Data Protection Act 1998
The Data Protection Act 1998 (DPA) applies to data controllers in the UK. The DPA is intended to safeguard the personal data of data subjects by requiring data controllers to put in place security measures to protect personal data. See PLC IPIT & Communications, Practice note, Overview of UK data protection regime for an overview of the DPA and its key definitions.
The key principle that addresses the security of personal data is Principle 7 of the DPA (Security Principle). The Security Principle requires data controllers to put in place appropriate technical and organisational security measures to prevent:
- Unauthorised or unlawful access
- Accidental loss
- Destruction or damage to personal data.
Other principles of the DPA are also relevant to the security of personal data, including:
Principles 3, 4 and 5: require personal data to be:
- not excessive for the purpose for which it is processed;
- up-to-date; and
- not kept for longer than is necessary.
Following these principles will assist with compliance with the Security Principle because, for example, if data is not held for longer than necessary, there is less risk of unauthorised or unlawful access, accidental loss, destruction or damage to that personal data. For practical guidance on data retention and destruction, see Data retention and destruction policy.
Principle 8: prohibits the transfer of personal data to a country or territory outside of the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subject, in relation to the processing of personal data. Protecting those rights and freedoms will include keeping personal data secure. See PLC IPIT & Communications, Practice note, Overview of UK data protection regime.
Where, for example, IT services are provided by a data processor who carries out processing of a public body's personal data from outside of the EEA (for example, through a sub-contractor), that public body will need to ensure it has the right to transfer personal data to that country in compliance with Principle 8, for example through use of the European Commission-approved model contract for transfers of personal data from a data controller to a data processor located outside of the EEA.
This practice note focuses on the Security Principle. For an overview of other principles of the DPA, see PLC IPIT & Communications, Practice note, Overview of UK data protection regime and Standard document, Data protection policy.
The Security Principle
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" (Part I(7), Schedule 1 to DPA).
The breadth and depth of security measures that will be appropriate for the purpose of the Security Principle must be determined on a case-by-case basis, by reference to the guidance available to data controllers.
Overview of guidance on "appropriate" security
The main obligation under the DPA relating to protection of personal data by data controllers is contained in the Security Principle.
The guidance states that the Security Principle should be interpreted as follows:
- Potential harm. The data controller must ensure appropriate levels of security, having regard to harm that may result from unauthorised or unlawful processing, accidental loss, damage or destruction and the nature of the data to be protected. At the same time, regard should be had to the state of technological development and implementation cost.
- Reliability of employees. Data controllers have a responsibility to take reasonable steps to ensure that the employees who have access to personal data are reliable. This will also extend to reliability of data processor employees.
- Data processor security. When choosing data processors, the data controller must ensure they provide sufficient guarantees in respect of the technical and organisational security measures which will govern the data processor's processing for the data controller, and must ensure that the data processor complies with those measures (see Data processor vetting and contracting).
- Data processors must enter into a written contract with the data controller covering the data processing in question, and the data processor must agree to comply with obligations equivalent to those imposed on the data controller by the Security Principle (see the Information Commissioner's guidance).
The Information Commissioner has also published a number of Good Practice Notes on what constitutes appropriate security.
In the statement, Our approach to encryption, the Information Commissioner advocates using best practice methodologies, such as the International Standard 27001 (see Data Protection Good Practice Note: Security of personal information). International Standard 27001 is one of a number of international and national standards relating to security good practice. It specifically focuses on information security management. The Information Commissioner states in the statement that, further to a number of stolen laptop incidents, "in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued".
See Regulatory Enforcement and Sanctions Act 2008 and PLC IPIT & Communications, Practice note, Overview of UK data protection regime, for details of sanctions for non-compliance.
Data Security Tips is a topic-specific guide available on the Information Commissioner's website.
Security good practice note
While a good starting point, the Data Protection Good Practice Note: Security of personal information is fairly high-level and is aimed at small to medium organisations, rather than larger organisations.
Privacy by design
The Information Commissioner has commissioned the Enterprise Privacy Group (EPG) to produce a report which will assist data controllers to incorporate "privacy by design". The EPG report will explore considerations of privacy before implementing new systems and the use of privacy enhancing technologies, such as security of personal data built in "from the ground up". The report was made public at the Privacy by Design Conference on 26 November 2008.
Cabinet Office Report
Following the initial data handling report issued by the Cabinet Office in December 2007 (see Data Handling Procedures in Government: Interim Progress Report (December 2007)), the Cabinet Office published its final report in June 2008 on recommended data security handling (including personal data) (see Data Handling Procedures in Government: Final Report (June 2008)). The Report describes measures that should be put in place by central government bodies and ways to improve security. The Cabinet Office also published Cross Government Actions: Mandatory Minimum Measures, which are intended to set out processes (Section I) and specific measures (Section II) for protecting information to be implemented by central government. These include:
- Technical measures. The report refers to protective measures, such as encryption and penetration testing, which central government bodies must put in place.
- Culture change. The report describes how internal culture needs to change, including in relation to security planning that should be carried out and implementation of Privacy Impact Assessments. The report states that the Information Commissioner has made a powerful case for Privacy Impact Assessments and Privacy Impact Reports, and refers to the Privacy Impact Assessment handbook issued by the Information Commissioner. The Information Commissioner also recommends the use of security risk assessments in the March 2008 Good Practice Note: Guidance on data security breach management.
- Streamlined processes for information risk management. The report emphasises the need for standardisation and enhancing processes for understanding and managing information risk and describes the roles of key individuals to enable this. The report states that new systems containing protected personal data will be subject to mandated accreditation and must build in greater access control and logging.
- Training. The report recommends mandatory training for individuals with access to, or involved in, managing protected personal data.
- Consequences for staff. The report suggests making it clear that failing to comply with protective measures is a serious matter that could potentially lead to dismissal.
- Information assets and transparency. The report advocates improving transparency by publicising more information about certain information assets and how they are used and arrangements for protecting data through information charters. The report states that Information Asset Owners are to be appointed (they have specific tasks that are set out in the report).
- Contracting. The report states that from July 2008, standard contractual clauses on information assurance will be incorporated into contracts. These standard contract requirements are discussed in more detail at the Office of Government Commerce (OGC) Model ICT Services Contract.
The report is to be updated and reviewed by the Cabinet Office to take account of new developments. Government departments will be required to report annually on their progress with the measures described in the report. The Cabinet Committee on Personal Data Security will be the body overseeing progress.
The report is intended to be used alongside the Manual of Protective Security (to be replaced by the Security Policy Framework in October 2008) and the Civil Service Management Code.
Local Government Association Security Guidance
The report states that while its focus has been on central government bodies, local government and other independent public sector organisations also play a crucial role in the delivery of public services. The overall aim is for consistent standards to be applied. The report also states that the government would like other organisations to adopt similar approaches.
The Local Government Association has produced similar guidance and approaches for local government as a whole. This guidance was published on 18 November 2008.
Practicalities of compliance with the Security Principle
Policies, processes and training
In practice, data controllers will usually put in place policies, processes and training to help employees and contractors comply with their obligations under the Security Principle.
Data protection policy
A data protection policy should give clear instructions to employees as to what they need to do to comply with the DPA, in the context of their employment by a public body. For a sample policy, see PLC IPIT & Communications, Standard document, Data protection policy.
IT and internet use policy
A good IT and internet use policy should include clear restrictions on employees' use of IT resources, such as:
- Restrictions on the use of removable media.
- Requirements for encryption of removable media.
- Restrictions on the use and transportation of laptops and e-mail.
- Prohibitions on the use of internet-based products for the storage of personal data (such as webmail, "cloud computing" services for hosting documents and peer-to-peer networking).
Data retention and destruction policy
In order to protect personal data, it is vitally important to ensure that it is stored appropriately using approved and audited systems, and periodically destroyed. A data retention and destruction policy should set out clear guidelines for employees on how to store personal data and the retention periods for different categories of data. The DPA requires that personal data be kept no longer than is necessary for the purposes for which it was collected. While there is no universal retention period, this type of policy can help employees to assess the appropriate timescale.
Data security breach management policy
In March 2008, the Information Commissioner issued a Good Practice Note: Guidance on data security breach management advocating:
- Accountability at the top.
- Having a security breach team to deal with personal data security breach incidents.
- Regular risk assessments.
For practical guidance on security breach management, see Personal data security breach management: checklist.
IT and security controls
Controls can be technical (such as access controls) or physical security (such as swipe cards, locked rooms and cabinets and clean desk practices). Access controls will, for example, mean that senior employees are likely to have better access to a public body's information, including personal data, than a junior employee, or that consultants may be granted restricted access to systems.
Security level categorisation for personal data
This involves allocating personal data to categories with different security requirements for different types of personal data. For example, employee health records or appraisal records might be allocated a higher security rating than information about an employee's working hours.
Security protocols, such as the means by which certain categories of personal data can or cannot be communicated, transferred and stored, may be implemented. For example, it may be prohibited to send certain categories of personal data by e-mail or to store that data on removable storage devices, such as USB sticks or discs.
Training
This involves training employees and, where necessary, consultants and other service providers on data protection and data security. Employees should receive training on what they need to do to keep personal data secure, including training on disclosure of personal data to other public bodies, other departments or even within the public body in question.
The Information Commissioner has issued guidance that will assist public bodies with achieving best practice, the Data Protection Good Practice Note: Data sharing between different local authority departments, and a number of other Good Practice Notes dealing with requests for specific types of information, including under the Freedom of Information Act 2000 and how this interacts with the DPA requirements to protect personal data.
Data processor vetting and contracting
Choosing the right data processor is important because the DPA applies to data controllers and not to data processors. Even if a breach of the Security Principle is caused by a data processor, the relevant data controller will ultimately be liable for that breach under the DPA.
Practical considerations when appointing data processors include:
- Vetting data processors. Vetting data processors and their ability to comply with security requirements is necessary before they are given access to the data controller's personal data.
- Best Value. Public body data controllers will also need to consider Best Value requirements when choosing their data processor. For example, where bidders are tendering for public sector services, part of the evaluation criteria may be the ability of bidders who will have access to the public body's personal data to provide appropriate security assurance, and the public body may wish to evaluate the tendered security levels during the procurement process.
OGC Model ICT Services Contract
The OGC announced on 1 July 2008 that, where procuring ICT services in the public sector under an OGC Model ICT Services Contract, certain clauses and schedules on data protection, confidentiality and security are mandatory and must be used without amendment (see ICO Information note 08/08). The explanatory note accompanying the revised OGC Model ICT Services Contract (version 2.1.1) (OGC Contract), which was published on 1 July 2008, also states that the provisions have been made mandatory for the purposes of compliance with clause 3.9 of the Report, which states that "From July ... standard contract clauses on information assurance will be incorporated into contracts".
In the Q&A section of the explanatory note the OGC states that even non-ICT contracts should use the mandatory clauses in cases where data handling is an issue. See OGC Contract and the Information Assurance in Procurement guidance note, both available on the Partnerships UK website. See also PLC IPIT & Communications, Practice note, Public procurement of ICT and Legal update, Government publishes final report on data-handling procedures.
Data processor contracts
The following data processor contractual issues should be considered in addition to the Security Principle requirements.
Reporting, audit and correction
Even if a data processor has contractually agreed to the Security Principle obligations (including in the mandatory form in clause 41 of the OGC Contract), data controllers remain ultimately responsible under the DPA, notwithstanding the data processor's contractual security obligations. See clauses 24 (Audit), 25 (Records and Reporting) and 56 (Remedial Plan Process) of the OGC Contract; these are not mandatory clauses.
In addition to pre-contract vetting, data controllers will also need to build reporting, audit and fault correction mechanisms into their contracts to allow them to track compliance and require rectification of non-compliance.
Public bodies should also impose obligations on data processors to take reasonable measures to ensure the reliability of their employees. Clauses 28.11 and 28.12 of the OGC Contract are mandatory clauses dealing with staff vetting. These clauses work in conjunction with a mandatory warranty in relation to staff vetting set out in clause 45.2.1. If staff vetting is of a particularly high priority, it is also advised that staff vetting provisions are included in schedule 2.5 of the OGC Contract, which sets out the Security Requirements and Plan (and which is also mandatory). This will help data controllers to monitor and where necessary require correction of data security breaches.
Data processor contracts should contain confidentiality clauses that will assist with the protection of personal data. The definition of confidential information, which is to be protected by the confidentiality provisions should include reference to the personal data that is to be processed by the data processor under the contract (for example, see the definition of "Authority Confidential Information" in the OGC Contract).
The confidentiality clause (clause 43) of the OGC Contract is a mandatory provision of that contract as is clause 40, which relates to protection of "Authority Data". See PLC IPIT & Communications, Legal update, Government publishes final report on data-handling procedures.
Similar confidentiality considerations will apply during any procurement process where bidders will have access to personal data in advance of entering into a contract. For example, where employee personal data is disclosed in advance of contracting to enable bidders to determine their proposed charges for services and for the purpose of compliance with TUPE obligations. The Information Commissioner has produced the Data Protection Good Practice Note: Security of personal information to deal with these circumstances.
For NHS contracting, the data controller will also want to require compliance with the NHS Confidentiality Code of Practice.
Data controllers may, in addition to contractual confidentiality rights, also have common law confidentiality rights that they can rely on. Practical measures, such as marking confidential personal data to be disclosed as "confidential" and having clear confidentiality and security categorisation will help maintain those common law rights. Care should be taken not to dilute the common law confidentiality rights by indiscriminately labelling information as "confidential". For more information, see PLC Employment, Practice note, Confidentiality during employment and after termination.
Liability clauses and indemnities
Consideration should be given to the possibility of setting liability caps and/or excluding liability. Public bodies will need to consider the potential harm that could result from a personal data security breach and the appropriate level of liability caps, or whether personal data security breach liability should be uncapped. High or unlimited liability caps are likely to have an impact on the cost of services, and therefore public bodies will need to balance having higher or unlimited caps on liability against the cost of the service, to determine at what levels Best Value is achieved.
Targeted liability provisions may be helpful. For example, blanket references to unlimited liability for any breach of the data protection obligations may attract a risk premium on the service cost. If a contract contains data protection requirements to assist with data subject access requests, it is unlikely to be necessary to require unlimited liability for failing to provide relevant information within an agreed time period. It may be more appropriate to target limits of liability and unlimited liability at specific data protection and security provisions, which if breached could have a major impact on the data processor.
Key areas of risk for public bodies include the cost of dealing with a personal data security breach, including internal and third party investigation and incident management costs. Also of importance will be the potential for damage to reputation and general damage caused by the loss of data, both of which are areas of liability that data processors will commonly seek to exclude entirely. Loss of profits is not usually a particular issue for public bodies, but public bodies may need to consider other potential financial losses that they could incur as a result of a data security breach. For example, if a contract is terminated early on account of a data security breach this could result in the loss of anticipated and even potentially agreed savings. Another example of financial loss that a public body could suffer is loss of grant funding.
Consideration should be given to whether any particular losses resulting from a personal data security breach incident should be recoverable on an indemnity basis.
Personal data security breach reporting, remediation and termination
Data controllers will wish to consider their right to require remediation of personal data security breaches. It may be appropriate to include specific security breach reporting and remediation processes in contracts with data processors and also to reserve rights to use third parties to assist with incident mitigation and remediation at the cost of the data processor.
Termination rights in the event of personal data security breaches should be clearly set out in the contract with a data processor, rather than a data controller seeking to rely only on more general material breach termination rights. For example, in the OGC Contract, a material breach of the mandatory clauses 41 (Protection of Personal Data), 42 (Freedom of Information), 43 (Confidentiality) or the mandatory schedule 2.5 obligations (Security Requirements and Plan) will allow termination of the contract by the public body customer. For more information, see PLC IPIT & Communications, Practice note, Public procurement of ICT.
Where data protection and data security warranties are given by a data processor, if the intention is that a breach of one or more of those warranties will allow for termination, then this needs to be made clear in the contract to avoid warranty provisions in a contract being interpreted as giving a right to damages but not termination.
Consequences of breaching the Security Principle
Liability of the data controller under the DPA
For enforcement sanctions and remedies under the DPA, including new powers under the Criminal Justice and Immigration Act, see PLC IPIT & Communications, Practice Note, Overview of UK data protection regime.
Official Secrets Act
While not specifically a data protection issue, loss of personal data that falls under the Official Secrets Act (OSA) will be subject to prosecution under the OSA. Amongst the high profile security breaches in 2007/08, the Cabinet Office reported the loss of two "UK Top Secret" documents that were left on a train.
Prosecution will arise if:
- The party who discloses the information is a member of the security or intelligence services or another official who has been notified that they are subject to the OSA. If information is to be handed to a third party that should be protected by the OSA, it is imperative that any contract states that the data processor is subject to the OSA.
- The person who discloses the information is or has been a Crown servant or government contractor and the disclosure is of any information relating to (amongst other things) security, intelligence, defence or international relations, which they had by virtue of that position.
Regulatory Enforcement and Sanctions Act 2008
The Regulatory Enforcement and Sanctions Act 2008 (RESA) provides additional sanctioning powers to "designated regulators". The Information Commissioner is a designated regulator for the purposes of RESA. RESA does not automatically confer these powers on regulators but makes it possible for a minister to grant them. These additional sanctioning powers are to impose fixed monetary civil penalties. For more information on RESA, see PLC Environment, Practice note, Regulatory Enforcement and Sanctions Act 2008.
The penalties under RESA are only available in relation to "relevant offences". This definition of relevant offences covers a limited number of offences under the DPA. While a number of those offences could potentially be relevant for the purpose of personal data security breaches, the most relevant is likely to be the criminal offence of failing to comply with an enforcement notice (section 47, RESA). The Information Commissioner has increasingly used its powers over the last two years to enforce action in the event of data security breaches, through the power to issue enforcement notices. Parties who have had enforcement notices issued against them and parties who have given undertakings in relation to Security Principle breaches are listed on the Information Commissioner's website.
A breach of section 55 of the DPA may also be of particular relevance (this relates to unauthorised obtaining and disclosure of personal data).
Security Breach Management
Personal data security breaches can happen, even when great amounts of time, money and effort are invested by public bodies to prevent them.