HSBC was recently fined over £3m by the FSA for not adequately protecting personal data. This shows that quite apart from the adverse PR and damage to customers’/employees’ confidence, such losses can be very costly. Similar to the FSA’s powers, the Information Commissioner’s Office (ICO) will also soon have powers to fine organisations that commit serious breaches of the Data Protection Act 1998 (the Act). These powers are expected to come into force in April 2010.
In addition to being responsible for your own data security breaches, you could also find yourself liable for breaches by any organisations that process personal data on your behalf (e.g. payroll processors, or less obvious examples such as website hosts). This is because the Act requires you to make up-front and ongoing checks of the measures your processors take to keep data secure. You should also have a written contract in place under which your processor undertakes only to process the data in accordance with your instructions, and to take proper precautions to keep the data secure. If you fail to do this, you are on the hook for any data lost by your processor.
Recent press coverage has highlighted the importance of ensuring that your processor agreement addresses issues such as whether your processor may download personal data onto portable devices. If it can, the personal data should always be encrypted. It is also important to ensure that your processor notifies you immediately of any actual or suspected security breach. Often, if action is taken quickly, potential losses (for example, through identity fraud) can be avoided or minimised.
If you have existing processor agreements in place you may want to consider amending them to take account of these recent developments to try to minimise your risks going forward.