Data security breaches - why all the fuss?

13 July 2009
Until recently, data protection law had not often been headline news. The recent high profile losses of personal information by various public authorities - most notably the loss by HMRC of the personal information of 25 million people - put an end to that. Simon White takes a look at how local authorities can best comply with the Data Protection Act.

Richard Thomas, who headed the Information Commissioner's Office (ICO), which enforces the Data Protection Act, until June of this year, summed up the sea-change that needs to take place:

"Twenty five million records going missing from the HMRC is one of the most significant breaches in the history of data protection. This incident and its aftermath mark a turning point for data protection in the UK. Safeguarding large amounts of personal information - valuable assets for any organisation - has to be taken seriously from the top…the onus is on every organisation - and every leader within that body - to ensure there are clear lines of accountability to stop things from going badly wrong." (www.ico.gov.uk)

But organisations are taking a while to catch up with the message from the ICO. As recently as April, it was revealed that Wigan Borough Council had a laptop containing the personal information of 33,000 children stolen.

Legal consequences of data loss

The law already provides that local authorities can be sued directly in the civil courts by individuals whose personal information is lost in breach of the Data Protection Act. It is not difficult to envisage a scenario in which an individual whose data has, for example, been stolen on a local authority laptop and used by criminals suffers significant damage and distress as a result of that data loss.

The ICO also has powers to fine local authorities up to £5,000 for each breach of the Act. This brings with it inevitable reputational damage which can cause more harm than the fine itself.

Changes to data protection law

In the wake of recent breaches of the Act, the government has pushed through amendments to that Act, imposing new criminal penalties which should leave organisations in absolutely no doubt that safeguarding personal information held by them is vital.

New criminal sanctions

The Act has been changed so that organisations and their relevant officers who recklessly breach the Data Protection Principles, which enshrine the key aims of the Act, may, in the near future, be fined a significant sum by a crown court. Details of exactly how significant the fines under the new system will be are to be released by the government in Autumn 2009.

The Act requires, through the Seventh Data Protection Principle, that local authorities (along with all other data controllers) "…take appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Given the nature of electronic storage devices like laptops and memory sticks, it is never possible to eradicate the risk of their loss or theft. However, all local authorities should have policies in place to ensure that such loss or theft does not compromise employee and other personal information. Such policies should include a clear notice that laptops containing personal information must not be left in cars, even if those cars are locked.

Richard Thomas specifically stated that anyone - whether employee or data controller - holding personal information should know the basics of encryption to protect such information. Clearly, local authorities will need to review whether such knowledge exists among their employees and officers and, if it doesn't, put in place training and, if necessary, invest in the relevant software to enable encryption. A failure to do so, even if it does not amount to recklessness resulting in criminal sanction, could be evidence for a civil claim in negligence.

Staying on the right side of the law

So what else can local authorities do to ensure they do not fall foul of the rules relating to information security under the Seventh Data Protection Principle?

Local authorities should:

  • ensure that there are policies on taking staff and third party personal information off-site, and on the use of mobile computing, memory sticks and other data storage media
  • ensure these policies are properly communicated to employees and enforced
  • invest time in ensuring that they implement ISO 17799 on Information Security Management, which sets out very practical guidance on data security - from the siting of computers and the use of mobile computing facilities to the use of fax machines for sending personal information
