On day 3 of our run-up to World IP Day on 26 April, we are looking at the importance of protecting your company’s information. Information is one of, if not the, most valuable assets that an organisation will hold, be it in the form of customer lists, business plans, pricing and marketing strategies, etc. The best way to protect a company’s information is to ensure that it is kept confidential (where appropriate) and held securely. To that end, information security is and remains a key issue for most organisations. Indeed, a recent survey commissioned by recruitment consultancy Robert Half Technology of 100 Chief Information Officers (CIOs) across the UK found that 40% of CIOs have increased spending on IT security over the last 3 years. This finding is interesting given the current economic climate, but it emphasises how seriously the issue is being taken at the highest levels within organisations.
As well as ensuring that an important and valuable business asset is protected, there is another very good reason for investing in information security: avoiding coming to the attention of the Information Commissioner. The Information Commissioner has various enforcement powers under the Data Protection Act 1998 (DPA); however, the one that really gives the Information Commissioner’s Office (ICO) some teeth with which to police and encourage compliance with the DPA is its power to impose fines by issuing monetary penalty notices. This power has been in force for just over 3 years now, and in that time the Information Commissioner has levied fines totalling in excess of £4 million.
Interestingly, the vast majority of the fines that have been imposed to date have flowed from serious contraventions of the seventh data protection principle. The seventh principle provides that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Clearly information security will play a large role in an organisation’s ability to comply with this principle.
The ICO recently identified that a common area for improvement within private sector organisations is records management. This conclusion arose from a distinct lack of controls for the disposal of records, be they electronic or paper, and from a failure to have a clear document retention policy in place.
Another risk area that has been identified by the Information Commissioner is that created by employees using their own personal devices for work purposes. The ever-increasing sophistication of electronic devices, such as smart phones and tablets, has resulted in a surge of requests from employees at all levels, from board members to administrative staff, to use their own personal devices for carrying out part or all of their job. The use of personal devices clearly creates significant issues for employers in terms of how their organisation’s information is stored, accessed and used. Unless strict policies are put in place, communicated to employees and subsequently enforced, an employer could find itself unable to control the use of that information. For more information on this topic please read our article entitled “Bring Your Own Device (BYOD) to Work” here:-
Information security and related policies are therefore key to protecting the information held by an organisation, and they should be used to complement other forms of protection, such as intellectual property rights.