The collection and use of personal information is essential to the functioning of businesses, but IT departments need to be sure that the systems processing or holding these records comply with the Data Protection Act, writes Pauline Brace, principal security consultant at Global Secure Systems.
IT departments need to identify which systems the organisation uses to process personal data and how those systems interrelate so they can identify security vulnerabilities.
They also need to understand the different types of data in use and how sensitive each type is. One controversial issue here is whether IP addresses constitute personal data.
The head of the EU Article 29 working party has confirmed that IP addresses will be classified as personal data if someone can be identified from them. For many users, this will simply be another data category. But for online traders and companies using cookies to collect, use and share IP address information, including search engines, the impact of this on their business could be significant.
IT departments need to familiarise themselves with privacy impact assessments. Combined with security risk assessments, these identify the level of security and control needed at each stage of specification, development and testing before deployment. They also help IT teams decide how to manage third-party contractors and IT service suppliers before granting them access to systems that process personal data.
The IT team also needs to understand that any misuse of their elevated administrative privileges to access personal data could be treated as unauthorised disclosure, with compliance implications for the employees personally as well as for their company. Almost two-thirds of the data breaches in 2007 came from within organisations themselves, and almost a quarter of those were thought to be malicious.
However, IT staff are not the only ones responsible for Data Protection Act compliance. Management must also ensure a company policy is in place, made clear to employees, and implemented. For example, if an employee has not been made aware of company policy on the use of laptops, and subsequently loses one, the law holds management responsible.
Appropriate training at all levels is key. A sound policy should cover systems administrators, network designers and engineers, who need not only to understand the principles of compliance and the role they themselves play, but also to keep up to date with changes in internal business practices.
Being familiar with the eight principles of the Act is no longer sufficient; awareness of the latest interpretations is also needed to ensure IT staff are not unknowingly accepting compliance failures. The Information Commissioner has said that where personal data is lost as a result of lost laptops and mobile devices on which encryption software has not been used to protect the data, enforcement action will be pursued.
A recent survey by the Information Commissioner's Office revealed that 78% of SMEs were not aware that data accuracy was a Data Protection Act requirement.
The Data Protection Act was not introduced to erect more workplace barriers but to safeguard the rights and freedoms of citizens (both staff and customers) and grant them ownership of their personal data. With research showing that 95% of individuals place protection of their data in their top three concerns (above the NHS and equal rights), successful compliance with the Data Protection Act is paramount at all levels of an organisation.