Security of personal information - a guide for SMEs

by Hywel Evans

In the last 12 months a number of high profile breaches of data security have been reported. For example, documents from government departments and financial institutions have been found dumped in public places, nine NHS trusts have admitted losing patient records covering hundreds of thousands of adults and numerous laptop computers containing personal information have been stolen or left in public places.

One of the most high profile public sector breaches of data security was committed by HMRC who lost child benefit data containing the names, addresses, dates of birth, national insurance numbers and where relevant bank details of 25 million people. The missing discs have never been found.

These data security lapses are not restricted to the public sector. HSBC admitted losing a disc with the details of 370,000 customers and although the data was password protected it had not been encrypted. In 2007, both Nationwide and Norwich Union suffered heavy fines and public reprimands for data security lapses.

In the wake of these recent reports and the increased media scrutiny, the Information Commissioners' Office (ICO) has issued a "Data Protection Good Practice Note on Security of Personal Information." This guidance will help SMEs comply with the Data Protection Act 1998, which requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and accidental loss, destruction and damage. At the same time the guidance will assist SMEs in deciding what approach and which security measures are appropriate in relation to the protection of the personal information they hold.

1. What personal information does the organisation hold?

   The guidance firstly focuses on the nature of the personal information controlled by the organisation and whether the organisation actually processes the information, or whether this is carried out by a third party acting on its behalf. An organisation needs to consider the value or sensitivity of the personal information and the consequences of a security breach.

   The ICO gives this example:

   "If you only have information that is publicly available then your security measures will focus more on protecting your premises, equipment, and any interruption of business a security breach could cause. If you have highly sensitive or confidential personal information, for example, about people's health or finances that could cause them damage or distress if this information fell into the hands of others, you will need to concentrate on any potential threat to the information and the vulnerabilities of your security measures."

2. Who is in charge?

   The guidance emphasises that someone in the organisation should have day to day responsibility for security measures, policies and procedures and ensuring compliance with such policies and procedures.

3. The organisation's security measures will depend on its own circumstances

   These circumstances will include the information it holds and how it is used, the premises, computer systems, the number of staff the organisation has and what access staff have to the personal information.

4. In light of the circumstances set out in paragraphs 1-3 above, an organisation will need to consider: (a) organisational measures; (b) staff; (c) physical security; and (d) computer security.
   1. Organisational Measures

      In deciding what organisational changes an organisation may need to implement, the organisation should consider its existing security policies and procedures (does it have any?). Also, does the person in charge have the authority and resources to ensure that this is prioritised and what access to personal information is given to persons outside the organisation.

      The guidance highlights a particular problem that often causes security problems: using a third party to process personal information. Particular care must be taken because it is the organisation that takes legal responsibility for what the third party provider does with the personal information. An organisation must follow certain steps laid down in the Act when a third party provider is used.

      1. The organisation must choose a provider that offers guarantees about the security of the processing it will do for the organisation.
      2. The organisation must have a written contract with the provider that sets out what the organisation allows the third party to do with the information. As a minimum it would expect the contract to be clear about its use and disclosure of the information. The contract must also require the provider to have in place security measures that are the equivalent of those the organisation would need if it were doing the job for itself.
      3. The organisation must take reasonable steps to check the provider is taking those security measures.
      
      
   2. Staff

      A high proportion of security incidents are staff related. The Act requires reasonable steps to be taken to ensure the reliability of staff that have access to personal information. For example:

      1. Reasonable steps at the recruitment stage to check the identity and reliability of staff who have access to personal information.
      2. Confidentiality provisions in employment contracts.
      3. Training of staff in relation to information holding, recognising "phishing" emails and the personal use staff can make of computers or phones.
      4. Making staff aware that they could commit a criminal offence if they give out or try to access personal information without the organisation's consent.
      
      
   3. Physical Security

      As has been highlighted in the media recently, many security incidents relate to the theft of laptops or briefcases. The organisation should check the security of its premises, its storage of paper based personal information, laptops and other portable equipment at night, the disposal of paper waste, control of access of visitors to its premises and whether people can see its computer screens from outside its buildings.

   4. Computer Security

      Computer security must be appropriate to the extent and usage of a computer system. The Act does not require "state of the art" technology (cost can be taken into account) but the measures taken must still be appropriate for the harm that could result and the nature of personal information processed.

      In deciding appropriate security for an organisation, the following should be considered:

      1. The management of the operation of the computer systems.
      2. Whether the organisation has servers (to which access will probably have to be limited and the organisation may need specialist security advice).
      3. Protection against loss of information if for example the power fails.
      4. Maintenance of equipment to prevent loss or interruption.
      5. What controls access to the computer systems? The strength of passwords and whether access to information is controlled by setting privileges.
      6. Does the organisation receive regular security updates for software?

      The Guidance also highlights the following questions:

      1. Does the organisation have procedures to securely delete information from computers?
      2. Whether and how often information is backed up?
      3. If the internet and email are used, what security measures are already in place, including firewalls and virus protection?
      4. Are there procedures in place if computers are hacked into or infected?
      5. Are staff warned about the insecurity of email and to ensure that sensitive information sent electronically is encrypted or sent by other means?
      6. If the organisation trades electronically, does it have the means to verify identities by the use of logons and passwords?

The guide also highlights considerations when laptops and portable media such as memory sticks and discs are taken out of the office. For example, are these devices transported securely with the organisation's permission, whether the loss of information contained could cause distress to people and whether these devices are encrypted?

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

The ICO states that personal information, which is stored, transmitted or processed in information, communication and technical infrastructures should also be managed and protected in accordance with the organisation's security policy and using best practice methodologies such as using the International Standard 27001. Further information can be found at 27001-online.com.

Where laptops are stolen after being left inadequately protected in inappropriate places, for examples cars or houses, and encryption software has not been used to protect the personal information then the ICO has said that it will take enforcement action.

This guidance should prove useful for SMEs when implementing and reviewing its security measures, policies and procedures. To assist with deciding what security measures to implement, the guidance also contains a list of helpful sources of further information about data security.

The Financial Authority Services (FSA) has also produced a factsheet "Your Responsibilities for Customer Data Security" which sets out factors to consider when handling, storing and disposing of personal information. This user friendly factsheet helpfully sets out the key points for each of the main issues and questions SMEs should ask themselves. Although the factsheet is aimed at SMEs in the financial services sector, it is also relevant to all SMEs who handle, store and/or dispose of personal information.

The ICO's Data Protection Good Practice Note on Security of Personal Information is available along with other useful information relating to data protection at www.ico.gov.uk.

The FSA's factsheet "Your Responsibilities for Customer Data Security" is available at www.fsa.gov.uk.

About the author
Hywel Evans is a solicitor in Hugh James’ commercial and technology practice. Hywel advises on general commercial, technology and intellectual property transactions. He has acted for both private sector and public sector clients in a broad range of sectors within the UK including blue chip corporations and suppliers with operations in the finance, insurance, IT and telecommunications sectors. Hywel has particular experience of technology and communications contracts, outsourcing and procurement. Prior to joining Hugh James, Hywel trained at Bird & Bird and was a solicitor at Clyde & Co. Find out more about Hugh James at www.hughjames.com.

Send a comment about this article to editor@itwales.com.