Keep Personal Data Safe
How Important Is It To Keep Personal Data Safe?
After all the press and outrage regarding the News International hacking scandal this week, I thought it only right to produce a post on how important it is to keep personal data safe.
Data protection has been a huge issue in the last few years and concerns all those who process personal data, but it has particular significance for those involved in storing and processing records. In the workplace this will be the people in charge of processing employment records such as interview notes and sickness records.
Those who frequently read, or have access to, personal data as part of their job, for example working on a customer database, will need specific training. Training will ensure that they are fully compliant with the provisions of the Data Protection Act. If you’re an employer, it is your responsibility to ensure these staff are trained, educated and reliable and we would also recommend adding a confidentiality clause into their contracts of employment.
Should this data fall into the wrong hands, the employer is liable to pay compensation to the individual whose data has been compromised. Where this situation occurs, and the employer has failed to comply with DPA provisions, the individual is able to claim for damages and, sometimes, distress caused. If an employee suffers damages, he or she may also apply to court for an order that the employer rectify, erase, block or destroy the relevant personal data. Such an order would only be made where there was a substantial risk of further contravention from the data.
Failure to Comply
The implications of failure to comply with the DPA can be huge, from both a PR and financial perspective. Take these two examples:
In 2010, two employers, Hertfordshire County Council and A4e, were found to have seriously breached the Data Protection Act 1998 and were fined £100,000 and £60,000 respectively.
The first fine of £100,000 was issued to Hertfordshire Council for two incidents in June 2010 when sensitive personal data from the Council’s childcare litigation unit was accidentally faxed to the wrong numbers.
- The first incident occurred on 11 June 2010 when a member of staff in the childcare litigation unit sent a fax relating to a child sex abuse case and containing sensitive personal data relating to seven individuals, to a member of the public instead of a Barrister’s chambers. The Council only became aware of the mistake when the member of public contacted them. As the personal data contained in the fax related to a case due to be heard at the High Court, the Council obtained an injunction to prohibit the member of the public from disclosing any information about the case, so as not to prejudice the hearing.
- The second incident occurred on 24 June 2010 when another member of staff in the childcare litigation unit sent a fax containing sensitive personal data concerning the care proceedings of three children to the wrong number. This time, the fax was sent to a Barrister’s Chambers, instead of the Court Manager at Watford County Court.
Another thing that didn’t go in the Council’s favour was their failure to use a fax header sheet giving details of who to contact and what to do with a misdirected fax. The Information Commissioner also noted their lack of any procedure for sending faxes, such as ‘phoning ahead’ to the recipient before sending the fax, or requiring the recipient to verify receipt of the fax immediately. The Information Commissioner also commented that companies should be aware of the “risks” when sending such information by fax.
A4e (Action 4 Employment)
The second fine, this time of £60,000, was issued to A4e Limited. A4e are contracted by the Legal Services Commission (LSC) to operate Community Legal Advice Centres in Hull and Leicester. Under the contract, Sheffield-based A4e was required to send the LSC, and relevant local authorities, regular reports about the service. These reports included statistics about the individuals who had accessed services provided by the advice centres.
One of A4e’s employees was issued with a company laptop so that she could work on these reports at home. To carry out this work, the employee loaded personal data from A4e’s central secure server onto the laptop. As is the case for many people, the security settings on her laptop required only a password.
Unfortunately, on 18/19 June 2010, the employee’s home was burgled and the aforementioned laptop was stolen. It contained personal data (including sensitive personal data such as ethnic origin) relating to around 24,000 individuals.
The Information Commissioner criticised A4e for failing to encrypt the computer provided to the employee and failing to provide the employee with security devices for the laptop, such as a Kensington lock or a cable.
Despite A4e having a data protection policy, it later transpired that the individual employee had not been trained on it. Furthermore, in the Information Commissioner’s view, A4e should have ensured the laptop was encrypted before it was issued to the employee, rather than leaving it to the employee to arrange encryption.
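The Commissioner’s point is that a laptop should be verified as encrypted before it leaves the IT department, not left to the employee. As an added example (not from the original post or from A4e), the following POSIX shell script performs that pre-issue check on a Linux laptop: it walks from the device mounted at / down through its parents (LVM, partition, disk) and passes only if one of those layers is a dm-crypt (LUKS) device. It assumes util-linux’s `findmnt` and `lsblk` are present; a Windows fleet would check BitLocker with `manage-bde -status` instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a Linux laptop's root
# filesystem is backed by a dm-crypt (LUKS) layer before the laptop is issued.
# Assumes util-linux (findmnt, lsblk). A password-only login does not protect
# data at rest; full-disk encryption does.

# chain_has_crypt reads one block-device TYPE per line from stdin, in the
# order `lsblk -s` prints them (the device holding /, then its parents), and
# returns 0 if any layer in that chain is a dm-crypt device, 1 otherwise.
# Trailing padding that lsblk may add to the column is ignored.
chain_has_crypt() {
    awk '$1 == "crypt" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# root_device_types prints the TYPE of the device mounted at / followed by
# the TYPE of every device beneath it (e.g. lvm, crypt, part, disk).
root_device_types() {
    src=$(findmnt -n -o SOURCE / 2>/dev/null) || return 1
    lsblk -s -n -o TYPE "$src"
}

# check_root_encrypted prints a verdict and returns 0 only when the root
# filesystem sits on an encrypted layer, so it can gate an issue checklist.
check_root_encrypted() {
    if root_device_types | chain_has_crypt; then
        echo "OK: root filesystem is on an encrypted (dm-crypt) device"
        return 0
    fi
    echo "FAIL: root filesystem is NOT encrypted; do not issue this laptop"
    return 1
}

# Run the live check only when invoked with --run, e.g.
#   sh check_root_encrypted.sh --run
case "${1:-}" in
    --run) check_root_encrypted ;;
esac
```

The exit status is what matters for automation: an asset-management script can refuse to mark a device as "ready to issue" until `check_root_encrypted` returns 0. Checking the whole parent chain rather than just the root device is deliberate, because a common layout puts the root logical volume on top of LUKS, so the mounted device itself reports as `lvm` and only its parent reports as `crypt`.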
As employers, or business owners, it is essential that you have security measures in place that stop unauthorised people from accessing data. This could be employee data, client data or otherwise. If it’s somebody’s personal data, you are liable if it ever finds its way into another person’s hands.
Training is important: weigh the cost of training against the cost of a hefty fine from the Information Commissioner. Now, go and encrypt all your company computers, buy some padlocks and secure that data!