If your business stores client names, addresses and details, it has a duty of care to safeguard that data. Most organisations will also be storing bank account details for invoicing, as well as other important information. What if you lose that information? According to the Information Commissioner’s Office, if you do not follow their eight principles your business is negligent – but what are those principles?
The good news is that there is nothing terribly difficult about the principles, and most are simply ‘good common sense’. However, one of our data recovery clients was given a £½ million fine for a serious data breach, which could easily have been avoided had they known their responsibilities.
The overriding principle is that data must be handled fairly and lawfully. This means that you should have legitimate reasons for collecting and holding on to data, and be transparent about how you intend to use it. Similarly, there should be no adverse effects for those whose data you hold.
As an organisation you are not allowed to process any data other than for its primary purpose. For instance, if you hold the bank account details of clients, you can only use them for accounting purposes. When you no longer act for a client, you will have no reason to retain their details, and the data should be securely destroyed. The Information Commissioner’s Office is very clear about holding on to data that no longer serves a purpose.
Importantly, your organisation must ensure that any data is properly safeguarded against loss, both technically and physically. Whilst the Information Commissioner’s Office does not dictate how data should be secured, an organisation should typically take as much care as it would take to protect its own data. ISO27001 (Information Management) is a useful standard to refer to when in doubt. Essentially, limiting physical access and using encryption are considered sufficient for most purposes. Theft of data from laptops is the most common cause of data breaches, and mobile users should always employ encryption.
Lastly, these principles cover transferring data. Sharing data outside the European Union is ill-advised, unless the receiving organisation guarantees adequate protection and freedom of information for individuals and organisations.
Tony Pitter, the Managing Director of Data Recovery Specialists, says: “Our computer forensics team are kept busy investigating and reporting on serious data breaches. These are wholly unavoidable with a little foresight. The Data Protection Act is mostly common sense, and organisations should understand that even the smallest data breach can be devastating for those concerned.”