As holders of client sensitive information, all businesses have a legal obligation to adhere to the Data Protection Act (DPA). For a company to be compliant with the DPA, they must ensure that appropriate measures are taken to guard against unauthorised or unlawful access to or use of personal data. As such, the implementation of strong and well enforced data security guidelines is vital.
Data security guidelines should broadly divide into two categories: technical and organisational. Technical protection of data involves the installation of security programmes such as firewalls and antivirus software, which block unauthorised access to the computer network and help to prevent the installation of malware such as Trojan horses that can give malicious users access to and control of infected computer systems.
Organisational measures to properly guard against unauthorised or unlawful use of personal data typically take the form of an acceptable use policy. Such a policy should control the way in which staff access and use sensitive data. This might include limiting employee access to only that data that is that necessary to do their jobs, imposing guidelines on the proper use of passwords to access personal data, and preventing the sharing or distribution of data which may result in a breach of the DPA.
Most importantly, an acceptable use policy should address the transport and management of data offsite, as this is where it is most prone to being lost or stolen. With the explosion in the popularity of laptops, writable discs and USB storage devices, it is all too easy for sensitive information to be lost in an office or left in the back of a taxi. An acceptable use policy should prohibit the transport of sensitive data offsite unless absolutely necessary and in such cases require the written permission of an assigned supervisor of data security. The policy should also require all such data to be fully password protected and encrypted, and staff should be made aware of their responsibility to protect all devices containing sensitive data from loss.
The costs of breaching the DPA by not properly securing client data can be significant. In addition to the potentially serious damage to a company’s reputation, the Information Commissioner’s Office can impose a fine of up to 5,000 GBP, and such a loss may also incur the wrath of other regulatory bodies. In 2007, Nationwide Building Society was fined nearly 1 million GBP by the Financial Services Authority following the theft of a laptop that contained confidential customer data from an employee’s home. Further, if injured parties choose to take their case to civil court, there is no limit to the potential damages that could be awarded.
With reports of data security breaches – such as the HMRC’s loss of the personal details of 25 million Britons – keeping the issue of data protection firmly at the front of the public mind, now more than ever businesses must ensure that data is stored safely and securely, or face potentially crippling financial and reputational losses.