If you store any kind of personal data then you will know that you have an obligation under the Data Protection Act to keep that data safe. The most obvious line of attack is a technical one, hackers gaining access, so it’s vital to have strong IT security. However, it’s important not to forget about your physical security and the good old-fashioned risk of someone breaking in and stealing computers or even hard copies of documents.
The Data Protection Act requires that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
According to ICO (Information Commissioner’s Office) guidelines, this means that you have a responsibility to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff.
Basically, this means that if you don’t take proper precautions to prevent your data being stolen, whether physically or virtually, you could be in violation of the Data Protection Act, and a potential consequence could even be a prison sentence.
Organisations such as law firms, accountants, financial advisers etc. are obviously affected, but so are medical centres, dentists and other health practitioners, whose data includes valuable information like National Insurance numbers, postcodes and birthdates that can be used for identity theft (often far more lucrative than stealing money or more traditional ‘valuables’). Indeed, most companies that trade keep a certain amount of personal data, including names, addresses and credit/debit card details. The Act states that not only should this kind of data be encrypted, you should also take appropriate measures to ensure that you’re protected against break-ins in the first place.
Where you have staff members who take data home, such as on laptops or even smartphones, there should be adequate security in their homes as well. Here’s a case of a solicitor breaching the Act after having a laptop stolen from her home while away on holiday. This case mainly concerns the lack of encryption, but it did take into account her home security as well. Because this incident took place before the Information Commissioner was granted powers to impose financial penalties, she escaped without a fine; however, the watchdog warned that it should “act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too”.
The impact on your customers whose data has been compromised should not be underestimated either, both in terms of the consequences to them and their perception of you as the data controller.
Technical and physical security should therefore go hand in hand for any organisation that stores data. To overlook either is not only irresponsible; it could be illegal.
We offer our business customers a free security audit to assess what security is required for the assets protected. To arrange yours call 0800 612 9799 (from a landline), 0345 833 5543 (from a mobile) or complete our enquiry form.