Security of personal data - the seventh data protection principle

Security of personal data is the seventh data protection principle and obliges data controllers to take ‘appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.’ 

It is a common misconception that when an organisation delegates responsibility for data processing to an external company, or allows employees access to personal data as part of their jobs, this absolves it of responsibility under the Data Protection Act (DPA).  The data controller (which can be an entire business, a department within an organisation, an individual team or any of these acting in common with another) retains ultimate responsibility under the DPA as it ‘determines the purposes for which and the manner in which any personal data is processed’.

A data processor will only process personal data on behalf of, and following the instruction of, a data controller.  Although there should be contractual arrangements in place that safeguard personal data during this data sharing, such contractual arrangements will only serve to provide recourse in the event of a breach.  It is crucial to ensure that adequate security measures are taken within the data processor’s organisation in order to avoid a breach of the DPA in the first place.

VFS Global

VFS Global, a visa contractor that is used by governments worldwide, is a glaring example of how simple it can be to overlook security of personal data.

The online application forms used by VFS Global organised applicants’ details using sequential reference numbers.  This meant that if an error was made by one user in inputting their own reference number, they were able to access another applicant’s form.  Details that could be accessed on the forms included dates of birth, passport details and addresses.  Although the use of sequential reference numbers was a seemingly simple and effective way of organising the visa application forms, it did not adequately protect against access to other records by other users. 

A new version of the online application form has since been released and VFS Global maintains that ‘data/information security is an extremely critical element of our service solution’.  Although the system has now been rectified, it is doubtful that this provides much comfort to those whose personal details were accessible to other users.
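The VFS Global case is a textbook access-control failure: the reference number was the only thing the server checked, so any valid number returned the matching form. The following is an added illustration, not VFS Global's code, showing that vulnerable lookup beside a hardened one that ties each record to the authenticated applicant, plus a small check that an auditor could run over access logs to spot cross-user reads. The record store, user names and log lines are constructed sample data.

```python
"""Added example (not from the original article or from VFS Global):
a sequential-reference lookup with no ownership check, its hardened
counterpart, and a log check that flags cross-user access."""
import secrets

# Constructed sample store: sequential reference -> application record.
APPLICATIONS = {
    1001: {"owner": "alice", "passport": "P1111111", "dob": "1980-01-01"},
    1002: {"owner": "bob", "passport": "P2222222", "dob": "1990-02-02"},
}


class AccessDenied(Exception):
    """Raised when a record does not belong to the requesting user."""


def fetch_form_vulnerable(reference: int) -> dict:
    """Vulnerable pattern described in the article: whoever supplies a
    valid reference gets the record, regardless of who owns it. Because
    references are sequential, a typo by one applicant lands on another
    applicant's form."""
    return APPLICATIONS[reference]


def fetch_form_hardened(current_user: str, reference: int) -> dict:
    """Hardened lookup: the server verifies that the record belongs to the
    authenticated user. The reference alone never grants access."""
    record = APPLICATIONS.get(reference)
    if record is None or record["owner"] != current_user:
        # Same failure for "missing" and "not yours", so responses do not
        # reveal which references exist.
        raise AccessDenied("no such application for this user")
    return record


def new_reference() -> str:
    """Unguessable public reference (128 bits of randomness) to replace a
    sequential counter. This is defence in depth: it limits exposure if an
    ownership check is ever missed, but does not replace that check."""
    return secrets.token_urlsafe(16)


# Constructed access-log lines in a hypothetical "key=value" format.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z user=alice ref=1001 status=200",
    "2024-01-01T10:00:05Z user=alice ref=1002 status=200",
    "2024-01-01T10:01:00Z user=bob ref=1002 status=200",
]


def find_cross_user_access(lines):
    """Audit helper: return (user, reference) pairs where a user read a
    record owned by someone else. A non-empty result from a system that
    should enforce ownership indicates the check is missing or bypassed."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        ref = int(fields["ref"])
        owner = APPLICATIONS.get(ref, {}).get("owner")
        if owner is not None and owner != fields["user"]:
            hits.append((fields["user"], ref))
    return hits


if __name__ == "__main__":
    print("vulnerable:", fetch_form_vulnerable(1002))
    print("hardened:", fetch_form_hardened("bob", 1002))
    print("cross-user reads:", find_cross_user_access(SAMPLE_LOG))
```

The ownership check in `fetch_form_hardened` is the fix; the random reference is a secondary safeguard. Reviewing access logs for cross-user reads, as `find_cross_user_access` does, is the kind of evidence a data protection audit should collect.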

Morrisons

In a similar vein, it is a common misconception that the consequences of a data breach stop at any action that can be undertaken by the Information Commissioner’s Office.  Individuals who gain unauthorised access to data with the intent of committing an offence can be criminally liable.  A Liverpool man has recently been found guilty of unlawfully disclosing personal data of 100,000 Morrisons’ staff.  The individual was harbouring a grudge following commencement of disciplinary action in 2013 related to an allegation that he was purportedly using the Morrisons’ HQ mail room to post eBay packages.

Morrisons’ employee details were sent to several high profile newspapers and also uploaded to data sharing websites.  The details included salaries, national insurance numbers, dates of birth and bank account details.

The individual found guilty of leaking the personal data has been sentenced to eight years in prison.  The data breach also cost Morrisons approximately £2 million to rectify, so it is clear that any breach of data protection law by errant employees can have far-reaching consequences not only for the individual but also for their employer.

Advice

Organisations would be well advised to undertake a data protection audit to assess the adequacy of their data security.  Businesses should also have a robust data protection policy in place and provide training on this policy to all those that have access to personal data in their roles.  Organisations must then remain vigilant and aware of the risks of outsourcing or having systems and processes in place that do not adequately protect the personal data that they process. Consider an audit of your current arrangements to ensure that they are up to date and fit for purpose.