Data protection laws in UK and Europe
The Data Protection Act has been in force in the UK since 1984, and was superseded by the Data Protection Act 1998, which is intended to align UK legislation with the European Directive of 1995 requiring member states to protect people’s fundamental rights and freedoms, including their right to privacy regarding the use of their personal data.
Any company holding personal data on individuals in the UK must register with the UK Information Commissioner’s Office (ICO) and take steps to adequately protect that data.
It should be noted that the Data Protection Act covers any personal information that is held on a computer or held on a relevant filing system. In some cases even a paper address book can be classified as a ‘relevant filing system’; for example diaries used to support commercial activities such as a salesperson’s diary.
Since April 2010, the ICO has had the power to levy fines of up to £500,000 for breaches of the DPA.
David Smith, the Deputy Information Commissioner, says the ICO balances the level of the fine imposed on an organisation according to a number of factors.
‘We apply fines based on the seriousness of the breach and the damage and distress that the breach has caused. An organisation has also got to have failed to take adequate steps to protect their data,’ he explains.
Since April 2010, the ICO has imposed fines on only four occasions, the largest fine of £100,000 being against Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, concerned a matter that was before the courts, and the second involved details of care proceedings.
According to Smith the ICO sees its role as protecting privacy and individuals from having their data used in a way that could cause them harm.
Some lawyers argue that this is a definition that could be open to interpretation as the use of information develops in the 21st century, and that there is a need to further strengthen the ICO by giving it the power to impose custodial sentences.
However, Smith says that there are no plans at present to add to the ICO’s powers in that way.
‘Ministers have said that they are not minded to introduce custodial sentences for data protection offences,’ says Smith, though he added that it was likely that the ICO would be granted the power to make breaches recordable offences – and to be able to confiscate the proceeds of crime.
The area that concerns the ICO in particular is the trade in personal data of the sort exposed in the recent media hacking legal actions involving the News of the World and the social engineering of data from companies.
‘The practices of blagging and social engineering to obtain information from a data controller that you are not authorised to have are areas of great concern to us,’ says Smith, who added that the ICO would also come down very hard on people who misused personal record data held on their employer’s system.
‘If, for example, someone sold details from a mobile phone company’s database of customers whose phone contracts were up for renewal, that would be something that we would take very seriously,’ he says.
Over the next two years it is also expected that the ICO will aim to increase awareness of data protection issues with small and medium-sized enterprises or SMEs.
As broader awareness of data protection issues begins to circulate in the UK business world, there will be correspondingly less tolerance shown to organisations that flout data protection rules.
The areas of greatest concern to SMEs will be the loss of personal client data on unprotected laptops and mobile devices.
The ICO has also signalled that data wiping, and unencrypted or unprotected data lost or left on discarded hard drives, mobile phones and USB sticks, will be areas it focuses on, particularly given that criminals are increasingly building databases of stolen IDs.
Discarded hard drives recovered from EU machines sent to Africa for illegal disposal currently sell for twice as much if they have data on them.
The disposal of hard drives in Africa has become a flourishing practice and breaches the European electrical waste regulations known as the Waste Electrical and Electronic Equipment directive.
Those companies engaged in such actions risk prosecution from the Environment Agency. Meanwhile those whose drives are found to have been traded in this way could themselves face prosecution from the Environment Agency, the ICO and, if financial data is involved, the Financial Services Authority.
If the data involves payment cards they can also face additional measures from the Payment Card Industry Security Standards Council.
Cloud computing is another area that will involve the ICO if personal data is stored in the Cloud; once again it will be necessary for any data gathered in the EU on EU individuals to be stored and processed correctly.
Thus it is important to make sure that the company providing your cloud services can tell you where in its cloud your data is held, what back-ups are made of the data and where they are, if anyone has access to your data apart from you and what security measures it has in place to make sure that you comply with the UK DPA.
If your cloud supplier is storing the data in a country outside of the EU then it breaches EU data protection laws – and may breach those of the UK.
‘Organisations using an internet-based service must not relinquish control of the personal data they have collected, or expose it to security risks that would not have arisen had the data remained in their possession in the UK. To overcome this problem a written contract should be in place,’ says the ICO.
‘The organisation using these services is still classed as the data controller and therefore they would be responsible for keeping the information secure. If the organisation fails to meet this obligation under the Data Protection Act then the ICO would look at whether there’s a need for regulatory action to be taken.’
In early 2011 the Danish Data Protection Registrar refused permission for Odense Municipality, the equivalent of a UK county council, to use Google Apps because Odense would be unable to prove where the data was held – a necessity under the rules for subject access – and was required to draw up specific terms and conditions relating to the personal data it wanted to store in Google Apps between the municipality and Google.
The Information Commissioner’s Office and you
1. If you store personal data on behalf of clients, ensure that you have registered with the ICO.
2. Ensure that you have adequate protection for the data you hold. If you are unsure about this, contact the ICO, describe the information you use, what it is for and how it is stored, and ask for their recommendations.
3. Use a computer security suite that includes a firewall and make sure that it is frequently updated.
4. Ensure that the software you are running on your computer is frequently patched.
5. If you use mobile devices that hold personal client and customer data, make sure that the information held on them is adequately protected. This will usually mean that the devices are encrypted. Enabling a PIN on a mobile phone may not be considered adequate.
6. Ensure that you know who has access to any personal records that you hold and that there is an audit trail on your systems that can show who accessed what records and when. Many commercial software systems now offer an audit trailing facility to provide you with this information.
7. Make sure that you have the necessary physical security to protect your records.
8. Make sure that a password policy is in use in your office to control your staff’s access to office machines.
9. Have a policy for the use of personal devices and software services such as instant messaging services, internet email services and social media at work to protect against the misuse or copying of data. This should include a policy on the use of data storage devices such as mobile phones and USB sticks.
10. Ensure that any computers you dispose of have been data wiped before they leave your office. Follow the same policy with mobile devices you no longer need, such as laptops, mobile phones and USB sticks.
11. If you have decided to use a cloud computing service, ensure that it complies with the DPA. Again, if you are unsure about this, contact the ICO.