In two years' time the UK's Data Protection Act changes, bringing our data laws into line with the rest of Europe. Businesses may think the Act is tough now, but from 2014 data protection regulation is expected to get even tougher. EU countries including Belgium, France, Germany and Spain already have much tighter data regulation, so they are likely to become the benchmarks for the new rules.
Expert Phil Brining from Absolute Data spoke at a joint event to help businesses better understand the law. He explained how easy it is to breach the UK's Data Protection Act, partly because computer and internet technologies have moved on a long way since the Act was introduced in 1998.
The Data Protection Act has simply not kept pace with technology and, particularly with the growth of social media, there are some very grey areas.
How you can breach the Data Protection Act
- Sending personal information to the wrong recipient (emails and attachments)
- Failing to keep sensitive personal information secure
- Loss of unencrypted PCs, laptops, memory sticks etc. containing personal information
- Loss of manual records containing personal information
- Illegally obtaining personal information
- Illegally selling-on personal information (or your staff selling it on)
- Inappropriate access to records containing personal information
- Inappropriate and inadequate security on systems, websites and transmitted data
- Inappropriate disposal of IT equipment, manual records etc.
- Inadequate training of staff
- Inadequate policies and procedures
- Making unsolicited marketing calls
- Not having an up-to-date notification. Notification is the process by which a business or organisation gives the Information Commissioner's Office (ICO) details of its processing of personal information.
A hefty price for breaching the Data Protection Act
Phil discussed case studies that show just how easy it is to be caught out. As well as paying a substantial fine, companies can lose customers, be struck off tender lists and suffer severe reputational damage from negative PR. No sector is immune, and ignorance of the law isn't going to get a business off the hook. Some recent examples of breaches of the Act:
- Brighton and Sussex University Hospitals Trust: £325,000 fine after computer hard drives containing patient data were stolen and sold on eBay
- London Borough of Barnet: £70,000 fine for the theft of paper files from an employee's home
- Usha Patwal: given a two-year conditional discharge and ordered to pay £614 prosecution costs for unlawfully accessing her sister-in-law's medical records
- Merfyn Pugh Estate Agents: given a six-month conditional discharge and ordered to pay £614 prosecution costs for failing to notify the ICO
- Phoenix Nursery School, Wolverhampton: signed an undertaking after losing a backup tape containing the personal details of 70 pupils and their parents or guardians
- Two councils, Worcestershire County and North Somerset: fined a total of £140,000 after they accidentally emailed personal data to the wrong recipients
How to avoid getting it wrong
Many of us in the audience were terrified by this stage! If it's so easy to break the law now, how much harder will it get? Phil, who advises customers including Premier League football clubs on data issues, offered some practical tips:
- Take the view that all data is personal data and err on the side of caution
- Make sure you have notified the ICO, even if you're a small private company and think you might be exempt. The ICO sometimes targets specific sectors: estate agents, for example, were scrutinised because only a third of them had notified
- Technical failures and mistakes are often symptoms of underlying organisational problems. Check your processes and systems; know who holds personal data, where it is held and how it is used; put someone senior in charge; train staff regularly; consider external accreditation such as ISO 27001 or BS 10012; and bring in specialist help if necessary
- Think about privacy before you start a project and build it into the system from the outset, rather than leaving it as an afterthought
- If you use third parties to destroy or store paper documents, or to hold electronic data, make sure you have robust service level agreements in place and that you are confident in their systems
- A password alone is not enough to protect laptops and computers holding personal data: a login password does nothing once the drive is removed or the machine is booted from other media. You need the stored data itself to be encrypted, e.g. with full-disk encryption.
You can read Phil’s full presentation here (800KB PowerPoint download).