production management
HM Revenue and Customs has admitted to losing discs containing details of 25 million child benefit claimants. In the wrong hands, these records could provide sophisticated criminals with a tool to steal the identity of millions of innocent victims - to open bank accounts, get credit cards, loans, state benefits and generate passports and driving licences.
By Andrew Dyson
Data security and protection
In an age where face-to-face transactions are no longer the norm and paper records are increasingly obsolete, maintaining confidence in the way personal information is handled is essential best practice in business. Organisations cannot and must not take good security for granted; the stakes are simply too high to get it wrong. HMRC found this out when, within hours of the announcement that it had lost the child benefit discs, there was a massive public outcry, the Chairman resigned, questions were asked in Parliament and the Information Commissioner’s Office commenced formal investigations under the Data Protection Act 1998.
Here we explore the importance of managing personal information properly, outlining the legal responsibilities organisations have to protect personal information, the consequences of failing to comply with those responsibilities and practical steps that can avoid some of the most damaging pitfalls.
Protecting personal information
The well publicised problems suffered by HMRC highlight the risks of failing to properly protect personal information. Sadly, the case is not unique. Earlier in the year, Nationwide Building Society was fined a record £1m for failing to take proper steps when a laptop containing 11 million customer records was stolen from an employee’s car, and a further 11 banks and building societies were ‘named and shamed’ for the reckless way in which they discarded customer records on the high street.
These incidents damage confidence, erode hard-won reputations and ultimately lose businesses money. High-profile security blunders in the US and continental Europe have seen companies lose millions of dollars off stock market values and make massive payouts to blighted consumers and vexed regulators. UK companies who fail to protect privacy face similar risk and should be prepared to manage the adverse consequences.
Complying with the Data Protection Act
Taking proper care of personal information is not just sound commercial practice, it is a legal requirement. Any organisation responsible for the collection and use of personal information must comply with the Data Protection Act 1998. The DPA establishes a legal framework which ‘data controllers’ must follow when processing personal information.
All data controllers have a duty to keep personal information within their control secure against unauthorised or unlawful use. This is a specific requirement within the DPA and requires organisations to ensure that:
■ personal information is held within secure IT systems
■ appropriate physical and technical controls are in place to limit access to personal information held within the organisation on a need-to-know basis
■ personnel who have access to personal information are subject to appropriate security vetting and confidentiality agreements
■ everyone within the organisation is aware of the role they have in managing information security - for example, call centre staff should be able to spot and deal with ‘blaggers’ who may look to gain unauthorised access to personal accounts
■ policies and procedures are in place to manage security risk and effectively deal with any security breaches
■ penetration tests and audits are regularly carried out to validate and enhance these procedures
■ where personal information is provided to a third party (for example, to a payroll provider), a security risk assessment is carried out on that organisation before any personal information is handed over and the basis on which the information will be used is clearly delineated in a ‘data processor’ contract.
36 MWP march 2008
Information security is only one aspect of the legal responsibilities set out in the DPA. The legislation also sets out broad responsibilities to manage personal information in a fair and lawful manner. Compliance with these additional requirements means:
■ Formally notifying the ICO about the types of personal information collected and used by the organisation. This notification is published in a public register of data controllers.
■ Issuing privacy policies to staff, customers etc. which explain in clear English the personal information held by the organisation and how it is used.
■ Only using personal information for purposes which are ‘fair’ in all the circumstances, having regard for the individual’s expectation of privacy. It will generally only be fair to use personal information:
  ■ where necessary to fulfil a legitimate business activity which does not harm the individual (for example, where necessary to fulfil a specific transaction with the individual),
  ■ where necessary to comply with a specific legal responsibility (for example, to pay National Insurance Contributions), or
  ■ where the individual has specifically authorised their information to be used in a particular way (for example, where they ask for their details to be passed to another company).
■ Ensuring the purpose for which information is to be used is clearly explained to the individual in the relevant privacy policy and is justifiable on one of the abovementioned grounds. It is often tempting to use information collected for one purpose at one time, for something else later