
Jennifer Grant

HR Account Manager

Friday 30th April 2010

Breaching Data Protection - Increased Penalties

The ICO (Information Commissioner's Office) now has the power to impose much larger financial penalties on organisations for serious breaches of the Data Protection Act 1998: from April 2010 an organisation that seriously contravenes the Act can be ordered to pay a monetary penalty of up to £500,000.

With this in mind, it is an ideal time for your organisation to go back to basics and make sure there is a clear line of responsibility for the control of personal data, starting with who acts as the Data Controller and who acts as a Data Processor.

The definitions might provide some clarity:

Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

A data processor may hold and process personal data, but it does not decide why or how that data is processed; its role is therefore more limited than that of the data controller, who retains ultimate control over, and responsibility for, the data. It is important to note that a monetary penalty under the Act can only be imposed on the data controller, not on a data processor, so outsourcing the processing (for example to a payroll bureau) does not outsource the liability.

What Constitutes a Serious Breach?

The increased penalty applies only to a 'serious breach' of data protection. For the ICO to impose it, all of the following must be true: there has been a serious contravention of the Act's data protection principles by the data controller; the contravention was of a kind likely to cause substantial damage or substantial distress; and the contravention was either deliberate, or the data controller knew or ought to have known that there was a risk of it and failed to take reasonable steps to prevent it.

Examples of this can be:

  • basic security measures have not been taken, e.g. personnel files left out on desks rather than kept in a locked cabinet
  • personal data, or sensitive personal data such as medical records, has been lost or misplaced
  • inaccurate personal data was given in a reference by an ex-employer, which resulted in the individual being refused a job.

The situation described in the final point could arise quite easily if a reference gives incorrect employment dates, the wrong reason for termination, or the wrong job title or responsibilities. Using this example, can you say with confidence that your organisation has adequate provisions in place to prevent it?

Internal Reflection

Following on from this, some appropriate questions to ask are:

  • How do you currently hold this information?
  • Is there a leavers spreadsheet?
  • Who is responsible for data entry, and who is responsible for processing requests such as a reference?
  • How do you ensure the information is accurate?
  • Is an exit interview held?

We would strongly encourage the practice of holding an exit interview, issuing an official leavers letter confirming dates, outstanding holidays and so on, and keeping a spreadsheet of new starts and leavers that contains all the details needed for an employment reference, so that a reference is written from confirmed records rather than from memory.

How Best HR Practice Can Contribute to Effective Data Control

Interestingly, among the measures the ICO advises organisations to put in place to reduce the risk of a breach, and to evidence that appropriate steps were taken, several are simply good HR practice:

  • Ensuring appropriate policies, procedures, practices and advice are given to staff. For example, introducing and communicating an IT policy in which security measures and staff responsibilities are clearly identified.
  • Clear lines of responsibility for the control of data, i.e. one named person responsible for how personal data is stored and another for ensuring that the details held are kept up to date.
  • Specific policies addressing a potential or previous contravention. For example, if staff access work email on their PDAs, ensure there is a policy that sets out the security measures required (such as a device passcode) and the steps to take, and whom to tell, if the device is lost or stolen.

Another point to note is that when you discover a leak of information or a contravention of the Act, you must act promptly to secure the information and record what you did. For example, if CVs or other personal data are found on an internal system that all staff can access, move them to a separate, password-controlled area so that only the appropriate individuals can reach them, and then check whether anyone else has already copied or viewed them.

Conclusion - ensure policies, procedures and processes are in place

In conclusion, with the new emphasis on fining breaches of the Act, there is now a strong incentive for organisations to have in place not only a general IT policy but also specific mobile and laptop policies that identify the security risks for employees who regularly use these devices. Lone-working and home-working policies should also be reviewed with data protection in mind, as employees are accessing information away from the office and you need measures to prevent improper use or leakage of that information to external parties. Of course, people are often the greatest security risk, so make sure you have a tight confidentiality clause and policy in place as well.
