The Data Protection Act (DPA) 1998 is the main piece of legislation governing the protection and handling of personal data in the U.K. Although the act is complex, it rests on eight basic principles of information-handling practice. The seventh principle, which covers data security and has caused a fair amount of consternation among infosec professionals, requires organisations holding personal information to take "appropriate technical and organisational measures" against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage.
Although most organisations in the U.K. are legally obliged to comply with the DPA, the spate of recent data losses, many involving government departments, shows the legislation has done little to improve the way data is safeguarded. The Information Commissioner's Office (ICO), the independent authority charged with enforcing the act, has failed to establish respect for the regulation or to create a culture of data security across U.K. business and government. Its soft approach, combined with a lack of funds and resources to pursue offenders through the courts, has weakened the DPA. Earlier this year, for example, the European Commission intervened over what it saw as the ICO's failure to act against British Telecommunications Group plc, which had secretly intercepted and analysed users' click-stream data in order to serve them targeted advertising.
Prompted by the ever-increasing volume of data being handled by public bodies, and by the recent embarrassing rash of data-loss incidents, this situation is starting to change. To give the act more bite, the ICO is being granted the power to impose substantial fines for deliberate or reckless serious breaches of any of the eight principles, and to carry out compliance spot checks; until now its main sanction has been the enforcement notice, and breaching a principle has not in itself been an offence. The office has also issued enforcement notices to the Ministry of Defence and HM Revenue & Customs, requiring them to follow the recommendations made in various reviews of their data-handling processes.
DPA compliance and the meaning of "appropriate"
So what can be done to ensure your organisation meets the data security principle? The "appropriate" and "adequate" measures it demands include both technical and organisational controls, and it is the latter where most organisations fall short. The act itself supplies the yardstick: having regard to the state of technological development and the cost of implementation, the measures must give a level of security appropriate to the harm that could result from a breach and to the nature of the data concerned, so a file of medical or financial records warrants far stronger controls than a list of business addresses. Organisational measures include security policies, clear accountability for the ownership of data, and staff security awareness training. Reviewing the recent incidents of lost data, it is apparent that these measures are sadly lacking in public and private organisations alike.
When did you last review your security policy? Does it cover removable media such as USB thumb drives, and mobile users' PDAs, laptops and smartphones? Your security policies must be kept current, made accessible, and be detailed enough that employees know how to handle data: what they may copy, where it may be taken, and whom to tell when something goes missing.
Staff must also be made aware of their roles and responsibilities when handling data, and that the security policies will be rigorously enforced. The act also expects a data controller to take reasonable steps to ensure the reliability of any employee who has access to personal data. An effective way of putting policies into effect is to write these responsibilities into people's job descriptions.
To see what action government is taking to improve its data security, read the Cabinet Office's report Data Handling Procedures in Government, and the recommendations made by Kieran Poynter, chairman of PricewaterhouseCoopers, in his review of information security at HM Revenue & Customs. Both reports set out the steps needed to ensure data within an organisation is valued and protected.
The DPA has many ambiguities, but the ICO is approachable. So if you have any doubt as to whether aspects of the act apply to your organisation, or whether your security measures are appropriate, it is best to speak to the office directly.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in November 2008