Protection of information

Hi all

Security is always a big deal these days with regards to data protection - and so it should be in my honest opinion. Data protection should be high on the agenda for any company, especially those who handle larger amounts of personal data.

The thing is, what do we do about protecting it? The GDPR and Data Protection Act talk about securing data, especially special category data, ensuring that we secure our data is one of the data protection principles and that is integrity and confidentiality, known as the security principle; the GDPR says this about this principle, "processed in a manner that ensures appropriate security of the personal data." You'll find it at article 5f. Remember that the term 'processing' is the term used for receiving data, storing it, doing something with it or deleting it.

What people and companies want to know is, what kind of data do they have and how do they protect it? The answer here is not as straightforward as one would want, after all, companies process data in ways that they consider normal, but don't always want to go through the rigmarole of security to get to it. The trouble with this is evident, the easier it is to get to something, the easier way for a data breach to occur.

Let's take the example of a company processing health data (that's special category data) on their password protected PC's, accessible by many in an office. Do you think that it is right to just be able to log on to the computer and have access to those health files? I understand if you do because of the security applied to the PC. What we need to understand is that, should there be a data breach, the ICO has heard it all before, what they want to know is how you act, but before we go down that path, let us say that not only did you password protect the PC's, but you also password protected the word documents on the system as well, so anybody who gets access who shouldn't have done, can't get access to the vital data - and this is why integrity is so important. Integrity is all about keeping data together, so it doesn't get split up if you like, keeping data with integrity is maintaining its security, and not just allowing data to be processed because it's easier to work, that's no excuse. People will always, always moan when there is a data breach and yet, knew that security was lapse in the first place. Why didn't they want something done about it? Because it was easier to work. The ICO isn't interested in these excuses when it comes to data breaches.

Mitigating any data breach is top of the ICO's agenda, also near the top is what security you applied in the first place and, what have you done about a data breach since - and this is the hard part. The GDPR asks you to keep data confidential, after all that is what principle 5f is saying you should do, if you follow the data protection principles you will know that these principles are used to prosecute people. They look at the act and decide where you were complacent, that is why you use the principles to your advantage, even if you look no further in the regulation, at least make yourself aware of the principles of data protection because at the end of the day, these principles are used to 'have a go at you' should you fall foul of data protection laws. You'll only realise that you had 'tons of data' to secure, when you have a reported data breach and it sets the cat among the pigeons with the ICO or your National Supervisory Body.

Do something about it now. To mitigate any data breach we need to do a few things:

  1. Apply security relevant to the local environment;
  2. Apply security relevant to where the data is being processed and;
  3. Only allow access to those who require it in the course of their duties, anyone else should be excluded.

And that's confidential.

Laters

SteveB

Steven Burgess is Data Protection Officer for Disclosure Services Limited, A company specializing in the processing of data for criminal record checks.