It is possible for data to be validated without the information itself being revealed to the person making a check.
Another question is why no one seems to have queried the download.  This is maybe because personal data is still not (or was not until this incident!) widely perceived to be valuable.  Many people don’t destroy their financial information (statements, credit card receipts etc.) securely.  And how often have you heard someone give away personal details in a mobile phone call on the train?  Personal data should be protected like cash – or even more carefully – as the consequences of it getting into the wrong hands can be more devastating than losing cash.
Data protection training is also essential.  This should include everyone – from the most senior people in the organisation to temporary staff and consultants – everyone who will be handling or making decisions about personal information.  A recent survey by security firm Websense showed that organisations frequently give temporary staff wide access to personal and confidential data.  This makes it very easy for someone with malicious intent to steal data.  So access to data also needs to be carefully controlled and fully audited.
Data protection training emphasises that it’s everyone’s responsibility to look after data – not just the data protection officer’s job!  Good training will give everyone an internal alarm that rings when something is not right.
Prevention is always better than cure – the public reaction to this incident has been pretty angry.  If an organisation can’t look after personal information, people will start asking if it can do anything properly.  And now the Information Commissioner has advised that all personal data in transit – on laptops, discs etc. – should be encrypted, as password protection isn’t adequate.  If an organisation loses data in transit and it wasn’t encrypted, in future he will use his enforcement powers against that organisation.  And the Information Commissioner’s powers are set to be increased with the ability to make spot checks on organisations.
But as always, it is better to be safe than sorry. 
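The "whole series of checks and authorisations" argued for above, as an added illustration written for this page (not code from HMRC, the NAO or any system mentioned here): a gate for bulk exports that refuses a request unless the requester's role, the requested fields (against a purpose allowlist, so less really is more), an independent second approver and an encrypted destination all check out, and that audits every decision either way; the last two functions show the point that a value can be validated without being revealed, by comparing keyed digests. Every record, role, purpose and threshold is constructed.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample store; keeping items as separate fields lets an export
# take only what it needs instead of "everything about everyone".
RECORDS = [
    {"id": 1, "name": "A. Example", "dob": "1980-01-01", "nino": "QQ123456C", "bank": "00000001"},
    {"id": 2, "name": "B. Example", "dob": "1975-06-30", "nino": "QQ654321A", "bank": "00000002"},
]
# Hypothetical purposes and the fields each may legitimately receive.
PURPOSE_FIELDS = {"audit_sample": {"id", "dob"}}
BULK_THRESHOLD = 1            # constructed: more rows than this needs a second pair of eyes
PERMITTED_ROLES = {"data_owner"}
AUDIT_LOG = []                # every decision, granted or refused, is recorded here

def request_export(requester, role, purpose, fields, approver, encrypted_destination):
    """Return (rows, reasons); rows stays empty unless every check passes."""
    reasons = []
    allowed = PURPOSE_FIELDS.get(purpose, set())
    if role not in PERMITTED_ROLES:
        reasons.append("role not permitted to export")
    if not allowed:
        reasons.append("unknown purpose")
    elif set(fields) - allowed:
        reasons.append(f"fields exceed what the purpose needs: {sorted(set(fields) - allowed)}")
    if len(RECORDS) > BULK_THRESHOLD and (approver is None or approver == requester):
        reasons.append("bulk export needs an independent second approver")
    if not encrypted_destination:
        reasons.append("destination must be encrypted; password protection is not enough")
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(), "by": requester,
                      "approver": approver, "purpose": purpose, "fields": sorted(fields),
                      "rows": 0 if reasons else len(RECORDS), "refused": reasons})
    if reasons:
        return [], reasons
    return [{f: r[f] for f in fields} for r in RECORDS], []

# Validating without revealing: the checker holds only a keyed digest of the
# value, so a match can be confirmed without the value itself being disclosed.
def check_digest(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def matches_without_reveal(claimed, stored_digest, key):
    return hmac.compare_digest(check_digest(claimed, key), stored_digest)
```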

 

Bank of Scotland loses customer data in post.  Details of 62 thousand mortgage customers were put on a disc in the ordinary post but it never turned up at the other end.  The details included names, addresses and dates of birth.  This kind of information can be very useful to identity thieves.  A date of birth is often used as a security check.
The bank said that normally the disc would have been encrypted and sent by secure post or courier and that human error was to blame.  Bank of Scotland is part of the HBOS group, which has been in the news already this year for various problems with handling customer data – such as putting unshredded documents in rubbish bins.
Effective data protection training should give all staff the awareness to avoid this kind of mishap.  Something else to watch out for is sending large amounts of personal data in unprotected files via email.  Security experts warn that putting information in an email without protection is like writing it on the back of a postcard.  So it is always advisable to do a risk assessment for the type and amount of data being sent and make sure it is adequately protected – perhaps by finding an alternative delivery method.

 

School report found in street (Howard School for Boys, Rainham, Essex) – and it wasn't mincing its words about certain pupils: 'dingbat', 'wally', 'away with the fairies' were just some of the comments.

And the person who found it didn't just hand it back – they went to the press.  Cue interviews with angry parents (one of whom had been described as 'quite rough' in the confidential report).

As far as data protection goes, the 'special purposes' exemption allows disclosures for journalistic purposes if the matter is in the public interest (not necessarily the same as 'interesting to the public') although it was probably both in this case.

For the school - there are two data protection lessons. 

First – it's an easy thing to print 'Confidential' or 'Do not leave lying around' on the cover of a document; it takes a bit more to have procedures that follow through on that.

Second – under the 'subject access' provision of the Data Protection Act, pupils have a right to make requests to see information about them held by their school (and parents have a right to see their educational record).  It's unlikely that any exemption would apply, so they could have ended up reading their entry.

(For further information, see the Technical Guidance Note produced by the office of the Information Commissioner: 'Access to pupils' information held by schools in England' at www.ico.gov.uk under Document library.)

No doubt we all know at least one dingbat or wally but would we really want them to know how we feel?  Particularly at work where they might claim discrimination as a result of making an access request and seeing their boss's opinion of them!  So any notes about staff should always be objective with opinions separated from facts. 

 


 

A third of people* admit they throw away documents containing important personal information without shredding them first. This includes bank statements and receipts.

*Survey by the Information Commissioner's Office, January 2007

The BBC 3 TV programme The Real Hustle has shown how burglars can raid your dustbin and use a utility bill or similar document plus a faked photo ID to persuade a locksmith that they are the home's owner, get your front door opened and then rifle your belongings.

Copyright 2010, Simply DP Ltd