The possible financial and commercial consequences of the loss of sensitive customer data or confidential corporate information are far reaching. Organisations need to be fully aware of the risks of losing data, as well as how to prevent it.
Such data is typically lost through carelessness, lack of training or theft. Furthermore, the loss of employee data is likely to be in breach of the Data Protection Act. This could leave an organisation open to legal claims by the employees and customers affected (if they can establish financial loss) or, alternatively, complaints to the Information Commissioner, who regulates this area. Brand damage aside, the damage to the morale and confidence of employees and customers could be substantial, further impacting on the business.
Barely a month passes without an organisation, frequently in the public sector, suffering damaging publicity through data loss. Data losses from government departments have caused embarrassment across Whitehall and have led to reviews of practice at departments such as Her Majesty’s Revenue and Customs (HMRC) and the Ministry of Defence, culminating in the publication of a Cabinet Office report on data handling procedures in government.
The widespread use of service providers also causes further complications, with third parties (such as contractors or suppliers) responsible for the loss of significant data. In August 2008, for example, unencrypted data on 84,000 prisoners held in England and Wales went missing after an employee of a large consultancy firm lost a memory stick. The missing data included names, dates of birth and information on the expected release of certain prisoners. Consequently, the employee responsible was suspended, and the consulting firm ultimately lost a lucrative Home Office contract.
The highest profile data loss was probably that suffered by HMRC in November 2007, when 25 million records containing the names, addresses, dates of birth and National Insurance numbers of the entire HMRC Child Benefit database went missing. Human error was again the cause: a junior member of staff decided to send the details by unrecorded and unregistered delivery through a courier service to the National Audit Office.
The government itself acknowledges that complete security of data may simply be impossible. Speaking in early November 2008, following the loss of a memory stick containing the passwords to a government website used to submit online tax returns, Prime Minister Gordon Brown explained that it was important to recognise that he could not promise that every single item of information held by the government would always be safe because mistakes in the communication of information were inevitable.
The most important piece of legislation to be aware of is the Data Protection Act 1998 which, among other things, sets down a number of principles for handling sensitive and personal data, such as:
- data should be processed fairly and lawfully;
- data should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal data.
Businesses should be aware that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Data Protection Act is entitled to compensation from the data controller for that damage.
Organisations should also be mindful of the powers of the Information Commissioner to impose fines for deliberate or reckless breaches of the Data Protection Act. This power was granted to the Information Commissioner in May 2008 under the Criminal Justice and Immigration Act – a clear signal that data protection must become a priority.
Additionally, while the Human Rights Act 1998 is only directly enforceable against public authorities (such as NHS Trusts, government departments or local authorities), private sector employers need to at least be aware of an individual’s right to respect for their private and family life, their home and their correspondence.
A final consideration is any contractual obligation that might have been breached by the unauthorised disclosure of information. For example, an organisation might have entered into a contract with a third party which incorporates terms relating to how the third party’s data will be secured or processed. Should these terms have been breached by any data loss incident, the third party may take legal proceedings for breach of contract.
The Information Commissioner regulates this area and, while the Codes of Practice that are issued are for guidance and not binding legislation, they will always be considered by Courts or Tribunals in determining proceedings in relation to any breach of the Data Protection Act.
The guidance covers a number of important areas for organisations that handle personal information and stresses that any organisation should analyse the potential risks that might flow from an unauthorised disclosure of the information, including:
- identifying specific staff who have responsibility for the security of such data;
- implementing appropriate security and organisational measures to ensure the safety of such data (both technical and physical security);
- considering the appropriate levels of security to be applied, such as encryption or password protection.
It also concurs with the Financial Services Authority (FSA), which produced a specific report following a review of industry practice and standards in managing the risk of data loss, that customer data must not be taken off site on laptops or other portable devices that are not encrypted; failure to comply can lead to FSA enforcement action.
Furthermore, it highlights that many firms do not undertake appropriate risk assessment regarding the potential loss of data, while implementation of data security policies is often patchy. The use of third parties is also identified as a potential point of weakness, with firms generally relying too much on the assumption that contractual terms are being met, without actually checking.
Over-riding everything, it is the data controller who ultimately still needs to comply with the principles set out in the Data Protection Act.
Important data, whether relating to customers, an organisation itself, or its employees, is clearly necessary for any organisation to function. To paraphrase the Information Commissioner, such data can be (and often is) both a crucial asset and a toxic liability. The challenge for all organisations is to assess the risks that they face, bearing in mind the categories of the data held, consider the possible consequences of any data loss, and then put in place appropriate and proportionate protections, both technical and physical, to ensure the security of the data as much as is humanly possible.
As the Information Commissioner acknowledged in an interview he gave in October 2008: 'things will inevitably go wrong, therefore you should plan for things going wrong'. Organisations have to become more aware that holding large elements of personal data creates a significant risk and therefore substantial protective measures are needed in order to secure that data.