The Information Commissioners Office is now naming and shaming any one found in breach, or nearly in breach, of the data protection act, irrespective of if it was deemed severe enough to receive a fine.
How does this affect you? What impact would slack security policies, have on your image? If you can’t prove you keep information safe, can you fulfil your other duties to your customers?
If you discovered that an organisation that you use, and that holds your personal information, had been named and shamed for lacking in data protection procedures, how would you react? Would you take your custom else where, to a company that had not been named in such a way? As a business can you even take that chance?
In a time where the competition for business is stiff, it is imperative that you don’t stand out from the crowd for the wrong reasons.
The ICO has the ability to hand out crippling fines to a business or organisation that they deem to be in breach of the Data Protection Act, but it also names on their website, companies that are close to being in breach.
As far as the ICO is concerned personal data is categorised as:
“Data which relates to a living individual who can be identified –
(a) From those data, or
(b) From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
(b) From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
It is your responsibility to ensure that all the information that you hold is properly handled and properly controlled. The ICO also has the right to use criminal prosecution, non-criminal enforcement and audit, as well as the monetary penalties against those that are found in breach.
“The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.”
The question remains, what procedure should you have in place to ensure that you are not found in breach?
Well as far as the ICO is concerned there are some very basic measures that you should have in place such as, Shredding all your confidential paper waste and training your staff, and checking the physical security of your premises.
But there are also other measures that need to be taken, for instance, encryption on your computer systems, taking regular back-ups of the information on your computer system and keeping it in a separate location so that if you lose your computers, you don’t lose the information. Allowing your staff access to only the information they need to do their job, and strict rules on sharing passwords. You should be downloading the latest patches or security updates firewall and virus-checking on to your computers. And when it comes to disposing of old equipment, you must securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk).
Making sure that you have the correct policies in place is priceless when you consider the implications of not doing so. Its not just peace of mind, its good business practice.