Act now or pay later

The public sector has a poor track record when it comes to data security. With the Information Commissioner about to be handed new powers to levy substantial fines, it is more important than ever for local authorities to get their approach right, says Barbara Anthony.

Until recently, data protection law had not often been headline news. The high profile losses of personal information by various public authorities – most notably the loss by HM Revenue & Customs of the personal information of 25 million people – put an end to that.  

The Information Commissioner's Office (ICO) has described the number of incidences of loss or theft of personal data as "unacceptable". According to the ICO, some 434 organisations reported security breaches in the past 12 months, up from 277 the year before.

It appears that public bodies are still taking a while to catch up with the ICO's message, with a lack of security standards and poor awareness and training about security risks seen as the two biggest challenges. A quick scan of the ICO's press releases for 2009 shows that a range of councils, NHS trusts, housing associations and other organisations have run into problems.

And they continue to do so – press reports in November revealed that a laptop had been stolen from St Albans District Council containing personal details on more than 14,000 local postal voters. A month earlier saw the theft of a laptop belonging to Wigan Council which held personal data on almost 43,000 pupils.

The need to get data protection systems right has now been given an added urgency. Currently, the Information Commissioner only has the power to either serve an enforcement notice or accept an undertaking from an organisation found to be in breach of the data protection principles.

From 2010, new powers introduced by the Criminal Justice and Immigration Act 2008 will enable the Information Commissioner to impose a substantial monetary fine on any organisation which is found to have recklessly or deliberately breached the Data Protection Act 1998. The level of the fine has yet to be set by the Ministry of Justice but it is envisaged that it will be up to a maximum of £500,000.

In order to exercise this discretionary power, the Information Commissioner must be satisfied that:

  • There has been a serious contravention, by the data controller, of the requirement to comply with the data protection principles;
  • The contravention is likely to cause substantial damage or substantial distress;
  • The contravention was deliberate;
  • The data controller knew or ought to have known that there was a risk that the contravention would occur and that such a contravention would be likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

The ICO has issued draft guidance on the use of its new powers. The guidance highlights that the Information Commissioner may choose not to impose a fine if the organisation can show that it had proper procedures in place to prevent a breach.

Given the nature of electronic storage devices like laptops and memory sticks, it is never possible to eradicate the risk of their loss or theft, as the Wigan Council case shows. However, all local authorities should have policies in place to ensure that such loss or theft does not compromise employee and other personal information. This should include policies on taking staff and third party personal information off-site, and on the use of mobile computing, memory sticks and other data storage media.

The ICO has stated that anyone holding personal information should know the basics of encryption to protect such information. Clearly local authorities will need to review whether such knowledge exists amongst their employees and officers and, if it does not, put in place training and, if necessary, invest in the relevant software to enable encryption.

Other safeguarding procedures and measures could include:

  • Risk assessments of the personal data held and the steps taken to address those risks;
  • Clear audit/governance arrangements identifying clear lines of responsibility for preventing data protection breaches;
  • Implementation of any guidance relevant to the data protection risk;
  • Implementing ISO 17799 on Information Security Management (available from www.iso.org) which sets out very practical guidance on data security – from the siting of computers and use of ‘mobile computing’ facilities to the use of fax machines for sending personal information.

Public bodies should take note of the Information Commissioner’s new powers and review their data protection procedures to ensure that they have taken all reasonable steps to prevent a breach from occurring.

Barbara Anthony is a solicitor in the insurance and public risk team at Browne Jacobson