Over its 25-year history, data protection has not been a glamorous topic. However, there is a growing realisation of the importance of information management and of the consequences of failing to secure data properly, both in terms of the potential impact on the business and on a company's reputation. This is happening against a background of increased public concern about privacy and human rights.

Security lapses involving large scale losses of personal data were described by the Information Commissioner as "frankly horrifying" [1] before the recent spate of large incidents which included the very public loss of 25 million child benefit records by HMRC and 600,000 service records by MoD in 2007. The Information Commissioner has put business on notice that while he recognised that information is increasingly valuable, it can be "a toxic asset" [2] if not handled properly.

The implications of losing personal data are becoming more serious. Identity theft is a growing problem involving real costs borne by individuals. CIFAS has estimated that each identity fraud typically takes from 3 to 48 hours of work for a victim to rectify the damage and in some cases up to 200 hours at a cost of £8,000. For a business causing a large scale loss of data, the potential costs are enormous. Companies now face a real danger of significant financial penalties, regulatory action and direct liability to individual data subjects. Added to this, large data losses carry a significant reputational risk.

Every business must properly define responsibility for information management and have in place coherent policies and procedures, rigorous training and carry out regular checks to ensure compliance. It is also important to have a contingency plan to deal with any significant loss of personal data.

There is now more prescriptive guidance from both the Information Commissioner and the FSA on the application of the data protection rules, in a form that, given the prevailing political climate, is likely to favour more active enforcement. On top of this, significant new penalties will soon come into force giving the Information Commissioner the ability to punish historic breaches with financial penalties, in contrast with the present powers, which are largely limited to regulating future behaviour.

Move away from a "red tape" approach  

During the early life of the data protection rules, compliance was seen as a predominantly administrative task. At times it seemed that data protection was an obstacle to good practice, with schools preventing parents from taking pictures of their children in nativity plays and reports in the press that priests were not able to pray for ill people by name at mass. More seriously, in 2003 British Gas blamed the data protection rules for its failure to pass on to Social Services the names of an elderly couple whose gas had been cut off. The couple later died, one of hypothermia. The Information Commissioner's Office has made it clear that data protection rules are to be applied with common sense and not used as a "duck out". [3]

Information security – your obligations  

The Data Protection Act 1998 [4] requires that companies take:

"appropriate technical and organisational measures ... against unauthorised or unlawful processing ... and ... accidental loss ... destruction ... or damage to personal data". [5]

This is a subjective requirement which gives flexibility in a world of changing technologies and multiple technical standards. Unlike some jurisdictions, the UK does not require a specific technical level of security. This means that the data controller must assess what is an appropriate level of security given the type and sensitivity of the personal data that it holds. This decision will need to be reviewed as the type of data and the technology change, and should be recorded in case it is necessary to prove what was done. The assessment must take account of the nature of the personal data held and the harm that a breach of security could cause. [6] Companies may take into account the state of technological development and the cost of implementing security measures.

Firms must also take reasonable steps to ensure the reliability of relevant employees [7] and, where a third party is used to process their data (as with an outsourcing arrangement), must put in place and enforce sufficient security guarantees [8] and enter into a written processing contract imposing minimum security requirements. [9]


The lack of a prescribed specific security standard does create a degree of uncertainty as to whether a company has met its obligations. In the past the Information Commissioner has given only general guidance on what level of data security he expects. This has meant that the chance of enforcement in any given area has perhaps been reduced. However, in 2008 he issued a view that encryption should be used for all laptops carrying personal data, that firms should follow ISO 27001 for their security policy and that they should encrypt at least to FIPS 140-2 and FIPS 197. [10] While these steps are by no means universally adopted or necessarily accepted as standard data management practice, they should be considered carefully.

Firms regulated by the FSA can face additional penalties if they do not put in place adequate data security. In 2007 the FSA fined Nationwide £980,000 when a laptop containing customer data was stolen from an employee's home [11] and Norwich Union £1,260,000 [12] for security lapses that led to large scale losses of customer data. The FSA has said that data security is relevant to each of its statutory objectives and has issued guidance on data security making it clear that it may take enforcement action against regulated firms taking unencrypted customer data offsite on laptops. [13]

Given the specific advice from both the Information Commissioner and the FSA, all firms should look at the security of all mobile devices.

Responding to a breach  

The Data Protection Act does not specify how companies should respond to security breaches. However, as part of their general obligation to take appropriate measures against unauthorised processing, firms should have a plan for dealing with the consequences of a data security breach. The UK rules do not require that companies automatically notify data subjects when there has been a security breach: some bodies are concerned that rules requiring this would risk 'over notification' leading to individuals becoming used to repeated warnings which they might then ignore.

A plan to respond to a security breach should look at containment, recovery of data, risk assessment and possible notification (to the individuals and the relevant regulators). The Information Commissioner recommends as good practice that serious breaches of personal data security (either by volume or sensitivity) be notified to his office and that data controllers notify individuals of significant losses of data (over 1,000 unencrypted records). [14] By comparison, the FSA's guidance recommends informing all customers of a relevant data loss unless the data was encrypted. FSA regulated firms are advised to consider giving advice and practical assistance to affected customers. The FSA does not impose a blanket requirement to notify but could create a rule imposing this if it was thought necessary.

Enforcement and liability for data losses  

Currently, the Information Commissioner's main power of enforcement is to issue a notice that requires a data controller to comply with the data protection principles in future. This notice can set out specific steps that the data controller must follow. Failure to comply with an enforcement notice is a criminal offence, punishable by a fine (£5,000 for summary offence, otherwise unlimited). In practice the Commissioner also uses written undertakings (non-statutory commitments which can be used to 'name and shame' those misusing personal data) to supplement his formal enforcement powers.

Formal enforcement has been sporadic to date but is likely to become more common as public concerns about data security increase. In March 2009 the Information Commissioner executed a warrant on a firm allegedly operating an employee blacklist for use in the construction industry. [15] The Commissioner has said that he will also look to take action against the individual construction companies using this service to vet potential employees. Even ahead of any formal action, there is likely to be damage to the reputations of the companies involved.

Breach of the data protection rules can result in civil liability. Individuals suffering damage (and, if there is damage, distress) as a result of a breach of the Data Protection Act can sue for compensation. [16] Awards have tended to be small and claims are often included in a wider action on privacy or breach of confidence. However, in an age of increasing identity theft, the possible losses for which a claim could be made by a third party under the Data Protection Act could be significant.

In the recent construction case referred to above, the Information Commissioner's Office has now taken over the illegal database and is providing a helpline for those individuals who want to check whether their information was on the blacklist. This approach may make individual claims more likely and could be used again in future.

The Information Commissioner's current powers of enforcement are forward-looking rather than historic: there is as yet no right to fine data controllers for breaches, only to regulate their future behaviour. In effect, this can give "two strikes" before serious consequences result. The Information Commissioner recognised this limitation and asked Parliament for new powers, which were included in the Criminal Justice and Immigration Act 2008. [17] These new powers will allow the Information Commissioner to impose a monetary penalty for serious contraventions of the data protection principles where this causes substantial damage or distress, provided that the data controller has been reckless or negligent. The maximum penalty has not yet been set and the power is not yet in force, but it is expected to be introduced shortly. The Act also allows the Secretary of State to increase the maximum term of imprisonment as a penalty for unlawfully obtaining personal data.

As noted above, the FSA has shown that it is willing to impose significant fines and consider other enforcement action for regulated firms with inadequate data security.

Conclusions  

Data security is no longer a Cinderella topic. Companies should expect more active enforcement, with the real risk of financial penalties, negative publicity and the possibility of third party claims. FSA regulated firms need to take particular care to take account of the FSA guidance.

Each data controller must look at the personal data that it controls and make an assessment of the required level of security, taking the Information Commissioner's guidance into account. While no specific security measures are mandated, an assessment must be made, documented and acted on. Companies need data handling policies and clear responsibilities as well as contingency plans for any breaches in data security. These plans must be regularly audited and compliance checked. As a minimum first step, given the specific advice from the Information Commissioner and the FSA, firms should consider encrypting all personal data on laptops and other mobile devices when taken offsite.