The collection and use of personal information is
essential to the functioning of businesses, but IT departments need
to be sure that the systems processing or holding these records
comply with the Data Protection Act, writes Pauline Brace,
principal security consultant at Global Secure Systems.
IT departments need to identify which systems the organisation
uses to process personal data and how those systems interrelate so
they can identify security vulnerabilities.
They also need to understand the different types of data in use
and how sensitive each type is. One controversial issue here is
whether IP addresses constitute personal data.
The head of the EU Article 29 working party has confirmed that IP
addresses will be classified as personal data if someone can be
identified from them. For many organisations, this will simply be
another data category to catalogue. But for online traders and
companies using cookies to collect, use and share IP address
information, including search engines, the impact of this on their
business could be significant.
IT departments need to familiarise themselves with
privacy impact assessments. Combined with security risk
assessments, privacy impact assessments identify the level of
security and control needed at each specification, development and
test stage prior to deployment. They help IT teams understand how
to manage third-party contracts and IT service suppliers before
giving them access to systems processing personal data.
The IT team also needs to understand that any misuse of their
elevated administration privileges to access personal data
could be treated as unauthorised disclosure with compliance
implications, for employees personally, as well as for their
company. Almost two-thirds of the data breaches in 2007 came from
within organisations themselves, and almost a quarter of those were
thought to be malicious.
However, IT staff are not the only ones responsible for Data
Protection Act compliance. Management must also ensure a company
policy is in place, made clear to employees, and implemented. For
example, if an employee has not been made aware of company policy
on the use of laptops, and subsequently loses one, the law holds
management responsible.
Appropriate training at all levels is key. A sound policy should
include systems administrators, network designers and engineers,
who not only need to understand the principles of compliance and
the role they themselves play, but also to keep up to date with
changes in internal business practices.
Being familiar with the eight principles of the Act is no longer
sufficient; awareness of the latest interpretations is also needed
to ensure IT staff are not unknowingly accepting compliance
failures.
The Information Commissioner has said that where personal data
losses occur as the result of lost laptops and mobile devices
because encryption software has not been used to protect the data,
enforcement action will be pursued.
A recent survey by the Information Commissioner's Office
revealed that 78% of SMEs were not aware that data accuracy was a
Data Protection Act requirement.
The Data Protection Act was not introduced to erect more
workplace barriers but to safeguard the rights and freedoms of
citizens (both staff and customers) and grant them ownership of
their personal data. With research showing that 95% of individuals
place protection of their data in their top three concerns (above
the NHS and equal rights), successful compliance with the Data
Protection Act is paramount at all levels of an organisation.