The UK’s Information Commissioner’s Office (ICO) is known to prefer an “engaging” rather than an enforcement-led approach with organisations. However, a glance at the “action we’ve taken” page on the ICO website shows that its enforcement activity is growing steadily. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of the security requirements have to date attracted the majority of its enforcement attention. Organisations operating in the UK would therefore be well served by understanding, and adhering to, the ICO’s expectations for data security compliance.
Areas of enforcement: security takes priority
Historically, the ICO has issued significant fines for data security breaches. For example, in the past few months the highest fine issued for a data security breach amounted to £180,000 (approx. US$ 279,279); the ICO has the power to issue a monetary penalty of up to £500,000 (approx. US$ 775,565). The data security rules are set out in the Data Protection Act 1998 (DPA), in the seventh data protection principle, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. To accommodate the pace of technological development, the DPA does not specify which security measures an organisation must put in place to keep data secure. Instead it requires that, having regard to the state of technological development and the cost of implementing any measures, data controllers put in place security measures appropriate to: (a) the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected. While this approach has produced a standard flexible enough to survive the rapid technological developments of the last 20 years, it is not always helpful for organisations trying to work out which security measures they actually need to implement in order to avoid falling foul of the security rules.
ICO guidance on security
To assist organisations’ compliance with the DPA, the ICO has issued guidance on a variety of security topics, as security breaches can take many different forms such as equipment failure, acts of God (e.g. floods) and sophisticated IT system attacks. In particular, the ICO’s website offers helpful guidance on issues including disposal of an IT asset, implementing a Bring Your Own Device policy, the security hazards of cloud computing, when and where to use encryption, what to do in the case of a security breach and when to notify a security breach to the ICO. The ICO has also issued a practical guide to IT security for small businesses, guidance on how to protect personal data in online services and top tips on IT security.
For more practical guidance on what types of security measures will comply with the DPA data security rules in specific scenarios, the ICO’s enforcement and monetary penalty notices can be particularly helpful. As security breaches are in the majority of cases the result of human error, enforcement notices usually require organisations to put in place adequate data protection training to address the organisational and technical faults that caused the breach in the first place. However, sometimes the ICO’s notices require the organisation to adopt specific policies such as a data disposal policy or due diligence procedures for the appointment of third party vendors/suppliers.
Moreover, some notices, such as the Monetary Penalty Notice issued in February this year to Staysure.co.uk, give clear indications of what the ICO expects of organisations. In that case, the lack of a formal process to review and apply software updates, together with the storage of payment card CVV data in breach of the company’s own policy, were found to be failings serious enough to merit a fine of £175,000 (approx. US$ 271,451). The ICO has also published guidance on the procedure it follows when issuing monetary penalty notices, which provides further insight into its approach.
How to comply with ICO security guidance
Guidance on how to comply with the DPA security rules is therefore available to organisations, although it is not always easy to navigate. Our summary of the practical steps to be taken in this area, following the ICO’s recommendations, is as follows:
- Undertake a comprehensive but manageable data security compliance review. This should focus on internal policies and procedures, as well as the arrangements with service providers.
- Ensure that any data security policies in place can be understood by those who need to observe them and are made available to them.
- Devise a suitable due diligence process for choosing and appointing data processors.
- Implement a contractual strategy for agreements with service providers that takes into account the nature of the data processing service and the potential severity of a data incident involving that provider.
- Draw up and implement a viable data incident response plan that makes it clear when and how to report security breaches.