Data protection: best practice

Regular audits, higher penalties and controlling the use of USB pens in organisations could all improve the protection of data, Assistant Information Commissioner Ken MacDonald tells an agendaNi conference.

Fines of up to £500,000 can be issued by the Information Commissioner’s Office (ICO) for data protection breaches.

To date, though, the biggest fine the authority has levied is £100,000. Hertfordshire County Council was forced to pay out after it faxed information on child protection to the wrong recipient in two separate cases.

Assistant Information Commissioner Ken MacDonald explains that on the first occasion “rather graphic” information was sent to a private individual. In the second case, sensitive legal papers were faxed to a solicitor’s firm, where they were mistakenly “passed around the whole office” to determine who was dealing with the case before it emerged that nobody in the firm was responsible.

The Information Commissioner’s Office (ICO) was set up in 1984 as the Data Protection Registrar to uphold information rights, promote openness by public bodies and ensure data privacy for individuals. MacDonald leads the Scotland and Northern Ireland offices.

“When we look at monetary penalties, one of the things we will take into account if we are considering levying one is the resources that are available to the organisations,” he remarks.

The ICO recognises that small companies may not be able to pump the same level of resources into data security as large corporations or the public sector. However, this is “not an excuse” if there is a breach and the full picture would have to be examined before a decision on penalties would be made.

Failure to follow an enforcement notice is a criminal offence so it is a “very powerful sanction”.

Many companies have a different view of what measures should be taken to protect data but MacDonald contends that they must appreciate that it’s not all about technical solutions.

“Appropriate measures will be determined by the characteristics of the data which you hold, the sensitivity of it, whether or not it’s very basic information,” he comments.

Sensitive information

Encryption is becoming “increasingly important” and the ICO is planning to take action in cases where sensitive information is lost from laptops or USB sticks that haven’t been encrypted.

Blocking ports should be a priority for companies and questions should be asked as to whether it is necessary for an individual to be able to download things onto USB sticks and other portable media. “If it’s not, then block the port because otherwise there is a risk,” advises MacDonald.

Every organisation should have an up-to-date asset register so that they know “exactly what sort of IT equipment they have” and where it is. He cites the example of the old Belvoir Park Hospital, where computer equipment and patient files were left in derelict buildings: “It appears that there was no clear register of ownership of what had been in that site before the trust merged.”

Holding onto data when it is no longer useful is asking for trouble, warns MacDonald, because “every piece of data that you hold is a piece of data that could go missing”.

Information should be disposed of carefully and securely, which may mean employing a specialist contractor to ensure that hard drives and other media holding sensitive information are “destroyed appropriately”.

MacDonald recommends that companies request an audit of data protection by the ICO: “We’ve had a couple of audits on aspects of data handling within Northern Ireland public authorities over the last few months.” He says that the ICO is “broadly happy with what is happening” in the province.

One of the biggest data security breaches occurred in 2007 when two HMRC CDs with the personal details of 25 million people were lost. MacDonald states: “This is the case that suddenly we realised exactly the volume of information that could go missing.”

In his concluding remarks, MacDonald advised: “You will have to give data out at times but make sure that if you are giving it out it is given out in accordance with the law and not on one of these USB sticks.”