Last month saw the Information Commissioner’s Office (ICO) take enforcement action against two separate parties who failed to meet their obligations under the Data Protection Act 1998 (DPA) and adequately safeguard the personal data they held.
One was a self-employed individual, the other a large public authority. The action serves as a reminder to all organisations, whatever their size, that hold and/or process personal data to ensure they have adequate technical and organisational procedures in place to keep that data secure.
Solicitor Loretta Maxfield explores why the ICO sanctioned the parties as it did, looking at what organisations handling personal data should take into consideration in relation to keeping personal data secure and discusses what the future looks like for those that do not have adequate technical and organisational procedures in place.
ICO Enforcement
On 10 March 2017 an English Barrister was fined £1,000 after client files were uploaded to the internet. The Barrister had created client files on her home computer, many of which contained highly sensitive information about children and vulnerable adults. The computer was password protected but the client files themselves were unencrypted. Her husband also had access to the computer and, while updating it, uploaded the files to an online directory for storage. Thereafter 15 of the 275 documents could be found with a simple internet search, affecting around 200-250 individuals.
It was found that the Barrister had not used appropriate technical measures to prevent the unlawful or unauthorised processing of the information. The Bar Council had issued guidance in January 2013 that computers used by others, such as family members, may require encryption to prevent unauthorised access to confidential information. The Barrister knew her husband could access the files, yet did not put such protection in place. The absence of encryption is what allowed the files to be accessed by third parties. The ICO found that the Barrister ought to have known there was a likelihood of the documents being accessed, and that substantial distress would be caused to her clients if the information was used in ways they had not intended.
In a separate matter concerning Norfolk City Council, on 15 March 2017 a third party collected some office furniture, previously used by the children's social work team at the Council, to take away as part of an office move. Four days later one of the filing cabinets collected was bought from a second-hand furniture shop. When the buyer took the filing cabinet home they discovered that it contained a number of case files relating to children. The ICO found that the Council had failed to take adequate steps to safeguard the personal data: with no written procedures governing the furniture removal process, it should have foreseen the risk to the security of the personal data held in the files. As in the previous case, the Council ought to have known that distress would be caused to the individuals involved if the information were used in ways they had not agreed to. The Council failed to take reasonable steps to protect the security of the personal data and was fined £60,000 for its failures.
What measures should you have in place when processing personal data?
The appropriate level of security to adopt will depend on various factors. There is no one-size-fits-all approach, and the technical and organisational measures adopted by your organisation must be tailored to the following:
the nature of the information being processed;
the cost of implementation of any measures and your circumstances;
the potential harm which may result from a data breach;
the state of technological development; and
the size of your organisation (if appropriate).
With these considerations in mind, there are a number of measures you can implement to protect personal data, such as:
Technical measures:
use of passwords on computers/files;
encrypting digital documents to restrict access;
anonymising physical paper documentation to protect the identity of the individuals concerned.
Physical measures:
having CCTV in place;
a clean desk policy;
lockable filing cabinets;
regular training among staff;
disposing of paper waste appropriately; and
controlling access to your premises.
Whatever techniques you opt to use, the steps taken to limit the opportunities for data subjects to suffer distress should always be carefully considered. It is advisable not only to have these physical and technical security measures in place but also to establish management procedures within your organisation that create a culture of awareness. People are often the first line of defence when it comes to data security.
What is the future for those that do not have adequate technical and organisational procedures in place?
The DPA is soon to be replaced by the General Data Protection Regulation (GDPR) in May 2018. This will place a more onerous obligation on organisations to adequately protect the personal data they hold, whether it concerns employees, customers or third parties.
Currently the ICO can impose fines of up to £500,000 for a breach of the DPA, but the monetary penalties are to increase considerably under the GDPR. The maximum fine is to be set at the greater of 4% of turnover or €20M, which could be a significant blow to organisations. It should also be borne in mind that the ICO will have other non-pecuniary enforcement powers at its disposal, including ordering an organisation to stop processing data, which could cause serious business disruption.
If your organisation collects, stores or otherwise processes personal data, we strongly recommend that you consider whether adequate technical and organisational measures are in place to protect the security of the personal data you hold in line with current requirements. Going forward, a review should be undertaken to ensure that, come May 2018, such measures meet the requirements of the GDPR.
If you would like further information on any of the issues raised in this article, please contact Loretta Maxfield on lmaxfield@thorntons-law.co.uk