Starting April 6, 2010, Data Protection Act (DPA) violations will be subject to fines of up to 500,000 pounds. The introduction of stiffer monetary penalties reflects the increasing need to force organisations to take data protection seriously, promote respect for the Data Protection Act and increase the consequences of non-compliance. The ICO does recognise that it is unworkable to have no appetite for risk and that losses will occur, so it is looking for organisations to prioritise controls to reduce risk to an acceptable level.
Although many organisations initially achieve DPA compliance, maintaining that compliance is often omitted from the planning and implementation stages for new projects or departments. Over time, changes in staff and processes can also lead to intentions not always matching actual practice. In this tip we'll review the best ways to get and keep IT systems compliant and avoid being fined for deliberately or recklessly violating the DPA.
Data Protection Act compliance: Encryption of personal data
The seventh DPA principle, which discusses protecting personal data, is of most interest from an IT security standpoint:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Put simply, to comply with this principle, access to personal data must be restricted to only those who need it, and they must handle it appropriately as outlined by the Information Commission's Office and other best practices. That means locking down personal data. This process begins by developing an understanding of what types of personal data the organisation holds and the harm that may result from a security breach. This will help determine the appropriate level of security that needs to be put in place.
The Data Protection Act does not define what "appropriate" security is, but it does state that computer security needs to be proportionate to the size and use of your organisation's systems. It means common sense should rule the day; there is no need to recreate Fort Knox if you are just running the database for the local jogging club.
However, one security control that should be implemented for all personal data in companies of all sizes is encryption. Encrypted data is intrinsically protected; when implemented properly, only those with access to the proper keys can decrypt and read the data. Encrypting personal data, whether it is held in a sophisticated database or a simple spreadsheet, means you can control access to the data, and that goes a long way toward preventing its "unauthorised or unlawful processing."
The transfer of data from one location or system to another is currently seen as the area of biggest risk to an organisation. By enforcing encryption when data is transferred, either over a network using SSL or IPsec, or copied onto portable media using a program such as TrueCrypt, it is possible to avoid many of the data loss scenarios that have beset various government departments, and negate any charges of recklessly breaching the principles of the Data Protection Act.
Security awareness training needs to drive home the point that data has a value, often far in excess of the devices that process or store it.
Data Protection Act compliance: User education
With or without encryption in place, organisations need a well-trained staff that understands its policies and can enforce and adapt them as new threats emerge. For example, the storage capacity and functionality of USB thumb drives, PDAs, laptops and smartphones have increased dramatically, as has the threat they can pose to your data.
Most employees see these devices as fancy gadgets that make their lives easier and not as potential security risks. This perception needs to be changed so they are not used inappropriately or treated casually. A 1 GB USB key may only cost 10 pounds, but if an entire customer database is copied onto it, its value could run into millions of pounds.
Likewise, if a laptop is lost or stolen, it will probably cost less than 500 pounds to replace, but any unencrypted data on it could end up costing the company half a million pounds in DPA fines. Security awareness training needs to drive home the point that data has a value, often far in excess of the devices that process or store it. The value of data can change of course, typically through context and aggregation, and this is another key concept that staff need to understand.
Getting these points across is critical to any security effort, because until employees truly value an organisation's data, they will not make the necessary effort to protect it. An effective way to achieve this is to include data protection measures in people's job descriptions so everyone is clear about who is responsible for ensuring information security. Additionally, making each head of department responsible for meeting targets, such as staff security training, will immediately move security up their agenda and list of priorities. Unless there is clear accountability for security, it will probably be overlooked, and your organisation's overall security will quickly become less than adequate.
A framework that you can use for establishing user education best practices and improving compliance with the requirements of the DPA is BS 10012:2009 - Data protection: Specification for a personal information management system. It provides a lot of useful guidance, presented in the management system style of "Plan-Do-Check-Act," and covers procedures in areas such as training and awareness, risk assessment, data sharing, data retention, disposal of data and disclosure to third parties.
Data Protection Act compliance: Privacy impact assessment
Periodically reviewing data-handling systems can highlight changes to how data is being used within an organisation. Inappropriate access to information can take many guises; someone may have access to too much data, another to too detailed data, and the next may be allowed too much context. For example, it doesn't make sense for sales and marketing to have two separate databases where information potentially pertaining to the same customers is stored in separate systems.
A privacy impact assessment (PIA) can help to identify, assess and address aspects of enterprise data handling that need improvement to ensure DPA compliance. A PIA requires conducting an internal assessment of privacy risks and liabilities. Its purpose is to examine system or project compliance with various privacy laws and it usually involves input from all stakeholders. For more information on how to conduct a PIA download, take a looks at the Privacy Impact Assessment (PIA) handbook from the Information Commissioner's Office (ICO) website.
Data Protection Act compliance: Data breach management
If, despite an organisation's best efforts, a breach of security occurs, it is important to be ready to respond. Business continuity plans must be in place to outline steps to recover any personal data that may have been lost or stolen. Such a plan should also, where necessary, include procedures for damage limitation; informing people about an information security breach can be an important part of managing the incident and how it is perceived outside the organisation. Set clear rules covering who needs to be notified and why.
The ICO's Guidance on data security breach management covers the circumstances in which organisations are expected to notify the ICO of a security breach and the information that should be supplied.
Data Protection Act compliance: Outsourcing
An enterprise may decide that its best option is to outsource the processing of personal data to an already DPA-compliant third party. If so, it is important that the enterprise's outsourcing contract requires the data processor to take the same security measures that would be taken if processing the data internally. Check out model data processing contract published by the European Committee for Standardization.
I am certainly not in favour of checkbox compliance efforts where the bare minimum is done to enable a list of requirements to be signed off. This approach invariably leads to poorly implemented and maintained security defences. But those who need to beef up organisational security to quickly comply with the Data Protection Act can benefit from knowing the areas and methods to concentrate on. It is impossible to eliminate information security risks completely, but with the appropriate strategy, the fundamentals can be put in place to improve security around people, processes and technology.
This was first published in March 2010