There have been a number of news stories recently about high profile data loss incidents in the public sector. These stories increasingly involve laptops being taken off premise.
One such incident earlier this year saw the London councils of Ealing and Hounslow fined £150,000 after two laptops containing the details of almost 3,000 individuals were stolen from an employee’s home. There was no evidence that the data had been accessed by a third party, but because the laptops were only password protected and not encrypted, the councils were fined for breaching the Data Protection Act (DPA).
Similarly, a school in Oldham breached the act after an unencrypted laptop was stolen from a teacher’s car while it was parked outside their home, leading to sensitive data relating to 90 pupils falling into rogue hands. The school was also required to sign an undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted using appropriate software.
Staff will also be trained on how to follow the school’s policy for the storage and use of personal data, and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.
Under a Ministry of Justice ruling organisations can now be fined up to £500,000, 100 times more than the previous maximum fine of £5,000. The organisation charged with enforcing compliance with the DPA and imposing fines is the Information Commissioner’s Office (ICO).
The DPA requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and against accidental loss, destruction or damage. The ICO has powers to change the behaviour of organisations that collect, use and keep personal information, and can fine those who fail to adequately protect the personal information they hold.
With these new ICO powers to impose fines and enforce undertakings, as well as the bad publicity and embarrassment that has come from the news headlines surrounding data breaches, schools cannot afford to underestimate the importance of ensuring that all devices store and back up data securely and can protect and/or destroy information taken outside the school boundaries.
The explosion in the use of personal devices and laptops, and the increasing mobility of teachers and school staff, means sensitive school or pupil information is increasingly stored on rogue devices, often with little or no data protection.
Few teachers back up the data they store on a daily basis, and the information is held on portable devices which, in many cases, have no adequate protection against device loss and little or no encryption. This extends the risk of a data breach beyond the workplace to any broken, lost or stolen laptop.
Schools need to make sure they are securing any device that contains sensitive data (data which could cause damage or distress to individuals), whether the devices are personal or corporate PCs, laptops, tablets or smartphones.
The DPA dictates that computer security measures must ensure that if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent damage or distress to the individuals concerned, and that where the information held on a portable device could be used to cause an individual damage or distress, it is encrypted. There are various technologies available; here is my pick of the best for ensuring your devices are DPA-compliant on and off premise:
1. Automatic online PC Backup and Recovery
Backup-as-a-service can offer fully automated, encrypted backup and recovery online, allowing schools to back up their data on and off site over the internet. This can also eliminate capital expenditure and reduce operational costs compared with running backup and recovery in-house.
2. At rest encryption
Files and folders selected for backup are automatically encrypted, along with their metadata, so that no sensitive information can be gleaned from the backup itself; this enables you to be fully compliant with the DPA and the strictest data privacy legislation.
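To make the "content and metadata both encrypted" point concrete, here is an added example (not code from the original article or from any backup product it describes) of how a backup agent can seal a file's content together with its name and modification time under AES-256-GCM, so that the stored record carries no plaintext field at all and any tampering with it is detected on restore. The `fileEntry` and `backupRecord` types, the sample class-list file and the in-memory key are all constructed for this example; a real agent would derive and escrow the key rather than generating it inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// fileEntry is what the backup agent sees in the clear: the file's
// content together with the metadata (name, modification time) that
// would otherwise reveal what the file is about. (Constructed type.)
type fileEntry struct {
	Name    string `json:"name"`
	ModTime string `json:"mtime"`
	Data    []byte `json:"data"`
}

// backupRecord is the only thing written to the backup store. It holds
// no plaintext field: name, timestamp and content are all inside
// Ciphertext, and the GCM tag appended to Ciphertext detects tampering.
type backupRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// newKey returns a fresh 256-bit AES key. Generated inline only so the
// example runs stand-alone; a real agent derives or escrows this key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEntry encrypts content and metadata together under a random
// per-record nonce, so two backups of the same file produce unrelated
// ciphertexts and nothing about the file is visible to the storage side.
func sealEntry(key []byte, e fileEntry) (backupRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return backupRecord{}, err
	}
	plain, err := json.Marshal(e)
	if err != nil {
		return backupRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return backupRecord{}, err
	}
	return backupRecord{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, nil)}, nil
}

// openEntry is the restore path. It fails closed: a wrong key, a
// truncated record or a single flipped ciphertext bit all return an
// error rather than partially decrypted data.
func openEntry(key []byte, r backupRecord) (fileEntry, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return fileEntry{}, err
	}
	if len(r.Nonce) != aead.NonceSize() || len(r.Ciphertext) < aead.Overhead() {
		return fileEntry{}, errors.New("malformed backup record")
	}
	plain, err := aead.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return fileEntry{}, err
	}
	var e fileEntry
	if err := json.Unmarshal(plain, &e); err != nil {
		return fileEntry{}, err
	}
	return e, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file standing in for a class list.
	entry := fileEntry{Name: "year6-class-list.csv", ModTime: "2011-09-01T08:00:00Z",
		Data: []byte("pupil,dob\nA. Pupil,2000-05-17\n")}
	rec, err := sealEntry(key, entry)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d nonce bytes, %d ciphertext bytes, no plaintext name\n",
		len(rec.Nonce), len(rec.Ciphertext))
	restored, err := openEntry(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored %q (%d bytes)\n", restored.Name, len(restored.Data))
}
```

The design point is that the filename is part of the plaintext, not a label on the record: a backup listing that shows `year6-class-list.csv` next to an encrypted blob already tells a thief which blob to care about. Because GCM authenticates the whole payload, the restore path also cannot be tricked into returning a doctored file.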
3. Remote data deletion
Lets you delete files from the backup dataset remotely if a device is lost or stolen, without needing the device to come online, while still giving you access to recent backups of any files you have deleted, safe in the knowledge that the sensitive data is encrypted.
4. Port access control
Port access control makes sure sensitive information doesn’t leave the device, and doesn’t enter a device that shouldn’t hold sensitive information. It lets you prevent unauthorised USB use and control access through any port or media, including CD/DVD, USB, serial, Bluetooth and wireless ports, and lets you allow read-only or write-only access, or lock a port down completely, on a user-by-user basis.
5. Device tracking
Tracks the location of a laptop or desktop if it connects to the internet after being lost or stolen.