Companies risk fines over data security

An NCC survey reveals that half of organisations still do not have an information security policy

Half of the businesses surveyed are risking prosecution because they have no information security policy.

The extent of companies' carelessness is revealed in a survey by the National Computing Centre (NCC) only weeks before the 1 March deadline when a more stringent Data Protection Act comes into force.

The NCC survey, based on a sample of 250 organisations, found that only a quarter of manufacturing companies had an information security policy, a proportion that drops below 10% among the construction companies questioned. Even among those with a data security policy, only 80% had taken the requirements of the new Data Protection Act into account.

The 1998 Data Protection Act goes beyond the 1984 Act by specifying the degree of care companies should take.

Its seventh principle requires that "appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data".

Susan Hall, partner and head of IT law at Manchester solicitors Cobbetts, said, "Anyone without a data security policy is running a serious risk under the new Act."

David Smith, assistant data protection registrar, said the lack of information security among manufacturing companies was worrying.

"This ties in with research we have done, not yet published, which shows that while big users have given attention to data protection we need to look at companies where data processing is not seen as a mainstream part of their business."

For companies with established data protection policies, an important change in the new Data Protection Act is the requirement that contracts with outsourcing companies should include a data protection clause.

Sandro Monetti, security consultant at NCC Services, said, "Even people with information security policies can be caught out because they are now required to act as a gamekeeper with outsourced data processing. They can also be caught by acquisitions where the digital due diligence misses checking on the acquired company's information security."
