Data Loss
"Data Loss" has hit the headlines on countless occasions recently. Stolen laptops, lost CDs and misplaced memory sticks have caused panic and public outrage at the lack of care taken in the treatment of personal data. The scandals have prompted several reviews, reports and legislative changes in data protection. All of this points to a crack-down in data protection enforcement by the Information Commissioner's Office (the "ICO"), which is tasked with enforcing the Data Protection Act 1998 (the "DPA").
Penalties for Data Loss
It is not only government departments that have been named and shamed following data losses. Private companies are also at risk from enforcement action. At present, the ICO can serve an enforcement notice on any data controller it believes is breaching one or more of the data protection principles in the DPA. The notice sets out the steps to be taken to rectify the breach. The ICO can also seek a formal undertaking from the organisation that it will comply with the principles in future.
In September 2008, following the loss of an unencrypted compact disc containing the personal data of more than 3,000 Virgin Media customers, the ICO required Virgin Media to sign an undertaking that it would implement a number of security measures to protect customers' personal information more effectively in future. These included encrypting all portable or mobile devices which store and transmit personal information and ensuring that any company processing personal information on behalf of Virgin Media also uses encryption software. The ICO required that this must be clearly stated in the processor's contract.
The ICO publishes enforcement notices and associated undertakings on the ICO website. Naturally, this can lead to adverse publicity for the organisation involved in addition to the costs of any required remedial action to upgrade security or amend contracts. The ICO continues to campaign for greater resources and powers to properly monitor and enforce data protection compliance in the UK. However, at present, the ICO's actions may seem limited compared with the powers on offer to other regulators.
Institutions regulated by the Financial Services Authority (the "FSA") are already at risk of hefty fines for data security lapses. The FSA has the power under the Financial Services and Markets Act 2000 to impose any fine that it considers appropriate where a regulated institution has failed to take reasonable care to carry out adequate risk management. The aim is to protect customers from the risk of financial crime. In February 2007, the FSA fined the Nationwide Building Society £980,000 for failing to protect customer information after a laptop was stolen from an employee's home.
At present, however, the ICO has no power to fine data controllers directly for a breach of the principles in the DPA. This may soon change.
New Penalties, New Risks
The Criminal Justice and Immigration Act 2008 amends the DPA to allow the ICO to fine organisations directly for serious breaches of the DPA principles. The provision is not yet in force, but secondary legislation setting out the level of fines and their application is expected imminently. The Information Commissioner has recommended that the fines are brought in as soon as possible and that they should be in line with those imposed by the FSA.
Reducing the Risk of Data Loss
With the prospect of direct fines on the horizon, now is the time for all organisations that hold or share personal data to review their data protection policies and procedures. Compliance with the ICO's code of practice for sharing personal information is a useful step to show that your organisation complies with best practice. Although implementing the code is not a legal requirement, adhering to its principles should substantially reduce the risk of a data loss situation occurring.
The code of practice sets out a number of principles which organisations should address.
- Deciding when data should be shared
Review the objective for sharing data, assess the likely impact of sharing and consider the reaction of individuals involved. You may find that alternatives to data sharing, such as anonymising data, are lower risk or more appropriate.
- Fairness and transparency
Have a clear privacy policy which is easily accessible. Keep a list of any third parties with whom data is shared. Allow individuals to access and correct their personal information easily.
- Security
Review the adequacy of your technical security measures. For example, encrypt personal data held on portable devices or sent outside the organisation, and have physical and organisational security procedures in place, such as regular reviews and staff training. Bear in mind that a login password on an otherwise unencrypted laptop, or a "password protected" document whose contents are not actually encrypted, does little to protect data on a lost or stolen device: the data can simply be read from the disk.
Dealing with a Data Loss Situation
The ICO recommends that all organisations have a policy which addresses what to do in a data loss situation. Four steps should be followed:
1. Containment and Recovery:
The following initial steps are key:
- Decide who should take the lead on investigating the breach and ensure they have the appropriate resources.
- Establish who needs to be made aware of the breach.
- Establish whether anything can be done to recover any losses and limit the damage the breach can cause.
- Where appropriate, inform the police.
2. Assessment of Ongoing Risk:
Consider the type of data involved, how sensitive it is and what has happened to it. The appropriate response will also depend on whether the lost data is protected (including by encryption) and how many individuals are affected.
3. Notification of the Breach:
Organisations should consider whether to inform individual data subjects, recognising that it may not always be appropriate to inform individuals. At present, there is no law expressly requiring an organisation to notify a breach of the DPA. Nonetheless, if a large number of people are affected or there are very serious consequences, the ICO recommends that the organisation informs them of the breach. The ICO may then recommend making the breach public if it believes there is a strong public interest in doing so, although notifying individuals will often lead to public disclosure in any event.
4. Evaluation and Response:
Identify where improvements can be made to avoid data losses in future and implement them.
How We Can Help
We can assist by providing practical advice to address specific risks and problems, or general compliance with the DPA. To that end, we can carry out data protection audits and identify any risks, provide advice on the implementation of data protection and privacy policies, and also prepare the form of data protection consents that may be required from individuals.
This briefing sheet reflects the legal position as at 06 May 2009.
Matthew Godfrey-Faussett
Partner, Technology & Commercial
Tel +44 (0)131 777 7101
Email matthew.godfrey-faussett@mcgrigors.com
Helen Krushave
Solicitor, Technology & Commercial
Tel +44 (0)131 777 7337
Email helen.krushave@mcgrigors.com
Robert Johnson
Senior Solicitor, Technology & Commercial
Tel +44 (0)20 7054 2714
Email robert.johnson@mcgrigors.com