The 'appropriate' way to comply with Data Protection Act 1998

The U.K. Data Protection Act is 10 years old, but the evidence shows that many organisations are still not up to standard when it comes to the seventh data protection principle: using "appropriate and adequate security measures" to protect personal data. Michael Cobb explains what "appropriate" actually means and why companies will now have to take the definition seriously.


The Data Protection Act (DPA) 1998 is the main piece of legislation that governs the protection and handling of personal data in the U.K. Although the act is excessively complex, it defines eight basic principles of information-handling practice. The seventh data security principle, one that has caused a fair amount of consternation among infosec professionals, states that entities holding personal information are required to have "appropriate" security measures in place to prevent unauthorised processing or loss of personal data.

The Principles

1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Although most organisations in the U.K. are legally obliged to comply with the Data Protection Act, the spate of recent data losses, many involving government departments, shows the legislation has done little to improve the way data is safeguarded. The Information Commissioner's Office (ICO), the independent government authority charged with enforcing compliance with the act, has failed to establish respect for the regulation and create a culture of data security throughout U.K. businesses and government. The ICO's soft approach, combined with a lack of funds and resources to pursue offenders through the courts, has served to weaken the DPA. Early this year, for example, the European Commission intervened over what it saw as a failure of the ICO to punish British Telecommunications Group plc for the way it secretly intercepted and analysed users' click-stream data to serve them targeted advertising.

Prompted by the ever-increasing amounts of public data being handled, however, and the recent embarrassing rash of data loss incidents, this situation is starting to change. To give the act more bite, a breach of any of the DPA's eight data protection principles is now a criminal offence. Also, the ICO has been given new powers to carry out compliance spot checks and to fine offenders. The office has even issued enforcement notices to the Ministry of Defence and HM Revenue & Customs, requiring them to follow recommendations made following various reviews of their data-handling processes.

DPA compliance and the meaning of "appropriate"

So what can be done to ensure that your organisation is meeting the seventh principle? "Appropriate" and "adequate" security measures include both technical and organisational measures, and it is the latter where most organisations fall short. Organisational measures include controls such as security policies, accountability for the ownership of data, and staff security awareness training. Reviewing the recent incidents of lost data, it is apparent that these measures are sadly lacking in public and private organisations alike.

When was the last time you reviewed your security policy? Does it take into account the use of removable media, such as USB thumb drives, or mobile users' PDAs, laptops and smartphones? Your security policies must be kept current, made accessible, and detailed enough that employees know how to handle data.

Staff must also be made aware of their roles and responsibilities when handling data, and that the security policies will be rigorously enforced. An effective way of putting policies into effect is to write these responsibilities into people's job descriptions.

To see what actions government is taking to improve its data security, read the Cabinet Office's report on Data Handling Procedures in Government, and the recommendations made by Kieran Poynter, Chairman of PricewaterhouseCoopers, in his review of information security at HM Revenue and Customs. Both of these reports provide guidance on what steps need to be taken to ensure data within an organisation is valued and protected.

The DPA has many ambiguities, but the ICO is approachable. So if you have any doubts as to whether aspects of the act apply to your organisation or whether your security measures are appropriate, it is best to speak with them directly.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.
