RECENT high-profile data security breaches have caused organisations all over the country to examine their data security measures.
There have been a number of security lapses resulting in embarrassing publicity for the MoD, NHS boards, police forces and local councils – and for private sector businesses such as Carphone Warehouse, Marks & Spencer and logistics firms.
No-one wants to join this list of those publicly named and shamed and no-one wants to receive a compensation claim or an enforcement notice from the Information Commissioner's Office (ICO).
The Data Protection Act 1998 is intended to ensure compliance with the data protection principles, which aim to protect the security and privacy of individuals' personal data. It is the seventh data protection principle (that data must be kept secure) that has been the subject of recent breaches.
These include: the loss or theft of unencrypted laptops and USB memory sticks; sensitive documents lost in the post or left on public transport; and websites where technical problems have left data exposed.
What are the consequences of breaches in security? Breaches can take many forms, from computer malware paralysing your systems to the theft or unintended release of confidential information. There is also the embarrassing publicity such a breach may receive and the loss of public confidence that follows.
These are practical consequences, but what about legal consequences? If the data that is stolen or unintentionally released is either a third party's confidential information or contains someone's personal data then this may lead to a court action for damages or a breach of the Act.
Such a breach of the Act can lead to the ICO making a public enforcement notice (an official warning and an instruction to remedy the breach) against your organisation.
Failing to comply with the enforcement notice can lead to a prosecution and fines being imposed, both on the organisation and on any manager, director or partner who consented to the breach or whose neglect led to the breach.
In addition, where someone suffers financial loss as a result of the breach of the Act then they can claim damages in respect of that loss.
The ICO has a useful Good Practice Note on the Security of Personal Information (available from its website or via snipurl.com/gpnspi). Some steps you can take include:
• conducting a risk assessment of the security of your data and carrying out regular data security audits;
• appointing someone to have responsibility for your data security;
• considering your physical security (such as locking up files, laptops, discs and memory sticks);
• training your staff and ensuring they comply with a security policy, including controlling access to certain information;
• regularly backing up your data and having an incident response plan; and
• putting in place technological measures.
Implementing technological measures does not mean adopting unnecessary and expensive security measures, but you should take into account the risk of a breach, the harm that would result from a breach and the state of technological development, as well as the costs.
Some simple technological measures include password protection, the encryption of data on laptops and other portable data storage devices, controlling e-mail systems, having firewall and antivirus protection, and so on.
Some organisations are taking this further and seeking to comply with the ISO 27001 standard on information security management. This can be used not only to try to prevent data security breaches and to comply with the Act, but also as a tool to demonstrate good working practices and maintain public confidence.
Data security is a topic stepping out of the shadows of the IT department and into the boardroom. You should take the time to think carefully about your organisation's data security and seek appropriate professional advice if you have any concerns.
• Graeme Moffett is a senior associate at Shepherd+ Wedderburn, one of Scotland's "big four" law firms, with offices in Aberdeen, Edinburgh, Glasgow and London.