ARTICLE
13 December 2007

Data Security: Avoiding The Limelight

HM Revenue & Customs; Nationwide; Orange; Foreign and Commonwealth Office; to name a few organisations recently in the limelight for the wrong reasons.

The most recent high profile data security breaches contain an important message for all organisations about data security. It is often an organisation’s most basic and avoidable failings that lead to security breaches. The damage caused by such breaches – reputational, financial and in wasted management time – can be huge, but they are not difficult to prevent, especially with the right help.

At the heart of things is the obligation under the Data Protection Act 1998 (DPA) on all organisations that:

  • process their own personal data (ie as a Data Controller), or
  • appoint a third party to process personal data on their behalf (ie a Data Processor)

to take all appropriate measures, both technological and organisational, to keep that personal data safe and secure. Though many organisations focus on the technological aspects of security, in the recent high profile cases it has been at an organisational level that failures have occurred.

In Practice, What Does This Mean?

If an organisation is processing its own personal data, it needs to address:

  • how and where it holds personal data.
  • does it have a data/IT security policy and, if so, does it actually action/implement it and monitor compliance with it?
  • who has access to the personal data? Are these persons vetted? Do the persons who have access include temporary employees?
  • what training, supervision and ongoing monitoring procedures have been put in place to increase its staff's awareness of data security requirements and of the consequences of a breach?
  • has it identified and prepared the response team it would mobilise in the event of a breach?
  • what arrangements are in place to deal with concerned customers and/or employees?

If an organisation has appointed (or is going to appoint) a Data Processor to process its personal data within the UK, the DPA requires that:

  • it undertakes checks as to whether the proposed Data Processor can provide adequate security for personal data held, processed, stored, destroyed or transported/transferred, and monitors these on an ongoing basis.
  • it has a written contract with the Data Processor that, as a minimum, imposes obligations on the Data Processor:
      • to take all appropriate technological and organisational measures to ensure the security of the data, and
      • only to process personal data in accordance with instructions given by the Data Controller.

Additional important provisions to incorporate include an obligation on the Data Processor to notify the Data Controller immediately on the occurrence of any actual or suspected security breach and meaningful audit rights.

Remember, if a contractor has access to personal data (eg as a payroll processor, website host, software support provider, offshore service provider, etc), they are your Data Processor. The DPA does not impose obligations directly on Data Processors. If Data Controllers do not impose those obligations by contract, not only are they breaching the DPA, but they also lose the opportunity to transfer the risk to their processor.

If an organisation appoints a third party outside of the European Economic Area, there will be additional requirements to meet.

The Price Of Getting It Wrong

The consequences of failing to take these key steps can include major reputational damage, substantial financial damages and regulatory investigation.

  • The loss of trust caused by a major security breach, whether of customer or employee data, can be very hard to restore.
  • If an individual suffers financial loss because of a breach of the DPA, he/she can sue for that loss and also recover damages for distress – multiple identity theft through security lapses can mean significant damages claims.
  • If the Data Controller has failed to put in place internal security, or failed to require their Data Processor to do so, they are in the firing line and, in the latter case, with little or no recourse against their Data Processor.
  • The Information Commissioner, the DPA regulator in the UK, can and will investigate, with or without a complaint from an affected individual. Dealing with an investigation will involve substantial management time and legal costs and will often involve the Information Commissioner requiring binding and public undertakings as to future data management, breach of which is a contempt of court. It also puts the organisation involved on the Commissioner's "radar" for the future.

How Can Hammonds Help?

We have extensive experience in advising clients in:

  • setting up workable internal structures for ensuring data security.
  • drafting Data Processor agreements with effective protections appropriate to the type of processing and the sensitivity and particular risks involved.
  • dealing with major security breaches – advising clients on their rights and obligations, enforcing rights against Data Processors, setting up identity theft monitoring and insurance arrangements and dealing with complaints to the Information Commissioner.
  • advising international organisations on major worldwide data sharing and data transfers.

Whether you are appointing, or being appointed as, a Data Processor involving national or international data transfers, dealing with a security breach, or need help in ensuring you avoid one, our highly regarded data protection team are ready to help. They can also assist on all other aspects of data protection law, whether at a strategic or implementation level.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
