Housing Matters June 2008
Data Security – Avoiding the Pitfalls
High profile cases such as last year’s loss of 25 million child benefit records have made data security a very hot topic. In an effort to reduce the incidence of data loss, the Information Commissioner is seeking an increase in the statutory penalties available for breach of the Data Protection Act (DPA), and authorities are increasingly looking to impose personal liability upon directors and senior managers of organisations that breach data protection legislation. Both the DPA and the Regulation of Investigatory Powers Act 2000 (RIPA) impose criminal sanctions for breaches committed with the “consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer… or any person who was purporting to act in any such capacity”.
This presents organisations with a real dilemma: there are severe penalties for lapses in data security, yet corporate governance and business efficacy demand that organisations hold and use data. According to an IT Governance Institute survey, 91% of executives recognise that IT is vital to the success of their business. At the same time, three quarters are aware that they need to apply greater IT governance to establish better visibility and reduce the risk of project failure. How then can an organisation minimise its liability?
As part of your employment contracts your organisation should have enforceable computer use policies which deal with areas such as:
- Internet use and abuse
- The requisite level of authority and necessary precautions before entering into contractual relations over the internet
- The proper use of e-mail, including warnings about the distribution of sexual or racially discriminatory material by e-mail
- Viruses
- Access to external sites which may give rise to security risks; and
- The proper use of passwords.
As each organisation is different, the actual e-mail and internet policy adopted in each case should be tailored to meet the precise needs of your business. Furthermore, the policy in use has to be realistic. In an employment case, it would hardly be acceptable to argue that a breach of a policy which forbade all internet and e-mail usage that was not strictly work related constituted misconduct if in fact that policy were ignored elsewhere in the office.
Once the framework of a policy is in place, day-to-day practice must reflect that policy and take a sensible approach to the risks of data misuse. An area that is often neglected is demonstrating that information held in electronic form is subject to the same control over the dissemination of confidential and proprietary material as the equivalent information held in hard copy.
Your organisation needs to carry out a thorough risk assessment of the types of confidential information it holds, the form in which it is held and the purposes for which it is held. The assessment should lead to the following safeguards:
- If information is confidential, make sure it is treated as such within your organisation. Courts will not grant injunctions to restrain misuse of information which has not been treated as confidential within the organisation itself. Label information as confidential both electronically and physically.
- Restrict access to confidential information to the employees and third parties who have a genuine need to use it.
- Ensure that there are clear and enforceable policies in place about employee use of IT systems on which confidential information may be stored, including restrictions on remote access, use of removable storage devices, sharing of passwords and so forth, and that a demonstrably higher level of security is applied to access to the parts of the system holding particularly sensitive or important data.
- Where data or files are handled by third parties, such as internet service providers, call centres or outsourced service providers, ensure that the contracts under which the services are provided contain equally robust provisions requiring confidential information to be safeguarded, together with audit provisions allowing the data owner or the relevant regulatory authorities to verify compliance.
- Make sure, if confidential data is held electronically, that the system has been thoroughly protected at a technical level, including by the use of encryption, firewalls, forced password changes, penetration testing, ethical hacking, etc., and that a disaster recovery/business continuity plan is in place, tested and kept up to date.
- Carry out appropriate background checks (within the constraints set by the Data Protection Act and applicable employment and criminal records legislation) on employees and other personnel having access to the system, particularly those who may have higher-level access (such as those with systems administration privileges).
For further information contact: Susan Hall 0845 165 5409 susan.hall@cobbetts.com