Employees can be a great liability to a company's regulatory compliance program -- or, if trained properly, they can be a great asset. The following is a list of topics that information security pros should be sure to cover when training their employees about secure data handling for the Data Protection Act.
An important thing to bear in mind about the DPA is that, in a number of key ways, it sets out principles rather than specific compliance requirements, and organisations have to work out how to apply the various principles in their own environments.
1. What restrictions does the DPA put in place in relation to collecting personal data?
The first three principles of the DPA that a data controller (the individual or organisation that is processing the personal data) must comply with are that personal data (data about a living human being that would enable him or her to be identified) must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
Essentially this means that, for most employees, complying with their company's policies will ensure these principles are met.
2. Do the people whose information we collect have to know we’re collecting it?
A fair processing notice must be given to individuals before you process their information. In this notice, you must outline what and how personal information is going to be processed. This is to make sure the individuals concerned know exactly what is going to happen to their information and how it will be used. You shouldn't be doing anything with personal information unless the individual has been made aware of it. This notice should be written in clear and understandable English. On websites, it is usually included in the Terms & Conditions of Usage.
3. If asked, can we pass personal data to a third party?
Generally (i.e., there are specific legal exemptions) the DPA does not allow disclosure to a third-party data processor -- even including police officers, social security officers, bank managers or the person's relatives -- or another data controller unless the individual had been informed of the disclosure. You will need specific procedures to describe exactly what authorisation may be required before data can be shared with a third party, including relatives, police forces and new employers. It's important to note that these procedures must be written specifically to suit the requirements of the organisation: A financial organisation will have different procedures from, for instance, a manufacturing company.
4. What do we have to do to ensure personal data is securely held?
Written security policies and procedures should cover the levels of protection appropriate for the different records you hold; a security management system, such as that specified in ISO/IEC 27001, may be an appropriate way to ensure data is held securely. Data collected through websites, such as for ecommerce or marketing purposes, is also subject to the DPA, and, similarly, you must take the appropriate steps to ensure this data is also secure.
Again, these policies and procedures will be specific to each organisation. Some companies will design processes such that all data processing is automated, because that helps them meet their ‘appropriate security’ obligations; others may have largely manual processes, and should train their employees specifically on how to handle the particular data for which they will be responsible. Thus, it's essential to understand your organisation's data handling processes thoroughly before training employees.
5. Must all personal data be kept up-to-date?
The fourth principle of the DPA is that personal information must be accurate and up to date. This means that you need procedures for updating information, particularly information that changes regularly, such as addresses.
6. For how long can personal data be retained?
The fifth principle of the Data Protection Act states that 'personal data kept for any purpose shouldn't be kept for longer than necessary'. Data controllers must therefore have their own data retention policy, and must implement it, ensuring that when data reaches the end of its retention period it is securely and permanently destroyed. Any personal data that exists outside of its authorised environment should be considered a data breach and reported in line with the organisation's data breach reporting procedure.
7. Is access to personal information limited to those with a business need-to-know?
Any sharing of personal information must be necessary. For example, those who have to approve a loan application will necessarily be privy to personal information about the applicant. However, those who are marketing to loan applicants generally will not have to see personal information about any one individual in order to fulfill that business requirement.
Any information shared must be relevant and not excessive. This applies in particular to sensitive personal information (personal information relating to the individual’s racial or ethnic origin, political opinions, religious or other beliefs, membership of a trade union, physical or mental health or condition, sexual life, or commission or alleged commission of any offence).
8. What protection must be given to data that is stored on a laptop or other portable media?
When personal information is held on a laptop or other portable device -- in particular where it contains financial or medical information -- it should be encrypted. The level of protection provided by the encryption should be reviewed and the corresponding Data Protection Act policy updated periodically to ensure it is sufficient if the device were lost or stolen. The current encryption standard is FIPS 140-2. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff is given proper information awareness training sessions on these.
9. Can we monitor staff activity by CCTV or their use of email?
If you monitor staff by collecting or using information about them, the DPA will apply. This includes when you use CCTV to monitor staff for crime, when you check telephone logs to detect excessive private use, and when you monitor emails or check Internet use. The DPA does not prohibit monitoring; however, staff should be aware of the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified. However, covert monitoring should only be carried out after taking professional legal advice.
10. Who do we have to notify if there is a data breach?
Data controllers have a responsibility under the DPA to ensure appropriate and proportionate security of the personal data they hold. There is no legal obligation on data controllers to report breaches of security that result in loss, release or corruption of personal data, but the Information Commissioner believes serious breaches should be brought to the attention of the ICO.
About the author:
Alan Calder is a leading author on information security and IT governance issues. He is also chief executive of IT Governance Limited, the one-stop-shop for books, tools, information and advice on governance, risk management and compliance in the UK. Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government's Department for Trade & Industry, and is a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including BS7799.